ISA 2006 & DHCP VPN Setup

I've setup a ISA2006 server, which has VPN clients connecting succesfully and been assigned IPs by a DHCP server.

They receive the correct IP address, and correct DNS servers, however their default gateway is always set to their own IP, and not the gateway configured on the DHCP server.

As a result these machines are not able to connect to other vlans.  

If a machine obtains an IP address off the DHCP server directly then they receive all the correct IP information, so I assume its something the ISA server is doing.

I've had a read around but cant seem to find anything that might point me in the right direction.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

They receive the correct IP address, and correct DNS servers, however their default gateway is always set to their own IP, and not the gateway configured on the DHCP server.
That is what it is supposed to do

As a result these machines are not able to connect to other vlans.  
They are not supposed to be able to.  That is a security design in the technology of VPN (no matter what brand/vendor it comes from).  It is designed to protect the network receiving the connection by limiting the scope of what other networks the VPN Client may be joined to at the same time.
If you want the system to drop its pants security wise then you need to override this with what is sometimes called Split-Tunneling.  To do this with a Windows DUN based VPN Client, find the setting that says "Use Gateway on Remote Network" and disable it.  However this will cause a reversal of the behavor,...meaning that on the Remote Network side of things,...the VPN Client will only be able to communicate with the subnet that they directly VPN'ed into.  This would be the subnet that matches the IP they received when they connected.  They will not be able to connect to any other subnets "futher out" on the remote side.  This could also violate security policy set by the company that owns remote system and they can revoke your access if they find out.  But if it is your own company then I guess you don't have to worry about that.
pmason08Author Commented:
I see what your saying, the issue I have is the network was set up with a rather silly amount of vlans for each department, and as a result the VPN users need to be able to access servers in different vlans.

Assuming I didnt change the gateway settings, what would be the recommended way to gain access to these, servers?

I didn't suggest any gateway changes.  The change I suggested is simply a "toggle" in the DUN settings.  It is your only option beyond setting really ugly Static Routes on each and every effected Client that points to the LAN Router to get to the other subnets.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
If I understand you right, you should not need to disable the "Use Gateway on Remote Network" setting.

Instead, add static routes on your ISA Server (in the Routing and Remote access console, not ISA) to make sure the ISA server has routes to all of your different vlans.

The next step depends on how your vlan IP subnets are set up.

if all of your vlans are subnetted under one IP range, and your "supernet" is setup as your internal network, just make sure you have a policy rule that allows all outbound protocols from the VPN Clients network to the Internal network.

If not, then you need to create a Network in ISA for each of your vlans ip ranges, and then add a network access rule to allow VPN Clients to route to those networks, and also add a policy rule allowing all outbound protocols (or selected protocols if you wish) from VPN Clients to those networks.

Then your shouldn't have any problems. The thing to realise is that even though it has the IP address of the PC as the default gateway, it really is the ISA server that is your default gateway.

If you need detailed instructions on configuring ISA for those, let me know.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.