VPN clients getting wrong IPs from DHCP server (ISA 2006)
Posted on 2010-01-06
I have an unusual setup that I am trying to get working correctly and have not found anything posted that quite fits my scenario, so here goes.
ISA 2006 server, standard.
Two physical NICs; the one facing "in" is set up to use two VLANs, and those show up fine as network adapters to Windows, and ISA also recognizes them fine. Call them Vlan101 (10.2.1.0/24, my VPN VLAN) and Vlan102 (10.2.0.0/24, my general user VLAN). When I tell ISA to provide my VPN clients an IP from a DHCP server, I only have two options for the "Use the following network to obtain DHCP, etc, etc" setting: the logical networks "internal" and "external" that ISA uses. I have this set to internal. I have the "internal" network address range spanning the whole 10.0.0.0/8 range.
I also have a DHCP relay agent set up in RRAS. The interface listed for this relay agent is the virtual adapter associated with VLAN 101, my VPN VLAN. The relay agent is pointing to my DHCP server, which is on a completely different VLAN altogether, and I have verified that I have good route/connectivity to this server from the ISA server. The DHCP server is set up and servicing multiple VLANs successfully.
I also verified that the virtual adapter for vpn101, the vpn vlan, is at the top of the list for "..the order in which they are accessed by network services" under the Adapters and Bindings tab of the Network Connections>Advanced Settings function.
If I have both virtual adapters enabled (10.2.1.x and 10.2.0.x) and a VPN client connects in from outside (that is all I allow), they are getting an IP from vlan102, i.e. 10.2.0.100. This is not what I want; I want them to get an IP from vlan101, 10.2.1.x. If I disable the virtual network card associated with vlan102, then restart RRAS, the ISA server then grabs from the correct scope, 10.2.1.x. If I undo this change, then the ISA server goes back to pulling from the wrong scope again. I am assuming that the DHCP server is just providing IPs to the ISA server based on the address of the DHCP relay agent.
How the heck do I get ISA/RRAS to use the correct adapter for the DHCP Relay Agent so that the DHCP server is providing the correct IPs???