Welcome to ISAserver.org


VPN IP settings and domain authentication

VPN IP settings and domain authentication - 26.Nov.2007 11:14:10 AM   
schuster

 

Posts: 4
Joined: 26.Nov.2007
Status: offline
Ok, we have several things going on that are puzzling me. First, I have the VPN setup to assign IP addresses from an internal DHCP server. This works to a point, in that they are given a valid ip on our internal network (10.16.6.X) but they cannot access any other subnets. They do not get their domain logon script, mapped drives, etc. They have dial-in access privilege enabled.

When I do an ipconfig /all on the client, I see that the assigned ip address is also set as the gateway. I then thought I would try and setup a pool of static ip's rather than using DHCP. I try to add 5 or so ip's and it complains "The Internal network includes ip addresses in the range 10.16.6.50-10.16.6.55. Networks cannot contain addresses that overlap with another network." So, back to DHCP it goes, but still messed up. Do you think this might be a RRAS issue/configuration problem?

I have also setup the ISA server as a domain member, but am not having any luck getting domain authentication to occur through the vpn. I have a system rule setup to allow the LDAP protocol for All Users but no joy.

To be honest, I am more used to the terminology and actions of ISA 2000 and am trying to ignore all that when dealing with 2006, but expect I need a nudge (or two) in the right direction.

This is running as an edge firewall on Windows 2003 w/sp2. Will be happy to provide additional info as needed if someone can assist.

Thanks!

Post #: 1
RE: VPN IP settings and domain authentication - 26.Nov.2007 1:16:48 PM   
mylo

 

Posts: 138
Joined: 26.Mar.2002
Status: offline
Just a few responses to your questions. I'm assuming also you're following the ISA Configure VPN Client wizard.

- Have you defined the necessary access rules to allow your VPN clients to communicate with your internal network?
- An assigned IP address as the gateway is normal behaviour over a VPN connection
- Your static IP addresses are overlapping with IP addresses assigned within your DHCP range. Either exclude those ranges for ISA from your DHCP or revert to using DHCP to assign addresses
- Domain authentication should work out the box... after all you're authenticating against the domain when you use your VPN client. What happens after the initial connection is defined according to what you allow via access rules

Hope this helps.

Regards,
Mylo

(in reply to schuster)
Post #: 2
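
Added example (not part of the thread, and not ISA Server's own code): a Python check of a proposed static VPN pool against the two conditions discussed above, the ISA error about a pool overlapping a defined network and the need to exclude the pool from DHCP. The pool 10.16.6.50-10.16.6.55 is from the first post; the Internal network ranges and the DHCP scope are constructed assumptions.

```python
import ipaddress

def rng(first, last):
    """Inclusive IPv4 range as an (int, int) pair."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"{first} is after {last}")
    return lo, hi

def overlap(a, b):
    """Overlapping part of two inclusive ranges, or None."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def fmt(r):
    return f"{ipaddress.IPv4Address(r[0])}-{ipaddress.IPv4Address(r[1])}"

def check_vpn_pool(pool, networks, dhcp_scope, dhcp_exclusions):
    """Return a list of conflicts for a static VPN address pool."""
    problems = []
    # Condition from the error message: the pool may not sit inside a defined network.
    for name, ranges in networks.items():
        for r in ranges:
            hit = overlap(pool, r)
            if hit:
                problems.append(f"pool overlaps network '{name}' at {fmt(hit)}")
    # Condition from the replies: DHCP must not be able to lease pool addresses.
    leasable = [a for a in range(pool[0], pool[1] + 1)
                if dhcp_scope[0] <= a <= dhcp_scope[1]
                and not any(e[0] <= a <= e[1] for e in dhcp_exclusions)]
    if leasable:
        problems.append(f"DHCP can still lease {len(leasable)} pool address(es), "
                        f"first {ipaddress.IPv4Address(leasable[0])}")
    return problems

POOL = rng("10.16.6.50", "10.16.6.55")            # pool from the first post
SCOPE = rng("10.16.6.20", "10.16.6.200")          # constructed DHCP scope

# Constructed "before": Internal covers the whole subnet, no DHCP exclusion.
BEFORE = check_vpn_pool(POOL, {"Internal": [rng("10.16.6.0", "10.16.6.255")]}, SCOPE, [])
# Constructed "after": pool carved out of Internal and excluded from DHCP.
AFTER = check_vpn_pool(
    POOL,
    {"Internal": [rng("10.16.6.0", "10.16.6.49"), rng("10.16.6.56", "10.16.6.255")]},
    SCOPE, [POOL])

if __name__ == "__main__":
    for label, result in (("before", BEFORE), ("after", AFTER)):
        print(label, result or "no conflicts")
```
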
RE: VPN IP settings and domain authentication - 27.Nov.2007 9:35:26 AM   
schuster

 

Posts: 4
Joined: 26.Nov.2007
Status: offline
Thanks for the reply and suggestions. Yes, I followed the configure VPN wizard.
I have setup a rule to allow vpn clients access to my internal network. I worked out the static/dhcp ip assignment issue by using a small pool of static ips and excluded those ips from the dhcp server.

What I am getting is a connection is made successfully. I get an ip address assigned to the vpn client. When I do an ipconfig, I see my primary and secondary dns servers listed, yet cannot ping or connect via hostname. I also cannot access any resources on other subnets. I am also getting a 255.255.255.255 SM which I have not seen before, but understand is perfectly fine under certain situations.

Certainly seems like a routing problem of some kind. I defined static routes in the VPN server's routing table and can access resources on other subnets just fine from the server, yet nothing on the client side. Do you think additional rules are necessary or something is missing?

Again, as I understand it, ISA 2006 is just a big firewall. Concepts from ISA 2000 like Destination Sets, Site & Content Rules and Client Address Sets (as well as LATs) are not in ISA 2006, so I probably have additional rules I need to setup.

Thanks for the help.

(in reply to mylo)
Post #: 3
RE: VPN IP settings and domain authentication - 27.Nov.2007 1:44:30 PM   
elmajdal

 

Posts: 5106
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
Hi,

have you created such a rule:

Allow > Protocols > From VPN Clients > To Internal > Users/Groups




check this article : http://www.isaserver.org/articles/2004vpnserver.html

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to schuster)
Post #: 4
RE: VPN IP settings and domain authentication - 29.Nov.2007 9:08:02 AM   
schuster

 

Posts: 4
Joined: 26.Nov.2007
Status: offline
Thanks, I will double-check, but I believe it was created with the VPN wizard. Thanks for your help and the link.

(in reply to elmajdal)
Post #: 5
RE: VPN IP settings and domain authentication - 29.Nov.2007 9:46:42 AM   
bbbld

 

Posts: 10
Joined: 23.May.2002
Status: offline
elmajdal,

I am experiencing the same problem as schuster and I had created the rule as you have suggested but my rule looks much different from yours because I do not have the ability to add "all protocols" as it shows in your image.  I am going off of memory because I am nowhere near my ISA at this moment but I am quite sure that I did not have the ability to add "all protocols".  I will check and hopefully I am wrong and your help will prove to be correct....

Thanks,

Michael

quote:

ORIGINAL: elmajdal

Hi,

have you created such a rule:

Allow > Protocols > From VPN Clients > To Internal > Users/Groups




check this article : http://www.isaserver.org/articles/2004vpnserver.html

(in reply to elmajdal)
Post #: 6
