As per your article, I've configured VPN on an ISA server.
The DHCP server is on another, internal machine.
In the RRAS console, I've added the DHCP Relay agent, and set it to use the "Internal" adapter.
I've also added the internal DHCP server's IP address in the settings for the agent.
When getting the ports (as I'm starting the RRAS service), I can see in the Network Monitor that the RRAS service receives the DHCP options OK, but the RRAS service on the ISA server does not give these settings to the client.
I can log on to the VPN server, but try as I might, I can't get the server to send the DHCP options. The server only gives the VPN client the settings from the internal NIC, as defined in the RRAS console when right-clicking the server, choosing properties and viewing the tab "IP".
This might perhaps have something to do with the fact that the DHCP server is an NT 4 machine (although LAN clients with Windows 2000 and Windows XP can use this server correctly)?
Anyhow, any ideas?
Update 1, 15 minutes after posting this post the first time:
Just noticed a thing.
When checking the Event Viewer, it is now FULL of red error icons, stating: Microsoft Firewall, Error 11001. These were not there before I started allowing inbound VPN calls.
I've searched the bulletin boards, but from what I could see there are a lot of speculations (often involving RRAS or changes in the NIC IP configuration), but no real solutions. Is this still the case?
Update 2 (approximately one hour later):
Did a network trace during VPN client logon. When perusing this capture, I noticed that while there seems to be DHCP Inform packages, there are no DHCP ACK frames in the network capture.
So there seems to be something wrong with the DHCP relay agent and the internal DHCP server.
As I stated earlier, I've configured the DHCP Relay Agent to use the internal DHCP server, and the internal DHCP server is an NT 4 server residing in a separate domain (one-way trust, that is, the ISA server trusts the internal domain, but the internal domain does not trust the ISA machine's domain). From what I know about DHCP, this protocol has no user security, as IP addresses are leased when a machine boots, long before a user can authenticate. The fact that the ISA machine is in a domain that is not trusted by the internal domain that the DHCP server resides in might also be a factor. I don't think so, but I'm grasping at straws here.
I tried fiddling with the DHCP BOOTP options, and increased the hop count threshold, and decreased the boot threshold (seconds), but to no avail.
[ June 22, 2003, 07:03 PM: Message edited by: Lobotomy ]
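
The capture check described in Update 2 (DHCP Inform frames with no DHCP ACK), as an added example that is not part of the original post: it parses raw BOOTP/DHCP UDP payloads and lists each Inform transaction ID that never received an ACK, together with the relay address (giaddr) the frame carried. The payloads, the 192.0.2.1 relay address and all function names are constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
INFORM, ACK = 8, 5           # values of option 53 (DHCP message type)

def parse_dhcp(payload):
    """Return (xid, giaddr, msg_type) for one BOOTP/DHCP UDP payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    giaddr = ".".join(str(b) for b in payload[24:28])  # address set by the relay agent
    i = 240
    while i + 1 < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and len(value) == 1:
            return xid, giaddr, value[0]
        i += 2 + length
    return None

def unanswered_informs(payloads):
    """Map xid -> giaddr for every DHCPINFORM that has no DHCPACK with the same xid."""
    informs, acked = {}, set()
    for xid, giaddr, msg_type in filter(None, map(parse_dhcp, payloads)):
        if msg_type == INFORM:
            informs[xid] = giaddr
        elif msg_type == ACK:
            acked.add(xid)
    return {xid: g for xid, g in informs.items() if xid not in acked}

def build(op, xid, giaddr, msg_type):
    """Constructed sample message: BOOTP header, magic cookie, option 53, end."""
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0) + bytes(12)
    header += bytes(giaddr) + bytes(16 + 64 + 128)   # giaddr, then chaddr/sname/file
    return header + MAGIC + bytes([53, 1, msg_type, 255])

RELAY = (192, 0, 2, 1)  # constructed relay address (documentation range)
SAMPLE = [build(1, 0x1001, RELAY, INFORM), build(2, 0x1001, RELAY, ACK),
          build(1, 0x1002, RELAY, INFORM)]

if __name__ == "__main__":
    for xid, giaddr in unanswered_informs(SAMPLE).items():
        print(f"xid {xid:#x}: INFORM via relay {giaddr}, no ACK seen")
```

A giaddr of 0.0.0.0 in the output would mean the frame was not stamped by a relay agent before it was captured.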