Discussion for Using DHCP with ISA/VPN Server Clients article
Discussion for Using DHCP with ISA/VPN Server Clients a... - 12.Mar.2003 3:43:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for the Using DHCP with ISA/VPN Server Clients at http://www.isaserver.org/tutorials/dhcpoptions.html

Thanks!
Tom

[ March 16, 2003, 09:09 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 14.Mar.2003 10:48:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

great article!

As you probably remember, my preferred VPN client access solution is to use a variant of the off-subnet address assignment without the limitations of it:
code:
Internal LAN ----- [layer-3 switch] ----- [ISA] ----- Internet
^^^
stub subnet

The key point is that what I call the 'stub subnet' must have an address range not contained in the classful address range of the Internal network. Of course, on this stub subnet no other devices but the ISA and the layer-3 switch should be connected. This greatly simplifies the routing definition and doesn't have the limitation that you can't use DHCP-assigned addresses for the VPN clients.

Maybe you can update the article with that info. [Big Grin]

Thanks,
Stefaan

(in reply to tshinder)
Post #: 2
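The classful check Stefaan describes, as an added example (not code from the article or from any poster): given the addresses in use on the Internal network, it derives each one's classful network (/8, /16 or /24 from the first octet) and reports any that would swallow a candidate stub subnet. The host and subnet values are constructed for the demonstration.

```python
import ipaddress


def classful_network(ip):
    """Classful (RFC 791) network containing ip: /8 for class A, /16 for B, /24 for C."""
    addr = ipaddress.IPv4Address(ip)
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{ip} is not a class A/B/C unicast address")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def stub_subnet_conflicts(internal_hosts, stub_subnet):
    """Classful networks of the internal hosts that overlap the stub subnet.

    An empty list means the stub subnet lies outside every classful range
    already used on the Internal network, which is the rule in the post above.
    """
    stub = ipaddress.ip_network(stub_subnet, strict=False)
    conflicts = {classful_network(h) for h in internal_hosts
                 if classful_network(h).overlaps(stub)}
    return sorted(str(n) for n in conflicts)


if __name__ == "__main__":
    # Constructed sample: Internal LAN lives in 10.0.x.x, so all of 10/8 is its classful range.
    internal = ["10.0.1.5", "10.0.2.7"]
    for candidate in ("10.99.0.0/24", "192.168.200.0/24"):
        clash = stub_subnet_conflicts(internal, candidate)
        print(candidate, "rejected, inside" if clash else "ok", *clash)
```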
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 16.Mar.2003 9:09:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

Good point! I often just think of the stub subnet as a dedicated off-subnet range. However, I can see that it's not immediately obvious that you must make sure it's not within a classful range already in use on the network. I'll update or link to a new short article on the subject.

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 17.Mar.2003 7:28:00 PM   
msquire

 

Posts: 2
Joined: 18.Dec.2002
Status: offline
Hi all,
Maybe I should post this to usenet, but when our users connect to VPN, they can't browse the internet. One solution is to uncheck the option on the client side to use the default gateway on the remote network. That keeps our clients from resolving internal DNS names, however, which is problematic for Outlook access. Any ideas?

Thanks,
Mark

(in reply to tshinder)
Post #: 4
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 17.Mar.2003 8:56:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Mark,

check out http://www.isaserver.org/tutorials/Solving_the_Mystery_of_the_VPNRASWeb_Proxy_Client.html

HTH,
Stefaan

(in reply to tshinder)
Post #: 5
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 13.May2003 9:40:00 PM   
afortier747

 

Posts: 4
Joined: 13.May2003
From: Ottawa, Canada
Status: offline
I appreciated your article. But I am still having trouble obtaining IP addresses from the DHCP server.

Please email me at my email address so that I can explain further.
Thanks

(in reply to tshinder)
Post #: 6
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 14.May2003 4:16:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andre,

Make sure you configure the DHCP setup something like what you see in the ISA Server/DHCP article over at www.isaserver.org/shinder

HTH,
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 14.May2003 4:44:00 PM   
afortier747

 

Posts: 4
Joined: 13.May2003
From: Ottawa, Canada
Status: offline
Hi Tom,
I followed the article Using DHCP with ISA / VPN.
My DHCP server is on another box.
Inside the ISA Server, I tell it to go to the DHCP IP address (which works fine on the ISA server if I tell it to grab an IP automatically).

When I check the RAS setup, the internal interface has an IP address of 169.x.x.x which is definitely not what I want.

Should I install the DHCP on the ISA box, and exclude these addresses on the actual DHCP server?

(in reply to tshinder)
Post #: 8
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 14.May2003 5:37:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andre,

Do not install DHCP on the ISA Server and don't make the ISA Server a DHCP client.

Did you configure the DHCP Relay Agent?

Thanks!
Tom

(in reply to tshinder)
Post #: 9
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 14.May2003 7:35:00 PM   
afortier747

 

Posts: 4
Joined: 13.May2003
From: Ottawa, Canada
Status: offline
The ISA server has static IP addresses both internally and externally.
DHCP is not on the ISA box.
DHCP Relay Agent is set for the Internal interface - this is the interface which says that it cannot find a DHCP server and is going to dole out 169.x.x.x addresses. This is the culprit, and this is where I am stuck.

We have ISA Standard (in case that will make a difference).

Thank you again for your help.

(in reply to tshinder)
Post #: 10
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 14.May2003 7:47:00 PM   
afortier747

 

Posts: 4
Joined: 13.May2003
From: Ottawa, Canada
Status: offline
Hi Tom,
I got the ISA box working.
I changed the parameters in RRAS to not choose which NIC card to get DHCP, DNS, and WINS from. I selected the internal NIC card. Restarted RRAS and poof, it's working!

(in reply to tshinder)
Post #: 11
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 14.May2003 8:38:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andre,

That will do it!

Good to hear you got it working and thanks for the followup!

Tom

(in reply to tshinder)
Post #: 12
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 22.Jun.2003 5:36:00 PM   
Lobotomy

 

Posts: 33
Joined: 3.Jun.2002
From: Sweden
Status: offline
Hello Tom.

As per your article, I've configured VPN on an ISA server.
The DHCP server is on another, internal machine.
In the RRAS console, I've added the DHCP Relay agent, and set it to using the "Internal" adapter.
I've also added the internal DHCP server's ip-address in the settings for the agent.

When getting the ports (as I'm starting the RRAS service), I can see in the Network Monitor that the RRAS service receives the DHCP options OK, but the RRAS service on the ISA server does not give these settings to the client.

I can log on to the VPN server, but try as I might, I can't get the server to send the DHCP options. The server only gives the VPN client the settings from the internal nic, as defined in the RRAS console when right-clicking the server, choosing properties and viewing the tab "IP"

This might perhaps have something to do with the fact that the DHCP server is a NT 4 machine (although LAN clients with Windows 2000 and Windows XP can use this server correctly)?

Anyhow, any ideas?

Update 1, 15 minutes after posting this post the first time:
Just noticed a thing.
When checking the Event Viewer, it is now FULL of
red error icons, stating: Microsoft Firewall, Error 11001. These were not there before I started allowing inbound VPN calls.

I've searched the bulletin boards, but from what I could see there are a lot of speculations (often involving RRAS or changes in the NIC IP configuration), but no real solutions. Is this still the case?

Update 2 (approximately one hour later):
Did a network trace during VPN client logon. When perusing this capture, I noticed that while there seems to be DHCP Inform packages, there are no DHCP ACK frames in the network capture.
So there seems to be something wrong with the DHCP relay agent and the internal DHCP server.
As I stated earlier, I've configured the DHCP Relay Agent to use the internal DHCP server, and the internal DHCP server is an NT 4 server residing in a separate domain (one-way trust, that is, the ISA server trusts the internal domain, but the internal domain does not trust the ISA machine's domain). From what I know about DHCP, this protocol has no user security, as IP addresses are leased when a machine boots, long before a user can authenticate; still, the fact that the ISA machine is in a domain that is not trusted by the internal domain that the DHCP server resides in might also be a factor. I don't think so, but I'm grasping at straws here.
I tried fiddling with the DHCP BOOTP options, and increased the hop count threshold, and decreased the boot threshold (seconds), but to no avail.

// Henrik

[ June 22, 2003, 07:03 PM: Message edited by: Lobotomy ]

(in reply to tshinder)
Post #: 13
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 22.Jun.2003 7:09:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Henrik,

I don't believe the WinNT 4.0 DHCP server understands DHCPINFORM messages. That could be the reason why the options aren't being delivered to your clients. If you have another DHCP server on the internal network that you know supports DHCPINFORM (such as Win2k/Win2003), then try that out.

The 11001:

Event ID
11001

Event Message
%1 failed. The failure occurred during %5 because the configuration property %4 of the key %3 could not be accessed. Use the source location %6 to report the failure. The error code in the Data area of the event properties indicates the cause of the failure. For more information about this event, see ISA Server Help. The error description is: %2.

Explanation
The service failed to start because the data in the storage is corrupt, due to incorrect configuration of either the registry or Active Directory.

User Action
If a backup exists, in ISA Management click Servers and Arrays, then right-click Name, and choose Restore. This will restore the configuration, except for server-specific configuration information, such as cache content. If this does not solve the problem, uninstall ISA Server from the Control Panel. You will lose all the configuration parameters and will have to reinstall. Reinstalling a new copy of ISA Server without uninstalling the previous copy will not solve the problem.

Not sure what might be causing this. Did you let the ISA VPN Wizard *start* and *configure* RRAS for you? If not, there might be some conflicts that you need to work out. Also, make sure the firewall isn't a domain controller or a Web server.

HTH,
Tom

(in reply to tshinder)
Post #: 14
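The capture check Henrik describes (DHCPINFORM frames present, no DHCPACK for them), which matches Tom's explanation that an NT 4.0 DHCP server does not answer DHCPINFORM, as an added example that is not from the article or either poster. It parses the DHCP payload (xid and option 53 message type) and correlates INFORM and ACK by transaction id; the three packets are constructed inline rather than taken from a real trace, and the script assumes the UDP payloads have already been extracted.

```python
import struct
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field (RFC 2131)
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}


def build_dhcp(xid, msg_type, extra_options=b""):
    """Build a minimal DHCP payload for testing (constructed input, not from a real capture)."""
    op = 2 if msg_type in (2, 5, 6) else 1        # BOOTREPLY for server messages, else BOOTREQUEST
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    fixed += b"\x00" * (236 - len(fixed))          # remainder of the fixed BOOTP header, zeroed
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type]) + extra_options + b"\xff"


def parse_dhcp(payload):
    """Return (xid, message-type name, {option code: value}) or None if this is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                               # pad option, single byte
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):    # end option, or truncated options field
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    if 53 not in options or len(options[53]) != 1:
        return None
    return xid, MESSAGE_TYPES.get(options[53][0], f"type-{options[53][0]}"), options


def unanswered_informs(payloads):
    """Transaction ids of DHCPINFORM messages that never received a DHCPACK with the same xid."""
    seen = defaultdict(set)
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed is not None:
            xid, name, _ = parsed
            seen[xid].add(name)
    return sorted(x for x, names in seen.items() if "INFORM" in names and "ACK" not in names)


if __name__ == "__main__":
    # Constructed trace: two INFORMs, only the second answered (ACK carrying DNS option 6).
    capture = [build_dhcp(0x1001, 8), build_dhcp(0x1002, 8),
               build_dhcp(0x1002, 5, bytes([6, 4, 10, 0, 0, 10]))]
    print("INFORMs without ACK:", [hex(x) for x in unanswered_informs(capture)])
```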
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 22.Jun.2003 8:33:00 PM   
Lobotomy

 

Posts: 33
Joined: 3.Jun.2002
From: Sweden
Status: offline
Hello Tom, and thanks for the prompt reply.

The installation that is failing is for a customer.
As we are running ISA server at the office also, I went back there to test this there.
As it was, we had a mis-configuration there.
I had erroneously chosen the internal network adapter as the DHCP Relay Agent Interface, and thus it did not give out DHCP options either.
I fixed it by removing this faulty interface and adding the correct interface (the one called Internal, that is provided by RRAS), and now it works correctly here at the office.
Of course, the difference being that we are running Win 2K DHCP here.

So it is most probably the DHCP server that is the problem. Alas, there is also a monetary consideration, and I'll probably have a tough time selling in upgrading from Windows NT 4 to Win2K / Win2003 for this reason only.
[Wink]

As to the 11001 error:
Yep, I let the wizard configure the rules.
Although, since I know from experience that L2TP connections are a bit tricky to get right, I disabled the two packet filters pertaining to the L2TP protocol and left only the two PPTP protocols enabled (besides all the others that had been there previously, of course).

Perhaps it was that. Or perhaps it could have something to do with trying to get the DHCP options from the NT 4 server, and failing.
I can see if I can tweak around a bit, by:
  • Enabling the L2TP filters again (although they will not work since no certificates are installed or configured.)
  • Setting the RRAS to give out static IP addresses instead, since the NT 4 DHCP is not working anyway, and the number of clients is quite limited.
I'll get back to you and post my findings here.
BTW.
The ISA server machine IS a domain controller, residing in a domain all by itself.
This because I don't want the ISA server to be part of the internal domain, and thus, if they hack the firewall, have full access to the internal domain.

The "firewall" domain only has this one computer and has a trust set up with the internal domain so that the ISA Server domain trusts the internal domain, but not the reverse.

This is according to "Best practices" as I have seen them posted at this site.
It does not have IIS installed though. All web services are on internal machines that are published through the ISA machine with Web Publishing Rules (no checking. All request are let through as anonymous request).

// Henrik

[ June 22, 2003, 08:41 PM: Message edited by: Lobotomy ]

(in reply to tshinder)
Post #: 15
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 22.Jun.2003 10:55:00 PM   
Lobotomy

 

Posts: 33
Joined: 3.Jun.2002
From: Sweden
Status: offline
Error 11001 revisited.
I solved it. And without restoring an existing backup (which I of course did not have [Roll Eyes] )

First I tested the following:
  • I did re-enable the L2TP filters again. No change. Error still occurred.
  • Then I removed the DHCP option, since it wasn't functioning anyway. No change. Error still occurred.
Then I looked a bit closer at the registry keys mentioned in the event viewer error items.
There were 2 sources: Microsoft Firewall and H.323 Gatekeeper.
As the gatekeeper service is not used, I removed it and disabled the H.323 Application Filter.
This made the error with this source disappear.
Fine.
I then looked at the rest of the errors. Using regedit, I looked at the keys in question. They were all entries having to do with server publishing rules. Not all the server publishing rules, just the rules that I had created. The rules that were created using for example the MAIL wizard still functioned.

OK, I thought. What's so special about these rules, I asked myself. I looked at them, and saw that all these had "Applies To" criteria. That is, these specific rules could only be used for a specific Client Address Set.
I couldn't just remove these sets, since these publishing rules are NOT meant for public access.
So I did a quick and dirty test, which was to:
  • Add a dummy client address set (ip 1.0.0.1)
  • Add this new client set to the server publishing rules as Exceptions to the "Applies To" rule.
I then restarted the services, and connected once again with a VPN client (as this would earlier absolutely cascade events in the event viewer).
Lo and behold. No more errors.
So, to recap. In my case, it helped to add an exception to the "Applies to" list in the server publishing rule in question. Might not work for others, but it would be nice to know if this is in fact the reason that these errors have occurred for others besides myself. And also, why the errors occur only when adding VPN support to the ISA Server.
It's somehow like the VPN wizard deletes the keys in question, then rebuilds them again, but misses the subkey (ClientSetsExcluded).

Would be nice to hear some experts' thoughts on this one (over to you Tom [Smile] (or others))

Cheers

// Henrik

(in reply to tshinder)
Post #: 16
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 3.Nov.2004 10:15:00 AM   
mymmb

 

Posts: 2
Joined: 30.Oct.2004
From: iran
Status: offline
quote:
Originally posted by spouseele:
  Hi Mark,

  http://www.isaserver.org/tutorials/Solving_the_Mystery_of_the_VPNRASWeb_Proxy_Client.html

Can we use VPN and SecureNAT?
With this capability we can use user security.
Or do you have another solution to use user security?

(in reply to tshinder)
Post #: 17
RE: Discussion for Using DHCP with ISA/VPN Server Clien... - 3.Nov.2004 9:02:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi mohsenmohammady,

if VPN clients must go out to the Internet *through* the VPN tunnel then they must also be Web Proxy and Firewall clients. A SecureNAT client is not supported in this particular scenario with ISA 2000.

HTH,
Stefaan

(in reply to tshinder)
Post #: 18
DHCP failing - VPNs down - 12.Jul.2006 5:11:22 PM   
BWBAdmin

 

Posts: 1
Joined: 12.Jul.2006
Status: offline

I have been using the ISA 2004 Firewall for about 4 months now as a VPN server. It is configured for PPTP VPNs and uses DHCP to assign addresses to VPN clients. Just yesterday the VPNs were down for the first time. After a few minutes of investigating I noticed the problem. VPN clients were getting 169.254.x.x addresses assigned to them.


The errors in the event viewer on ISA basically said that the ISA server could not contact a DHCP server and that it was going to assign a 169.254.x.x address.
I checked the DHCP server, which is a DC on my network, and everything was fine. The scope was up and active, assigning addresses as usual.
I made several attempts to re-establish communications by rebooting both the ISA box and the DC, disabling/enabling VPN access in ISA, and rebuilding the DHCP scope on the DC - all to no avail.

In the end I had to edit my “Internal” network on ISA to exclude a block of addresses, and create a static address pool for the VPN clients. This worked immediately and VPNs were back up.
So my question is, what could have caused this to happen?
I understand the benefits of using DHCP for address assignment, but I’m having a hard time selling my boss (the CTO) on the idea. He seems to think the static pool is more stable and would like to leave it at that. I, on the other hand, would like to figure out why this happened and go back to using DHCP as soon as possible.

- Justin 
 

(in reply to spouseele)
Post #: 19