I have a ISA Server 2006 firewall (but the exact same behaviour happens with TMG 2010) sitting in front of my company network; the internal network subnet is 192.168.60.0/24 and is correctly configured in ISA. All internal computers use ISA as their default gateway.
I want my VPN clients to use addresses in another subnet, let's say 192.168.17.0/24. So I configured static address assignment in ISA, and I also manually configured the DNS addresses (192.168.60.1 and 192.168.60.3).
Firewall policies are in place to allow all traffic between VPN clients and the internal network.
I don't want VPN clients to use the VPN as their default gateway, so I unchecked the relevant checkbox in the VPN connection properties; I don't want their Internet traffic to go through the VPN, only the traffic directed to the company network.
A client can successfully establish a VPN connection and get an IP address in the 192.168.17.X range. It can ping the ISA server and even RDP to it (the policies allow this).
But it doesn't get a route to the 192.168.60.0/24 subnet, so it can't talk to the internal network.
If I manually add a static route to the client saying "you can talk to 192.168.60.0/24 using the VPN interface", everything works fine.
How can I automatically supply this static route to VPN clients?
Also, I have a network-behind-network scenario, as there is another internal network (192.168.1.0/24) reachable via a different router; ISA Server knows how to talk to it because it has a static route defined, but, again, VPN clients don't get any information about it.
Same question as above: how to supply static routes to VPN clients?
I was finally able to get this to work by assigning addresses to VPN clients using DHCP and then using the DHCP options to hand out those static routes. This also required enabling the DHCP Relay Agent on the RRAS underlying ISA/TMG.
Hi Massimo, I'm trying to do the same on my ISA box but something's wrong: which option did you put in the DHCP scope? And configured how? VPN clients use their dynamic IP as the gateway to the ISA box, so how should I configure the gateway for the extra routes?
I configured the firewall to assign addresses to VPN clients from a static pool, and then created a scope in the DHCP server using the same pool; I put DNS and WINS settings there, and also used DHCP option 121, "classless static routes". There, I configured a static route to the internal network, and used the first address of the VPN pool as the gateway address; it looks like the exact address you use doesn't matter, because the actual route supplied to the VPN client is in the form "use the VPN link to reach this network".
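As an added illustration of what DHCP option 121 actually carries (this is example code, not something from the thread or from ISA/TMG), the following Python encodes and decodes the RFC 3442 "classless static routes" payload for the two internal networks named in the question. The gateway 192.168.17.1 is an assumed value, chosen because the answer says the first address of the VPN pool was used; the decoder is included so you can check a captured option 121 value for malformed or truncated route entries before trusting it. It also handles the general case (any prefix length, including /0), which goes beyond the /24 routes in the thread.

```python
# Added example: encode/decode the DHCP "classless static routes" option (121,
# RFC 3442) for the routes discussed in this thread. Not from the original post;
# the gateway 192.168.17.1 (first address of the VPN pool) is an assumption.
import ipaddress

# Constructed sample: the two internal networks from the question, each reached
# over the VPN link. The gateway is the first address of the VPN pool.
VPN_ROUTES = [
    ("192.168.60.0/24", "192.168.17.1"),
    ("192.168.1.0/24", "192.168.17.1"),
]


def encode_classless_routes(routes):
    """Build the option 121 payload: for each route, one prefix-length byte,
    only the significant octets of the destination, then the 4-byte gateway."""
    payload = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # rejects host bits set
        gw = ipaddress.IPv4Address(gateway)
        significant = (net.prefixlen + 7) // 8           # /24 -> 3 octets, /0 -> 0
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += gw.packed
    return bytes(payload)


def decode_classless_routes(payload):
    """Parse an option 121 payload back into (destination, gateway) pairs,
    raising ValueError on malformed data instead of installing a bad route."""
    payload = bytes(payload)
    routes = []
    i = 0
    while i < len(payload):
        prefixlen = payload[i]
        i += 1
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen} at offset {i - 1}")
        significant = (prefixlen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest_octets = payload[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        gateway = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        # strict=False masks any host bits a sloppy sender left in the last octet
        net = ipaddress.IPv4Network((dest_octets, prefixlen), strict=False)
        routes.append((str(net), str(gateway)))
    return routes


if __name__ == "__main__":
    blob = encode_classless_routes(VPN_ROUTES)
    print("option 121 payload:", blob.hex())
    for dest, gw in decode_classless_routes(blob):
        print(f"route {dest} via {gw}")
```

The encoded bytes are exactly what a DHCP server places in option 121; a VPN client that honours the option installs each destination through the interface on which the lease arrived, which matches the observation above that the exact gateway address is not what ends up mattering.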
You mentioned that you configured ISA to assign addresses from a static pool, but then you created a scope in the DHCP server using the same pool?
If you are using ISA to assign addresses to VPN clients, the DHCP scope in this case would not apply to the clients as address assignment is not performed by DHCP right?
I am currently trying to implement a static route to VPN clients via ISA, and have tried your method, but I don't see how the scope in DHCP helps when you are assigning addresses using ISA directly, instead of via DHCP.