• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Remote VPN clients not receiving DHCP options

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> VPN >> Remote VPN clients not receiving DHCP options Page: [1] 2 3   next >   >>
Login
Message << Older Topic   Newer Topic >>
Remote VPN clients not receiving DHCP options - 29.Sep.2004 12:28:00 AM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi all,

The following page describes my problem: http://www.westmesatech.com/isa/dhcpproblem.html

The client VPN connection works fine, but as soon as the client sends the DHCPInform DHCP request, ISA denies the connection even though there are explicit rules to allow it.

Any ideas on what's really going on here?

Thanks!

Bill

[ January 05, 2005, 12:23 AM: Message edited by: Bill Stewart ]

< Message edited by AbqBill -- 12.Dec.2007 1:55:04 PM >
Post #: 1
RE: Remote VPN clients not receiving DHCP options - 29.Sep.2004 5:16:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bill,

I'm checking this out now.

Tom

(in reply to AbqBill)
Post #: 2
RE: Remote VPN clients not receiving DHCP options - 29.Sep.2004 6:30:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bill,

Here ya go: http://www.msfirewall.org/testing/dhcprelay.htm

I'll do a complete explanation on why this is required in the book, but this will get you up and running.

HTH<
Tom

(in reply to AbqBill)
Post #: 3
RE: Remote VPN clients not receiving DHCP options - 29.Sep.2004 4:01:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Tom,

Thanks for the sample rules. Sometimes another pair of eyes to look at the problem is just what the doctor ordered.

Is this because a DHCP request is a broadcast (255.255.255.255), so you have to allow it to Anywhere?

Thanks!

Bill

[ September 29, 2004, 04:14 PM: Message edited by: Bill Stewart ]

(in reply to AbqBill)
Post #: 4
RE: Remote VPN clients not receiving DHCP options - 29.Sep.2004 8:57:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Tom,

It still isn't working. I have updated the problem page: http://www.westmesatech.com/isa/dhcpproblem.html

I am at a loss to explain why this doesn't work.

Bill

[ January 05, 2005, 12:25 AM: Message edited by: Bill Stewart ]

< Message edited by AbqBill -- 12.Dec.2007 1:56:54 PM >

(in reply to AbqBill)
Post #: 5
RE: Remote VPN clients not receiving DHCP options - 29.Sep.2004 9:05:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bill,

Is there a typo in your Rule #2?

If not, then you tell me what the problem is. Think about the flow of traffic and then you'll be able to give me the answer [Wink]

HTH,
Tom

(in reply to AbqBill)
Post #: 6
RE: Remote VPN clients not receiving DHCP options - 29.Sep.2004 9:16:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Tom,

No, there's no typos in there. [Smile]

Do I need to create a Computer network object containing the ISA Server's IP address? Why wouldn't Local Host work in this instance?

Thanks,

Bill

(in reply to AbqBill)
Post #: 7
RE: Remote VPN clients not receiving DHCP options - 30.Sep.2004 12:12:00 AM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Nope -- created a Computer network object containing the internal IP address of the ISA Server and it still does not work. What am I not seeing?

Thanks!

Bill

(in reply to AbqBill)
Post #: 8
RE: Remote VPN clients not receiving DHCP options - 30.Sep.2004 3:15:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bill,

Compare your rule 2 with mine [Big Grin]

HTH,
Tom

(in reply to AbqBill)
Post #: 9
RE: Remote VPN clients not receiving DHCP options - 30.Sep.2004 6:18:00 AM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Tom,

I created a network object called DHCP Server (like in your rule #2) and set it equal to the IP address of the internal interface of the ISA Server (which happens to also be the DHCP server in this case). I applied the policies, but this didn't change anything.

Or are you talking about something else?

Thanks!

Bill

(in reply to AbqBill)
Post #: 10
RE: Remote VPN clients not receiving DHCP options - 30.Sep.2004 4:55:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Tom,

I updated my firewall rules to exactly match your rule #2 (with the exception that my destination includes the Quarantined VPN Clients Network object):

http://www.westmesatech.com/isa/dhcpproblem.html

I don't see any (significant) differences between your rules and mine. What am I missing?

Thanks!

Bill

[ January 05, 2005, 12:27 AM: Message edited by: Bill Stewart ]

< Message edited by AbqBill -- 12.Dec.2007 2:00:26 PM >

(in reply to AbqBill)
Post #: 11
RE: Remote VPN clients not receiving DHCP options - 30.Sep.2004 7:41:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bill,

What are the details of your DHCP Relay Agent config?

Thanks!
Tom

(in reply to AbqBill)
Post #: 12
RE: Remote VPN clients not receiving DHCP options - 30.Sep.2004 10:55:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Tom,

I updated my problem page with pictures of the DHCP Relay Agent configuration:

http://www.westmesatech.com/isa/dhcpproblem.html

Thanks!

Bill

[ January 05, 2005, 12:27 AM: Message edited by: Bill Stewart ]

< Message edited by AbqBill -- 12.Dec.2007 1:59:36 PM >

(in reply to AbqBill)
Post #: 13
RE: Remote VPN clients not receiving DHCP options - 30.Sep.2004 11:55:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bill,

I replicated it again and it works. Check this out:

http://www.msfirewall.org/testing/dhcprelay2.htm

HTH,
Tom

(in reply to AbqBill)
Post #: 14
RE: Remote VPN clients not receiving DHCP options - 1.Oct.2004 12:32:00 AM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Tom,

Are you running the DHCP service on the ISA firewall in your configuration?

Thanks,

Bill

(in reply to AbqBill)
Post #: 15
RE: Remote VPN clients not receiving DHCP options - 1.Oct.2004 1:15:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bill,

No. The DHCP server is on a DNS, WINS, IAS, Certificate and Web server on the Internal Network.

HTH,
Tom

(in reply to AbqBill)
Post #: 16
RE: Remote VPN clients not receiving DHCP options - 1.Oct.2004 5:33:00 AM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Tom,

Try running the DHCP service on the ISA Server itself and see if you can get it to work. I forsee this as a common configuration (lots of PIX firewalls I've seen run DHCP on the inside interface), and it'd be great if we could replicate this on the ISA firewall.

Thanks!

Bill

(in reply to AbqBill)
Post #: 17
RE: Remote VPN clients not receiving DHCP options - 1.Oct.2004 7:52:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bill,

Never thought of that one! I'll give it a try tomorrow and see what happens. Seems sort of 'off label' to me, since you an install DHCP on any Windows server on the network.

Not sure what I would do different, or if it could even work. Does it work without the ISA firewall software installed?

BTW -- what DHCP options do you want to assign VPN clients?

Thanks!
Tom

[ October 01, 2004, 07:53 AM: Message edited by: tshinder ]

(in reply to AbqBill)
Post #: 18
RE: Remote VPN clients not receiving DHCP options - 1.Oct.2004 5:04:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
quote:
Never thought of that one! I'll give it a try tomorrow and see what happens. Seems sort of 'off label' to me, since you an install DHCP on any Windows server on the network.
Hi Tom,

Yes, you can run DHCP on another server, but I'm envisioning the ISA Server "appliance" scenario where it's the only "server" on a branch office network (not a file or print server, just a firewall). In that case, running the DHCP service on it would practically be a no-brainer.

quote:
Does it work without the ISA firewall software installed?
Unfortunately I have not been able to test this scenario because this is my production server. Do you have any pointers on doing this with VMWare?

quote:
BTW -- what DHCP options do you want to assign VPN clients?
The DNS suffix, primarily.

Thanks!

Bill

(in reply to AbqBill)
Post #: 19
RE: Remote VPN clients not receiving DHCP options - 1.Oct.2004 5:09:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bill,

OK, that all makes sense to me.

I'll first test without the ISA firewall software installed to see if its even possible. And if I get it to work, then I'll install ISA and see if it break it. These all seem like local host connections, but if things made sense, we'd never have to do experiments [Big Grin]

Let you know sometime this weekend. I need to finish Chapter 4 tonight or Debi is going to whip me with a cat 'o nine tails [Smile]

Thanks!
Tom

(in reply to AbqBill)
Post #: 20

Page:   [1] 2 3   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> VPN >> Remote VPN clients not receiving DHCP options Page: [1] 2 3   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts