Remote VPN clients not receiving DHCP options



AbqBill -> Remote VPN clients not receiving DHCP options (29.Sep.2004 12:28:00 AM)

Hi all,

The following page describes my problem: http://www.westmesatech.com/isa/dhcpproblem.html

The client VPN connection works fine, but as soon as the client sends the DHCPInform DHCP request, ISA denies the connection even though there are explicit rules to allow it.

Any ideas on what's really going on here?

Thanks!

Bill

[ January 05, 2005, 12:23 AM: Message edited by: Bill Stewart ]




tshinder -> RE: Remote VPN clients not receiving DHCP options (29.Sep.2004 5:16:00 AM)

Hi Bill,

I'm checking this out now.

Tom




tshinder -> RE: Remote VPN clients not receiving DHCP options (29.Sep.2004 6:30:00 AM)

Hi Bill,

Here ya go: http://www.msfirewall.org/testing/dhcprelay.htm

I'll do a complete explanation on why this is required in the book, but this will get you up and running.

HTH,
Tom




AbqBill -> RE: Remote VPN clients not receiving DHCP options (29.Sep.2004 4:01:00 PM)

Hi Tom,

Thanks for the sample rules. Sometimes another pair of eyes to look at the problem is just what the doctor ordered.

Is this because a DHCP request is a broadcast (255.255.255.255), so you have to allow it to Anywhere?

Thanks!

Bill

[ September 29, 2004, 04:14 PM: Message edited by: Bill Stewart ]




AbqBill -> RE: Remote VPN clients not receiving DHCP options (29.Sep.2004 8:57:00 PM)

Hi Tom,

It still isn't working. I have updated the problem page: http://www.westmesatech.com/isa/dhcpproblem.html

I am at a loss to explain why this doesn't work.

Bill

[ January 05, 2005, 12:25 AM: Message edited by: Bill Stewart ]




tshinder -> RE: Remote VPN clients not receiving DHCP options (29.Sep.2004 9:05:00 PM)

Hi Bill,

Is there a typo in your Rule #2?

If not, then you tell me what the problem is. Think about the flow of traffic and then you'll be able to give me the answer [Wink]

HTH,
Tom




AbqBill -> RE: Remote VPN clients not receiving DHCP options (29.Sep.2004 9:16:00 PM)

Hi Tom,

No, there are no typos in there. [Smile]

Do I need to create a Computer network object containing the ISA Server's IP address? Why wouldn't Local Host work in this instance?

Thanks,

Bill




AbqBill -> RE: Remote VPN clients not receiving DHCP options (30.Sep.2004 12:12:00 AM)

Nope -- created a Computer network object containing the internal IP address of the ISA Server and it still does not work. What am I not seeing?

Thanks!

Bill




tshinder -> RE: Remote VPN clients not receiving DHCP options (30.Sep.2004 3:15:00 AM)

Hi Bill,

Compare your rule 2 with mine [Big Grin]

HTH,
Tom




AbqBill -> RE: Remote VPN clients not receiving DHCP options (30.Sep.2004 6:18:00 AM)

Hi Tom,

I created a network object called DHCP Server (like in your rule #2) and set it equal to the IP address of the internal interface of the ISA Server (which happens to also be the DHCP server in this case). I applied the policies, but this didn't change anything.

Or are you talking about something else?

Thanks!

Bill




AbqBill -> RE: Remote VPN clients not receiving DHCP options (30.Sep.2004 4:55:00 PM)

Hi Tom,

I updated my firewall rules to exactly match your rule #2 (with the exception that my destination includes the Quarantined VPN Clients Network object):

http://www.westmesatech.com/isa/dhcpproblem.html

I don't see any (significant) differences between your rules and mine. What am I missing?

Thanks!

Bill

[ January 05, 2005, 12:27 AM: Message edited by: Bill Stewart ]




tshinder -> RE: Remote VPN clients not receiving DHCP options (30.Sep.2004 7:41:00 PM)

Hi Bill,

What are the details of your DHCP Relay Agent config?

Thanks!
Tom




AbqBill -> RE: Remote VPN clients not receiving DHCP options (30.Sep.2004 10:55:00 PM)

Hi Tom,

I updated my problem page with pictures of the DHCP Relay Agent configuration:

http://www.westmesatech.com/isa/dhcpproblem.html

Thanks!

Bill

[ January 05, 2005, 12:27 AM: Message edited by: Bill Stewart ]




tshinder -> RE: Remote VPN clients not receiving DHCP options (30.Sep.2004 11:55:00 PM)

Hi Bill,

I replicated it again and it works. Check this out:

http://www.msfirewall.org/testing/dhcprelay2.htm

HTH,
Tom




AbqBill -> RE: Remote VPN clients not receiving DHCP options (1.Oct.2004 12:32:00 AM)

Hi Tom,

Are you running the DHCP service on the ISA firewall in your configuration?

Thanks,

Bill




tshinder -> RE: Remote VPN clients not receiving DHCP options (1.Oct.2004 1:15:00 AM)

Hi Bill,

No. The DHCP server is on a DNS, WINS, IAS, Certificate and Web server on the Internal Network.

HTH,
Tom




AbqBill -> RE: Remote VPN clients not receiving DHCP options (1.Oct.2004 5:33:00 AM)

Hi Tom,

Try running the DHCP service on the ISA Server itself and see if you can get it to work. I foresee this as a common configuration (lots of PIX firewalls I've seen run DHCP on the inside interface), and it'd be great if we could replicate this on the ISA firewall.

Thanks!

Bill




tshinder -> RE: Remote VPN clients not receiving DHCP options (1.Oct.2004 7:52:00 AM)

Hi Bill,

Never thought of that one! I'll give it a try tomorrow and see what happens. Seems sort of 'off label' to me, since you can install DHCP on any Windows server on the network.

Not sure what I would do different, or if it could even work. Does it work without the ISA firewall software installed?

BTW -- what DHCP options do you want to assign VPN clients?

Thanks!
Tom

[ October 01, 2004, 07:53 AM: Message edited by: tshinder ]




AbqBill -> RE: Remote VPN clients not receiving DHCP options (1.Oct.2004 5:04:00 PM)

quote:
Never thought of that one! I'll give it a try tomorrow and see what happens. Seems sort of 'off label' to me, since you can install DHCP on any Windows server on the network.
Hi Tom,

Yes, you can run DHCP on another server, but I'm envisioning the ISA Server "appliance" scenario where it's the only "server" on a branch office network (not a file or print server, just a firewall). In that case, running the DHCP service on it would practically be a no-brainer.

quote:
Does it work without the ISA firewall software installed?
Unfortunately I have not been able to test this scenario because this is my production server. Do you have any pointers on doing this with VMWare?

quote:
BTW -- what DHCP options do you want to assign VPN clients?
The DNS suffix, primarily.

Thanks!

Bill




tshinder -> RE: Remote VPN clients not receiving DHCP options (1.Oct.2004 5:09:00 PM)

Hi Bill,

OK, that all makes sense to me.

I'll first test without the ISA firewall software installed to see if it's even possible. And if I get it to work, then I'll install ISA and see if it breaks it. These all seem like local host connections, but if things made sense, we'd never have to do experiments [Big Grin]

Let you know sometime this weekend. I need to finish Chapter 4 tonight or Debi is going to whip me with a cat o' nine tails [Smile]

Thanks!
Tom



