I had VPN-DHCP working fine, but without the name resolution... if I used VNC or a Remote Desktop connection to an internal computer from home, I had to connect to the IP rather than the computer name.
I thought your article sounded like it would resolve that issue, but it didn't help. And as mentioned in your article, now when I do an ipconfig /all, there are two DNS server addresses for each of the two internal DNS servers. With the setup I had before, I only had one listing for each DNS server.
Both before and after implementing what your article describes, an ipconfig /all does not show anything for connection-specific DNS suffix.
Use the Monitoring\Logging function to see where the packets are getting dropped. I've followed this article and it does work - you just need to "follow the path" to see where it's going wrong.
Before you connect, change the Logging to filter based on Source Network = VPN Clients and see if you see the DHCP Request packet come through. If that shows Initiated Connection, look at the logs and filter on Protocol = DHCP Reply to make sure the response from the server is allowed.
1. Client connects and obtains an IP from ISA.
2. Once connected, the client broadcasts a DHCP Inform packet looking for additional options.
3. The DHCP Relay Agent on ISA picks this up and relays it to the DHCP server.
4. The DHCP server replies DIRECTLY to the VPN client with the additional options requested.
Just to make sure we're on the same page, in order for step 3 to work, you need an Access Rule allowing DHCP Request from VPN Clients to Local Host, and in order for step 4 to work, you need an Access Rule allowing DHCP Reply from Internal (or a Computer object for the DHCP Server) to VPN Clients.
How long did you watch the logging? It takes a short amount of time for the client to send the DHCP Inform packets, so leave the logging running for a few minutes, just to make sure ISA displays everything.
I did let it run for a while. Whenever I (from home) pinged using the computer name, or tried to connect using VNC with the computer name, ISA showed Denied Connection NetBios Name Service... From: VPN Clients To: Local Host.
I can, of course, make an allow rule for NetBios Name Service from VPN Clients to Local Host, but is my understanding correct in that I shouldn't have to?
Well, #2 looks good. Tell you what, when you're in the Logging tab, go to the View menu and select Add/Remove Columns. When that dialog box comes up, add the "Result Code" column from the left into the right column and then move it to the top 3 or 4 entries.
Now look at the entry that shows "Denied Connection" for the DHCP Request and let me know what is listed in the Result Code field.
Mostly the second one. But I just noticed a time difference. I'm using MSDE, so it should be local time, right? The log setup, using your last log setup directions, shows the log entries from yesterday, the last one around 11:00pm. But I was playing with this off and on all day today... but no entries for today? By the way, I'm doing all this remotely, through a VPN, so there should be entries for today.
Do your VPN Clients receive the IP address from a static pool or from DHCP?
If they are receiving the IP from a static pool, are these addresses different from your Internal Network range?
As for the date, <apologies for dumb question>, but you're scrolling all the way to the top of the results right? The logging shows the most recent at the top of the results when you view the history. Again, sorry to be daft...
It used to be static, but about 3 months ago the company finally put in some new servers and uses DHCP now. I did change to DHCP for VPN in ISA (ISASERVER, of course, has static). The DHCP server has several leases for Name=ISASERVER, Unique ID=RAS, non-contiguous IPs.
As far as time goes, I removed the Protocol = DHCP Request filter and changed back to 'live', and the VPN connections are showing 'activity' in 'live' time now.
The most activity (other than 'common' activity) I see is: 0xc004000d FWX_E_POLICY_RULES_DENIED NetBios Name Service
with the occasional 0xc004000d FWX_E_POLICY_RULES_DENIED NetBios Datagram
(yes, I was looking at topmost records for the most recent)
I'm behind an ISA here at my home lab also; however, I also tried from a dial-up computer, same thing.
By the way, as an aside, I intended to ask this sometime in another post, but I mentioned that we changed servers, IP ranges and DHCP a few months ago. I've noticed that the logs show a lot of 'destinations' to be the old IP of ISASERVER before we changed. Old IP was 192.0.0.1, new IP 192.168.2.1 with netmask of 255.255.255.254.0.
I've looked at a couple of computers that show that destination IP; Firewall Client settings show the new IP, and the gateway and IE settings all show the new, proper IP address. So I'm not sure why they are trying to connect to the old IP. I suppose there must be a program I missed that still has the old IP for the proxy...
Well, I moved my DHCP off onto another server because I thought this was causing a problem with getting this to work correctly. No dice!
When I connect with the VPN client I notice that I don't have a DNS suffix. I have two domains behind the ISA 2004 server: domainONE.local and domainTWO.local. The ISA 2004 server is joined to the first domain and I have a two-way trust established between them.
It can take up to 30 seconds (in my experience) to get the suffix.
Now, assuming you've waited this long, what does ISA show in the logs for the request? You can use Monitoring\Logging to look for DHCP Request from VPN Clients and then look for DHCP Reply from the DHCP server.
Hi all,
First of all, the article is very good. One thing that I need to point out, though, is that it's not required to use DHCP for client addressing in order to send DHCP options to VPN clients. You can use a static address pool as long as you exclude the pool's addresses from the Internal network. VPN clients can still receive DHCP options if you follow the rest of the configuration. I've tested and verified this with ISA Server 2004 SP1 and Windows Server 2003 SP1.
My second point is actually a question. I'm trying to send certain DHCP options only to VPN clients. Here's a short write-up of what I'm talking about:
If I place the VPN-specific options in the General DHCP scope, it works fine. If I change it to the Default Routing and Remote Access Class, it doesn't work. I have tried using DHCP to assign addresses to VPN clients, but that doesn't fix this specific problem.
I would welcome any input or ideas on this problem. I think my configuration is correct.
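The four-step DHCP Inform exchange laid out earlier in the thread (client already holding a tunnel address, relay agent on ISA, server answering the client directly) and the Default Routing and Remote Access Class question just above, as an added worked example that is not from this thread, from the article, or from Microsoft. It builds a DHCPINFORM, relays it, answers it with a DHCPACK carrying option 6 (DNS servers) and option 15 (connection-specific DNS suffix), and shows where the reply is addressed. Every IP address, MAC, domain name and scope value is constructed for the example; the user class string "RRAS.Microsoft" is the value Windows VPN clients send in option 77 and that the built-in "Default Routing and Remote Access Class" on a Windows DHCP server matches; the `select_options` function only illustrates class-level options overriding scope-level ones and is not the Windows DHCP server's logic.

```python
"""Added example: DHCPINFORM -> relay -> DHCPACK for a VPN client (RFC 2131 framing)."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_DNS_SERVERS = 6      # option 6: DNS server list
OPT_DOMAIN_NAME = 15     # option 15: connection-specific DNS suffix
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_PARAM_REQUEST = 55
OPT_USER_CLASS = 77      # option 77: user class (RFC 3004)
OPT_END = 255
DHCPACK, DHCPINFORM = 5, 8
# Value Windows RRAS/VPN clients send in option 77; the Windows DHCP server's
# built-in "Default Routing and Remote Access Class" matches this string.
RRAS_USER_CLASS = b"RRAS.Microsoft"
_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes

# Constructed scope data for the example (not taken from the thread).
GENERAL_SCOPE = {"dns": ["192.168.2.10", "192.168.2.11"], "domain": b"domainONE.local"}
RRAS_CLASS_OPTIONS = {"dns": ["192.168.2.10"], "domain": b"vpn.domainONE.local"}


def _encode_options(options):
    tlv = b"".join(struct.pack("BB", code, len(val)) + val for code, val in options)
    return MAGIC_COOKIE + tlv + bytes([OPT_END])


def build_dhcpinform(client_ip, mac, xid, user_class=None):
    """Step 2: the client already has an address (ciaddr) and asks only for options."""
    header = struct.pack(_HEADER, 1, 1, 6, 0, xid, 0, 0,
                         socket.inet_aton(client_ip), b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = [(OPT_MSG_TYPE, bytes([DHCPINFORM])),
               (OPT_PARAM_REQUEST, bytes([OPT_DNS_SERVERS, OPT_DOMAIN_NAME]))]
    if user_class is not None:
        options.append((OPT_USER_CLASS, user_class))
    return header + _encode_options(options)


def relay(packet, relay_ip):
    """Step 3: the relay agent puts its own address in giaddr and bumps hops."""
    fields = list(struct.unpack(_HEADER, packet[:236]))
    fields[3] += 1                               # hops
    fields[10] = socket.inet_aton(relay_ip)      # giaddr
    return struct.pack(_HEADER, *fields) + packet[236:]


def parse_dhcp(packet):
    """Decode the fixed header and the TLV option area into a dict."""
    fields = struct.unpack(_HEADER, packet[:236])
    assert packet[236:240] == MAGIC_COOKIE, "not a DHCP packet"
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                       # pad option
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"xid": fields[4], "hops": fields[3],
            "ciaddr": socket.inet_ntoa(fields[7]), "giaddr": socket.inet_ntoa(fields[10]),
            "msg_type": options.get(OPT_MSG_TYPE, b"\0")[0], "options": options}


def select_options(user_class):
    """Illustrative class handling: class-level options win when option 77 matches."""
    return RRAS_CLASS_OPTIONS if user_class == RRAS_USER_CLASS else GENERAL_SCOPE


def build_dhcpack(inform_packet, server_ip):
    """Step 4: the server echoes xid/ciaddr/giaddr and attaches the requested options."""
    req = parse_dhcp(inform_packet)
    chosen = select_options(req["options"].get(OPT_USER_CLASS))
    fields = list(struct.unpack(_HEADER, inform_packet[:236]))
    fields[0] = 2                                # BOOTREPLY
    fields[9] = socket.inet_aton(server_ip)      # siaddr
    options = [(OPT_MSG_TYPE, bytes([DHCPACK])),
               (OPT_SERVER_ID, socket.inet_aton(server_ip)),
               (OPT_DNS_SERVERS, b"".join(socket.inet_aton(a) for a in chosen["dns"])),
               (OPT_DOMAIN_NAME, chosen["domain"])]
    return struct.pack(_HEADER, *fields) + _encode_options(options)


def reply_destination(ack_packet):
    """RFC 2131 4.3.5: the DHCPACK for a DHCPINFORM is unicast to ciaddr, i.e. straight
    to the VPN client's tunnel address, which is why the DHCP Reply rule from the
    DHCP server to VPN Clients is needed."""
    return parse_dhcp(ack_packet)["ciaddr"]


def client_settings(ack_packet):
    """What the client applies: DNS server list and the connection-specific suffix."""
    opts = parse_dhcp(ack_packet)["options"]
    raw = opts.get(OPT_DNS_SERVERS, b"")
    dns = [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw), 4)]
    return dns, opts.get(OPT_DOMAIN_NAME, b"").decode()


if __name__ == "__main__":
    inform = build_dhcpinform("192.168.3.50", b"\x00\x11\x22\x33\x44\x55", 0x2A2A, RRAS_USER_CLASS)
    ack = build_dhcpack(relay(inform, "192.168.2.1"), "192.168.2.10")
    print("DHCPACK goes to", reply_destination(ack), "carrying", client_settings(ack))
```

Read against the ISA log: the DHCPINFORM is what should show up as DHCP Request from VPN Clients to Local Host (the relay agent lives on the ISA box), and the DHCPACK, addressed to the client's own tunnel address rather than to the relay, is the DHCP Reply that the rule from the DHCP server to VPN Clients has to permit. If the client's option 77 is absent or differs from the class string, the server falls back to scope-level options, which is the symptom to check for when class-level options are not arriving.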