RE: IP Address Assignment for VPN clients.

  • From: "Joe Pochedley" <joepochedley@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 3 Dec 2004 09:28:59 -0500

William,

Thanks for the follow-up.  Glad my long-winded explanation helped you
work through the issue.  

As general practice, it's always best to deny everything and only allow
the traffic you specifically want to pass through the firewall.  If
general clients don't need to access external DNS servers, then don't
let them do it.  :)  

Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 

-----Original Message-----
From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx] 
Sent: Thursday, December 02, 2004 4:18 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: IP Address Assignment for VPN clients.

http://www.ISAserver.org

Hello,

Unfortunately the DNS server that was originally being used is not
offline.
It is just not cooperating. In this case (and more and more) the ISP
does not allow queries from outside its own subnets to use their DNS
servers. The DNS responds but does not return a query. So Windows keeps
trying to use it. This paralyzes the client. 

Now I could have my VPN clients use split Routing but that's not really
acceptable from a security standpoint. In addition it creates other
problems with routing due to IP restrictions on our subnets.

However all is not lost. Your explanation has given me an idea.  I
thought if I simply block all DNS access from my VPN clients to external
DNS/WINS servers that it would force them to behave in the manner you
have explained.
In fact this solved the problem.

Bill

 

-----Original Message-----
From: Joe Pochedley [mailto:joepochedley@xxxxxxxxx]
Sent: Thursday, December 02, 2004 8:56 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: IP Address Assignment for VPN clients.

http://www.ISAserver.org

The Static pool clients will take the DNS and WINS settings from the
RRAS server itself.  

Whatever DNS and WINS servers are configured on the RRAS server will be
passed to the clients.  So long as this information is set up properly
on the RRAS server, I've never had an issue with the clients receiving
it.

However...  In either case, DHCP or Static Pool, if the VPN client
already has "local" DNS (or I suppose WINS, though I've never had an
issue with WINS) servers, those will not be "overridden"...   By local
DNS I mean a DNS server on the same subnet as the client's Ethernet
(802.11, whatever) interface...  This is usually only a problem with
users who have SOHO equipment on broadband connections (Microsoft, dLink,
SMC, Netgear; Linksys does NOT have this issue).  

The reason for this issue is due to the way Windows handles DNS servers.
Contrary to popular belief, the DNS server listed as "primary" is not
always the first one contacted.  The first DNS request issued will use
the primary dns server.  If that server is offline then the next will be
picked.  Once a working DNS server is found, Windows will use it to
resolve all DNS requests until it is no longer available.  Even if a new
DNS server is inserted higher in the list, the old one will be used so
long as it is available.

That means, so long as the DNS server the client was in contact with
before the VPN connection is established is available, that DNS server
will remain the first one contacted.  If the DNS server is "local" then
it is still "available"...  It's a bit more complex than this, but
that's the gist of it (I hope I explained it clearly enough).

Users who use standard dial-up services and then connect to the VPN
afterwards typically don't experience these issues.

Hope that helps.


Joe Pochedley
A computer terminal is not some clunky old television with a typewriter
in front of it. It is an interface where the mind and body can connect
with the universe and move bits of it about. -Douglas Adams 
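The server-selection behaviour Joe describes above, and the fix Bill reports further up the thread (denying VPN clients' DNS traffic to external servers so they fall back to the RRAS-assigned DNS), can be replayed in a small model. This is an added example, not code from the thread or from Microsoft; the addresses and host names are constructed, and it assumes, as in the thread, that the VPN client does not split-tunnel, so its DNS queries to the old server traverse the tunnel where the firewall can drop them.

```python
"""Model of the Windows DNS server-selection behaviour described in the thread.

A client keeps using whichever DNS server last responded until it stops
responding, even when a new server is inserted at the top of the list.  A
server that responds with no useful answer (the ISP resolver that refuses
queries from outside its subnets) still counts as "available", so the client
stays stuck on it.  Blocking that server at the firewall makes it
unreachable, and the client fails over to the VPN-assigned server.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DnsServer:
    """A DNS server as the client sees it.

    reachable: False when the server is offline or a firewall drops the packets.
    zone:      names it will answer; a reachable server that lacks the name
               returns None, modelling "responds but does not return a query".
    """
    address: str
    reachable: bool = True
    zone: Dict[str, str] = field(default_factory=dict)

    def query(self, name: str) -> Optional[str]:
        return self.zone.get(name)


class StickyResolver:
    """Server list with the 'stick to the last responding server' rule."""

    def __init__(self) -> None:
        self.servers: List[DnsServer] = []
        self.current: Optional[DnsServer] = None   # last server that responded
        self.blocked: Set[str] = set()             # addresses a firewall rule drops

    def add_server(self, server: DnsServer, first: bool = False) -> None:
        # RRAS/DHCP pushes the VPN DNS to the top of the list; that is first=True.
        self.servers.insert(0, server) if first else self.servers.append(server)

    def _responds(self, s: DnsServer) -> bool:
        return s.reachable and s.address not in self.blocked

    def resolve(self, name: str) -> Optional[str]:
        # The sticky server is tried first; only if it fails to respond does the
        # client walk the configured list in order.
        candidates = [s for s in [self.current] if s] + \
                     [s for s in self.servers if s is not self.current]
        for s in candidates:
            if not self._responds(s):
                continue            # no response at all: try the next server
            self.current = s        # any response makes this server sticky
            return s.query(name)    # may be None: "responds but no answer"
        self.current = None
        return None

    def last_server_used(self) -> Optional[str]:
        return self.current.address if self.current else None


def walkthrough() -> Dict[str, Optional[str]]:
    """Replay the thread's scenario and return what the client observed at each step."""
    # Constructed sample data: the SOHO router's DNS on the client's LAN, and the
    # corporate DNS that RRAS hands out when the tunnel comes up.
    lan_dns = DnsServer("192.168.1.1", zone={"www.example.com": "203.0.113.10"})
    vpn_dns = DnsServer("10.10.0.53", zone={"intranet.example.corp": "10.10.5.20",
                                            "www.example.com": "203.0.113.10"})
    client = StickyResolver()
    client.add_server(lan_dns)
    before_vpn = client.resolve("www.example.com")   # LAN DNS answers and becomes sticky

    # VPN connects: the corporate DNS is inserted at the top of the list, but the
    # LAN DNS still responds, so internal names keep going to the wrong server.
    client.add_server(vpn_dns, first=True)
    internal_broken = client.resolve("intranet.example.corp")
    used_broken = client.last_server_used()

    # Bill's fix: the firewall denies VPN clients' DNS traffic to external servers.
    # The LAN DNS stops responding, so the client fails over to the VPN DNS.
    client.blocked.add(lan_dns.address)
    internal_fixed = client.resolve("intranet.example.corp")
    used_fixed = client.last_server_used()

    return {
        "before_vpn": before_vpn,
        "internal_broken": internal_broken,
        "server_used_while_broken": used_broken,
        "internal_fixed": internal_fixed,
        "server_used_after_fix": used_fixed,
    }


if __name__ == "__main__":
    for step, value in walkthrough().items():
        print(f"{step:26s} {value}")
```

The model deliberately treats "responds with no answer" and "responds with an answer" the same way for stickiness, which is the point of Joe's explanation: reordering the list does nothing while the old server is reachable, and only making it unreachable (a deny rule on the firewall, as Bill did) moves the client onto the VPN-assigned server.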

-----Original Message-----
From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx]
Sent: Wednesday, December 01, 2004 9:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: IP Address Assignment for VPN clients.

http://www.ISAserver.org

Hello,

I would like to use a real dhcp server so that the clients get
configured correctly. It has been my experience that when using the
static pool other dhcp options are not correctly configured. In
particular dns and wins servers do not get configured to override the
dhcp and wins servers that were configured prior to the VPN tunnel being
setup.

Bill 

-----Original Message-----
From: Joe Pochedley [mailto:joepochedley@xxxxxxxxx]
Sent: Wednesday, December 01, 2004 11:24 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: IP Address Assignment for VPN clients.

http://www.ISAserver.org

William,

If you want to use a separate address pool for the VPN connections, then
why don't you just set it up that way on the RRAS server?  The "static
pool" essentially acts like DHCP just for the VPN/RRAS clients...

Why do you want to complicate it more than necessary?

Joe Pochedley
A computer terminal is not some clunky old television with a typewriter
in front of it. It is an interface where the mind and body can connect
with the universe and move bits of it about. -Douglas Adams 

-----Original Message-----
From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx]
Sent: Wednesday, December 01, 2004 9:48 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] IP Address Assignment for VPN clients.

http://www.ISAserver.org

Hello,

When configuring a VPN server you are given two choices for address
assignment. The first is DHCP and the second is a static address pool.
When configured to use a static pool you can essentially assign any
subnet to the VPN network.  However if you want to use DHCP you are
required to choose a network adapter from which to assign addresses.

If you choose to use the Internal Interface then your VPN clients will
share the address space of the internal network. 

I would like to use DHCP for address assignment and still have the VPN
network setup in its own address space. However this does not seem to be
possible.  If I enable the DHCP relay agent on the VPN server and point
it at my DHCP server there is no way to tell the VPN interface when you
make your request "use this subnet". Instead it will use the subnet
associated with the adapter chosen on the IP property page.

If I am reading this correctly: Choosing a specific adapter is the only
way to configure the TCP/IP parameters of the VPN pseudo interface. In
other words it is the only way to decide on which subnet VPN clients will
use. 

Is there another way?  The only thing I can think to do is add another
network adapter to my server and use it as the configuration adapter.
However this complicates things quite a bit and will require changing my
ISA server's config quite a bit.

Is there a way to use DHCP and assign the IP subnet to a VPN interface
without using a "Real" Interface?

Thanks

Bill  

William Holmes (MCP)
Department of Computer Science
310 Upson Hall
Cornell University
Ithaca, NY 14853
wtholmes@xxxxxxxxxxxxxx
607 255-1757 (o) 607 227-6049 (c)
 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
JoePochedley@xxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
