I have come across many scenarios where admins were not sure how to do address assignment for their VPN clients with ISA Server 2006 as the VPN server. So I thought of clearing the air about this topic.
Note: For those who are still wondering what address assignment is, it is the assignment of IP addresses to the VPN clients that make VPN connections.
There are only two ways to do address assignment for VPN client access:
a. Use an internal DHCP server.
b. Use a static pool of IP addresses.
When we use the DHCP server option, the VPN clients are given a slot of the internal network's subnet. Internal network machines and VPN clients are then part of the same subnet, and you do not have any routing issues. In that case, however, you have to remove the slot given to VPN clients from the internal network address range in the ISA Server internal network properties. The best way to do that is to follow my post http://blogs.technet.com/sooraj-sec/archive/2009/12/04/setting-internal-network-address-ranges-as-per-the-routing-table-on-the-isa-server.aspx to create your internal network after using the DHCP server for address assignment for VPN client access, as it will use only the available addresses for the internal network.
In this scenario, let's assume that the internal network is 192.168.0.0-192.168.0.255 and you want to use the static pool option. In that case you have two ways to go about it.
1. Exclude the IP range that you are going to assign to VPN clients from the internal network address range. For example, if we are going to use 192.168.0.15-192.168.0.50 for VPN clients, we have to exclude this range from the internal network addresses, and the internal network address range then becomes 192.168.0.0-192.168.0.14 and 192.168.0.51-192.168.0.255.
2. Use an altogether different range for VPN clients, e.g. 10.0.0.0-10.0.0.25. ISA Server has a default network rule which provides a route relationship between VPN clients and the internal network. But for this to work, internal network clients must use the ISA Server as the route to send traffic back to these VPN clients.
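
The range arithmetic behind the two static-pool options, as an added example that is not from the original post: it computes which internal ranges remain after a VPN pool is carved out and reports whether a planned pool overlaps the internal network at all. The helper names `exclude_pool` and `overlaps` are hypothetical (not an ISA Server API), and the addresses are the post's sample values.

```python
from ipaddress import IPv4Address as IP

# Sample values from the post; ranges are inclusive (start, end) pairs.
INTERNAL = [("192.168.0.0", "192.168.0.255")]
POOL_INSIDE = ("192.168.0.15", "192.168.0.50")   # option 1: carved out of internal
POOL_SEPARATE = ("10.0.0.0", "10.0.0.25")        # option 2: different range


def overlaps(internal_ranges, pool):
    """True if the VPN pool shares any address with an internal range."""
    p_start, p_end = IP(pool[0]), IP(pool[1])
    return any(IP(s) <= p_end and p_start <= IP(e) for s, e in internal_ranges)


def exclude_pool(internal_ranges, pool):
    """Return the internal ranges that remain once the VPN pool is removed."""
    p_start, p_end = IP(pool[0]), IP(pool[1])
    if p_start > p_end:
        raise ValueError("pool start is above pool end")
    remaining = []
    for start, end in internal_ranges:
        s, e = IP(start), IP(end)
        if p_end < s or p_start > e:
            # Pool does not touch this range: keep it unchanged.
            remaining.append((str(s), str(e)))
            continue
        if s < p_start:
            # Addresses below the pool stay internal.
            remaining.append((str(s), str(p_start - 1)))
        if p_end < e:
            # Addresses above the pool stay internal.
            remaining.append((str(p_end + 1), str(e)))
    return remaining


if __name__ == "__main__":
    for pool in (POOL_INSIDE, POOL_SEPARATE):
        print("pool", pool, "overlaps internal:", overlaps(INTERNAL, pool))
        for rng in exclude_pool(INTERNAL, pool):
            print("  internal range to configure:", rng)
```
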