Address assignment for VPN client access with ISA server 2006


I have come across many scenarios where admins were not sure how to do address assignment for their VPN clients with ISA Server 2006 as the VPN server, so I thought I would clear the air on this topic.


Note: for those still wondering what address assignment is, it is the assignment of IP addresses to the VPN clients that make VPN connections.


There are only two ways to do address assignment for VPN client access:


a. Use an internal DHCP server.


b. Use a static pool of IP addresses.


DHCP server.


When you use the DHCP server option, a slice of an internal network subnet is handed out to VPN clients, so internal machines and VPN clients are part of the same subnet and there are no routing issues. However, you then have to remove the slice given to VPN clients from the internal network address range in the ISA Server internal network properties. The best way to do that is to follow my post http://blogs.technet.com/sooraj-sec/archive/2009/12/04/setting-internal-network-address-ranges-as-per-the-routing-table-on-the-isa-server.aspx to build your internal network after the DHCP server has been set up for VPN client address assignment, since that method only uses the addresses actually available to the internal network.


Static pool.


In this scenario, let us assume the internal network is 192.168.0.0-192.168.0.255 and you want to use the static pool option. You then have two ways to go about it.


1. Exclude the IP range that you are going to assign to VPN clients from the internal network address range. For example, if we are going to use 192.168.0.15-192.168.0.50 for VPN clients, we have to exclude this range from the internal network addresses, and the internal network address range then becomes 192.168.0.0-192.168.0.14 and 192.168.0.51-192.168.0.255.


2. Use an altogether different range for VPN clients, e.g. 10.0.0.0-10.0.0.25. ISA Server has a default network rule that provides a route relationship between the VPN clients network and the internal network, but for this to work, internal network hosts must route traffic back to these VPN client addresses through the ISA server.
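As an added example, which is not part of the original post and not anything ISA Server itself provides, the following Python script works out the two static-pool layouts just described. Given the internal network range and a proposed VPN pool in the post's `first-last` notation, it reports whether the pool is a carve-out from the internal range (in which case it computes the remaining internal network pieces you would have to configure) or a separate range (in which case internal hosts need a route back via the ISA server). The function names `parse_range`, `exclude_range` and `plan_vpn_pool` are my own; the sample ranges are the ones used in the post.

```python
from ipaddress import IPv4Address, ip_address


def parse_range(text):
    """Parse a 'first-last' range in the post's notation into an inclusive
    (first, last) pair of IPv4Address objects."""
    first_s, last_s = text.split("-")
    first, last = ip_address(first_s.strip()), ip_address(last_s.strip())
    if first > last:
        raise ValueError(f"range {text!r} runs backwards")
    return first, last


def format_range(r):
    """Render an inclusive (first, last) pair back into 'first-last' notation."""
    return f"{r[0]}-{r[1]}"


def exclude_range(network, excluded):
    """Return the pieces of `network` that remain after removing `excluded`.
    Both are inclusive (first, last) pairs; the result holds zero, one or
    two pieces depending on where the excluded block sits."""
    n_first, n_last = network
    x_first, x_last = excluded
    if x_last < n_first or x_first > n_last:  # no overlap: network untouched
        return [network]
    remaining = []
    if x_first > n_first:  # addresses below the excluded block survive
        remaining.append((n_first, IPv4Address(int(x_first) - 1)))
    if x_last < n_last:  # addresses above the excluded block survive
        remaining.append((IPv4Address(int(x_last) + 1), n_last))
    return remaining


def plan_vpn_pool(internal, pool):
    """Decide which static-pool layout a proposed VPN pool falls under.

    mode 'carve-out'       : pool lies inside the internal range; 'internal'
                             lists the ranges the Internal network must shrink to.
    mode 'separate-range'  : pool lies outside the internal range; the Internal
                             network is unchanged but internal hosts must route
                             back to the pool via the ISA server.
    A pool that only partly overlaps the internal range is rejected, since it
    fits neither layout."""
    internal_r, pool_r = parse_range(internal), parse_range(pool)
    disjoint = pool_r[1] < internal_r[0] or pool_r[0] > internal_r[1]
    if disjoint:
        return {"mode": "separate-range",
                "internal": [format_range(internal_r)],
                "route_via_isa": True}
    inside = internal_r[0] <= pool_r[0] and pool_r[1] <= internal_r[1]
    if not inside:
        raise ValueError("VPN pool only partly overlaps the internal network; "
                         "choose a pool fully inside or fully outside it")
    remaining = [format_range(r) for r in exclude_range(internal_r, pool_r)]
    return {"mode": "carve-out", "internal": remaining, "route_via_isa": False}


if __name__ == "__main__":
    # Constructed inputs matching the two options discussed in the post.
    for pool in ("192.168.0.15-192.168.0.50", "10.0.0.0-10.0.0.25"):
        print(pool, "->", plan_vpn_pool("192.168.0.0-192.168.0.255", pool))
```

Run it as-is and the first pool yields the two leftover internal ranges from option 1, while the second yields the unchanged internal range plus the route requirement from option 2. Feeding it a pool that straddles the edge of the internal range raises an error, which is the case neither option covers.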


Comments (2)

  1. Anonymous says:

    Hi SW,

    You have to make sure you are following the concept given here: blogs.technet.com/…/setting-internal-network-address-ranges-as-per-the-routing-table-on-the-isa-server.aspx

    to make this work. Make accurate maths of routes and subnets, and you should not have a problem.

  2. SW says:

    If you exclude addresses for your VPN clients from the Internal Network as stated above, ISA and TMG will generate errors that the excluded addresses are not represented in the range of addresses reachable through the interface, and that connections from these addresses will be dropped as spoofed. Your VPN clients will connect OK, but the firewall will randomly drop the connections.
