Using DHCP with ISA/VPN Server Clients
By Thomas W. Shinder, M.D.
One thing that happens when you talk (or write) too much is that you’re going to say something that isn’t entirely right. In fact, the beloved American President Teddy Roosevelt said that he would consider himself a genius if he were right half the time. While I think I do a bit better than a .500 average, sometimes I miss the mark.
That certainly has been the case with my writings on using DHCP to assign IP addressing information to VPN clients. I was under the impression (based on my testing) that you could not assign DHCP options to VPN clients that connect to an ISA/VPN server. Guess what? That is not correct, and the problem was related to my lab environment. What’s really crummy about having an error show up in lab testing is that I won’t even try to implement something in a production network if it doesn’t work in the lab, so I never took the time to see what would happen in production.
Fortunately, a good friend and Microsoft ISA Server MVP, Kai Wilke, informed me that DHCP options worked just fine for ISA/VPN clients. I told him that a very smart ISA Server guru told me why it doesn’t work, and that I had confirmed it in my own test lab. Kai said "Tom, test it again, because it does work".
I did test it again and Kai was right! You can use a DHCP server to assign DHCP options to ISA/VPN clients. The problem was related to the fact that I used VMware to construct my lab network and I configured all network segments to use VMware’s bridged networking. The problem with bridged networking is that any broadcast based protocols won’t be confined to a virtual network segment; the broadcasts will reach the physical network. In the case of my DHCP server testing, the ISA/VPN server was able to contact the physical DHCP server on the production network. This made it appear that DHCP options were not being obtained from the DHCP server.
There are some other details that explain the unholy confluence of factors that prevented things from working correctly, but the "take home lesson" is that you should take advantage of VMware’s "virtual networking" to virtually segment your subnets. This prevents problems with misinterpreting issues related to broadcast based protocols such as ARP, DHCP and NetBIOS. (The VMware virtual networks go from VMNet2 to VMNet7.)
Now let’s get to today’s mission. In this article we’ll go over:
Throughout this article we’ll be using the lab network configuration as noted in the graphic below. Note that the ISA Server’s internal interface and the DHCP server’s interface are on VMNet2 and the VPN client and external interface of the ISA Server are on a bridged network. This allows the ISA Server to connect to the Internet via an upstream ISA Server.
How the Windows 2000 RRAS Obtains IP Addressing Information for RAS clients
When the Windows 2000 RAS server is configured to use DHCP to assign IP addressing information to RAS clients (which includes VPN clients), the RAS server sends a request to the DHCP server and obtains a block of IP addresses. Any options the DHCP server sends to the RAS server are ignored and the RAS server caches the addresses it obtains. By default, the Windows 2000 RRAS service requests blocks of 10 addresses. You can change the default settings by changing the following Registry entry:
Value Name: InitialAddressPoolSize
Data Type: REG_DWORD
If a DHCP server isn’t available when RRAS starts up, the RRAS server will assign its clients addresses from the APIPA network (169.254.0.0/16). If this happens, VPN clients won’t be able to access the internal network unless your routers are configured to support VPN clients on this "autonet" network ID. I would advise against such a configuration.
While the RAS server’s default behavior is to grab blocks of 10 IP addresses, it will obtain fewer addresses if you configure fewer than 10 RAS ports. If the RAS server only requires 5 addresses, such as when you have 2 PPTP and 2 L2TP/IPSec ports (the server takes an address for itself), then it will only obtain 5 addresses from the DHCP server.
Once the RAS server obtains the addresses, it keeps track of the leases: when the lease was obtained, when the lease expires, and the TTL on the lease. The VPN client never directly communicates with the DHCP server. VPN clients can’t communicate with the DHCP server because DHCP is a broadcast based protocol and broadcasts aren’t passed from VPN clients to the remote network.
Then how do the VPN clients obtain name server addresses, such as WINS and DNS? The default setting is to configure the VPN clients with the WINS and DNS server addresses that are set on one of the interfaces of the RRAS server. If the RRAS server has multiple DNS or WINS server addresses on one of its interfaces, then the VPN client will be assigned all the addresses contained in the list.
Depending on what you want to accomplish, this might represent a major limitation. You might want to assign a custom set of DNS and WINS server addresses to the VPN clients. More importantly, you might want to assign a domain name to the VPN clients. The domain name is critically important, because the VPN clients append this name to unqualified DNS name resolution requests. Since most VPN clients aren’t members of the internal network domain (and therefore don’t have a primary domain name assigned to them), name resolution problems often arise.
The solution is to configure the DHCP Relay Agent on the ISA/VPN Server. When VPN clients running Windows 2000 and above connect to the ISA/VPN server, the client will send a DHCPInform message to the VPN server. The DHCP Relay Agent will forward the DHCPInform message to the DHCP server and the DHCP server will reply with DHCP options. The DHCP Relay Agent on the ISA/VPN server forwards the options to the VPN clients.
Install the DHCP Server and Configure the Scope
Now that you understand how DHCP clients get DHCP options from the DHCP server, let’s get down to business. The first step is to install the DHCP Server. We’ll configure a scope for the VPN clients to use after the DHCP server service is installed.
Perform the following steps on the DHCP Server:
- Click Start, point to Settings and click Control Panel.
- In the Control Panel, open the Add/Remove Programs applet.
- Click the Add/Remove Windows Components button on the left side of the Add/Remove Programs window.
- In the Windows Components dialog box, click on the Networking Services entry and click the Details button.
- In the Networking Details dialog box, put a checkmark in the Dynamic Host Configuration Protocol (DHCP) checkbox. Click OK.
- Click Next in the Windows Components dialog box. Click Finish on the Completing the Windows Components Wizard page.
You can create a DHCP scope for the VPN clients after the DHCP server service is installed. The DHCP clients must be configured with an "on subnet" address. You won’t be able to use DHCP to provide an off-subnet address because of how DHCP works. There’s no way you can direct the DHCP Relay Agent to "point" to a particular scope. Your scope should contain enough IP addresses to support all DHCP clients who will require an address from that scope.
- Click Start and point to Programs. Point to Administrative Tools and click DHCP.
- In the left pane of the DHCP console, right click on your server name and click the New Scope command.
- Click Next on the first page of the New Scope Wizard.
- Type a Name and Description for the scope on the Scope Name page. In this example we’ll call it VPN Clients and provide no description. Click Next.
- You put in the range of IP addresses used by the scope on the IP Address Range page. Type the first IP address in the range in the Start IP address text box and the last IP address in the range in the End IP address text box. Note that the subnet mask is already entered for you. You can change the subnet mask to meet your own subnetting requirements. Note that it won’t matter for VPN clients, because VPN clients always use a classful address. Click Next.
- In this example we entered a subset of addresses, rather than the entire range. Therefore, we won’t enter any exclusions. Click Next on the Add Exclusions page.
- You can set a lease duration on the Lease Duration page. The lease for the VPN clients isn’t important, since the clients will keep their IP address for the duration of the call. Click Next.
- Select the Yes, I want to configure these options now on the Configure DHCP Options page. Click Next.
- You can enter a default gateway on the Router (Default Gateway) page. VPN clients don’t recognize this option because the default route is determined by how you configure the VPN client. Click Next.
- You can enter a Parent domain and a DNS server address on the Domain Name and DNS Servers page. The parent domain entry is very important, since this is the name used to qualify unqualified requests the VPN clients might send when resolving names on your private network. Always enter a parent domain. Enter the IP address(es) of your DNS server(s) in the IP address text box and click OK after entering each one. Click Next.
- Type the IP address of your WINS server in the IP address text box on the WINS Server page. Click Add and then click Next.
- On the Activate Scope page, select the Yes, I want to activate the scope now option and click Next.
- Click Finish on the Completing the New Scope Wizard page.
Install ISA Server
Installing ISA Server is very straightforward. There are no specific configuration requirements to the ISA/VPN server during ISA Server software installation.
- Run the ISAAutorun.exe file on the ISA Server CD. Click the Install ISA Server link on the splash page.
- Click Continue on the Welcome page.
- Enter your CD Key on the CD Key page. Click OK. Click OK on the Product ID page.
- Click the I Agree button on the EULA page.
- Click the Full Installation button on the installation type page. You can always remove the components you don’t want later.
- In this example we are not working with an array, so we’ll select the Yes button on the array warning dialog box.
- On the mode page, select the Integrated mode option and click Continue.
- Click OK on the dialog box warning you that it must stop the W3SVC. Note that when you restart the computer, the W3SVC will restart.
- On the cache settings page, type in a size for your Web cache and click Set. Click OK.
- On the LAT page, click on the Construct Table button. Remove the checkmark from the Add the following private ranges checkbox. Put a checkmark in the checkbox that matches your internal interface. Click OK. Click OK on the dialog box informing you of how the LAT was configured. Click OK.
- Click OK in the Launch ISA Management Tools dialog box. Click OK on the dialog box that says everything worked out OK.
- Install ISA Server Service Pack 1 immediately. After Service Pack 1 is installed, I recommend that you install Feature Pack 1, although it’s not required.
Run the VPN Server Wizard
ISA Server has a VPN Server Wizard that makes it very easy to configure the machine as a VPN server. Since we have a DHCP server, the Wizard will take care of almost everything. However, you’ll see that there is a little bit of tweaking we need to do so that everything works correctly.
- Open the ISA Management console, expand your server name and right click on the Network Configuration node. Click on the Allow VPN client connections command.
- Click Next on the Welcome to the ISA Virtual Private Network Configuration Wizard page.
- Click Finish on the Completing the ISA VPN Server Configuration Wizard page. Click Yes to start the Routing and Remote Access Service.
The Routing and Remote Access service is started, but we have a couple things we need to do before connecting the VPN clients to the network.
- Click Start, point to Programs, point to Administrative Tools and click on Routing and Remote Access.
- In the Routing and Remote Access console, right click on the server name in the left pane of the console. Point to All Tasks and click on Restart. This will cause the RRAS server to obtain IP addresses, as seen in the packet trace below.
- If you open the DHCP console, you’ll be able to see the leases assigned to the RRAS server.
- In the Routing and Remote Access console, expand the IP Routing node in the left pane of the console and right click on the General node. Click on the New Routing Protocol command.
- In the New Routing Protocol dialog box, click on the DHCP Relay Agent entry and click OK. In the DHCP Relay Agent Properties dialog box, leave the default entries and click OK.
- Right click on the DHCP Relay Agent node in the left pane of the console and click the New Interface command. Select the Internal interface (this is an internal interface used by the RRAS server; it’s not the LAN interface of the ISA Server). Click OK.
- Right click on the DHCP Relay Agent node in the left pane of the console and click the Properties command. In the DHCP Relay Agent Properties dialog box, type in the IP address of the DHCP server in the Server address text box. Click Add. Click Apply and then click OK.
Configure the VPN Client and Connect
VPN client configuration varies with the version of Windows. In this example, we’re using Windows 2000 SP3. You can configure the VPN client by right clicking on the My Network Places icon on the desktop and clicking on the Properties command. In the Network and Dial-up Connections window, double click on the Make New Connection icon and follow the Wizard.
If you want things to work straight out of the box, you’ll use PPTP. If you want more information on L2TP/IPSec connections, check out ISA Server and Beyond and my articles on VPN connectivity over at www.isaserver.org/shinder.
Once you establish the VPN link, open a command prompt, type ipconfig /all and press ENTER. You’ll see a print out like what appears in the figure below. Notice that PPP adapter Virtual Private Connection is assigned a DNS suffix, a WINS address, a DNS address and a default gateway. The name servers and DNS suffix match the DHCP options created for the scope.
The network monitor trace below shows the DHCP Inform and DHCP ACK messages. You can see in the details pane the DHCP options delivered by the DHCP server to the VPN server. It’s the DHCP Relay Agent that makes it possible for the VPN client to get these DHCP options.
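The DHCPInform/DHCPACK exchange described in the DHCP Relay Agent discussion above and shown in this trace, modelled in Python as an added example. This is my own illustration, not code from the article, from Microsoft or from ISA Server: it builds the client’s DHCPINFORM, applies what the relay agent does to it (sets giaddr, bumps the hop count), has a toy DHCP server answer with the scope options, and decodes the options the way they would show up on the PPP adapter. The addresses (10.0.0.50 for the VPN client, 10.0.0.1 for the RRAS Internal interface, 10.0.0.2 for the DHCP server) and the domain name corp.example are constructed lab values, not taken from the article. The option parser also refuses packets whose option length runs past the end of the message, the check any relay or server implementation should make before trusting a client-supplied length field.

```python
# Added example: one DHCPINFORM walked through a DHCP Relay Agent to a DHCP server.
# Not from the article; all addresses and names below are constructed lab values.
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 cookie that follows the 236-byte BOOTP header

# Option codes (RFC 2132) that the article's scope hands out
OPT_ROUTER, OPT_DNS_SERVERS, OPT_DOMAIN_NAME, OPT_WINS_SERVERS = 3, 6, 15, 44
OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DHCPACK, DHCPINFORM = 5, 8
BOOTREQUEST, BOOTREPLY = 1, 2


def packed(ip):
    return ipaddress.IPv4Address(ip).packed


def build_dhcp_message(op, xid, ciaddr, giaddr, options):
    """Serialise a minimal DHCP message: fixed header, cookie, TLV options, END."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,            # op, htype=Ethernet, hlen, hops
        xid, 0, 0,              # xid, secs, flags
        packed(ciaddr),         # ciaddr: a DHCPINFORM client already has an address
        b"\0" * 4, b"\0" * 4,   # yiaddr, siaddr
        packed(giaddr),         # giaddr: 0.0.0.0 until a relay agent fills it in
        b"\0" * 16,             # chaddr: zeros (constructed; the PPP adapter has no real MAC)
        b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_options(msg):
    """Decode the option area into {code: raw_bytes}, refusing short or truncated packets."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (header too short or magic cookie missing)")
    options, i = {}, 240
    while i < len(msg):
        code = msg[i]
        if code == OPT_END:
            return options
        if code == 0:                  # PAD option carries no length byte
            i += 1
            continue
        if i + 1 >= len(msg):
            raise ValueError("option code without length byte")
        length = msg[i + 1]
        if i + 2 + length > len(msg):  # never trust a length that runs past the packet
            raise ValueError("option %d runs past end of packet" % code)
        options[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("option area not terminated by END")


def relay_to_server(msg, relay_ip):
    """What the DHCP Relay Agent does before unicasting a client request to its configured
    DHCP server: increment hops and, if giaddr is still 0.0.0.0, set it to the address of
    the interface the request arrived on (here the RRAS Internal interface)."""
    hops = msg[3] + 1
    giaddr = msg[24:28] if msg[24:28] != b"\0" * 4 else packed(relay_ip)
    return msg[:3] + bytes([hops]) + msg[4:24] + giaddr + msg[28:]


def server_answer_inform(request, scope_options, server_ip):
    """DHCP server side: answer a DHCPINFORM with a DHCPACK carrying the scope options
    but assigning no address (yiaddr stays 0); the reply is addressed back via giaddr."""
    if parse_options(request).get(OPT_MESSAGE_TYPE) != bytes([DHCPINFORM]):
        raise ValueError("expected a DHCPINFORM")
    xid = struct.unpack("!I", request[4:8])[0]
    ciaddr = str(ipaddress.IPv4Address(request[12:16]))
    giaddr = str(ipaddress.IPv4Address(request[24:28]))
    reply_options = [(OPT_MESSAGE_TYPE, bytes([DHCPACK])),
                     (OPT_SERVER_ID, packed(server_ip))] + list(scope_options)
    return build_dhcp_message(BOOTREPLY, xid, ciaddr, giaddr, reply_options)


def decode_scope_options(options):
    """Turn raw option bytes into the values ipconfig /all shows on the PPP adapter."""
    def addresses(raw):
        return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw) - 3, 4)]
    return {
        "dns_suffix": options.get(OPT_DOMAIN_NAME, b"").rstrip(b"\0").decode("ascii"),
        "dns": addresses(options.get(OPT_DNS_SERVERS, b"")),
        "wins": addresses(options.get(OPT_WINS_SERVERS, b"")),
        # a VPN client ignores the router option; its default route comes from the client config
        "router": addresses(options.get(OPT_ROUTER, b"")),
    }


def run_exchange():
    """Walk one DHCPINFORM through relay and server; return what each hop produced."""
    # Constructed lab values: client 10.0.0.50, relay (RRAS Internal) 10.0.0.1, DHCP 10.0.0.2
    scope_options = [(OPT_ROUTER, packed("10.0.0.1")),
                     (OPT_DOMAIN_NAME, b"corp.example"),
                     (OPT_DNS_SERVERS, packed("10.0.0.2")),
                     (OPT_WINS_SERVERS, packed("10.0.0.2"))]
    inform = build_dhcp_message(BOOTREQUEST, 0x1234abcd, "10.0.0.50", "0.0.0.0",
                                [(OPT_MESSAGE_TYPE, bytes([DHCPINFORM]))])
    relayed = relay_to_server(inform, "10.0.0.1")
    ack = server_answer_inform(relayed, scope_options, "10.0.0.2")
    return {"relay_giaddr": str(ipaddress.IPv4Address(relayed[24:28])),
            "relay_hops": relayed[3],
            "ack_type": parse_options(ack)[OPT_MESSAGE_TYPE][0],
            "client_sees": decode_scope_options(parse_options(ack))}


if __name__ == "__main__":
    print(run_exchange())
```

Running it prints the relayed giaddr (the RRAS Internal interface), the DHCPACK message type and the DNS suffix, DNS and WINS addresses the client ends up with, which is the same information the details pane of the trace shows. The point the relay step makes visible is that the DHCP server never sees the VPN client’s broadcast; it sees a unicast request tagged with the relay agent’s address, which is also why the relay agent must be bound to the RRAS Internal interface rather than the ISA Server’s LAN interface.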
If you go to the RRAS console and click on the DHCP Relay Agent node, you’ll see the Relay mode column change to Enabled after a VPN client makes a connection. You’ll also see the values change in the Requests received column. Notice that only a single request was received, but the response from the DHCP server is interpreted as a request by the console.
In this article we went over how you can use DHCP to assign IP addressing information to your VPN clients that connect to your ISA/VPN server. The advantage of using DHCP over a static address pool is that you can assign DHCP options to your VPN clients.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001377 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom