
How to get internet access for VPN users with ISA?

Status
Not open for further replies.

dmandell

MIS
Sep 26, 2002
Here's the setup.
ISA2000 server with RRAS running.
The server has two interfaces,
one trusted on internal LAN,
one untrusted with routable address.

Here's what works.
1. all internal PCs can route to internet through ISA server.
2. All external VPN clients can connect through ISA server VPN and access internal PCs.

Here's what doesn't work.
1. all external VPN clients cannot route out to the internet through the ISA server while using the VPN.

Here are several things I have looked into that you all will ask about.

1. In RRAS "Enable this computer as LAN and demand dial router" is ticked.

2. In RRAS both "enable IP Routing" and "Allow IP based remote access and demand dial connections" are ticked.

3. On the VPN client, "Use default Gateway on remote network" is ticked, because we DO want the clients to route through the ISA server for all access while attached to the VPN.

4. Setting the VPN client to be a proxy client to the ISA server internal address for web browsing will not work because we need to route more than just Web traffic through the ISA server. (e.g. DNS for the VPN clients is external.)

Please let me know if you have any ideas how to make this work.
Thanks!
Dana
 
Open Network Connections
Right click VPN connection
Properties>Networking tab>TCP/IP>Advanced Tab
uncheck "Use default gateway on remote gateway"

 
Matt,
thanks for the thought.
The whole point WAS to route the internet traffic through the ISA firewall. Unchecking the option you suggested would allow a VPN user to browse from his local internet connection.

The answer, for those that ever want to do this, is to install the ISA client on the remote user's PC.

Although routing without it seemed possible in theory,
the only way the Microsoft techs could get it to work was in this manner.

Consider this thread closed, y'all! :)
(can I give myself a star?)

thanks for replying to this issue.

Dana
 