Configuring Virtual Private Networks for Remote Clients and Networks

How to Configure VPN Address Assignment
When VPN clients connect to the VPN server, they must be assigned an IP address configuration that enables them to access the resources on the internal network or other networks. ISA Server can be configured to assign the IP address configuration directly, or to use a Dynamic Host Configuration Protocol (DHCP) server to assign the addresses.

When you use DHCP, VPN clients are assigned IP addresses that are part of the internal network subnet. The advantage of this addressing scheme is that you do not need to create special routing table entries to support the VPN clients, and all VPN clients will automatically be able to access the internal network and the Internet (using the protocols specified in the access rules). In this configuration, ISA Server acts as an Address Resolution Protocol (ARP) proxy for VPN clients. For example, when addresses assigned to the VPN Clients network are part of the internal network segment, computers on the internal network will send ARP queries for VPN clients. ISA Server will intercept the queries and reply on behalf of the connected VPN client. The network traffic will then be transparently routed to the VPN client.

Assigning IP Addresses to VPN Clients
When VPN clients connect to ISA Server, the client must be assigned an IP address.
There are two ways that ISA Server can assign the addresses:
1- Dynamic address assignment. To enable dynamic address assignment, a DHCP server must be accessible from the computer running ISA Server. Any computer running Windows Server 2003 or Windows 2000 Server on the internal network can serve as the DHCP server. If you use a DHCP server for address assignment, ISA Server retrieves a group of available IP addresses from the DHCP server. When a VPN client connects, ISA Server assigns one of these addresses to the VPN client. As part of the IP address assignment, ISA Server also assigns other TCP/IP properties such as the Domain Name System (DNS) servers and Windows Internet Naming Service (WINS) servers. The IP address assigned to the client is automatically moved from the internal network to the VPN Clients network (or to the Quarantined VPN Clients network if quarantine is enabled and the client is quarantined).

2- Static address assignment. You can also configure ISA Server with a static pool of addresses to assign to VPN clients. In this configuration, you do not need a DHCP server; instead, you configure the IP addresses on the computer running ISA Server. When a client connects, ISA Server assigns one of the IP addresses to the VPN client. If you use a static address pool for address assignment, the addresses that you want to assign to the pool must first be removed from other defined networks, because overlapping IP addresses between networks are not allowed. You must also provide one more IP address in the static address pool than the expected number of remote VPN connections, because the VPN interface on ISA Server itself requires an IP address.
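The two rules for a static pool (no overlap with any other defined network, and one spare address for the ISA Server VPN interface) are easy to get wrong when networks are defined as address ranges rather than subnets. The following script, an added example and not part of ISA Server or the original text, checks a proposed pool against a constructed set of network definitions; the network names and address ranges are sample values, and the check is a pre-configuration sanity test rather than anything ISA Server performs itself.

```python
"""Validate a proposed static VPN address pool before entering it in ISA Server.

Added example (not ISA Server code). It encodes the two rules from the text:
  1. the pool must not overlap any other defined network, and
  2. the pool needs expected_connections + 1 addresses (one for the VPN
     interface on ISA Server).
"""
import ipaddress
from typing import Dict, List, Tuple

AddrRange = Tuple[str, str]  # inclusive (first, last) IPv4 address, as ISA Server defines ranges

# Constructed sample: networks already defined on the ISA Server computer.
DEFINED_NETWORKS: Dict[str, List[AddrRange]] = {
    "Internal": [("10.0.0.1", "10.0.0.254")],
    "Perimeter": [("192.168.50.1", "192.168.50.254")],
}


def _bounds(r: AddrRange) -> Tuple[int, int]:
    """Convert an inclusive (first, last) range to integer bounds, validating order."""
    lo, hi = (int(ipaddress.IPv4Address(x)) for x in r)
    if hi < lo:
        raise ValueError(f"range {r[0]}-{r[1]} ends before it starts")
    return lo, hi


def ranges_overlap(a: AddrRange, b: AddrRange) -> bool:
    """True if the two inclusive ranges share at least one address."""
    a_lo, a_hi = _bounds(a)
    b_lo, b_hi = _bounds(b)
    return a_lo <= b_hi and b_lo <= a_hi


def pool_size(pool: AddrRange) -> int:
    """Number of addresses in an inclusive range."""
    lo, hi = _bounds(pool)
    return hi - lo + 1


def validate_static_pool(
    pool: AddrRange,
    expected_connections: int,
    networks: Dict[str, List[AddrRange]] = DEFINED_NETWORKS,
) -> List[str]:
    """Return a list of problems; an empty list means the pool is acceptable."""
    problems: List[str] = []

    # Rule 1: overlap with any other defined network is not allowed.
    for name, ranges in networks.items():
        for r in ranges:
            if ranges_overlap(pool, r):
                problems.append(
                    f"pool overlaps the {name} network range {r[0]}-{r[1]}; "
                    "remove those addresses from that network first"
                )

    # Rule 2: one address per expected client plus one for the VPN interface.
    needed = expected_connections + 1
    size = pool_size(pool)
    if size < needed:
        problems.append(
            f"pool holds {size} addresses but {needed} are needed "
            f"({expected_connections} clients + 1 for the ISA Server VPN interface)"
        )
    return problems


if __name__ == "__main__":
    # Constructed candidates: one clean, one overlapping Internal, one too small.
    for candidate, clients in [
        (("10.0.1.1", "10.0.1.50"), 20),
        (("10.0.0.200", "10.0.0.220"), 10),
        (("10.0.1.1", "10.0.1.10"), 10),
    ]:
        result = validate_static_pool(candidate, clients)
        print(candidate, clients, "OK" if not result else result)
```

Each run reports either "OK" or the specific rule the candidate pool violates; a pool that overlaps an existing network and is also too small produces both messages, so the administrator sees every adjustment needed before touching the ISA Server configuration.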

Configuring Dial-In Permissions in Active Directory
In addition to configuring ISA Server to enable VPN connections, you must also configure Active Directory user accounts to enable dial-in permissions for those accounts. Until this is configured, users will be unable to connect to ISA Server using a VPN. The default user account configuration in Active Directory varies depending on the domain being used to authenticate users.

1- In Windows 2000 mixed-mode domains, or in Windows Server 2003 domains at the Windows 2000 mixed-functional level, all user accounts have dial-in access disabled by default. You must enable dial-in access on a per-account basis for these Active Directory domains.

2- In Windows 2000 native-mode domains, or in Windows Server 2003 domains at the Windows 2000 native or Windows Server 2003 functional levels, all user accounts, by default, have dial-in access controlled by Remote Access Policy. You can control dial-in access simply by modifying the remote access policy.

3- Windows NT 4.0 domains always have dial-in access controlled on a per-user account basis.
