Server is a Compaq Proliant ML350G with Windows 2000 Server SP 4. It runs
Routing and Remote Access, ISA Server, and functions as a backup DNS server.
It is the gateway server for our LAN. It has 2 NICs. One named INSIDE and one
named OUTSIDE.
The inside NIC is HP NC7760 Gigabit NI Adapter. It is on subnet 10.0.0.x,
subnet mask 255.255.255.0, no gateway is set. DNS Primary is pointed to the
router at 192.168.6.1, and secondary is pointed to itself at 10.0.0.5.
Outside NIC is a 3COM Etherlink XL 10/100 with an IP address of 192.168.6.3.
Subnet mask of 255.255.255.0 ... Its gateway is the router.
The router is a Hotbrick Load Balancer at 192.168.6.1 subnet mask
255.255.255.0 ... This is the router that I need to use to give DHCP in the
192 range. The DHCP on the 10.0.0.0 subnet is handed out by a member server
inside the LAN ... NOT by the server that runs ISA and RRA
You say that the router is the Hotbrick LB, but isn't the
Windows Server a router (NAT/ISA) too?
Or are you plugging both NICs into the same segment
(same VLAN etc) instead?
If you have multiple DHCP servers on the same BROADCAST
segment then they will distribute addresses promiscuously,
and the clients will generally accept the first offer.
If the above isn't clear -- then give me a diagram of your net
(text is fine).
e.g.: HotBrickLB---Server--others (whatever is right)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment
I took ISA offline too. I had both RRA and ISA Services shut off when I did
it last. Still getting IPs though.
Describe your hardware because that (definitely
now) makes no sense.
You cannot get broadcasts across a non-RRAS
Windows server (you could with DHCP relay or
bootp forwarding but even then they should be subnet
specific).
Your DHCP server should ONLY hand out addresses
from a scope that matches its SPECIFIC NIC IP
on that SAME (Specific) NIC.
You haven't created a "Superscope" on DHCP?
(That really shouldn't have this effect and would
definitely be wrong but it's the closest thing I can
think of.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment
OK, Herb, at night I shut down Routing and Remote Access and Microsoft ISA
services on the gateway server. Clients on the "inside" 10.0.x.x network were
still able to pick up a 192.168.6.x IP address from the router through the
gateway server. Any other ideas why they could be getting these addresses?
If RRAS is not running it seems to be an ISA
problem and posting on the ISA list SHOULD
get you some truly expert help.
I would just be hacking.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment
"Scott Ford" <[email protected]> wrote in message
Thanks for the reply Herb. I do not have a DHCP relay installed in the ISA
config. I do have Routing and Remote access enabled and a VPN client can get
an IP address in the 10.0.x.x range.
Relay Agent is an element (only one of many) of RRAS.
RRAS and ISA are antagonistic to each other in many
ways and having them both enabled MAY (not always,
depends on the specific features) cause interference
which includes strange behavior.
Could this be allowing ISA to broadcast DHCP requests back to the external
interface? I have a friend who feels like it could, so during the night I
will try shutting down R&RA to see if an internal client can still get an
external address. I can't find anything else on the ISA server that could be
broadcasting bridged DHCP requests.
I personally have a love/hate relationship with ISA,
otherwise I would probably be an ISA MVP too.
ISA is a fantastic product in theory, but has shown
too many inconsistencies and strange dependencies
to make me comfortable -- I do run it on some machines
but have a lot of trouble recommending it wholeheartedly
and find it problematic to troubleshoot due
to its erratic and unpredictable behavior at times.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment
"Scott Ford" <[email protected]> wrote in message
I have a Windows 2K ISA server as a gateway. It's set up standard with an
inside and an outside NIC. Inside is on 10.0.x.x range. Outside NIC IP range
is 192.168.1.x. I want to put a wireless access point on the outside range
and have my router serving DHCP to 192.168.1.x ... I would like this to NOT
interfere with the DHCP server I have on the inside range that is serving
DHCP to 10.0.x.x ... I have tried this a couple times, but always find
clients on the inside still receive IP addresses in the 192 range.
That should never happen in DHCP (it could be some weird
issue with ISA but I doubt it; you can ask about that on the
ISA newsgroup.)
A DHCP server should ONLY hand out IP addresses for the
scope(s) which match its NICs (if directly connected to the
requesting clients) AND to the scopes which match remote
subnets if forwarded by a DHCP relay or Bootp forwarder.
There is no reason a basic DHCP server would ever hand
out 192.x scope addresses on its 10.net NIC or vice versa.
I have tried blocking UDP ports 67 and 68 at the ISA server, but it isn't
stopping the problem. What's the best solution for this?
Make sure the ISA is not acting as a DHCP relay or
BootP forwarder but it should NOT be doing that
as a DHCP server cannot also be a forwarder (in the
docs that I have read, but of course I have never
tried it since it makes no sense.)
Does ISA think that 192.168 machines are INTERNAL or
EXTERNAL? (As described it sounds like they should
NOT be internally defined.)
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
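
The scope rule described in this thread can be checked from a client on the inside segment by inspecting the DHCPOFFERs it receives. The following is an added example, not code from any poster in the thread: it parses an offer and reports when the offered address is outside 10.0.0.0/24 or the server is not the expected one, and uses giaddr to tell a relayed offer from one that arrived on the same broadcast segment. The packets are constructed sample data and 10.0.0.10 is a hypothetical address for the inside member server.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header
INSIDE = ipaddress.ip_network("10.0.0.0/24")       # inside subnet from the thread
AUTHORISED = {ipaddress.IPv4Address("10.0.0.10")}  # hypothetical member-server address

def build_offer(yiaddr, server_id, giaddr="0.0.0.0"):
    """Construct a minimal DHCPOFFER (sample data for this example only)."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0)  # op=BOOTREPLY, Ethernet
    hdr += ip("0.0.0.0") + ip(yiaddr) + ip(server_id) + ip(giaddr)  # ciaddr yiaddr siaddr giaddr
    hdr += bytes(16 + 64 + 128)  # chaddr, sname and file left zeroed
    return hdr + MAGIC + b"\x35\x01\x02" + b"\x36\x04" + ip(server_id) + b"\xff"

def parse_offer(pkt):
    """Return (yiaddr, giaddr, server_id) for a DHCPOFFER, or None for anything else."""
    if len(pkt) < 240 or pkt[0] != 2 or pkt[236:240] != MAGIC:
        return None
    yiaddr = ipaddress.IPv4Address(pkt[16:20])
    giaddr = ipaddress.IPv4Address(pkt[24:28])
    opts, i, found = pkt[240:], 0, {}
    while i < len(opts) and opts[i] != 255:   # 255 = end option
        if opts[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            return None                       # truncated option list
        code, length = opts[i], opts[i + 1]
        found[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    if found.get(53) != b"\x02" or len(found.get(54, b"")) != 4:
        return None                           # not an OFFER, or no server identifier
    return yiaddr, giaddr, ipaddress.IPv4Address(found[54])

def check_offer(pkt, segment, authorised):
    """List reasons an offer seen on `segment` is unexpected (empty list = fine)."""
    parsed = parse_offer(pkt)
    if parsed is None:
        return ["not a DHCPOFFER"]
    yiaddr, giaddr, server = parsed
    problems = []
    if yiaddr not in segment:
        problems.append(f"offered {yiaddr} is outside {segment}")
    if server not in authorised:
        path = f"relayed via {giaddr}" if int(giaddr) else "no relay, so it shares this broadcast segment"
        problems.append(f"server {server} is not authorised ({path})")
    return problems
```
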