DHCP Inside / Outside

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have a Windows 2K ISA server as a gateway. Its set up standard with an
inside and an outside NIC. Inside is on 10.0.x.x range. Outside NIC IP range
is 192.168.1.x. I want to put a wireless access point on the outside range
and have my router serving DHCP to 192.168.1.x ... I would like this to NOT
interfere with the DHCP server I have on the inside range that is serving
DHCP to 10.0.x.x ... I have tried this a couple times, but always find
clients on the inside still receive IP addresses inthe 192 range. I have
tried blocking UDP ports 67 and 68 at the ISA server, but it isnt stopping
the problem. Whats the best solution for this?
 
Scott Ford said:
I have a Windows 2K ISA server as a gateway. Its set up standard with an
inside and an outside NIC. Inside is on 10.0.x.x range. Outside NIC IP
range
is 192.168.1.x. I want to put a wireless access point on the outside
range
and have my router serving DHCP to 192.168.1.x ... I would like this to
NOT
interfere with the DHCP server I have on the inside range that is serving
DHCP to 10.0.x.x ... I have tried this a couple times, but always find
clients on the inside still receive IP addresses inthe 192 range.

That should never happen in DHCP (it could be some weird
issue with ISA but I doubt it; you can ask about that on the ISA
newsgroup.)

A DHCP server should ONLY hand out IP addresses for the
scope(s) which match it's NICs (if directly connected to the
requesting clients) AND to the scopes which match remote
subnets if forwarded by a DHCP relay or Bootp forwarder.

There is no reason a basic DHCP server would ever hand
out 192.x scope addresses on it's 10.net NIC or vice versa.

I have
tried blocking UDP ports 67 and 68 at the ISA server, but it isnt stopping
the problem. Whats the best solution for this?

Make sure the ISA is not acting as a DHCP relay or
BootP forwarder but it should NOT be doing that
as a DHCP server cannot also be a forwarder (in the
docs that I have read, but of course I have never
tried it since it makes no sense.)

Does ISA think that 192.168 machines are INTERNAL or
EXTERNAL? (As described it sounds like they should
NOT be internally defined.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Thanks for the reply Herb. I do not have a DHCP relay installed in the ISA
config. I do have Routing and Remote access enabled and a VPN client can get
an IP address in teh 10.0.x.x range. Could this be allowing ISA to broadcast
DHCP requests back to the external interface? I have a friend who feels like
it could, so during the night i will try shutting down R&RA to see if an
internal client can still get an external address. I cant find anything else
on the ISA server that could be broadcasting bridged DHCP requests.
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
Scott Ford said:
I have a Windows 2K ISA server as a gateway. Its set up standard with an
inside and an outside NIC. Inside is on 10.0.x.x range. Outside NIC IP
range
is 192.168.1.x. I want to put a wireless access point on the outside
range
and have my router serving DHCP to 192.168.1.x ... I would like this to
NOT
interfere with the DHCP server I have on the inside range that is serving
DHCP to 10.0.x.x ... I have tried this a couple times, but always find
clients on the inside still receive IP addresses inthe 192 range.

That should never happen in DHCP (it could be some weird
issue with ISA but I doubt it; you can ask about that on the ISA
newsgroup.)

A DHCP server should ONLY hand out IP addresses for the
scope(s) which match it's NICs (if directly connected to the
requesting clients) AND to the scopes which match remote
subnets if forwarded by a DHCP relay or Bootp forwarder.

There is no reason a basic DHCP server would ever hand
out 192.x scope addresses on it's 10.net NIC or vice versa.

I have
tried blocking UDP ports 67 and 68 at the ISA server, but it isnt stopping
the problem. Whats the best solution for this?

Make sure the ISA is not acting as a DHCP relay or
BootP forwarder but it should NOT be doing that
as a DHCP server cannot also be a forwarder (in the
docs that I have read, but of course I have never
tried it since it makes no sense.)

Does ISA think that 192.168 machines are INTERNAL or
EXTERNAL? (As described it sounds like they should
NOT be internally defined.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Scott Ford said:
Thanks for the reply Herb. I do not have a DHCP relay installed in the ISA
config. I do have Routing and Remote access enabled and a VPN client can
get
an IP address in teh 10.0.x.x range.

Relay Agent is an element (only one of many) of RRAS.

RRAS and ISA are antagonistic to each other in many
ways and having them both enabled MAY (not always,
depends on the specific features) cause interference
which includes strange behavior.
Could this be allowing ISA to broadcast
DHCP requests back to the external interface? I have a friend who feels
like
it could, so during the night i will try shutting down R&RA to see if an
internal client can still get an external address. I cant find anything
else
on the ISA server that could be broadcasting bridged DHCP requests.

I personally have a love/hate relationship with ISA,
otherwise I would probably be an ISA MVP too.

ISA is a fantastic product in theory, but has shown
too many inconsistencies and strange dependencies
to make me comfortable -- I do run it on some machines
but have a lot of trouble recommending it whole
heartedly and find it problematic to troubleshoot due
to it's erractice and unpredicatable behavior at times.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
message
I have a Windows 2K ISA server as a gateway. Its set up standard with an
inside and an outside NIC. Inside is on 10.0.x.x range. Outside NIC IP
range
is 192.168.1.x. I want to put a wireless access point on the outside
range
and have my router serving DHCP to 192.168.1.x ... I would like this
to
NOT
interfere with the DHCP server I have on the inside range that is
serving
DHCP to 10.0.x.x ... I have tried this a couple times, but always find
clients on the inside still receive IP addresses inthe 192 range.

That should never happen in DHCP (it could be some weird
issue with ISA but I doubt it; you can ask about that on the ISA
newsgroup.)

A DHCP server should ONLY hand out IP addresses for the
scope(s) which match it's NICs (if directly connected to the
requesting clients) AND to the scopes which match remote
subnets if forwarded by a DHCP relay or Bootp forwarder.

There is no reason a basic DHCP server would ever hand
out 192.x scope addresses on it's 10.net NIC or vice versa.

I have
tried blocking UDP ports 67 and 68 at the ISA server, but it isnt
stopping
the problem. Whats the best solution for this?

Make sure the ISA is not acting as a DHCP relay or
BootP forwarder but it should NOT be doing that
as a DHCP server cannot also be a forwarder (in the
docs that I have read, but of course I have never
tried it since it makes no sense.)

Does ISA think that 192.168 machines are INTERNAL or
EXTERNAL? (As described it sounds like they should
NOT be internally defined.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
OK, Herb, at night I shut down Routing and Remote Access and Microsoft ISA
services on the gateway server. Cients on the "inside" 10.0.x.x network were
still able to pick up a 192.168.6.x IP address from the router through the
gateway server. Any other ideas why they could be getting these addresses.
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
Scott Ford said:
Thanks for the reply Herb. I do not have a DHCP relay installed in the ISA
config. I do have Routing and Remote access enabled and a VPN client can
get
an IP address in teh 10.0.x.x range.

Relay Agent is an element (only one of many) of RRAS.

RRAS and ISA are antagonistic to each other in many
ways and having them both enabled MAY (not always,
depends on the specific features) cause interference
which includes strange behavior.
Could this be allowing ISA to broadcast
DHCP requests back to the external interface? I have a friend who feels
like
it could, so during the night i will try shutting down R&RA to see if an
internal client can still get an external address. I cant find anything
else
on the ISA server that could be broadcasting bridged DHCP requests.

I personally have a love/hate relationship with ISA,
otherwise I would probably be an ISA MVP too.

ISA is a fantastic product in theory, but has shown
too many inconsistencies and strange dependencies
to make me comfortable -- I do run it on some machines
but have a lot of trouble recommending it whole
heartedly and find it problematic to troubleshoot due
to it's erractice and unpredicatable behavior at times.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
message
I have a Windows 2K ISA server as a gateway. Its set up standard with an
inside and an outside NIC. Inside is on 10.0.x.x range. Outside NIC IP
range
is 192.168.1.x. I want to put a wireless access point on the outside
range
and have my router serving DHCP to 192.168.1.x ... I would like this
to
NOT
interfere with the DHCP server I have on the inside range that is
serving
DHCP to 10.0.x.x ... I have tried this a couple times, but always find
clients on the inside still receive IP addresses inthe 192 range.

That should never happen in DHCP (it could be some weird
issue with ISA but I doubt it; you can ask about that on the ISA
newsgroup.)

A DHCP server should ONLY hand out IP addresses for the
scope(s) which match it's NICs (if directly connected to the
requesting clients) AND to the scopes which match remote
subnets if forwarded by a DHCP relay or Bootp forwarder.

There is no reason a basic DHCP server would ever hand
out 192.x scope addresses on it's 10.net NIC or vice versa.


I have
tried blocking UDP ports 67 and 68 at the ISA server, but it isnt
stopping
the problem. Whats the best solution for this?

Make sure the ISA is not acting as a DHCP relay or
BootP forwarder but it should NOT be doing that
as a DHCP server cannot also be a forwarder (in the
docs that I have read, but of course I have never
tried it since it makes no sense.)

Does ISA think that 192.168 machines are INTERNAL or
EXTERNAL? (As described it sounds like they should
NOT be internally defined.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Scott Ford said:
OK, Herb, at night I shut down Routing and Remote Access and Microsoft ISA
services on the gateway server. Cients on the "inside" 10.0.x.x network
were
still able to pick up a 192.168.6.x IP address from the router through the
gateway server. Any other ideas why they could be getting these addresses.

If RRAS is not running it seems to be an ISA
problem and posting on the ISA list SHOULD
get you some truly expert help.

I would just be hacking.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Scott Ford said:
OK, Herb, at night I shut down Routing and Remote Access and Microsoft ISA
services on the gateway server. Cients on the "inside" 10.0.x.x network
were
still able to pick up a 192.168.6.x IP address from the router through the
gateway server. Any other ideas why they could be getting these addresses.
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
message
Thanks for the reply Herb. I do not have a DHCP relay installed in the
ISA
config. I do have Routing and Remote access enabled and a VPN client
can
get
an IP address in teh 10.0.x.x range.

Relay Agent is an element (only one of many) of RRAS.

RRAS and ISA are antagonistic to each other in many
ways and having them both enabled MAY (not always,
depends on the specific features) cause interference
which includes strange behavior.
Could this be allowing ISA to broadcast
DHCP requests back to the external interface? I have a friend who feels
like
it could, so during the night i will try shutting down R&RA to see if
an
internal client can still get an external address. I cant find anything
else
on the ISA server that could be broadcasting bridged DHCP requests.

I personally have a love/hate relationship with ISA,
otherwise I would probably be an ISA MVP too.

ISA is a fantastic product in theory, but has shown
too many inconsistencies and strange dependencies
to make me comfortable -- I do run it on some machines
but have a lot of trouble recommending it whole
heartedly and find it problematic to troubleshoot due
to it's erractice and unpredicatable behavior at times.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment


:

message
I have a Windows 2K ISA server as a gateway. Its set up standard with
an
inside and an outside NIC. Inside is on 10.0.x.x range. Outside NIC
IP
range
is 192.168.1.x. I want to put a wireless access point on the
outside
range
and have my router serving DHCP to 192.168.1.x ... I would like
this
to
NOT
interfere with the DHCP server I have on the inside range that is
serving
DHCP to 10.0.x.x ... I have tried this a couple times, but always
find
clients on the inside still receive IP addresses inthe 192 range.

That should never happen in DHCP (it could be some weird
issue with ISA but I doubt it; you can ask about that on the ISA
newsgroup.)

A DHCP server should ONLY hand out IP addresses for the
scope(s) which match it's NICs (if directly connected to the
requesting clients) AND to the scopes which match remote
subnets if forwarded by a DHCP relay or Bootp forwarder.

There is no reason a basic DHCP server would ever hand
out 192.x scope addresses on it's 10.net NIC or vice versa.


I have
tried blocking UDP ports 67 and 68 at the ISA server, but it isnt
stopping
the problem. Whats the best solution for this?

Make sure the ISA is not acting as a DHCP relay or
BootP forwarder but it should NOT be doing that
as a DHCP server cannot also be a forwarder (in the
docs that I have read, but of course I have never
tried it since it makes no sense.)

Does ISA think that 192.168 machines are INTERNAL or
EXTERNAL? (As described it sounds like they should
NOT be internally defined.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
I took ISA offline too. I had both RRA and ISA Services shut off when i did
it last. Still getting IP's though.
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
Scott Ford said:
OK, Herb, at night I shut down Routing and Remote Access and Microsoft ISA
services on the gateway server. Cients on the "inside" 10.0.x.x network
were
still able to pick up a 192.168.6.x IP address from the router through the
gateway server. Any other ideas why they could be getting these addresses.

If RRAS is not running it seems to be an ISA
problem and posting on the ISA list SHOULD
get you some truly expert help.

I would just be hacking.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Scott Ford said:
OK, Herb, at night I shut down Routing and Remote Access and Microsoft ISA
services on the gateway server. Cients on the "inside" 10.0.x.x network
were
still able to pick up a 192.168.6.x IP address from the router through the
gateway server. Any other ideas why they could be getting these addresses.
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
message
Thanks for the reply Herb. I do not have a DHCP relay installed in the
ISA
config. I do have Routing and Remote access enabled and a VPN client
can
get
an IP address in teh 10.0.x.x range.

Relay Agent is an element (only one of many) of RRAS.

RRAS and ISA are antagonistic to each other in many
ways and having them both enabled MAY (not always,
depends on the specific features) cause interference
which includes strange behavior.

Could this be allowing ISA to broadcast
DHCP requests back to the external interface? I have a friend who feels
like
it could, so during the night i will try shutting down R&RA to see if
an
internal client can still get an external address. I cant find anything
else
on the ISA server that could be broadcasting bridged DHCP requests.

I personally have a love/hate relationship with ISA,
otherwise I would probably be an ISA MVP too.

ISA is a fantastic product in theory, but has shown
too many inconsistencies and strange dependencies
to make me comfortable -- I do run it on some machines
but have a lot of trouble recommending it whole
heartedly and find it problematic to troubleshoot due
to it's erractice and unpredicatable behavior at times.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

message
I have a Windows 2K ISA server as a gateway. Its set up standard with
an
inside and an outside NIC. Inside is on 10.0.x.x range. Outside NIC
IP
range
is 192.168.1.x. I want to put a wireless access point on the
outside
range
and have my router serving DHCP to 192.168.1.x ... I would like
this
to
NOT
interfere with the DHCP server I have on the inside range that is
serving
DHCP to 10.0.x.x ... I have tried this a couple times, but always
find
clients on the inside still receive IP addresses inthe 192 range.

That should never happen in DHCP (it could be some weird
issue with ISA but I doubt it; you can ask about that on the ISA
newsgroup.)

A DHCP server should ONLY hand out IP addresses for the
scope(s) which match it's NICs (if directly connected to the
requesting clients) AND to the scopes which match remote
subnets if forwarded by a DHCP relay or Bootp forwarder.

There is no reason a basic DHCP server would ever hand
out 192.x scope addresses on it's 10.net NIC or vice versa.


I have
tried blocking UDP ports 67 and 68 at the ISA server, but it isnt
stopping
the problem. Whats the best solution for this?

Make sure the ISA is not acting as a DHCP relay or
BootP forwarder but it should NOT be doing that
as a DHCP server cannot also be a forwarder (in the
docs that I have read, but of course I have never
tried it since it makes no sense.)

Does ISA think that 192.168 machines are INTERNAL or
EXTERNAL? (As described it sounds like they should
NOT be internally defined.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Scott Ford said:
I took ISA offline too. I had both RRA and ISA Services shut off when i did
it last. Still getting IP's though.

Describe your hardware because that (definitely
now) makes no sense.

You cannot get broadcasts across a non-RRAS
Windows server (you could with DHCP relay or
bootp forwardig but even then they should be subnet
specific).

Your DHCP server should ONLY had out addresses
from a scope that matches it's SPECIFIC NIC IP
on that SAME (Specific) NIC.

You haven't created a "Superscope" on DHCP?
(That really shouldn't have this effect and would
definitely be wrong but it's the closest thing I can
think of.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
message
OK, Herb, at night I shut down Routing and Remote Access and Microsoft
ISA
services on the gateway server. Cients on the "inside" 10.0.x.x network
were
still able to pick up a 192.168.6.x IP address from the router through
the
gateway server. Any other ideas why they could be getting these
addresses.

If RRAS is not running it seems to be an ISA
problem and posting on the ISA list SHOULD
get you some truly expert help.

I would just be hacking.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

message
OK, Herb, at night I shut down Routing and Remote Access and Microsoft
ISA
services on the gateway server. Cients on the "inside" 10.0.x.x network
were
still able to pick up a 192.168.6.x IP address from the router through
the
gateway server. Any other ideas why they could be getting these
addresses.
--
Scott Ford
Information Services
Starlite Entertainment


:

message
Thanks for the reply Herb. I do not have a DHCP relay installed in
the
ISA
config. I do have Routing and Remote access enabled and a VPN client
can
get
an IP address in teh 10.0.x.x range.

Relay Agent is an element (only one of many) of RRAS.

RRAS and ISA are antagonistic to each other in many
ways and having them both enabled MAY (not always,
depends on the specific features) cause interference
which includes strange behavior.

Could this be allowing ISA to broadcast
DHCP requests back to the external interface? I have a friend who
feels
like
it could, so during the night i will try shutting down R&RA to see
if
an
internal client can still get an external address. I cant find
anything
else
on the ISA server that could be broadcasting bridged DHCP requests.

I personally have a love/hate relationship with ISA,
otherwise I would probably be an ISA MVP too.

ISA is a fantastic product in theory, but has shown
too many inconsistencies and strange dependencies
to make me comfortable -- I do run it on some machines
but have a lot of trouble recommending it whole
heartedly and find it problematic to troubleshoot due
to it's erractice and unpredicatable behavior at times.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

message
I have a Windows 2K ISA server as a gateway. Its set up standard
with
an
inside and an outside NIC. Inside is on 10.0.x.x range. Outside
NIC
IP
range
is 192.168.1.x. I want to put a wireless access point on the
outside
range
and have my router serving DHCP to 192.168.1.x ... I would like
this
to
NOT
interfere with the DHCP server I have on the inside range that is
serving
DHCP to 10.0.x.x ... I have tried this a couple times, but always
find
clients on the inside still receive IP addresses inthe 192 range.

That should never happen in DHCP (it could be some weird
issue with ISA but I doubt it; you can ask about that on the ISA
newsgroup.)

A DHCP server should ONLY hand out IP addresses for the
scope(s) which match it's NICs (if directly connected to the
requesting clients) AND to the scopes which match remote
subnets if forwarded by a DHCP relay or Bootp forwarder.

There is no reason a basic DHCP server would ever hand
out 192.x scope addresses on it's 10.net NIC or vice versa.


I have
tried blocking UDP ports 67 and 68 at the ISA server, but it isnt
stopping
the problem. Whats the best solution for this?

Make sure the ISA is not acting as a DHCP relay or
BootP forwarder but it should NOT be doing that
as a DHCP server cannot also be a forwarder (in the
docs that I have read, but of course I have never
tried it since it makes no sense.)

Does ISA think that 192.168 machines are INTERNAL or
EXTERNAL? (As described it sounds like they should
NOT be internally defined.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Server is a Compaq Proliant ML350G with Windows 2000 Server SP 4. It runs
Routing and Remote Access, ISA Server, and functions as a backup DNS server.
It is the gateway server for our LAN. It has 2 NICs. One named INSIDE and one
named OUTSIDE.

The inside NIC is HP NC7760 Gigabit NI Adapter. It is on subnet 10.0.0.x,
subnet mask 255.255.255.0, no gateway is set. DNS Primary is pointed to the
router at 192.168.6.1, and secondary is pointed to itself at 10.0.0.5.

Outside NIC is a 3COM Etherlink XL 10/100 with an IP address of 192.168.6.3.
Subnet mask of 255.255.255.0 ... Its gateway is the router.

The router is a Hotbrick Load Balancer at 192.168.6.1 subnet mask
255.255.255.0 .. This is the router that I need to use to give DHCP in the
192 range. The DHCP on the 10.0.0.0 subnet is handed out by a member server
inside the LAN .. .....NOT by the server that runs ISA and RRA
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
Scott Ford said:
I took ISA offline too. I had both RRA and ISA Services shut off when i did
it last. Still getting IP's though.

Describe your hardware because that (definitely
now) makes no sense.

You cannot get broadcasts across a non-RRAS
Windows server (you could with DHCP relay or
bootp forwardig but even then they should be subnet
specific).

Your DHCP server should ONLY had out addresses
from a scope that matches it's SPECIFIC NIC IP
on that SAME (Specific) NIC.

You haven't created a "Superscope" on DHCP?
(That really shouldn't have this effect and would
definitely be wrong but it's the closest thing I can
think of.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
message
OK, Herb, at night I shut down Routing and Remote Access and Microsoft
ISA
services on the gateway server. Cients on the "inside" 10.0.x.x network
were
still able to pick up a 192.168.6.x IP address from the router through
the
gateway server. Any other ideas why they could be getting these
addresses.

If RRAS is not running it seems to be an ISA
problem and posting on the ISA list SHOULD
get you some truly expert help.

I would just be hacking.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

message
OK, Herb, at night I shut down Routing and Remote Access and Microsoft
ISA
services on the gateway server. Cients on the "inside" 10.0.x.x network
were
still able to pick up a 192.168.6.x IP address from the router through
the
gateway server. Any other ideas why they could be getting these
addresses.
--
Scott Ford
Information Services
Starlite Entertainment


:

message
Thanks for the reply Herb. I do not have a DHCP relay installed in
the
ISA
config. I do have Routing and Remote access enabled and a VPN client
can
get
an IP address in teh 10.0.x.x range.

Relay Agent is an element (only one of many) of RRAS.

RRAS and ISA are antagonistic to each other in many
ways and having them both enabled MAY (not always,
depends on the specific features) cause interference
which includes strange behavior.

Could this be allowing ISA to broadcast
DHCP requests back to the external interface? I have a friend who
feels
like
it could, so during the night i will try shutting down R&RA to see
if
an
internal client can still get an external address. I cant find
anything
else
on the ISA server that could be broadcasting bridged DHCP requests.

I personally have a love/hate relationship with ISA,
otherwise I would probably be an ISA MVP too.

ISA is a fantastic product in theory, but has shown
too many inconsistencies and strange dependencies
to make me comfortable -- I do run it on some machines
but have a lot of trouble recommending it whole
heartedly and find it problematic to troubleshoot due
to it's erractice and unpredicatable behavior at times.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

message
I have a Windows 2K ISA server as a gateway. Its set up standard
with
an
inside and an outside NIC. Inside is on 10.0.x.x range. Outside
NIC
IP
range
is 192.168.1.x. I want to put a wireless access point on the
outside
range
and have my router serving DHCP to 192.168.1.x ... I would like
this
to
NOT
interfere with the DHCP server I have on the inside range that is
serving
DHCP to 10.0.x.x ... I have tried this a couple times, but always
find
clients on the inside still receive IP addresses inthe 192 range.

That should never happen in DHCP (it could be some weird
issue with ISA but I doubt it; you can ask about that on the ISA
newsgroup.)

A DHCP server should ONLY hand out IP addresses for the
scope(s) which match it's NICs (if directly connected to the
requesting clients) AND to the scopes which match remote
subnets if forwarded by a DHCP relay or Bootp forwarder.

There is no reason a basic DHCP server would ever hand
out 192.x scope addresses on it's 10.net NIC or vice versa.


I have
tried blocking UDP ports 67 and 68 at the ISA server, but it isnt
stopping
the problem. Whats the best solution for this?

Make sure the ISA is not acting as a DHCP relay or
BootP forwarder but it should NOT be doing that
as a DHCP server cannot also be a forwarder (in the
docs that I have read, but of course I have never
tried it since it makes no sense.)

Does ISA think that 192.168 machines are INTERNAL or
EXTERNAL? (As described it sounds like they should
NOT be internally defined.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Scott Ford said:
Server is a Compaq Proliant ML350G with Windows 2000 Server SP 4. It runs
Routing and Remote Access, ISA Server, and functions as a backup DNS
server.
It is the gateway server for our LAN. It has 2 NICs. One named INSIDE and
one
named OUTSIDE.

The inside NIC is HP NC7760 Gigabit NI Adapter. It is on subnet 10.0.0.x,
subnet mask 255.255.255.0, no gateway is set. DNS Primary is pointed to
the
router at 192.168.6.1, and secondary is pointed to itself at 10.0.0.5.

Outside NIC is a 3COM Etherlink XL 10/100 with an IP address of
192.168.6.3.
Subnet mask of 255.255.255.0 ... Its gateway is the router.

The router is a Hotbrick Load Balancer at 192.168.6.1 subnet mask
255.255.255.0 .. This is the router that I need to use to give DHCP in the
192 range. The DHCP on the 10.0.0.0 subnet is handed out by a member
server
inside the LAN .. .....NOT by the server that runs ISA and RRA

You say that the router is the Hotbrick LB, but isn't the
Windows Server a router (NAT/ISA) too?

Or are you plugging both NICs into the same segment
(same VLAN etc) instead?

If you have multiple DHCP servers on the same BROADCAST
segment then they will distribute addresses promiscously,
and the clients will generally accept the first offer.

If the above isn't clear -- then give me a diagram of your net
(text is fine).

e.g.: HotBrickLB---Server--others (whatever is right)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
message
I took ISA offline too. I had both RRA and ISA Services shut off when i
did
it last. Still getting IP's though.

Describe your hardware because that (definitely
now) makes no sense.

You cannot get broadcasts across a non-RRAS
Windows server (you could with DHCP relay or
bootp forwardig but even then they should be subnet
specific).

Your DHCP server should ONLY had out addresses
from a scope that matches it's SPECIFIC NIC IP
on that SAME (Specific) NIC.

You haven't created a "Superscope" on DHCP?
(That really shouldn't have this effect and would
definitely be wrong but it's the closest thing I can
think of.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment


:

message
OK, Herb, at night I shut down Routing and Remote Access and
Microsoft
ISA
services on the gateway server. Cients on the "inside" 10.0.x.x
network
were
still able to pick up a 192.168.6.x IP address from the router
through
the
gateway server. Any other ideas why they could be getting these
addresses.

If RRAS is not running it seems to be an ISA
problem and posting on the ISA list SHOULD
get you some truly expert help.

I would just be hacking.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

message
OK, Herb, at night I shut down Routing and Remote Access and
Microsoft
ISA
services on the gateway server. Cients on the "inside" 10.0.x.x
network
were
still able to pick up a 192.168.6.x IP address from the router
through
the
gateway server. Any other ideas why they could be getting these
addresses.
--
Scott Ford
Information Services
Starlite Entertainment


:

message
Thanks for the reply Herb. I do not have a DHCP relay installed
in
the
ISA
config. I do have Routing and Remote access enabled and a VPN
client
can
get
an IP address in teh 10.0.x.x range.

Relay Agent is an element (only one of many) of RRAS.

RRAS and ISA are antagonistic to each other in many
ways and having them both enabled MAY (not always,
depends on the specific features) cause interference
which includes strange behavior.

Could this be allowing ISA to broadcast
DHCP requests back to the external interface? I have a friend who
feels
like
it could, so during the night i will try shutting down R&RA to
see
if
an
internal client can still get an external address. I cant find
anything
else
on the ISA server that could be broadcasting bridged DHCP
requests.

I personally have a love/hate relationship with ISA,
otherwise I would probably be an ISA MVP too.

ISA is a fantastic product in theory, but has shown
too many inconsistencies and strange dependencies
to make me comfortable -- I do run it on some machines
but have a lot of trouble recommending it whole
heartedly and find it problematic to troubleshoot due
to it's erractice and unpredicatable behavior at times.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

in
message
I have a Windows 2K ISA server as a gateway. Its set up
standard
with
an
inside and an outside NIC. Inside is on 10.0.x.x range.
Outside
NIC
IP
range
is 192.168.1.x. I want to put a wireless access point on the
outside
range
and have my router serving DHCP to 192.168.1.x ... I would
like
this
to
NOT
interfere with the DHCP server I have on the inside range that
is
serving
DHCP to 10.0.x.x ... I have tried this a couple times, but
always
find
clients on the inside still receive IP addresses inthe 192
range.

That should never happen in DHCP (it could be some weird
issue with ISA but I doubt it; you can ask about that on the ISA
newsgroup.)

A DHCP server should ONLY hand out IP addresses for the
scope(s) which match it's NICs (if directly connected to the
requesting clients) AND to the scopes which match remote
subnets if forwarded by a DHCP relay or Bootp forwarder.

There is no reason a basic DHCP server would ever hand
out 192.x scope addresses on it's 10.net NIC or vice versa.


I have
tried blocking UDP ports 67 and 68 at the ISA server, but it
isnt
stopping
the problem. Whats the best solution for this?

Make sure the ISA is not acting as a DHCP relay or
BootP forwarder but it should NOT be doing that
as a DHCP server cannot also be a forwarder (in the
docs that I have read, but of course I have never
tried it since it makes no sense.)

Does ISA think that 192.168 machines are INTERNAL or
EXTERNAL? (As described it sounds like they should
NOT be internally defined.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
ISP 1 and ISP 2
|
Hotbrick Load Balancer Router
|
Gateway Server OUTSIDE NIC (192.168....)
|
Gateway Server INSIDE NIC (10.0....)
|
Main Network Switch
|
DHCP server on LAN 10.0....

--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
Scott Ford said:
Server is a Compaq Proliant ML350G with Windows 2000 Server SP 4. It runs
Routing and Remote Access, ISA Server, and functions as a backup DNS
server.
It is the gateway server for our LAN. It has 2 NICs. One named INSIDE and
one
named OUTSIDE.

The inside NIC is HP NC7760 Gigabit NI Adapter. It is on subnet 10.0.0.x,
subnet mask 255.255.255.0, no gateway is set. DNS Primary is pointed to
the
router at 192.168.6.1, and secondary is pointed to itself at 10.0.0.5.

Outside NIC is a 3COM Etherlink XL 10/100 with an IP address of
192.168.6.3.
Subnet mask of 255.255.255.0 ... Its gateway is the router.

The router is a Hotbrick Load Balancer at 192.168.6.1 subnet mask
255.255.255.0 .. This is the router that I need to use to give DHCP in the
192 range. The DHCP on the 10.0.0.0 subnet is handed out by a member
server
inside the LAN .. .....NOT by the server that runs ISA and RRA

You say that the router is the Hotbrick LB, but isn't the
Windows Server a router (NAT/ISA) too?

Or are you plugging both NICs into the same segment
(same VLAN etc) instead?

If you have multiple DHCP servers on the same BROADCAST
segment then they will distribute addresses promiscously,
and the clients will generally accept the first offer.

If the above isn't clear -- then give me a diagram of your net
(text is fine).

e.g.: HotBrickLB---Server--others (whatever is right)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
message
I took ISA offline too. I had both RRA and ISA Services shut off when i
did
it last. Still getting IP's though.

Describe your hardware because that (definitely
now) makes no sense.

You cannot get broadcasts across a non-RRAS
Windows server (you could with DHCP relay or
bootp forwardig but even then they should be subnet
specific).

Your DHCP server should ONLY had out addresses
from a scope that matches it's SPECIFIC NIC IP
on that SAME (Specific) NIC.

You haven't created a "Superscope" on DHCP?
(That really shouldn't have this effect and would
definitely be wrong but it's the closest thing I can
think of.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

message
OK, Herb, at night I shut down Routing and Remote Access and
Microsoft
ISA
services on the gateway server. Cients on the "inside" 10.0.x.x
network
were
still able to pick up a 192.168.6.x IP address from the router
through
the
gateway server. Any other ideas why they could be getting these
addresses.

If RRAS is not running it seems to be an ISA
problem and posting on the ISA list SHOULD
get you some truly expert help.

I would just be hacking.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

message
OK, Herb, at night I shut down Routing and Remote Access and
Microsoft
ISA
services on the gateway server. Cients on the "inside" 10.0.x.x
network
were
still able to pick up a 192.168.6.x IP address from the router
through
the
gateway server. Any other ideas why they could be getting these
addresses.
--
Scott Ford
Information Services
Starlite Entertainment


:

message
Thanks for the reply Herb. I do not have a DHCP relay installed
in
the
ISA
config. I do have Routing and Remote access enabled and a VPN
client
can
get
an IP address in teh 10.0.x.x range.

Relay Agent is an element (only one of many) of RRAS.

RRAS and ISA are antagonistic to each other in many
ways and having them both enabled MAY (not always,
depends on the specific features) cause interference
which includes strange behavior.

Could this be allowing ISA to broadcast
DHCP requests back to the external interface? I have a friend who
feels
like
it could, so during the night i will try shutting down R&RA to
see
if
an
internal client can still get an external address. I cant find
anything
else
on the ISA server that could be broadcasting bridged DHCP
requests.

I personally have a love/hate relationship with ISA,
otherwise I would probably be an ISA MVP too.

ISA is a fantastic product in theory, but has shown
too many inconsistencies and strange dependencies
to make me comfortable -- I do run it on some machines
but have a lot of trouble recommending it whole
heartedly and find it problematic to troubleshoot due
to it's erractice and unpredicatable behavior at times.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

in
message
I have a Windows 2K ISA server as a gateway. Its set up
standard
with
an
inside and an outside NIC. Inside is on 10.0.x.x range.
Outside
NIC
IP
range
is 192.168.1.x. I want to put a wireless access point on the
outside
range
and have my router serving DHCP to 192.168.1.x ... I would
like
this
to
NOT
interfere with the DHCP server I have on the inside range that
is
serving
DHCP to 10.0.x.x ... I have tried this a couple times, but
always
find
clients on the inside still receive IP addresses inthe 192
range.

That should never happen in DHCP (it could be some weird
issue with ISA but I doubt it; you can ask about that on the ISA
newsgroup.)

A DHCP server should ONLY hand out IP addresses for the
scope(s) which match it's NICs (if directly connected to the
requesting clients) AND to the scopes which match remote
subnets if forwarded by a DHCP relay or Bootp forwarder.

There is no reason a basic DHCP server would ever hand
out 192.x scope addresses on it's 10.net NIC or vice versa.


I have
tried blocking UDP ports 67 and 68 at the ISA server, but it
isnt
stopping
the problem. Whats the best solution for this?

Make sure the ISA is not acting as a DHCP relay or
BootP forwarder but it should NOT be doing that
as a DHCP server cannot also be a forwarder (in the
docs that I have read, but of course I have never
tried it since it makes no sense.)

Does ISA think that 192.168 machines are INTERNAL or
EXTERNAL? (As described it sounds like they should
NOT be internally defined.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Scott Ford said:
ISP 1 and ISP 2
|
Hotbrick Load Balancer Router
|
Gateway Server OUTSIDE NIC (192.168....)
|
Gateway Server INSIDE NIC (10.0....)
|
Main Network Switch
|
DHCP server on LAN 10.0....

Ok, this jibes with my original expections of our
network. Everything from (and including) the Hotbrick
outwards is pretty much irrelevant.

In general, a Windows box (Gateway server) is NOT
going to be a "bridge" (propagate broadcasts) and if
there is no physical connection that bypasses this server
then the interior DHCP will NEVER see those requests.

So, how can the broacasts be propagated:

1) Some physical connection (unlikely from your diagram)

2) RRAS DHCP relay agent (you said you turned RRAS
off, but perhaps you just mean certain features)

3) RRAS BootP forwarder (ditto #2)

4) Some weird effect of ISA (that I don't understand and
which seems contrary to design -- and you turned that
off as well)

5) Some third party software -- unlikely but theoretically
possible.

6) DHCP is NOT coming from the interior DHCP server
but some external DHCP server (with our without
your knowledge) is offering those 10.net addresses
(Includes the Gateway server, and the Hotbrick as
suspects.)

There aren't any other possibilities.

IF you have the authority, put a network monitor on both
networks, capture the DHCP requests and responses and
figure out precisely how it is happening.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
message
Server is a Compaq Proliant ML350G with Windows 2000 Server SP 4. It
runs
Routing and Remote Access, ISA Server, and functions as a backup DNS
server.
It is the gateway server for our LAN. It has 2 NICs. One named INSIDE
and
one
named OUTSIDE.

The inside NIC is HP NC7760 Gigabit NI Adapter. It is on subnet
10.0.0.x,
subnet mask 255.255.255.0, no gateway is set. DNS Primary is pointed to
the
router at 192.168.6.1, and secondary is pointed to itself at 10.0.0.5.

Outside NIC is a 3COM Etherlink XL 10/100 with an IP address of
192.168.6.3.
Subnet mask of 255.255.255.0 ... Its gateway is the router.

The router is a Hotbrick Load Balancer at 192.168.6.1 subnet mask
255.255.255.0 .. This is the router that I need to use to give DHCP in
the
192 range. The DHCP on the 10.0.0.0 subnet is handed out by a member
server
inside the LAN .. .....NOT by the server that runs ISA and RRA

You say that the router is the Hotbrick LB, but isn't the
Windows Server a router (NAT/ISA) too?

Or are you plugging both NICs into the same segment
(same VLAN etc) instead?

If you have multiple DHCP servers on the same BROADCAST
segment then they will distribute addresses promiscously,
and the clients will generally accept the first offer.

If the above isn't clear -- then give me a diagram of your net
(text is fine).

e.g.: HotBrickLB---Server--others (whatever is right)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment


:

message
I took ISA offline too. I had both RRA and ISA Services shut off when
i
did
it last. Still getting IP's though.

Describe your hardware because that (definitely
now) makes no sense.

You cannot get broadcasts across a non-RRAS
Windows server (you could with DHCP relay or
bootp forwardig but even then they should be subnet
specific).

Your DHCP server should ONLY had out addresses
from a scope that matches it's SPECIFIC NIC IP
on that SAME (Specific) NIC.

You haven't created a "Superscope" on DHCP?
(That really shouldn't have this effect and would
definitely be wrong but it's the closest thing I can
think of.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

message
OK, Herb, at night I shut down Routing and Remote Access and
Microsoft
ISA
services on the gateway server. Cients on the "inside" 10.0.x.x
network
were
still able to pick up a 192.168.6.x IP address from the router
through
the
gateway server. Any other ideas why they could be getting these
addresses.

If RRAS is not running it seems to be an ISA
problem and posting on the ISA list SHOULD
get you some truly expert help.

I would just be hacking.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

message
OK, Herb, at night I shut down Routing and Remote Access and
Microsoft
ISA
services on the gateway server. Cients on the "inside" 10.0.x.x
network
were
still able to pick up a 192.168.6.x IP address from the router
through
the
gateway server. Any other ideas why they could be getting these
addresses.
--
Scott Ford
Information Services
Starlite Entertainment


:

in
message
Thanks for the reply Herb. I do not have a DHCP relay
installed
in
the
ISA
config. I do have Routing and Remote access enabled and a VPN
client
can
get
an IP address in teh 10.0.x.x range.

Relay Agent is an element (only one of many) of RRAS.

RRAS and ISA are antagonistic to each other in many
ways and having them both enabled MAY (not always,
depends on the specific features) cause interference
which includes strange behavior.

Could this be allowing ISA to broadcast
DHCP requests back to the external interface? I have a friend
who
feels
like
it could, so during the night i will try shutting down R&RA to
see
if
an
internal client can still get an external address. I cant find
anything
else
on the ISA server that could be broadcasting bridged DHCP
requests.

I personally have a love/hate relationship with ISA,
otherwise I would probably be an ISA MVP too.

ISA is a fantastic product in theory, but has shown
too many inconsistencies and strange dependencies
to make me comfortable -- I do run it on some machines
but have a lot of trouble recommending it whole
heartedly and find it problematic to troubleshoot due
to it's erractice and unpredicatable behavior at times.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

"Scott Ford" <[email protected]>
wrote
in
message
I have a Windows 2K ISA server as a gateway. Its set up
standard
with
an
inside and an outside NIC. Inside is on 10.0.x.x range.
Outside
NIC
IP
range
is 192.168.1.x. I want to put a wireless access point on
the
outside
range
and have my router serving DHCP to 192.168.1.x ... I would
like
this
to
NOT
interfere with the DHCP server I have on the inside range
that
is
serving
DHCP to 10.0.x.x ... I have tried this a couple times, but
always
find
clients on the inside still receive IP addresses inthe 192
range.

That should never happen in DHCP (it could be some weird
issue with ISA but I doubt it; you can ask about that on the
ISA
newsgroup.)

A DHCP server should ONLY hand out IP addresses for the
scope(s) which match it's NICs (if directly connected to the
requesting clients) AND to the scopes which match remote
subnets if forwarded by a DHCP relay or Bootp forwarder.

There is no reason a basic DHCP server would ever hand
out 192.x scope addresses on it's 10.net NIC or vice versa.


I have
tried blocking UDP ports 67 and 68 at the ISA server, but
it
isnt
stopping
the problem. Whats the best solution for this?

Make sure the ISA is not acting as a DHCP relay or
BootP forwarder but it should NOT be doing that
as a DHCP server cannot also be a forwarder (in the
docs that I have read, but of course I have never
tried it since it makes no sense.)

Does ISA think that 192.168 machines are INTERNAL or
EXTERNAL? (As described it sounds like they should
NOT be internally defined.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Technically there is a seventh possibility which I had
meant to differentiate from those below:

Two NICs can be "bridged" in WinXP or Windows 2003.

If this had been done however, there would then be only
one "NIC" remaining -- the two physical NICs comprising
the new bridged-interface would be effectively masked
by it, and therefore unavailable for routing etc.
1) Some physical connection (unlikely from your diagram)

2) RRAS DHCP relay agent (you said you turned RRAS
off, but perhaps you just mean certain features)

3) RRAS BootP forwarder (ditto #2)

4) Some weird effect of ISA (that I don't understand and
which seems contrary to design -- and you turned that
off as well)

5) Some third party software -- unlikely but theoretically
possible.

6) DHCP is NOT coming from the interior DHCP server
but some external DHCP server (with our without
your knowledge) is offering those 10.net addresses
(Includes the Gateway server, and the Hotbrick as
suspects.)

There aren't any other possibilities.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Herb Martin said:
Scott Ford said:
ISP 1 and ISP 2
|
Hotbrick Load Balancer Router
|
Gateway Server OUTSIDE NIC (192.168....)
|
Gateway Server INSIDE NIC (10.0....)
|
Main Network Switch
|
DHCP server on LAN 10.0....

Ok, this jibes with my original expections of our
network. Everything from (and including) the Hotbrick
outwards is pretty much irrelevant.

In general, a Windows box (Gateway server) is NOT
going to be a "bridge" (propagate broadcasts) and if
there is no physical connection that bypasses this server
then the interior DHCP will NEVER see those requests.

So, how can the broacasts be propagated:

1) Some physical connection (unlikely from your diagram)

2) RRAS DHCP relay agent (you said you turned RRAS
off, but perhaps you just mean certain features)

3) RRAS BootP forwarder (ditto #2)

4) Some weird effect of ISA (that I don't understand and
which seems contrary to design -- and you turned that
off as well)

5) Some third party software -- unlikely but theoretically
possible.

6) DHCP is NOT coming from the interior DHCP server
but some external DHCP server (with our without
your knowledge) is offering those 10.net addresses
(Includes the Gateway server, and the Hotbrick as
suspects.)

There aren't any other possibilities.

IF you have the authority, put a network monitor on both
networks, capture the DHCP requests and responses and
figure out precisely how it is happening.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
message
Server is a Compaq Proliant ML350G with Windows 2000 Server SP 4. It
runs
Routing and Remote Access, ISA Server, and functions as a backup DNS
server.
It is the gateway server for our LAN. It has 2 NICs. One named INSIDE
and
one
named OUTSIDE.

The inside NIC is HP NC7760 Gigabit NI Adapter. It is on subnet
10.0.0.x,
subnet mask 255.255.255.0, no gateway is set. DNS Primary is pointed
to
the
router at 192.168.6.1, and secondary is pointed to itself at 10.0.0.5.

Outside NIC is a 3COM Etherlink XL 10/100 with an IP address of
192.168.6.3.
Subnet mask of 255.255.255.0 ... Its gateway is the router.

The router is a Hotbrick Load Balancer at 192.168.6.1 subnet mask
255.255.255.0 .. This is the router that I need to use to give DHCP in
the
192 range. The DHCP on the 10.0.0.0 subnet is handed out by a member
server
inside the LAN .. .....NOT by the server that runs ISA and RRA

You say that the router is the Hotbrick LB, but isn't the
Windows Server a router (NAT/ISA) too?

Or are you plugging both NICs into the same segment
(same VLAN etc) instead?

If you have multiple DHCP servers on the same BROADCAST
segment then they will distribute addresses promiscously,
and the clients will generally accept the first offer.

If the above isn't clear -- then give me a diagram of your net
(text is fine).

e.g.: HotBrickLB---Server--others (whatever is right)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

message
I took ISA offline too. I had both RRA and ISA Services shut off
when i
did
it last. Still getting IP's though.

Describe your hardware because that (definitely
now) makes no sense.

You cannot get broadcasts across a non-RRAS
Windows server (you could with DHCP relay or
bootp forwardig but even then they should be subnet
specific).

Your DHCP server should ONLY had out addresses
from a scope that matches it's SPECIFIC NIC IP
on that SAME (Specific) NIC.

You haven't created a "Superscope" on DHCP?
(That really shouldn't have this effect and would
definitely be wrong but it's the closest thing I can
think of.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

in
message
OK, Herb, at night I shut down Routing and Remote Access and
Microsoft
ISA
services on the gateway server. Cients on the "inside" 10.0.x.x
network
were
still able to pick up a 192.168.6.x IP address from the router
through
the
gateway server. Any other ideas why they could be getting these
addresses.

If RRAS is not running it seems to be an ISA
problem and posting on the ISA list SHOULD
get you some truly expert help.

I would just be hacking.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

in
message
OK, Herb, at night I shut down Routing and Remote Access and
Microsoft
ISA
services on the gateway server. Cients on the "inside" 10.0.x.x
network
were
still able to pick up a 192.168.6.x IP address from the router
through
the
gateway server. Any other ideas why they could be getting these
addresses.
--
Scott Ford
Information Services
Starlite Entertainment


:

"Scott Ford" <[email protected]>
wrote in
message
Thanks for the reply Herb. I do not have a DHCP relay
installed
in
the
ISA
config. I do have Routing and Remote access enabled and a VPN
client
can
get
an IP address in teh 10.0.x.x range.

Relay Agent is an element (only one of many) of RRAS.

RRAS and ISA are antagonistic to each other in many
ways and having them both enabled MAY (not always,
depends on the specific features) cause interference
which includes strange behavior.

Could this be allowing ISA to broadcast
DHCP requests back to the external interface? I have a friend
who
feels
like
it could, so during the night i will try shutting down R&RA
to
see
if
an
internal client can still get an external address. I cant
find
anything
else
on the ISA server that could be broadcasting bridged DHCP
requests.

I personally have a love/hate relationship with ISA,
otherwise I would probably be an ISA MVP too.

ISA is a fantastic product in theory, but has shown
too many inconsistencies and strange dependencies
to make me comfortable -- I do run it on some machines
but have a lot of trouble recommending it whole
heartedly and find it problematic to troubleshoot due
to it's erractice and unpredicatable behavior at times.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

"Scott Ford" <[email protected]>
wrote
in
message
I have a Windows 2K ISA server as a gateway. Its set up
standard
with
an
inside and an outside NIC. Inside is on 10.0.x.x range.
Outside
NIC
IP
range
is 192.168.1.x. I want to put a wireless access point on
the
outside
range
and have my router serving DHCP to 192.168.1.x ... I
would
like
this
to
NOT
interfere with the DHCP server I have on the inside range
that
is
serving
DHCP to 10.0.x.x ... I have tried this a couple times, but
always
find
clients on the inside still receive IP addresses inthe 192
range.

That should never happen in DHCP (it could be some weird
issue with ISA but I doubt it; you can ask about that on the
ISA
newsgroup.)

A DHCP server should ONLY hand out IP addresses for the
scope(s) which match it's NICs (if directly connected to the
requesting clients) AND to the scopes which match remote
subnets if forwarded by a DHCP relay or Bootp forwarder.

There is no reason a basic DHCP server would ever hand
out 192.x scope addresses on it's 10.net NIC or vice versa.


I have
tried blocking UDP ports 67 and 68 at the ISA server, but
it
isnt
stopping
the problem. Whats the best solution for this?

Make sure the ISA is not acting as a DHCP relay or
BootP forwarder but it should NOT be doing that
as a DHCP server cannot also be a forwarder (in the
docs that I have read, but of course I have never
tried it since it makes no sense.)

Does ISA think that 192.168 machines are INTERNAL or
EXTERNAL? (As described it sounds like they should
NOT be internally defined.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
 
Herb! Haha, you might kill me. I decided to go back to basics and check the
physical connections. I un-patched (and tested, since I was there) every cat5
cable in the main switch. Guess what I found? One took a bit of a roundabout
pathway and ended up YES .. you guessed it... in the router. No idea why, I
certainly didnt make that connection, which is why it never occurred to me
that it was a possibility. Your list made me go back and check it. Thanks for
all your succinct replies.
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
Technically there is a seventh possibility which I had
meant to differentiate from those below:

Two NICs can be "bridged" in WinXP or Windows 2003.

If this had been done however, there would then be only
one "NIC" remaining -- the two physical NICs comprising
the new bridged-interface would be effectively masked
by it, and therefore unavailable for routing etc.
1) Some physical connection (unlikely from your diagram)

2) RRAS DHCP relay agent (you said you turned RRAS
off, but perhaps you just mean certain features)

3) RRAS BootP forwarder (ditto #2)

4) Some weird effect of ISA (that I don't understand and
which seems contrary to design -- and you turned that
off as well)

5) Some third party software -- unlikely but theoretically
possible.

6) DHCP is NOT coming from the interior DHCP server
but some external DHCP server (with our without
your knowledge) is offering those 10.net addresses
(Includes the Gateway server, and the Hotbrick as
suspects.)

There aren't any other possibilities.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Herb Martin said:
Scott Ford said:
ISP 1 and ISP 2
|
Hotbrick Load Balancer Router
|
Gateway Server OUTSIDE NIC (192.168....)
|
Gateway Server INSIDE NIC (10.0....)
|
Main Network Switch
|
DHCP server on LAN 10.0....

Ok, this jibes with my original expections of our
network. Everything from (and including) the Hotbrick
outwards is pretty much irrelevant.

In general, a Windows box (Gateway server) is NOT
going to be a "bridge" (propagate broadcasts) and if
there is no physical connection that bypasses this server
then the interior DHCP will NEVER see those requests.

So, how can the broacasts be propagated:

1) Some physical connection (unlikely from your diagram)

2) RRAS DHCP relay agent (you said you turned RRAS
off, but perhaps you just mean certain features)

3) RRAS BootP forwarder (ditto #2)

4) Some weird effect of ISA (that I don't understand and
which seems contrary to design -- and you turned that
off as well)

5) Some third party software -- unlikely but theoretically
possible.

6) DHCP is NOT coming from the interior DHCP server
but some external DHCP server (with our without
your knowledge) is offering those 10.net addresses
(Includes the Gateway server, and the Hotbrick as
suspects.)

There aren't any other possibilities.

IF you have the authority, put a network monitor on both
networks, capture the DHCP requests and responses and
figure out precisely how it is happening.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
--
Scott Ford
Information Services
Starlite Entertainment


:

message
Server is a Compaq Proliant ML350G with Windows 2000 Server SP 4. It
runs
Routing and Remote Access, ISA Server, and functions as a backup DNS
server.
It is the gateway server for our LAN. It has 2 NICs. One named INSIDE
and
one
named OUTSIDE.

The inside NIC is HP NC7760 Gigabit NI Adapter. It is on subnet
10.0.0.x,
subnet mask 255.255.255.0, no gateway is set. DNS Primary is pointed
to
the
router at 192.168.6.1, and secondary is pointed to itself at 10.0.0.5.

Outside NIC is a 3COM Etherlink XL 10/100 with an IP address of
192.168.6.3.
Subnet mask of 255.255.255.0 ... Its gateway is the router.

The router is a Hotbrick Load Balancer at 192.168.6.1 subnet mask
255.255.255.0 .. This is the router that I need to use to give DHCP in
the
192 range. The DHCP on the 10.0.0.0 subnet is handed out by a member
server
inside the LAN .. .....NOT by the server that runs ISA and RRA

You say that the router is the Hotbrick LB, but isn't the
Windows Server a router (NAT/ISA) too?

Or are you plugging both NICs into the same segment
(same VLAN etc) instead?

If you have multiple DHCP servers on the same BROADCAST
segment then they will distribute addresses promiscously,
and the clients will generally accept the first offer.

If the above isn't clear -- then give me a diagram of your net
(text is fine).

e.g.: HotBrickLB---Server--others (whatever is right)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

message
I took ISA offline too. I had both RRA and ISA Services shut off
when i
did
it last. Still getting IP's though.

Describe your hardware because that (definitely
now) makes no sense.

You cannot get broadcasts across a non-RRAS
Windows server (you could with DHCP relay or
bootp forwardig but even then they should be subnet
specific).

Your DHCP server should ONLY had out addresses
from a scope that matches it's SPECIFIC NIC IP
on that SAME (Specific) NIC.

You haven't created a "Superscope" on DHCP?
(That really shouldn't have this effect and would
definitely be wrong but it's the closest thing I can
think of.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

in
message
OK, Herb, at night I shut down Routing and Remote Access and
Microsoft
ISA
services on the gateway server. Cients on the "inside" 10.0.x.x
network
were
still able to pick up a 192.168.6.x IP address from the router
through
the
gateway server. Any other ideas why they could be getting these
addresses.

If RRAS is not running it seems to be an ISA
problem and posting on the ISA list SHOULD
get you some truly expert help.

I would just be hacking.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

in
message
OK, Herb, at night I shut down Routing and Remote Access and
Microsoft
ISA
services on the gateway server. Cients on the "inside" 10.0.x.x
network
were
still able to pick up a 192.168.6.x IP address from the router
through
the
gateway server. Any other ideas why they could be getting these
addresses.
--
Scott Ford
Information Services
Starlite Entertainment


:

"Scott Ford" <[email protected]>
wrote in
message
Thanks for the reply Herb. I do not have a DHCP relay
installed
in
the
ISA
config. I do have Routing and Remote access enabled and a VPN
client
can
get
an IP address in teh 10.0.x.x range.

Relay Agent is an element (only one of many) of RRAS.

RRAS and ISA are antagonistic to each other in many
ways and having them both enabled MAY (not always,
depends on the specific features) cause interference
which includes strange behavior.

Could this be allowing ISA to broadcast
DHCP requests back to the external interface? I have a friend
who
feels
like
it could, so during the night i will try shutting down R&RA
to
see
if
an
internal client can still get an external address. I cant
find
anything
else
on the ISA server that could be broadcasting bridged DHCP
requests.

I personally have a love/hate relationship with ISA,
otherwise I would probably be an ISA MVP too.

ISA is a fantastic product in theory, but has shown
too many inconsistencies and strange dependencies
 
Scott Ford said:
Herb! Haha, you might kill me. I decided to go back to basics and check
the
physical connections. I un-patched (and tested, since I was there) every
cat5
cable in the main switch. Guess what I found? One took a bit of a
roundabout
pathway and ended up YES .. you guessed it... in the router. No idea why,
I
certainly didnt make that connection, which is why it never occurred to me
that it was a possibility. Your list made me go back and check it. Thanks
for
all your succinct replies.

You are welcome. I have certainly found (or even
done) sillier things myself.

Sometimes when you just stop and list every possible
item no matter how unlikely, then force yourself to
prove (reasonably) which ones cannot be true, you
find that the assumptions are wrong -- at worst you
end up with a smaller list.

Glad we solved it.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Scott Ford said:
Herb! Haha, you might kill me. I decided to go back to basics and check
the
physical connections. I un-patched (and tested, since I was there) every
cat5
cable in the main switch. Guess what I found? One took a bit of a
roundabout
pathway and ended up YES .. you guessed it... in the router. No idea why,
I
certainly didnt make that connection, which is why it never occurred to me
that it was a possibility. Your list made me go back and check it. Thanks
for
all your succinct replies.
--
Scott Ford
Information Services
Starlite Entertainment


Herb Martin said:
Technically there is a seventh possibility which I had
meant to differentiate from those below:

Two NICs can be "bridged" in WinXP or Windows 2003.

If this had been done however, there would then be only
one "NIC" remaining -- the two physical NICs comprising
the new bridged-interface would be effectively masked
by it, and therefore unavailable for routing etc.
1) Some physical connection (unlikely from your diagram)

2) RRAS DHCP relay agent (you said you turned RRAS
off, but perhaps you just mean certain features)

3) RRAS BootP forwarder (ditto #2)

4) Some weird effect of ISA (that I don't understand and
which seems contrary to design -- and you turned that
off as well)

5) Some third party software -- unlikely but theoretically
possible.

6) DHCP is NOT coming from the interior DHCP server
but some external DHCP server (with our without
your knowledge) is offering those 10.net addresses
(Includes the Gateway server, and the Hotbrick as
suspects.)

There aren't any other possibilities.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Herb Martin said:
message ISP 1 and ISP 2
|
Hotbrick Load Balancer Router
|
Gateway Server OUTSIDE NIC (192.168....)
|
Gateway Server INSIDE NIC (10.0....)
|
Main Network Switch
|
DHCP server on LAN 10.0....


Ok, this jibes with my original expections of our
network. Everything from (and including) the Hotbrick
outwards is pretty much irrelevant.

In general, a Windows box (Gateway server) is NOT
going to be a "bridge" (propagate broadcasts) and if
there is no physical connection that bypasses this server
then the interior DHCP will NEVER see those requests.

So, how can the broacasts be propagated:

1) Some physical connection (unlikely from your diagram)

2) RRAS DHCP relay agent (you said you turned RRAS
off, but perhaps you just mean certain features)

3) RRAS BootP forwarder (ditto #2)

4) Some weird effect of ISA (that I don't understand and
which seems contrary to design -- and you turned that
off as well)

5) Some third party software -- unlikely but theoretically
possible.

6) DHCP is NOT coming from the interior DHCP server
but some external DHCP server (with our without
your knowledge) is offering those 10.net addresses
(Includes the Gateway server, and the Hotbrick as
suspects.)

There aren't any other possibilities.

IF you have the authority, put a network monitor on both
networks, capture the DHCP requests and responses and
figure out precisely how it is happening.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

message
Server is a Compaq Proliant ML350G with Windows 2000 Server SP 4.
It
runs
Routing and Remote Access, ISA Server, and functions as a backup
DNS
server.
It is the gateway server for our LAN. It has 2 NICs. One named
INSIDE
and
one
named OUTSIDE.

The inside NIC is HP NC7760 Gigabit NI Adapter. It is on subnet
10.0.0.x,
subnet mask 255.255.255.0, no gateway is set. DNS Primary is
pointed
to
the
router at 192.168.6.1, and secondary is pointed to itself at
10.0.0.5.

Outside NIC is a 3COM Etherlink XL 10/100 with an IP address of
192.168.6.3.
Subnet mask of 255.255.255.0 ... Its gateway is the router.

The router is a Hotbrick Load Balancer at 192.168.6.1 subnet mask
255.255.255.0 .. This is the router that I need to use to give DHCP
in
the
192 range. The DHCP on the 10.0.0.0 subnet is handed out by a
member
server
inside the LAN .. .....NOT by the server that runs ISA and RRA

You say that the router is the Hotbrick LB, but isn't the
Windows Server a router (NAT/ISA) too?

Or are you plugging both NICs into the same segment
(same VLAN etc) instead?

If you have multiple DHCP servers on the same BROADCAST
segment then they will distribute addresses promiscously,
and the clients will generally accept the first offer.

If the above isn't clear -- then give me a diagram of your net
(text is fine).

e.g.: HotBrickLB---Server--others (whatever is right)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

in
message
I took ISA offline too. I had both RRA and ISA Services shut off
when i
did
it last. Still getting IP's though.

Describe your hardware because that (definitely
now) makes no sense.

You cannot get broadcasts across a non-RRAS
Windows server (you could with DHCP relay or
bootp forwardig but even then they should be subnet
specific).

Your DHCP server should ONLY had out addresses
from a scope that matches it's SPECIFIC NIC IP
on that SAME (Specific) NIC.

You haven't created a "Superscope" on DHCP?
(That really shouldn't have this effect and would
definitely be wrong but it's the closest thing I can
think of.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

--
Scott Ford
Information Services
Starlite Entertainment


:

"Scott Ford" <[email protected]>
wrote
in
message
OK, Herb, at night I shut down Routing and Remote Access and
Microsoft
ISA
services on the gateway server. Cients on the "inside"
10.0.x.x
network
were
still able to pick up a 192.168.6.x IP address from the
router
through
the
gateway server. Any other ideas why they could be getting
these
addresses.

If RRAS is not running it seems to be an ISA
problem and posting on the ISA list SHOULD
get you some truly expert help.

I would just be hacking.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

"Scott Ford" <[email protected]>
wrote
in
message
OK, Herb, at night I shut down Routing and Remote Access and
Microsoft
ISA
services on the gateway server. Cients on the "inside"
10.0.x.x
network
were
still able to pick up a 192.168.6.x IP address from the
router
through
the
gateway server. Any other ideas why they could be getting
these
addresses.
--
Scott Ford
Information Services
Starlite Entertainment


:

"Scott Ford" <[email protected]>
wrote in
message
Thanks for the reply Herb. I do not have a DHCP relay
installed
in
the
ISA
config. I do have Routing and Remote access enabled and a
VPN
client
can
get
an IP address in teh 10.0.x.x range.

Relay Agent is an element (only one of many) of RRAS.

RRAS and ISA are antagonistic to each other in many
ways and having them both enabled MAY (not always,
depends on the specific features) cause interference
which includes strange behavior.

Could this be allowing ISA to broadcast
DHCP requests back to the external interface? I have a
friend
who
feels
like
it could, so during the night i will try shutting down
R&RA
to
see
if
an
internal client can still get an external address. I cant
find
anything
else
on the ISA server that could be broadcasting bridged DHCP
requests.

I personally have a love/hate relationship with ISA,
otherwise I would probably be an ISA MVP too.

ISA is a fantastic product in theory, but has shown
too many inconsistencies and strange dependencies
 
Back
Top