Happy VPN
Hello and thanks in advance for your help:

We have a Windows Server network in our main office with addresses in the block 192.168.0.x 255.255.255.0. We have remote delegations connecting to our "main" office through our VPN (ISA Server), which gives them addresses from the mentioned block. The main (and almost only) reason for connecting to the VPN is that after that, they can access our Terminal Server. As they have their local IP addresses in other blocks (for example, 1.92.168.1.x 255.255.255.0) there is no IP CONFLICT.

So, we could be happy if all that we expect from our little loved corporate network was all that I mentioned above, don't you think? But Life is unpredictable, and it always likes to find its own methods, don't you agree? I'll explain:

Some of our employees decided to connect to the internet by plugging their PCs into a customer's private LAN some months ago. As a demonstration of love, they did not tell me anything about it, and one of those happy days, we got into problems. This customer is located in Argelia, and their IP LAN block is the same as ours, I mean: 192.168.0.x 255.255.255.0

That way, as they have their portables configured to get their TCP/IP configuration from DHCP, they get a local IP, DNS servers and gateway from the Argelia router when they plug some infamous LAN cable into their PCs, and they can surf the internet too for whatever they need or like... But when they connect to our VPN, they get another IP, in the same block (192.168.0.x) as our local IP addresses there in Argelia. This seems to be a problem; let's write down some examples:

1- Let's say our PC in Argelia got the local address 192.168.0.5, but at our main office we have a server with that address! When he/she connects to the VPN we'll have an IP conflict.

2- Let's say that in Argelia, the customer has machines (servers and other stuff) whose IPs are the same as those located in our central office. When a client connects to the VPN, I cannot imagine the range of problems we could have...

This is what happens right now in Argelia, but it could happen everywhere (wifi access points from airports, bistros, libraries,...) when the local addresses from those places are the same as in our main office.

Is there a way to make them connect to Terminal Server without using a VPN? I'm almost sure I read something about it a long time ago, but as far as I can recall this is not a safe practice. I'm sure that there is a strategy, an already approved schema to make sure this is not going to happen. But I don't have any idea how to implement it.

Could you help me, Gurus?

Thanks, Roger
July 14th, 2009 7:05pm

Hi Roger,

I have gone through the architecture. The first thing I would like to check is why the VPN is leasing out IP addresses similar to that of the TS server. You need to verify whether the TS server is statically configured with an IP address, or is it a DHCP server leasing out the IP range? As you said that the ISA server is leasing out the IP addresses for the clients which connect to the network, I would check the ISA server configuration as to how the addresses are configured.

Also, there is a dedicated forum for assistance with respect to ISA; I would also like you to post the query under the ISA Server forum: http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeVPN/threads

sainath !analyze
July 14th, 2009 8:10pm

Hello and thanks for your answer...

I don't think this is an ISA-related issue, as this would happen too if the VPN were generated by another kind of software or machine, for example, a router. Remember also that the IP addresses always come from our main domain controller, not from the ISA VPN services. In fact, this is a network architecture problem, because what I am trying to avoid is the IP conflict that happens when the LAN at the remote site has the same address block as the main site that provides the VPN, and a client PC connects to that VPN from the remote site. I'll try to figure out which is the best forum to post the problem again.

Regarding your comments, you said:

> why is VPN leasing out ipaddresses similar to that of TS server?

I'm sorry, I didn't mean that. I mean that the VPN gives the connection but the IPs are from our main domain controller, which is also the main DHCP server. Our Terminal Server has a static internal LAN IP, of course.

> as you said that ISA server is leasing out the ipaddress for the clients which connects to the network

No, it is not the ISA server, it is the main domain controller server as I said. Specifically, from 192.168.0.100 to 192.168.0.190

See you, Roger
July 15th, 2009 10:56am

Hi Roger,

As far as I know, there is no solution or workaround for your problem. I'm afraid you have to change the IP arrangement of one office.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
July 20th, 2009 7:02am

Hello, thanks for your help.

This is hard to believe, really. According to your answer, if an employee tries to connect to our VPN from a network having the same range that we have in our office (192.168.0.x mask 255.255.255.0), he could have problems if the machines on both sides have the same IPs? This sounds strange to me, as I'm almost sure that this is a common issue around. This network architecture problem should be sooo common to find all around that I find your answer very strange to assume.

I will re-explain it for the sake of clarity with an example: In our main office we have range 192.168.0.x mask 255.255.255.0. One of our servers has IP 192.168.0.4. If a client PC is in a hotel, and imagine that its network has the same range, what will happen if that PC connects to our VPN and it gets another IP address from our network (for example, 192.168.0.50)?

Case 1: ... if the PC has the hotel's IP 192.168.0.4 (obtained with the hotel's DHCP server: it conflicts with one of our servers)

Case 2: ... if the PC has the hotel's IP 192.168.0.3 (no conflict) but some server at the hotel has the IP 192.168.0.4 (conflict)

Case 3: ... if the PC has the hotel's IP 192.168.0.3 (no conflict) but some server at the hotel has the IP 192.168.0.50 (conflict: the IP given from our VPN server conflicts with the server's IP at the hotel)

What will happen then? The servers will lose connectivity? (aarrgh) ... The client PC will not be able to communicate with the server? Is there an architecture that can avoid this kind of conflict? Really, I cannot tell my boss that there's no solution for it as long as it sounds absurd to me 8-/

I really thank you, Roger
July 5th, 2010 6:33pm

That is how IP routing works. Why would a machine send traffic across the VPN link when the target address is a local address? If the target address is local (i.e. in the same IP subnet as the sender) the traffic is delivered directly (on the wire) using hardware addressing. It never reaches a router.

If the local network and the remote network use the same IP subnet, how is a machine supposed to be able to tell the difference? The client will only send the traffic through the VPN link if it is addressed to some other private IP subnet.

You cannot fix this by making changes to your office network (apart from changing its whole IP subnet) because that is not where the routing problem is. The routing problem is at the VPN client.

Bill
July 6th, 2010 5:47am
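
Added example, not part of the original thread: a small Python check that applies the routing rule from Bill's reply and flags Roger's three hotel cases for a given client. The office subnet and the server address 192.168.0.4 come from the thread; the function names, the result labels and the 192.168.1.20 client are assumptions made for illustration.

```python
import ipaddress

# Values taken from the thread: office LAN and one office server.
OFFICE_NET = ipaddress.ip_network("192.168.0.0/24")
OFFICE_HOSTS = {ipaddress.ip_address("192.168.0.4")}


def next_hop(local_if, dst):
    """Where a client sends a packet for dst, per the rule in Bill's reply:
    same subnet as the sender means direct delivery on the local wire,
    anything else is handed to a router (here, the VPN link)."""
    iface = ipaddress.ip_interface(local_if)
    return "local-wire" if ipaddress.ip_address(dst) in iface.network else "vpn"


def audit_client(local_if, vpn_ip, local_hosts=()):
    """Return which conflict cases from the thread apply to this client.

    local_if    -- address/prefix the client got from the remote site's DHCP
    vpn_ip      -- address handed to the client over the VPN
    local_hosts -- addresses known to be in use on the remote LAN
    """
    iface = ipaddress.ip_interface(local_if)
    vpn_ip = ipaddress.ip_address(vpn_ip)
    local_hosts = {ipaddress.ip_address(h) for h in local_hosts}
    if not iface.network.overlaps(OFFICE_NET):
        return []  # different subnets: office traffic leaves via the VPN
    findings = ["overlap"]
    if iface.ip in OFFICE_HOSTS:
        findings.append("case1")  # client's local IP equals an office server
    if local_hosts & OFFICE_HOSTS:
        findings.append("case2")  # a remote-LAN host shadows an office server
    if vpn_ip in local_hosts:
        findings.append("case3")  # VPN-assigned IP is already used locally
    return findings


if __name__ == "__main__":
    # Constructed sample clients: (local interface, VPN IP, remote-LAN hosts).
    samples = [
        ("192.168.0.4/24", "192.168.0.50", []),
        ("192.168.0.3/24", "192.168.0.50", ["192.168.0.4"]),
        ("192.168.0.3/24", "192.168.0.50", ["192.168.0.50"]),
        ("192.168.1.20/24", "192.168.0.50", []),
    ]
    for local_if, vpn_ip, hosts in samples:
        print(local_if, next_hop(local_if, "192.168.0.4"),
              audit_client(local_if, vpn_ip, hosts))
```

Only the last sample, on a non-overlapping subnet, sends traffic for 192.168.0.4 over the VPN; in the other three the client treats the office server's address as local.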

This topic is archived. No further replies will be accepted.