I have this setup:
- Windows Server 2012 R2 with 2 Gigabit NICs, one connected via a Gigabit switch to 4 workstations and the other exposed to the Internet
- the server is a Domain Controller and the workstations get group policies via Active Directory
- using ICS to provide Internet access to the workstations by sharing the Internet-facing server NIC through the local NIC
- using the 192.168.137.1 address for the server on the local NIC
- static addresses 192.168.137.2-5 set on the workstations, with the gateway set to 192.168.137.1 and no DNS set
- using RRAS on the server to provide VPN connectivity to users coming from the Internet. VPN clients (using the Microsoft Windows VPN connection) use a static address pool (set to use 192.168.137.100+), and it seems they see the server at 192.168.137.100 (can RDP to it fine after logging in via the VPN) and they get addresses above it
The problem is that VPN clients don't see the ICS workstations.
The gateway on the VPN clients is shown as empty for the VPN interface when I do ipconfig on them, which I guess means they use some VPN gateway at the server.
I know ICS has a simple DHCP service (which one can turn off via the registry), so could I tell RRAS somehow to pass clients to that DHCP? RRAS seems to have a DHCP Relay Agent, which doesn't help if I set it to pass DHCP messages on to 192.168.137.1 (where the server also appears, apart from .100, if I run Advanced Port Scanner from a VPN client). Not sure if that is the correct way to set the DHCP that VPN clients are to use anyway.
btw, VPN clients lose Internet connectivity when they connect, but since the workstations have Internet access via ICS it is fine if they can access them via RDP (which they currently can't; they can only see the server and RDP to it after logging in via the VPN).
I have thought of various workarounds, like not using ICS but setting up NAT, but I'm not sure if I can set up NAT and VPN on a DC (whereas with ICS it seems to work fine).
I have also tried exposing the RDP ports of the workstations on other server ports (ICS has an advanced settings dialog where you can expose services to Internet clients, but probably this is only available to clients connecting via the Internet directly, not via VPN).
Just found the solution: I had recently noticed that I could connect to one of the workstations but not to the others, and that from the server I couldn't list the other computers in the local network when using the classic network dialog in software like Time Boss Pro.
So I opened an RDP connection from the server to each of the workstations and visited the Network location in Windows Explorer. On the three problematic workstations it warned me that network discovery was disabled, and after closing that dialog it offered to enable it (I did it for the local network only; if you're connected directly to the Internet, recent Windows client OS versions show a choice to enable it for all public networks or to make the local network a private one).
After that I could list the workstations from the network dialog, and I could also connect via RDP to the workstations by name, specifying the server's local address in the VPN as the RDP gateway.
I had already defined RD CAP and RAP policies as explained at https://technet.microsoft.com/en-us/library/cc731544(v=ws.11).aspx and https://technet.microsoft.com/en-us/library/cc730630(v=ws.11).aspx, for Connection Authorization and Resource Authorization respectively, and had set up an RDP gateway using those on the server. In the CAP I had specified a group of AD users that are allowed to connect remotely, and in the RAP I had specified a group of workstations that are allowed to be accessed. Also, I had already set up a GPO (group policy object) on the server to configure on each of the workstations, via Active Directory policy propagation/enforcement, which AD group of users is allowed to connect remotely.
btw, another change I have made (that shouldn't play a role though) is that I'm now using a separate address space (192.168.0.x) for the local network with ICS and another one (192.137.0.x) for the VPN static address pool. Note that I have the DHCP Relay Agent in RAS disabled since I use a static pool in RAS for the VPN.
Hope this helps anyone else faced with the same situation.
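The fix above was done by hand on each workstation through Explorer. The following PowerShell is an added example (not from the original post) that does the same from the DC: it enables the Network Discovery and Remote Desktop firewall rule groups only for the Domain/Private profiles, refuses to run on a workstation whose adapter is classified as Public, and starts the discovery services the Network view depends on. It assumes Windows 8.1 / Server 2012 R2 or later (NetSecurity module), PowerShell remoting enabled on the workstations, and placeholder computer names WS01 to WS04.

```powershell
# Added example, not the poster's own steps. Run on a workstation, or from the DC
# via Invoke-Command (requires WinRM/PS remoting enabled on the clients, which
# is off by default on client Windows). Assumes NetSecurity module (Win 8.1+).
function Repair-LanDiscovery {
    param([string[]]$RuleGroups = @('Network Discovery', 'Remote Desktop'))

    # Safety check: never open discovery/RDP on an adapter sitting on a Public
    # network. The ICS-facing LAN adapter should be Private or DomainAuthenticated.
    $public = Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public'
    if ($public) {
        Write-Warning ("Adapter(s) on a Public network: " +
                       ($public.InterfaceAlias -join ', ') +
                       ". Reclassify them before enabling discovery.")
        return $false
    }

    foreach ($group in $RuleGroups) {
        # Enable only rules scoped to Domain/Private; skip any rule whose
        # profile includes Public (or 'Any', which covers Public too).
        Get-NetFirewallRule -DisplayGroup $group |
            Where-Object { $_.Profile -notmatch 'Public|Any' } |
            Enable-NetFirewallRule
    }

    # Function Discovery and SSDP/UPnP services must run for the Network
    # location in Explorer to list other hosts.
    foreach ($svc in 'fdPHost', 'FDResPub', 'SSDPSRV', 'upnphost') {
        Set-Service -Name $svc -StartupType Automatic
        Start-Service -Name $svc -ErrorAction SilentlyContinue
    }

    # Verify: any non-Public rule in these groups still disabled means failure.
    $stillOff = Get-NetFirewallRule -DisplayGroup $RuleGroups |
        Where-Object { $_.Enabled -eq 'False' -and $_.Profile -notmatch 'Public|Any' }
    return ($stillOff.Count -eq 0)
}

# From the DC: apply to each workstation (placeholder names) and report results.
$targets = 'WS01', 'WS02', 'WS03', 'WS04'
Invoke-Command -ComputerName $targets -ScriptBlock ${function:Repair-LanDiscovery} |
    ForEach-Object { "{0}: discovery enabled = {1}" -f $_.PSComputerName, $_ }
```

Keep the workstations' LAN adapter on the Private or Domain profile (as the poster did) so the rules this enables never apply to a public-facing interface.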