I have this setup:
- Windows Server 2012 R2 with 2 Gigabit NICs, one connected via a Gigabit switch to 4 workstations and the other exposed to the Internet
- the server is a Domain Controller and the workstations get group policies via Active Directory
- using ICS to provide Internet access to the workstations by sharing the respective server NIC through the local NIC
- using the 192.168.137.1 address for the server on the local NIC
- static addresses 192.168.137.2-5 set on the workstations, with the gateway set to 192.168.137.1 and no DNS set
- using RRAS on the server to provide VPN connectivity to users coming from the Internet. VPN clients (using the Microsoft Windows VPN connection) use a static address pool (set to use 192.168.137.100+), and it seems they see the server at 192.168.137.100 (they can RDP to it fine after logging in via the VPN) and they get addresses above it
The problem is that VPN clients don't see the ICS workstations.
The gateway on the VPN clients is shown as empty for the VPN interface when I run ipconfig on them, which I guess means they use some VPN gateway at the server.
I know ICS has a simple DHCP service (which one can turn off via the registry), so could I somehow tell RRAS to pass clients to that DHCP? RRAS seems to have a DHCP Relay Agent, which doesn't help if I set it to pass DHCP messages on to 192.168.137.1 (where the server also appears, apart from .100, if I run Advanced Port Scanner from a VPN client). Not sure if that is the correct way to set the DHCP server the VPN clients are to use anyway.
By the way, VPN clients lose Internet connectivity when they connect, but since the workstations have Internet access via ICS it is fine if the clients can access them via RDP (which they currently can't; they can only see the server and RDP to it after logging in via the VPN).
I have thought of various workarounds, like not using ICS but setting up NAT, but I'm not sure if I can set up NAT and VPN on a DC (whereas with ICS it seems to work fine).
I have also tried exposing the RDP ports of the workstations on other server ports (ICS has an advanced settings dialog where you can expose services to Internet clients, but probably this is only available to clients connecting via the Internet directly, not via VPN).
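A diagnostic script to narrow down where the VPN-to-workstation traffic stops, added here as an example and not part of the original question. It assumes the addresses from the question (server 192.168.137.1, workstations .2-.5, VPN pool .100+), a Windows 8.1 / Server 2012 R2 or later host so that `Test-NetConnection -Port` is available, and an elevated PowerShell session. Run it without switches on a connected VPN client to see which address and routes the VPN interface actually received and whether ICMP and TCP 3389 reach each workstation; run it with `-Server` on the RRAS/ICS server to confirm IPv4 forwarding is enabled on both interfaces and whether the server has neighbor (ARP) entries for the workstations and the VPN pool addresses.

```powershell
# Added diagnostic, not from the original post. Addresses are the ones given in
# the question; the VPN connection name is not assumed, interfaces are found by
# the 192.168.137.x address they carry instead.
param(
    [switch]$Server   # use on the RRAS/ICS server instead of a VPN client
)

$ServerIp     = '192.168.137.1'                                   # ICS/RRAS server, local NIC
$Workstations = 2..5 | ForEach-Object { "192.168.137.$_" }         # static workstation addresses
$VpnPool      = '192.168.137.1[0-9][0-9]'                          # .100 and above (regex)

# 1. Which local interface carries a 192.168.137.x address, and which address?
#    On a VPN client this is the PPP interface; it should show a pool address (.101+).
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like '192.168.137.*' } |
    Format-Table InterfaceAlias, IPAddress, PrefixLength -AutoSize

# 2. Routes toward the 192.168.137.0/24 subnet. A VPN client whose only matching
#    entries are /32 routes (its own address and the server) has no route to the
#    workstation addresses at all, so their traffic goes out the client's LAN.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -like '192.168.137.*' } |
    Sort-Object DestinationPrefix |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric -AutoSize

if ($Server) {
    # 3a. On the server: forwarding must be enabled on the interface the VPN
    #     clients arrive on and on the ICS-side NIC, otherwise packets between
    #     the pool and the workstation addresses are not relayed.
    Get-NetIPInterface -AddressFamily IPv4 |
        Format-Table InterfaceAlias, Forwarding, ConnectionState -AutoSize

    # 3b. Neighbor cache for the subnet: workstation MACs should be present on
    #     the ICS NIC; pool addresses show whether RRAS is proxying them.
    Get-NetNeighbor -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -like '192.168.137.*' } |
        Format-Table IPAddress, LinkLayerAddress, State, InterfaceAlias -AutoSize
}
else {
    # 3. On the client: per-host reachability, ICMP first, then TCP 3389 (RDP).
    #    Server reachable but workstations not = routing/forwarding on the server;
    #    nothing reachable = the client-side route problem from step 2.
    $results = foreach ($ip in @($ServerIp) + $Workstations) {
        $icmp = Test-Connection -ComputerName $ip -Count 1 -Quiet -ErrorAction SilentlyContinue
        $tcp  = Test-NetConnection -ComputerName $ip -Port 3389 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host        = $ip
            PingOk      = [bool]$icmp
            RdpPortOpen = [bool]$tcp.TcpTestSucceeded
        }
    }
    $results | Format-Table -AutoSize
}
```

The pattern to read from the output is whether the failure is on the client (no route to the workstation addresses via the VPN interface) or on the server (forwarding disabled or no neighbor entries for the hosts on the ICS NIC); the two cases are fixed in different places, so the check is worth running before changing RRAS or ICS settings.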