
DHCP in VPN - Best Practice?


I am interested in knowing what the best practice is for dynamically issuing addresses to clients on a VPN.

I have a Windows 2003 AD network where a DHCP server has already been configured with a pool of addresses (we're a small company so only one subnet). I was just going to let DHCP issue addresses to the VPN clients from the pool that's already set up. However, in another post a comment was made that a separate address pool should be set up for VPN clients.

So - if it is best to set up a different address pool, why? I don't mind reading if you have an article to reference - I just can't seem to find any on my own.

Is it better to let the DHCP server on the network issue the addresses or should I let my firewall (which has its own DHCP server and is where the client VPN connection terminates) issue the addresses?

Thanks for the help.

On the numerous Small Business Server 2000 and 2003 boxes I've set up with Routing and Remote Access, I usually just let DHCP hand out the IP addresses. It makes life a lot easier.

However, I can see why others would suggest a static pool--makes it easier when you assign certain IP ranges to certain things.

Like if you use 10.0.0.x (x being 1-254):

1-20 could be routers, managed switches, etc. (which are static anyway)
21-40 could be servers (static)
41-60 could be printers (usually static)
61-80 could be miscellaneous devices (wi-fi cameras, miscellaneous IP-based equipment) (probably a good idea to be static)
81-100 could be your VPN pool (put these in RRAS)
101-200 could be your workstations (DHCP--make this your scope)
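
An added example, not part of the original thread: a Python sketch that encodes the address plan from the answer above, checks that the RRAS VPN pool and the DHCP scope do not overlap, and maps an address seen in a firewall or server log to its role. The /24 mask and the names `PLAN`, `validate_plan` and `classify` are assumptions made for the example.

```python
import ipaddress

# Address plan from the answer above (10.0.0.x); the /24 mask is an assumption.
NETWORK = ipaddress.ip_network("10.0.0.0/24")
PLAN = [  # (first host number, last host number, role, how it is assigned)
    (1, 20, "network gear", "static"),
    (21, 40, "servers", "static"),
    (41, 60, "printers", "static"),
    (61, 80, "misc devices", "static"),
    (81, 100, "vpn pool", "rras"),
    (101, 200, "workstations", "dhcp"),
]

def validate_plan(plan, network=NETWORK):
    """Return a list of problems: ranges outside the subnet or overlapping."""
    problems = []
    hosts = network.num_addresses - 2  # usable host addresses in the subnet
    ordered = sorted(plan)
    for first, last, role, _ in ordered:
        if not (1 <= first <= last <= hosts):
            problems.append(f"{role}: {first}-{last} outside usable range 1-{hosts}")
    # After sorting, an overlap shows up between neighbouring ranges.
    for (f1, l1, r1, _), (f2, l2, r2, _) in zip(ordered, ordered[1:]):
        if f2 <= l1:
            problems.append(f"{r1} ({f1}-{l1}) overlaps {r2} ({f2}-{l2})")
    return problems

def classify(addr, plan=PLAN, network=NETWORK):
    """Map an IP address to its role in the plan."""
    ip = ipaddress.ip_address(addr)
    if ip not in network:
        return "off-subnet"
    host = int(ip) - int(network.network_address)
    for first, last, role, _ in plan:
        if first <= host <= last:
            return role
    return "unallocated"

if __name__ == "__main__":
    print(validate_plan(PLAN) or "plan is consistent")
    for sample in ("10.0.0.90", "10.0.0.150", "10.0.0.250"):  # constructed samples
        print(sample, "->", classify(sample))
```
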


