ISA Server DNS Error
We've been around the block with ISA Server now for almost a year. During that time, I've had the chance to get to know some of the most common issues people have with ISA Server. Relentless review of the ISAserver.org message boards, ISAserver.org mailing list and the msnews newsgroups shows that some problems keep coming up over and over again. What I'd like to do here is cover some of the most common and help with some answers.

The common problems can be broken down into seven general groups:

Access Policy Issues
Authentication Issues
Caching Issues
Connectivity Issues
Logging Problems
Publishing Problems
DMZ Issues

I'll do a series of articles on problems in each of these groups. As we all gain more experience with ISA Server, I'll update these articles to reflect the current state of the art.

Access Policy Issues

Access Policy issues relate to problems with outbound access. When you look in the ISA Management console, you'll see the nodes:

Site and Content Rules
Protocol Rules
IP Packet Filters

While each of these is primarily related to outbound access issues, they are not necessarily limited to them. For example, Site and Content rules can be configured to control content for inbound access (i.e., accessing published sites), and IP Packet Filters are used to control inbound access as well as outbound. Nevertheless, it's more convenient to
the more common questions that come up on the www.isaserver.org message boards and mailing list pertains to ISA firewall performance. The common complaint is that the "Internet was fast" before the ISA firewall was installed and then, after placing the ISA firewall inline, the "Internet" became "slow". While "fast" and "slow" are relative terms, the point is that it appears to the ISA firewall admin that performance has been adversely affected by the addition of the ISA firewall. Probably the most common reason for poor ISA firewall performance is a DNS related misconfiguration.
http://www.isaserver.org/articles-tutorials/articles/Common_Issues_with_ISA_Server_Access_Policy_Issues.html

The best DNS configuration on the ISA firewall is to configure DNS settings on a single interface on the ISA firewall, and that should be the interface closest to an internal DNS server that can resolve Internet host names (typically the internal interface, but it doesn't have to be). Then you move that interface to the top of your interface list in the Advanced settings in the Network Connections window. Note that this is a simplification, but it will work for 90%+ of ISA firewall admins who have an internal DNS server.
http://www.isaserver.org/blogs/shinder/isa-central/dns-related-performance-problems-for-the-isa-firewall-189.html

One thing you should never do is include the IP address of an external DNS server. Because of how the Windows DNS client works, it is possible that the internal DNS server will be dropped from the DNS list; you will then be stuck with only an external DNS server for name resolution, the ISA firewall won't be able to resolve internal host names, and it will lose connectivity to the internal AD/DCs. DNS is critical for proper functioning of the ISA firewall. The ISA firewall uses DNS to find the internal domain controller.
It also uses DNS to confirm that an IP address doesn’t match a FQDN that is listed in a URL Set or Domain Name Set that you’ve set in a Deny rule. In addition, ISA Enterprise Edition needs to use DNS to find its own name and if the ISA firewall array can’t resolve its own name, errors will occur in the Firewall service. Poor performance could be due to a DNS attack, or you might have compro
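The DNS layout recommended above (resolvers on one interface only, that interface first in the binding order, no external resolver anywhere) can be checked mechanically. This is an added example, not code from the articles quoted here; the interface list and the internal address ranges are constructed stand-ins for what you would read from ipconfig /all and the ISA Internal network definition.

```python
import ipaddress

# Constructed sample: interfaces in binding order (index 0 = top of the
# Advanced settings list in Network Connections), with the DNS servers set
# on each. This layout has the mistakes the text warns about.
INTERFACES = [
    {"name": "External", "dns": ["203.0.113.53"]},
    {"name": "Internal", "dns": ["10.10.0.10"]},
]
# Assumed address ranges of the protected (internal) network.
INTERNAL_RANGES = ["10.10.0.0/16", "192.168.2.0/24"]


def is_internal(ip, ranges=INTERNAL_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def audit_dns(interfaces, ranges=INTERNAL_RANGES):
    """Return findings; an empty list means DNS is set on exactly one
    interface, that interface is first in binding order, and no resolver
    lies outside the internal ranges."""
    findings = []
    with_dns = [i for i in interfaces if i["dns"]]
    if not with_dns:
        findings.append("no interface has a DNS server configured")
    elif len(with_dns) > 1:
        findings.append("DNS servers set on more than one interface: "
                        + ", ".join(i["name"] for i in with_dns))
    for iface in interfaces:
        for server in iface["dns"]:
            if not is_internal(server, ranges):
                findings.append(f"{iface['name']}: external resolver {server} "
                                "(can displace the internal DNS server)")
    # Binding order: the interface that carries the DNS settings must be first.
    if with_dns and interfaces[0] is not with_dns[0]:
        findings.append(f"'{with_dns[0]['name']}' carries the DNS settings but "
                        f"'{interfaces[0]['name']}' is first in binding order")
    return findings


if __name__ == "__main__":
    for finding in audit_dns(INTERFACES):
        print("FINDING:", finding)
```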
to external servers, a common scenario being your ISP's DNS servers. Configuration is done on the internal DNS server and also on ISA Server.

Configuration on DNS Server

1. Click Start, point to Administrative Tools, and then click DNS.
2. Right-click DNS-SRV (ServerName), where ServerName is the name of the server, and then click the Forwarders tab.
3. Click a DNS domain in the DNS domain list. Or, click New, type the name of the DNS domain for which you want to forward queries in the DNS domain box, and then click OK.
4. In the Selected domain's forwarder IP address box, type the IP address of the first DNS server to which you want to forward, and then click Add.
5. Repeat step 4 to add the other DNS servers to which you want to forward; usually you will have two ISP DNS servers, so enter them both.
6. Click OK.

The last thing you should do on your DNS server is to set it as a SecureNAT client; this is done by setting its default gateway to the ISA Server internal IP. This is all you have to do on your internal DNS server; now let's see what we need to do with ISA Server.
http://www.elmajdal.net/isaserver/Internal_DNS_Forwarding.aspx
http://www.microsoftnow.com/2009/05/top-12-mistakes-while-configuring-isa.html

Configuration on ISA Server

1. Open the ISA Management Console.
2. Create a new access rule: right-click Firewall Policy, then click New and choose Access Rule.
3. The New Access Rule Wizard will be launched. Give a name to your new rule; in this example we will name it Forward DNS To ISP. Then click Next.
4. In the Rule Action page, choose Allow, then click Next.
5. In the Protocols page, from the drop-down list of This Rule Applies To, choose Selected Protocols. Click the Add button; the Add Protocol page will open. Expand the Infrastructure container, choose the DNS protocol and click Add, then click Close.
6. The selected protocol will be displayed in the Protocols page; click Next.
7. On the Access Rule Sources page, click the Add button.
8. In the Add Network Entities dialog box, from the menu bar, click New and choose Computer.
9. The New Computer Rule Element page will open. Click the Browse button, then type your internal DNS server name in the first textbox under Name and click Find; the IP address of the DNS server will be listed. Click OK.
10. You will return to the New Computer Rule Element page; click OK.
11. Click the Computers folder. Double-click DNS-SRV, then click the Close button in the Add Network Entities dialog box.
12. Click Next in the Access Rule Sources dialog box.
13. Click the Add button on the Access Rule Destinations page.
14. In the Add Network Entities dialog box, click the Networks folder. Double-click the External entry and click Close in the Add Network Entities dialog box.
15. Click Next on
2009. Originally published in August 2007. This article lists some of the common configuration mistakes and gives information on how to avoid them.

There is no such thing as a single interface firewall

A firewall has a minimum of two network interfaces. This means you need at least *two* NIC cards in your ISA box if you want it to work as a firewall. Theoretically you can run ISA on a box with a single NIC, but that will do little to secure your network. You might just use it as a proxy that your users can connect to the Internet with. Tom Shinder of isaserver.org says: “Deploying a single-NIC ISA Firewall is like giving a soldier a Desert Eagle .50 and no ammo.” In short, you're not using ISA as a real firewall if you don't have two interfaces on it!

Specify the default gateway on that published server!

You need to specify the internal IP address of the ISA server as the default gateway on the server that you want to publish on ISA. Or, make sure that there are appropriate static routes in place.

Rules that contradict each other

As can be seen from the diagram below, ISA processes your access rules in the order that you specify them, i.e. rule #1 is processed first, then 2, 3, etc. If ISA finds that rule #1 satisfies the conditions required for the access requested by the user, it skips all remaining rules and grants (or denies) access. However, if the conditions do not match for the current rule, it moves on to the next rule and so on. If you happen to place a rule that 'allows internet access to all users' BEFORE a rule that 'denies internet access to Peter', then Peter will still have internet access. It might look simple but these mistakes happen all the time.

IP Addresses

The external interface and internal interfaces on the ISA firewall must belong to separate IP ranges. You cannot have internal and external interface IP addresses from the same IP range.
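The first-match behaviour behind the "allow all before deny Peter" mistake, reduced to a small model so the effect of rule order can be tested, plus a check that reports rules an earlier, broader rule makes unreachable. This is an added example and not ISA's own policy engine; rules are simplified to a user set and a protocol set, with "*" meaning any, and the rule names and user "peter" are constructed.

```python
class Rule:
    """Simplified ISA access rule: action plus user and protocol conditions."""

    def __init__(self, name, action, users="*", protocols="*"):
        self.name, self.action = name, action
        self.users, self.protocols = users, protocols

    @staticmethod
    def _hit(field, value):
        return field == "*" or value in field

    def matches(self, user, protocol):
        return self._hit(self.users, user) and self._hit(self.protocols, protocol)

    @staticmethod
    def _covers(wide, narrow):
        return wide == "*" or (narrow != "*" and set(narrow) <= set(wide))

    def covers(self, other):
        """True if every request matching `other` also matches this rule."""
        return (self._covers(self.users, other.users)
                and self._covers(self.protocols, other.protocols))


def evaluate(rules, user, protocol):
    """Try rules in listed order; the first match decides. A request that
    matches nothing falls through to the implicit default deny."""
    for rule in rules:
        if rule.matches(user, protocol):
            return rule.action, rule.name
    return "deny", "Default rule"


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [rule.name for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


# Constructed rule set from the text: the broad allow placed before the deny.
MISORDERED = [
    Rule("Allow Internet to all users", "allow", "*", {"HTTP", "HTTPS"}),
    Rule("Deny Internet to Peter", "deny", {"peter"}, {"HTTP", "HTTPS"}),
]
CORRECTED = [MISORDERED[1], MISORDERED[0]]   # specific deny moved first

if __name__ == "__main__":
    print("misordered:", evaluate(MISORDERED, "peter", "HTTP"), shadowed(MISORDERED))
    print("corrected: ", evaluate(CORRECTED, "peter", "HTTP"), shadowed(CORRECTED))
```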
IP Spoofing: In case there is an internal router that splits the internal network into two (see diagram above), and ISA Server is in one of these networks, make sure that ranges on either side of the internal router are entered in the Internal network address range on ISA. For example, if you have two internal (protected) networks 192.168.2.0/24 and 10.10.0.0/16 separated by a router, and the ISA is at (say) 10.10.0.4, the Internal range on ISA should ideally include 192.168.2.1-192.168.2.254 as well as 10.10.0.1 to 10.10.255.254. Installing a
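A way to verify that the Internal network address ranges entered on ISA cover every protected subnet behind the internal router, so hosts on the far side are not treated as spoofed. This is an added example, not part of the original article; the ranges use the same "first-last" form as the ISA network definition and the sample subnets are the two from the text.

```python
import ipaddress


def parse_range(text):
    """'192.168.2.1-192.168.2.254' -> (first, last) as integers."""
    first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    return int(first), int(last)


def merge(ranges):
    """Sort and merge overlapping or adjacent (lo, hi) intervals."""
    out = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def uncovered(internal_ranges, subnets):
    """For each routed subnet, return the usable host intervals that no
    Internal range covers, as 'first-last' strings. Empty dict = all covered."""
    covered = merge(parse_range(r) for r in internal_ranges)
    gaps = {}
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        lo, hi = int(net[1]), int(net[-2])     # usable hosts; skip net/broadcast
        holes, cursor = [], lo
        for c_lo, c_hi in covered:
            if c_hi < cursor:
                continue                       # interval lies below the subnet
            if c_lo > hi:
                break                          # remaining intervals are above it
            if c_lo > cursor:
                holes.append((cursor, c_lo - 1))
            cursor = max(cursor, c_hi + 1)
        if cursor <= hi:
            holes.append((cursor, hi))
        if holes:
            gaps[cidr] = [f"{ipaddress.ip_address(a)}-{ipaddress.ip_address(b)}"
                          for a, b in holes]
    return gaps


if __name__ == "__main__":
    # Constructed case: only the ISA-side subnet was entered on the firewall.
    print(uncovered(["10.10.0.1-10.10.255.254"], ["192.168.2.0/24", "10.10.0.0/16"]))
```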