Here is what I want:

1 DNS (this is one physical machine) with same domain name internal and external, hosting the (A) records for the published web site and mail.

1 exchange 2000 mail server (this is another physical machine) - needs to allow mail from internal and external sources. ie. people can get there mail from home and in the office from the same domain name.

1 ISA Server (yet another physical machine).

Here is what I have:

5 static IPs from ISP.

ISA Server has got 2 NIC cards one configured to 1 external IP and one configured for SecureNAT.

DNS server configured as internal SecureNAT DNS with 1 NIC. (I think this needs to be external but I read here in the boards that you need 2 external DNS or cheat and put 2 IPs -How is this done?)

Exchange Server-also configured as SecureNAT mail with 1 NIC

What do I need to do in order to get my web site and email published? (Remember I need the same name internally and externally. Same mail external and internal.)

Please be specific as to what needs to be done. For example if I need to setup my DNS as a external DNS, please tell the steps involved. If I need to make an extra dns zone for internal use then how is this done?
I need examples or you to be detailed.

Please dont ask why I want it, the way I want it. I just do.

Thanks for taking the time to help. I'll pay you back some how.

Thanks
Robert

Thanks
Robert

Here are the general steps:

1. Publish the DNS Server on your internal network

2. Go to whereever you need to and register to of the IP addresses on the external interface of the ISA Server as authoritative for your domain

3. Create the appropriate Resource Records A, MX etc. on your DNS server

4. Publish your mail server on the IP address your included in the MX record (the Host IP address that the MX record points to)

5. Have fun!

Its actually not that difficult. I set up an office just like this a couple of days ago and it works great. Same domain name for internal and external resources. The only draw is that they have to go through the ISA Server to use their domain name to access resources. But the server is a quad proc with 2 GB of RAM, so they're not have too many problems (also using GB NICs and switches).

HTH,
Tom

------------------
http://www.isaserver.org/shinder/



Get It Here!

I have done most of what you said. The part I dont get is :

Go to whereever you need to and register to of the IP addresses on the external interface of the ISA Server as authoritative for your domain

Do you mean register my FQDN with the internet? I have done this. The name is an "*.*.edu.*" FQDN. They require that my DNS host the (A) records.

When I publish the name from an internal DNS, no one from an external source can even "reconize" there is a site called "www.*.*.edu.*". What I mean by "reconize" is that there is no "Page can not be displayed" error. The browser will just take them to the Microsoft search engine. When I publish without the ISA server, I have no problems hosting the site. Please explain the deal as I am lost.

Thanks
Robert

It might be a problem with your Destination Set. If the name resolves correctly without the ISA Server and you can confirm with nslookp, check the Destination Set and that it contains the FQDN that external users use to access the site.

HTH,
Tom

------------------
http://www.isaserver.org/shinder/



Get It Here!

quote:

---

Originally posted by Dominion:

Go to whereever you need to and register to of the IP addresses on the external interface of the ISA Server as authoritative for your domain

Do you mean register my FQDN with the internet? I have done this. The name is an "*.*.edu.*" FQDN. They require that my DNS host the (A) records.

---

If your provider requires you to be authoritative for your domain (you host A records) you will either need to set up an external DNS or publish your DNS through the ISA box.

Jim H. has a good article about it here: http://www.isaserver.org/pages/tutorials/dns-4-isa.htm

quote:

---

When I publish the name from an internal DNS, no one from an external source can even "reconize" there is a site called "www.*.*.edu.*". What I mean by "reconize" is that there is no "Page can not be displayed" error. The browser will just take them to the Microsoft search engine. When I publish without the ISA server, I have no problems hosting the site. Please explain the deal as I am lost.

---

Your exterior users are getting the MS search page because no DNS server is available to resolve www.*.*.edu.* for the client. When you publish a DNS server to resolve the FQDN the problem should go away.

Jay

Thanks,
Robert

I have checked the destination set and it points to my FQDN at the internal DNS. That is the "www.*.*.edu.*". That is OK.

Then I checked my settings for the published DNS on ISA using the server publishing and the DNS querry.

I then did an nslookup from the ISA machine and it gave me the name for my ISP DNS, not my internal DNS. Is this the problem? How do I correct it?

FIY....I just got Toms books and its great. Full of good info. Everyone BUY IT!

Thanks,
Robert

quote:

---

One point I should make though, I am using the ISA DEMO version. Could this be why I am having so much trouble?

---

*Shouldn't* be, but I bow to the experts on this one.

Tom, are there any marked differences in the demo vs full version?

quote:

---

I then did an nslookup from the ISA machine and it gave me the name for my ISP DNS, not my internal DNS. Is this the problem? How do I correct it?

---

Check the DNS server tabs for your internal and external nics. I'd bet the exterior one is pointing to your ISPs DNS. Change it to your interior DNS Ip and you should be fine.

Jay

You are right. The external NIC points to my ISP DNS. I have changed it, but have not checked the from an external source yet. I will do it now.

By the way, why is it, that the external NIC needs to point to the internal DNS?

Thanks,
Robert

I have checked from an external source and can not reach the web page -I get the "this page can not be displayed" message, however, when I ping "www.*.*.edu.*", I get a the resolved IP with request time out message. I have enabled IP routing so the ping should get thru.

Also, I have tried to access the page with the DNS packet filter on and off. Still no luck. But I think I am getting closer to my goal.

Thanks for all the help.
Robert

The full and demo versions are the same except that you can't apply services packets or hotfixes to the demos.

HTH,
Tom

quote:

---

Originally posted by Dominicon:
Check the DNS server tabs for your internal and external nics. I'd bet the exterior one is pointing to your ISPs DNS. Change it to your interior DNS Ip and you should be fine.

Jay

---

------------------
http://www.isaserver.org/shinder/

Get It Here!

The external NIC can point to the ISP or you can leave it empty and configure the internal NIC to use your internal DNS server.

HTH,
Tom

quote:

---

Originally posted by Dominion:
Thanks,

You are right. The external NIC points to my ISP DNS. I have changed it, but have not checked the from an external source yet. I will do it now.

By the way, why is it, that the external NIC needs to point to the internal DNS?

Thanks,
Robert

---

------------------
http://www.isaserver.org/shinder/

Get It Here!

First, make sure your name resolution is working correctly.

From an internal network host (or external) do this:

nslookup [ENTER]
server <isa_dns_server> [ENTER] www.yourdomain.com [ENTER]

Does it resolve correctly? If you have name resolution working correctly, you can get to the next step which is making the publishing rule work.

HTH,
Tom

quote:

---

Originally posted by Dominion:
Okies,

I have checked from an external source and can not reach the web page -I get the "this page can not be displayed" message, however, when I ping "www.*.*.edu.*", I get a the resolved IP with request time out message. I have enabled IP routing so the ping should get thru.

Also, I have tried to access the page with the DNS packet filter on and off. Still no luck. But I think I am getting closer to my goal.

Thanks for all the help.
Robert

---

------------------
http://www.isaserver.org/shinder/

Get It Here!

I have found the problem! (II think
) My name resolution is not coming out of the ISA BOX. I switch over to the ISA server with nslookup and bang, it hit me in the face. Isa proxy gives the maessage "(ISA proxy) can't find "www.*.*.edu.*": NO response from server."

I am pretty sure this is the cause of my headaches.

Now the question is how do I fix it?

I dont think I need to install DNS on the ISA as I see that as a possible security risk. (could I be wrong?). That means the internal DNS needs something. But What? I will do some reading/studying on this problem. I'll be back.

THANKS ALOT GUYS,
I LOVE YA ALL.
Robert.

I set these things up all the time for small and medium sized biz that wnat to run their own web services after getting burned by hosting services.

I'll write an article on how this is done over the weekend and get it put up next week. Its really easy once you figure out how ISA Server does its thing

HTH,
Tom

------------------
http://www.isaserver.org/shinder/

Get It Here!

Here are some things that I have done to try to make my DNS functional thru the ISA proxy.

1. Turned on IP routing
2. Published DNS Server on ISA using DNS querry protocol.
3. Entered a DNS service location resource record. Service name : Q931 Protocol :_TCP Port Number: 1720 Host: ISA PROXY FQDN

(This is suposedly for the H.323 GATE Keeper which controls the VPN aspect of things, like netmeeting ect....not really sure how it works, but I added it anyway.)

4. CNAMES for my WWW. FTP. and internal pages.

I know there is something else to be done but I have no idea as to what it is. Any Ideas?

Thanks
Robert

And I forgot...I also published the DNS using the DNS tranfer rule. I still got no luck in getting the ISA server to resolve my FQDN.

Still Looking,
Robert