Hi all i am new to ISA Server so bare with me ok. First, i am using VMWare to set up a test network and i have installed ISA 2000 on a 2003 Server and installed the Firewall client software on a workstation. I have then created a protocal rule on the ISA, but still my workstation will not connect to the internet. Can anyone help please.
if you are new to ISA server I highly recommend you drop ISA 2000 and go with at least ISA 2004 or even better ISA 2006. The point is that ISA 2000 is getting "very old" and ISA 2004/2006 is conceptual quite different than ISA 2000. So, go for ISA 2006 if possible.
Nevertheless, do you have a site&control rule in place to allow the destination and the content?
HTH, Stefaan
< Message edited by spouseele -- 8.Sep.2006 8:37:45 PM >
I would love to ISA 2004 but unfortunately i dont have a copy. As for the site & control rule in place, umm no i dont, could you explain to me please. Thanks for the reply by the way.
Yeah i have looked at this but it`s only for so many days!! The way i study i really need a full copy.
By the way i have sorted out my workstations, they now can connect to the internet, thanks for the link. My only concern is it takes ages for them to connect!! Any ideas on this??
assuming you have no adapter problems (driver, speed & duplex setting) it is likely a routing and/or name resolving problem. Please post some more info about your exact configuration. To start with, an 'ipconfig /all' and a 'route print' on the ISA and the workstation could be helpfull. Also, are you running an internal DNS server?
Ok i would like to upload the info you asked for but i dont know how!! I have used the FAQ section that clearly states to tick the box "Click here to upload". Or to insert a bmp image that i have to check the box "Embed picture in post”. BUT i cannot find it anywhere???
aha... I need some more info: - what is the content of the LAT (Local Address Table) on ISA? - what is the host 192.168.229.2 used as default gateway and DNS server on the ISA LAN2 nic? - what is the host 192.168.0.1 used as default gateway, DNS and DHCP server on the Workstations LAN nic? - do you have an Active Directory server on the ISA internal LAN?
Hi Spouseele, umm your getting technical now, lol, What do you mean by :
- what is the host 192.168.229.2 used as default gateway and DNS server on the ISA LAN2 nic? - what is the host 192.168.0.1 used as default gateway, DNS and DHCP server on the Workstations LAN nic?
The Contents od the LAT Table are as follows: 10.0.0.0 10.255.255.255 169.254.0.0 169.254.255.255 172.16.0.0 172.31.255.255 192.168.0.0 192.168.0.255 192.168.0.0 192.168.255.255
OK, let's draw a little diagram to help explain how the general network setup should be:
quote:
192.168.0.0/24 vvv [ PC ] --------- [ ISA ] --------- Internet/External ^^^ 192.168.229.0/24
In the above diagram, I assume that the ISA internal interface is a member of the Network ID 192.168.0.0/24 and that the ISA External interface is a member of the Network ID 192.168.229.0/24. So the default gateway on ISA should *only* be set on the ISA external interface and that looks OK in your case. However, the LAT on ISA should *only* contain the Network ID's used on the internal network. In your case I think this is the Network ID 192.168.0.0/24 only and therefore the LAT should only have the single entry 192.168.0.0 - 192.168.0.255.
Question: what type of device is the host 192.168.229.2? It seems to be used as default gateway *and* as DNS server and that is a little bit strange.
Now, on the internal network you said you have a DC. So, may I assume it has the IP address 192.168.0.1 and is used as internal DHCP *and* DNS server?
Question: why is on the internal workstation the default gateway 192.168.0.1 and not the ISA internal interface?
About the optimum DNS configuration: ----------------------------------------
Assuming you have an internal DNS server, do *not* specify any ISP/External DNS server on any adapter of the ISA server. Just the internal DNS server on the internal interface and make sure the internal adapter is listed first in the adapter order as explained in Jim's excellent article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html .
Next, perform the following configuration steps:
1) configure the internal DNS server as a SecureNAT client. That means his default gateway should point to the ISA internal interface.
2) enable forwarders on your internal DNS server and specify there your ISP/External DNS servers. Also, make sure you check the "Do not use recursion" box.
3) create on ISA a client address set containing your internal DNS server.
4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.
5) create on ISA a *separate* site&content rule allowing access to any destination or better to a destination set containing your ISP/External DNS servers, and apply it to the above created client address set.
Now, thoroughly test the DNS name resolving with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.
Ok i have followed your advise but i must be missing something as its still very slow.Below is a print of when i ran nslookup on the DC. Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\>nslookup jaguar DNS request timed out. timeout was 2 seconds. *** Can't find server name for address 192.168.0.1: Timed out Server: UnKnown Address: 192.168.0.1 Name: jaguar.Contoso.local Address: 192.168.0.12
you seems to have a problem with the configuration of the DNS server itself. Check out if you have a reverse zone so that IP addresses can be translated to FQDN's!
Oh... and please, do NOT autoregister the ISA interfaces in the DNS server (Interface properties -> DNS tab, uncheck the box 'Register this connection's addresses in DNS'). Instead you should define them statically in the DNS server.
do NOT autoregister the ISA interfaces in the DNS server (Interface properties -> DNS tab, uncheck the box 'Register this connection's addresses in DNS').
Yes the check box is unchecked. But what would happen if this box was left ticked.?
you seems to have a problem with the configuration of the DNS server itself. Check out if you have a reverse zone so that IP addresses can be translated to FQDN's!
When a new reverse zone is created do i add the Internal IP address? 192.168.0?
Yes the check box is unchecked. But what would happen if this box was left ticked.?
Whenever ISA server acquire a new IP address (i.e. by enabling VPN client access), you would get a wrong registration for the ISA internal interface which breaks Auto Configuration, Web Proxy and Firewall client access.
quote:
When a new reverse zone is created do i add the Internal IP address? 192.168.0?
Yes, if the internal Network ID is 192.168.0.0/24, the reverse zone is '192.168.0'.