DNS Query & DNS Zone Transfer through ISA

DNS Query & DNS Zone Transfer through ISA - 6.Jun.2001 10:43:00 PM   
ace

 

Posts: 25
Joined: 1.Jun.2001
From: Allentown, PA, USA
Status: offline
I am publishing Exchange through ISA and I can't get Exchange to resolve names. I put Exchange outside the firewall and all is well, so I know the problem is within ISA. I created a protocol rule that allows DNS Query and Zone Transfers for the Exchange computer via a client address set. It doesn't work. What should I do or look for in order to solve this problem?

------------------

Ace

Post #: 1
RE: DNS Query & DNS Zone Transfer through ISA - 6.Jun.2001 11:17:00 PM   
madmax

 

Posts: 15
Joined: 6.Jun.2001
From: belper, derbyshire, england
Status: offline
Not sure if this will help. I heard that not only does Exchange need DNS query being allowed (TCP 53, not the UDP 53) but it also needed whois lookup??

give it a go.. worth a shot plus it might get me to retry stuff =]


(in reply to ace)
Post #: 2
RE: DNS Query & DNS Zone Transfer through ISA - 7.Jun.2001 5:44:00 PM   
Digitalcandy

 

Posts: 77
Joined: 7.Jun.2001
From: Orange County, CA
Status: offline
ACE, I think we have the same exact problem.
http://www.isaserver.org/ubb/Forum6/HTML/000046.html

When I get mine to work, I will surely let you know how I did it.

------------------
Ryan

[This message has been edited by Digitalcandy (edited 07 June 2001).]


(in reply to ace)
Post #: 3
RE: DNS Query & DNS Zone Transfer through ISA - 7.Jun.2001 5:50:00 PM   
ace

 

Posts: 25
Joined: 1.Jun.2001
From: Allentown, PA, USA
Status: offline
Just an update - I have tried everything I can think of. I put Exchange on the outside of the firewall for a test and mail goes out fine. I sent mail to a Hotmail account on the first try. I just can't seem to get it to go through ISA. It seems to be a resolving (DNS) issue. When it was outside I could do "nslookup - xxx.xxx.xxx.xxx" of my ISP's DNS and it returned the name as it should. When I placed it back inside with the same command I get a server timeout. I will keep you posted. Thanks Digitalcandy

------------------

Ace


(in reply to ace)
Post #: 4
RE: DNS Query & DNS Zone Transfer through ISA - 7.Jun.2001 7:46:00 PM   
jmunyan

 

Posts: 803
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline
Use nslookup to test host name resolution through the firewall. By default there should be a dns query filter defined allowing this type of traffic out.

Additionally, make sure that isa is the default gateway of the exchange box (or follows a default gate out).

John


(in reply to ace)
Post #: 5
RE: DNS Query & DNS Zone Transfer through ISA - 7.Jun.2001 7:50:00 PM   
ace

 

Posts: 25
Joined: 1.Jun.2001
From: Allentown, PA, USA
Status: offline
nslookup works great on ISA itself. It cannot resolve names from Exchange, however. And the default gateway for Exchange is the internal NIC of ISA. I just don't understand.

------------------

Ace


(in reply to ace)
Post #: 6
RE: DNS Query & DNS Zone Transfer through ISA - 7.Jun.2001 8:25:00 PM   
Digitalcandy

 

Posts: 77
Joined: 7.Jun.2001
From: Orange County, CA
Status: offline
quote:
Originally posted by ace:
And the default gateway for Exchange is the internal NIC of ISA. I just don't understand.


That sets up clients to the ISA as NAT clients. I tried this to no avail.


(in reply to ace)
Post #: 7
RE: DNS Query & DNS Zone Transfer through ISA - 7.Jun.2001 8:38:00 PM   
Digitalcandy

 

Posts: 77
Joined: 7.Jun.2001
From: Orange County, CA
Status: offline
What in the heck can we be doing wrong? My SBS4.5 works with no problems. I configure my new ISA server's "external" NIC with the exact same properties as the SBS4.5. I unplug the SBS from the router/hub so as not to cause IP conflicts and it still doesn't work.

Major frustration is setting in right about now! There have to be many companies out there that have Exchange 2000 behind an ISA firewall.

There is one difference I notice from our current SBS network to the one I am trying to implement. On our current network if I ping yahoo.com from a client computer it resolves the IP address but lets me know "destination host unreachable." That is fine and I understand. On my new network with ISA, if I ping yahoo from my mail server it doesn't even resolve the IP address. I get the message "Unknown Host." I agree, it has something to do with DNS. But why can I freakin' connect to internet sites with I.E. yet can't send damn internet mail!

For testing purposes I disabled Packet Filtering on ISA. I also made a Protocol rule to allow every protocol through the server. So in a sense I made anything get through right now to see if it would work. NOPE!


(in reply to ace)
Post #: 8
RE: DNS Query & DNS Zone Transfer through ISA - 7.Jun.2001 8:44:00 PM   
ace

 

Posts: 25
Joined: 1.Jun.2001
From: Allentown, PA, USA
Status: offline
Have you tried any other sort of activity with ISA other than Web proxy? I have people browsing through ISA and they are all wonderful. Other than that, ISA isn't doing anything. What I am asking is, is it possible that we have ISA set up incorrectly somehow? Other than browsing, this is the first time I am "punching holes" in the firewall for anything. But then again, I had the evaluation editions running and everything was so easy. I had Exchange sending internet email in a few hours. Now that I am ready to implement them in a production environment, I have spent days and am getting nowhere.

------------------

Ace


(in reply to ace)
Post #: 9
RE: DNS Query & DNS Zone Transfer through ISA - 7.Jun.2001 8:50:00 PM   
Digitalcandy

 

Posts: 77
Joined: 7.Jun.2001
From: Orange County, CA
Status: offline
I don't see how we could be doing anything wrong. I am hoping Mr. Shinder will have some input on this thread. I never used the evaluation edition. I have been using sorry ass SBS4.5 for the past two years with no problems. It comes with Proxy 2.0.

Are you running ISA on a Domain Controller that is also a DNS server? That is what I am doing.

The only thing I need to get working is internet mail and web proxy. Web proxy works fine just like you. Internet mail is not doing crap!


(in reply to ace)
Post #: 10
RE: DNS Query & DNS Zone Transfer through ISA - 7.Jun.2001 9:06:00 PM   
Digitalcandy

 

Posts: 77
Joined: 7.Jun.2001
From: Orange County, CA
Status: offline
Check out the last post on this thread. It applies to me. What about you? I am going to uninstall SP2 to see if this works.
http://www.isaserver.org/ubb/Forum6/HTML/000021.html

(in reply to ace)
Post #: 11
RE: DNS Query & DNS Zone Transfer through ISA - 7.Jun.2001 10:19:00 PM   
ace

 

Posts: 25
Joined: 1.Jun.2001
From: Allentown, PA, USA
Status: offline
I really hope that isn't it. When I installed SP2, I didn't check the box to be able to uninstall it. Let me know how it goes. I am just going to keep digging...

(in reply to ace)
Post #: 12
RE: DNS Query & DNS Zone Transfer through ISA - 7.Jun.2001 10:36:00 PM   
Digitalcandy

 

Posts: 77
Joined: 7.Jun.2001
From: Orange County, CA
Status: offline
Well, after going through Microsoft's knowledge base, I couldn't find anything that would help our issue. I have not yet uninstalled SP2. It is the last thing I want to do. I did however check the box for backup, so I am good there.

The whole time I have been testing Internet mail I have been doing it on the mail server itself through OWA interface. I am going to try a laptop just to see what happens. I will let you know.


(in reply to ace)
Post #: 13
RE: DNS Query & DNS Zone Transfer through ISA - 7.Jun.2001 10:58:00 PM   
Digitalcandy

 

Posts: 77
Joined: 7.Jun.2001
From: Orange County, CA
Status: offline
Same undeliverable message on laptop with Outlook 2000.

(in reply to ace)
Post #: 14
RE: DNS Query & DNS Zone Transfer through ISA - 7.Jun.2001 11:02:00 PM   
Digitalcandy

 

Posts: 77
Joined: 7.Jun.2001
From: Orange County, CA
Status: offline
Well now...this could be interesting. I authenticated to my DC with a win98 laptop. I tried to browse Network Neighborhood and I couldn't. I did a winipcfg /all to see what's up and all parameters are correct from the DHCP service on the DC. Then I tried to browse the network with my mail server and same thing happened. Something funky is going on with DNS giving up the "booty" to clients. I am going to check out some DNS services on the DC.

(in reply to ace)
Post #: 15
RE: DNS Query & DNS Zone Transfer through ISA - 7.Jun.2001 11:19:00 PM   
Digitalcandy

 

Posts: 77
Joined: 7.Jun.2001
From: Orange County, CA
Status: offline
ACE, if you want you can email me your phone number. I think I have found something interesting and this posting is getting to be a pain in the arse!

digitalcandy@hotmail.com

------------------
Ryan


(in reply to ace)
Post #: 16
RE: DNS Query & DNS Zone Transfer through ISA - 9.Jun.2001 1:16:00 AM   
Digitalcandy

 

Posts: 77
Joined: 7.Jun.2001
From: Orange County, CA
Status: offline
I finally got my new network to email to the Internet.

Well, I reformatted my Domain Controller and Mail server. I reinstalled W2K but I did not make my Internal Domain name the same as our Internet Domain Name. I left my servers at Service Pack 1 for now. For testing purposes I grabbed a fairly powerful PIII desktop to load W2K and ISA. I gave the "external" NIC the same properties as our current SBS4.5 external NIC. I then published the Mail server. On the Mail server I configured the Gateway TCP properties to point to the "internal" NIC of my ISA server (this makes the Mail server a SecureNAT client). I then went into the Virtual SMTP properties and used DNS from the ISA server and added the DNS entries of the internet DNS servers on the "configure" tab.

I tested from a laptop computer and mail didn't go through. I got frustrated really quick. Then I went to ISA again and allowed all protocols to pass and disabled IP Packet filtering. Now internet mail works! I am just happy it is working. I now have to spend time on ISA to figure out why "Secure Mail Publish" doesn't let you send internet mail.


(in reply to ace)
Post #: 17
RE: DNS Query & DNS Zone Transfer through ISA - 11.Jun.2001 2:47:00 PM   
ace

 

Posts: 25
Joined: 1.Jun.2001
From: Allentown, PA, USA
Status: offline
That's great, I'm really glad one of us at least has mail going through. I do want to mention that I have read in these message boards that Tom Shinder said it is not advisable to disable packet filtering. It creates a security hole. (I am not claiming to be an expert, I am just repeating what I have read.) At least you're working now. I am going to keep trying. Talk to ya soon.

------------------

Ace


(in reply to ace)
Post #: 18
RE: DNS Query & DNS Zone Transfer through ISA - 11.Jun.2001 5:43:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Ace,

You are correct. You should always have packet filtering enabled on the ISA Server when one of the interfaces is connected to the Internet. Otherwise, you're just putting a big "hack me" sign on your server.

Thanks!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/



(in reply to ace)
Post #: 19
RE: DNS Query & DNS Zone Transfer through ISA - 12.Jun.2001 12:16:00 AM   
Digitalcandy

 

Posts: 77
Joined: 7.Jun.2001
From: Orange County, CA
Status: offline
I have disabled packet filtering to figure out why internet mail is working or isn't working. I bought ISA for a reason and intend on using it the way it is intended. Disabling the packet filtering is a temporary test to see if internet mail would go through and it is now. I now need to figure out what is causing it not to go through when it is enabled.

Ace, if you have your ISA server on your DC, go into the DNS snap-in and check the properties of your organization. Make sure DNS services queries on your internal NIC and not external (if ISA is on your DNS server).

I now have my DC, Mail and ISA server on separate physical servers. Everything is working smoothly but I need to figure out ISA a bit more.

I really don't know what I could have done to get things working. My assumption would be that since I now have ISA on a separate server, the DC can't query DNS requests on the "external" NIC. I had my internal DNS name the same as our internet DNS name and since ISA was on the DC I think this was causing the problem. However, if you disable DNS query requests on your DC's "external" NIC (if ISA is on it), then maybe this will work too.

If you have any other questions about what I did, email me.

------------------
Ryan

[This message has been edited by Digitalcandy (edited 12 June 2001).]


(in reply to ace)
Post #: 20
