Welcome to ISAserver.org

Discussion about article on Configuring Wireless DMZs part 1

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> DMZ >> Discussion about article on Configuring Wireless DMZs part 1

Page: [1]

Message

<< Older Topic Newer Topic >>

Discussion about article on Configuring Wireless DMZs p... - 9.Apr.2005 8:45:00 PM

tshinder

Posts: 47127
Joined: 10.Jan.2001
From: Texas
Status: offline

This thread is about discussion part 1 of the article series on configuring Wireless DMZs at http://isaserver.org/tutorials/2004wirelessdmzpart1.html

HTH,
Tom

[ April 09, 2005, 08:51 PM: Message edited by: tshinder ]

Post #: 1

Featured Links*

RE: Discussion about article on Configuring Wireless DM... - 21.Apr.2005 4:46:00 PM

janm

Posts: 1
Joined: 21.Apr.2005
Status: offline

I think there is a little error in the text.

Perform the following steps to create the Forward lookup zone:

4. On the Forward or Reverse Lookup Zone page, select the Reverse lookup zone option and click Next.

...select the Reverse lookup zone... must be ...select the Forward lookup zone... i supose.

J.

(in reply to tshinder)

Post #: 2

RE: Discussion about article on Configuring Wireless DM... - 8.Sep.2005 1:44:00 PM

VinceCarrasco

Posts: 1
Joined: 27.Feb.2005
From: California
Status: offline

Another great article, thanks.

My ISA Firewall is already in service. In your article you tell us to install the third NIC before installing ISA. What kind of problems will I run into if I add the third NIC now and work through the configurations you describe? Or, would it be better to start over?

Thanks,
Vince

(in reply to tshinder)

Post #: 3

RE: Discussion about article on Configuring Wireless DM... - 25.Oct.2005 10:17:00 AM

t029248

Posts: 11
Joined: 14.Aug.2003
From: Holanda
Status: offline

I really appreciate these articles in addition to the great ISA 2004 book. They�re teaching me step by step so much more about ISA / firewalls and general networking. (un)fortunately there are always questions not being answered since every environment is different.

I�m applying this setup (untrusted DMZ) to my environment, I also want to use a split DNS infrastructure because we, are publishing internal websites and the OWA server I assume on the isa server resolving the internal IP addresses for these server needs to be done.

I found that:

(This is the only interface that has a DNS server configured on it. The DNS server should be a DNS server on the Default Internal Network, and that DNS server should be configured to resolve Internet host names, either by performing recursion itself, or by using a Forwarder (such as your ISP). This interface does not have a default gateway.)

Doesn�t work in my situation, If I limit the DNS listener to the Wireless DMZ segment external DNS queries fail because clients and the other DNS servers use the LAN NIC on the ISA to resolve external IP addresses. Like this they only can resolve host on the Wireless DMZ segment.

Since the sDSLS router is on another subnet I could make a persistent route on the router or allow the dns server on the ISA to listen on all the LAN Nic to keep resolving working

I�m not yet sure what�s the best solution.

[ October 25, 2005, 10:18 AM: Message edited by: Drallas ]

(in reply to tshinder)

Post #: 4

RE: Discussion about article on Configuring Wireless DM... - 23.Feb.2007 3:35:55 PM

lazyman

Posts: 6
Joined: 4.Dec.2006
Status: offline

We were having similar problem. Followed all the steps in the article minus the internal rule and the exchange / smtp directions (did not need) but could not get internet access from wireless DMZ and also could not get access to wireless router from isa on DMZ. Only change made from directions was to let internal (isa) dns (which serves DMZ and has diff subnet than internal network / dns) listen in internal interface as well as dmz interface. Now all works. Do not know if this means I have a conflict in my exisitng firewall rules (pretty complex - running SurfControl and requiring auth for most traffic, which force custom protocols and special rules for any traffic needed to be passed anonymous) or a problem with my internal (isa) dns but this works. If someone knows of a reason why I should not do this and a better solution please advise. Otherwise, we will continue in our happy little working environment. ...

(in reply to t029248)

Post #: 5

RE: Discussion about article on Configuring Wireless DM... - 1.Dec.2007 5:55:06 PM

Cashmo

Posts: 12
Joined: 28.Jun.2007
Status: offline

Similar problem here also. Trying to create guest wireless access with no local network access.

ISA2006, member of domain
WAN IP = x.x.x.x, has no dns ip
LAN IP = 192.168.3.1, no gateway ip, dns = 192.168.3.12
DMZ IP = 10.10.10.1, no gateway ip, no dns ip

WAP
WAN IP = 10.10.10.2, gw = 10.10.10.1, dns = 10.10.10.1
LAN IP = 10.10.10.3
DHCP server to 10.10.10.11+

Win2003 Domain Controller & DNS server, IP = 192.168.3.12
Forwards to ISP's DNS servers.
Internal network clients browse ok.

Added DNS to ISA box, only listens to 10.10.10.1, forwarders set to ISP DNS servers, created rev/fwd lookup zones and ISA Access Rule to allow DNS from DMZ to local host along with HTTP from DMZ to External.

Logging shows DNS traffic coming from DMZ trying to go to 192.168.3.12 which gets blocked giving wireless browser a timeout error. Shouldn't ISA be forwarding it to the ISP DNS servers?

(in reply to lazyman)

Post #: 6