
Welcome to ISAserver.org


Does the W2K FWC proxy DNS?

Does the W2K FWC proxy DNS? - 19.Nov.2005 1:48:48 AM   
LLigetfa

 

First off, while I do have ISA 2K4 in limited deployment, the bulk of my users are still on my old MSP2 with the W2K FWC.  Today I changed the IP address on an internal member server but quite a few of my clients had the old IP stuck in their cache and could not access it.  I made sure the DNS server had the records updated and was surprised that the old IP was stuck in cache.

I could not clear the cache with IPCONFIG /FlushDNS and even adding a host file entry would not mitigate it.  The only thing I can surmise is that the ISA2K FWC was proxying the DNS query.  Is this expected ISA2K FWC behavior?  None of us on the 2K4 FWC had any problems.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
Post #: 1
RE: Does the W2K FWC proxy DNS? - 19.Nov.2005 2:15:58 PM   
spouseele

 

Hi Les,

By default ISA server caches DNS entries for 6 hours, regardless of the actual TTL associated with the record. To prevent this behaviour, apply the following registry changes: 
  • Web Proxy:
    HKLM\SOFTWARE\Microsoft\Fpc\Arrays\{Array GUID}\ArrayPolicy\WebProxy
    "msFPCDnsCacheSize"=dword:00000000 
  • Firewall:
    HKLM\SOFTWARE\Microsoft\Fpc\Arrays\{Array GUID}\ArrayPolicy\Proxy-WSP
    "msFPCDnsCacheSize"=dword:00000000

    Note: for Enterprise Arrays, you have to use Active Directory Users and Computers in Advanced view mode, and drill down to System, Microsoft, FPC, Arrays, {Array GUID}, Array policy, etc... 


For full details, check out the article ISA Clients - Part 1 : General ISA Server Configuration

Also, check out the article ISA Clients - Part 3: The Firewall Client.
quote:


You may have noticed while reading carefully in this section of the ISA help, that [Common Configuration] is stated as one of the places the FWC looks to for information. If you’re even more observant, you’ll also notice that it doesn’t exist in mspclnt.ini by default. When you enter an application name and that application is unknown to ISA, a new section is created in the ISA version of mspclnt.ini as [AppName]. This is also how you would create the [Common Configuration] section; by entering “Common Configuration” in the Application Name as shown below:

 

You may have noticed that I’ve used the NameResolution=L entry here. Why would he do that, you may ask? ..it’s OK; you can, I don’t mind… What this setting will do is cause the FWC to refer to the LAT host DNS client service for any and all FQDN resolution requests except where specified differently for a particular app or service in the mspclnt.ini file. If you have a solid DNS-based name resolution structure (NetBIOS broadcasts don’t count), then this setting will help you avoid the FWC DNS cache of death as mentioned in part one of these articles. I highly recommend using this setting (hint-hint). It can also mean the difference between an ISA event log full of 14120 errors and a peaceful ISA server (another article, RSN).


HTH,
Stefaan

(in reply to LLigetfa)
Post #: 2
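An added example (not part of the original posts or the quoted article): a Python check that reads a Firewall Client mspclnt.ini and reports, for each application section, whether its NameResolution value comes from the section itself or falls back to [Common Configuration], following the override rule described in the quote above. The sample file, the application names legacyapp and backupagent, and the case-insensitive matching of section and key names are assumptions.

```python
import configparser

# Constructed sample of an mspclnt.ini. Only [Common Configuration] and the
# NameResolution key come from the thread; the rest is assumed for illustration.
SAMPLE_INI = """\
[Common Configuration]
NameResolution=L

[legacyapp]
NameResolution=R

[backupagent]
Disable=1
"""

COMMON = "Common Configuration"
KEY = "NameResolution"

def load(text):
    # Tolerate repeated keys and bare lines, which a strict parser rejects.
    cp = configparser.ConfigParser(strict=False, allow_no_value=True,
                                   interpolation=None)
    cp.read_string(text)
    return cp

def _lookup(cp, section):
    # Assumption: section and key names are matched case-insensitively.
    for name in cp.sections():
        if name.lower() == section.lower():
            for k, v in cp.items(name):
                if k.lower() == KEY.lower() and v:
                    return v.strip().upper()
    return None

def effective_name_resolution(cp, app):
    """Return (value, source): the app's own setting wins over the common one."""
    own = _lookup(cp, app)
    if own:
        return own, f"[{app}]"
    common = _lookup(cp, COMMON)
    if common:
        return common, f"[{COMMON}]"
    return None, "unset"

def audit(text):
    cp = load(text)
    apps = [s for s in cp.sections() if s.lower() != COMMON.lower()]
    return {a: effective_name_resolution(cp, a) for a in apps}
```

Any application reported with a value other than L, or as unset, is one whose name lookups are not pinned to the local DNS client and may still be affected by the stale cache described in this thread.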
RE: Does the W2K FWC proxy DNS? - 19.Nov.2005 3:26:06 PM   
LLigetfa

 

Thanks for that.  I did eventually find some of that explanation in MS KB301695 but was unsure how much of it applies because I run a hybrid of ISA2K FWC and MSP2 server.  I guess there is more of the MSP2 wolf in the ISA2K sheep than MS would like to admit.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to spouseele)
Post #: 3
