Is my resolution best practice?

Is my resolution best practice? - 22.Jun.2008 9:03:53 AM   
teejayuu
Posts: 32
Joined: 7.May2008
Hi

First let me give you our setup:
Linux gateserver (externally maintained, but difficult to get hold of) and slowly migrating all server functions to a Windows-based network.
Rest are Windows 2k3 R2 SP2 servers.
The Linux box acts as a gateway and has 3 ADSL router/modems for external and internal access (VPN).  Also have a BTNet 10meg Leased Line.  Windows Servers handle AD, Exchange, DNS, DHCP and everything else.  Between the Leased Line and the Internal network is ISA 2006 acting as an Edge Firewall.  I have 2 AD controllers, AD1 and AD2.  AD1 was using the ISA as a gateway, which had a rule allowing all users access to the External network for HTTP/HTTPS traffic.  AD2 had been misconfigured and was using the Linux box for its gateway.

Once I realised this I changed AD2 to use ISA as its gateway.  At this point we lost all access to the Internet.  Troubleshooting led me to believe that we weren't accessing BTNet's DNS servers and that ISA was blocking DNS traffic.  (Previously ISA routed HTTP/S traffic and Linux handled DNS requests.)  I created network objects for each of BT's DNS servers and a rule to allow DNS traffic through to these network objects.  This solved the problem.

My question, as I am new to ISA and am using ISAServer 2006 Unleashed as my reference guide, is:  Is my resolution best practice?

Thanks
TJ
Post #: 1
RE: Is my resolution best practice? - 23.Jun.2008 9:23:37 AM   
paulo.oliveira
Posts: 727
Joined: 3.Jan.2008
From: Amazonas, Brazil
Hi,

quote:

I created network objects for each of BT's DNS servers and a rule to allow DNS traffic through to these network objects.  This solved the problem.


Are your DNS servers internal or external?

Regards,
Paulo Oliveira.

(in reply to teejayuu)
Post #: 2
RE: Is my resolution best practice? - 23.Jun.2008 9:45:43 AM   
teejayuu
Posts: 32
Joined: 7.May2008
Hi Paulo

BT's DNS servers are external to our organisation.  Internally we use W2k3 DHCP/DNS.

TJ

(in reply to paulo.oliveira)
Post #: 3
RE: Is my resolution best practice? - 23.Jun.2008 10:05:33 AM   
paulo.oliveira
Posts: 727
Joined: 3.Jan.2008
From: Amazonas, Brazil
Hi TJ,

The best practice for ISA is to use the internal DNS server on the internal NIC and enable forwarding on the internal DNS.

Read this: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html
http://www.isaserver.org/tutorials/configuring_isa_server_interface_settings.html

Regards,
Paulo Oliveira.

(in reply to teejayuu)
Post #: 4
RE: Is my resolution best practice? - 23.Jun.2008 10:36:00 AM   
teejayuu
Posts: 32
Joined: 7.May2008
Hi Paulo

quote:

  The best practice for ISA is to use the internal DNS server on the internal NIC and enable forwarding on the internal DNS.


I have both my internal DNS servers registered on the internal NIC, and BTNet's DNS servers registered as forwarders in the DNS server.

quote:

  Read this: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html
http://www.isaserver.org/tutorials/configuring_isa_server_interface_settings.html

Have read both guides and have my cards set up as these suggest.  In fact I used the latter when I first installed ISAServer.

TJ

(in reply to teejayuu)
Post #: 5
RE: Is my resolution best practice? - 23.Jun.2008 11:37:37 AM   
pwindell
Posts: 744
Joined: 12.Apr.2004
From: Taylorville, IL
quote:

Linux gateserver (externally maintained, but difficult to get hold of) and slowly migrating all server functions to a Windows-based network.
Rest are Windows 2k3 R2 SP2 servers.
The Linux box acts as a gateway and has 3 ADSL router/modems for external and internal access (VPN).  Also have a BTNet 10meg Leased Line.  Windows Servers handle AD, Exchange, DNS, DHCP and everything else.  Between the Leased Line and the Internal network is ISA 2006 acting as an Edge Firewall.  I have 2 AD controllers, AD1 and AD2.  AD1 was using the ISA as a gateway, which had a rule allowing all users access to the External network for HTTP/HTTPS traffic.  AD2 had been misconfigured and was using the Linux box for its gateway.


I have no idea what you are trying to describe there.  Make the description cleaner and more direct to the point.  Just because some DSL lines exist, a VPN exists, and a Leased Line exists doesn't tell us how they relate together, how they are positioned, and how the topology is laid out.  All your VPNs and Leased Lines will no longer have the traffic properly routed to them if the ISA is not entered into the LAN properly.

quote:

Once I realised this I changed AD2 to use ISA as its gateway.  At this point we lost all access to the Internet.  Troubleshooting led me to believe that we weren't accessing BTNet's DNS servers and that ISA was blocking DNS traffic.  (Previously ISA routed HTTP/S traffic and Linux handled DNS requests.)  I created network objects for each of BT's DNS servers and a rule to allow DNS traffic through to these network objects.  This solved the problem.

ISA needs an Access Rule that allows the AD/DNS servers to make anonymous outbound DNS queries to the DNS servers listed in the Forwarders list.  If that is what you mean by that, then you are doing that correctly in the most common way.


_____________________________

Phillip Windell
www.wandtv.com

(in reply to teejayuu)
Post #: 6
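Added illustration (not code from the thread or from ISA's own COM API): a small model of the access policy the thread converges on, showing why Internet access broke when AD2 started using ISA as its gateway (no DNS rule existed) and why the fix should be scoped to the AD/DNS servers and the forwarders only. All addresses are constructed placeholders; the thread names none.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

# Constructed addresses: stand-ins for the LAN, AD1/AD2 and BT's DNS servers.
INTERNAL = ipaddress.ip_network("192.168.10.0/24")
DNS_SERVERS = {ipaddress.ip_address("192.168.10.11"),   # AD1 (hypothetical)
               ipaddress.ip_address("192.168.10.12")}   # AD2 (hypothetical)
BT_FORWARDERS = {ipaddress.ip_address("198.51.100.1"),  # placeholders for BT DNS
                 ipaddress.ip_address("198.51.100.2")}

Flow = Tuple[str, int]   # (protocol, destination port)
Match = Callable[[ipaddress.IPv4Address], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    protocols: Optional[FrozenSet[Flow]]  # None means all outbound traffic
    src: Match
    dst: Match


DNS = frozenset({("udp", 53), ("tcp", 53)})
WEB = frozenset({("tcp", 80), ("tcp", 443)})


def is_internal(ip): return ip in INTERNAL
def is_external(ip): return ip not in INTERNAL
def everything(ip): return True


# ISA evaluates access rules top-down; the built-in Default rule denies the rest.
POLICY_BEFORE: List[Rule] = [
    Rule("Allow HTTP/HTTPS to External", "allow", WEB, is_internal, is_external),
    Rule("Default rule", "deny", None, everything, everything),
]

# The fix from the thread: DNS is allowed only from the AD/DNS hosts to the
# forwarders, so workstations still resolve through AD1/AD2, never directly.
POLICY_AFTER: List[Rule] = [
    Rule("Allow DNS to BT forwarders", "allow", DNS,
         lambda ip: ip in DNS_SERVERS, lambda ip: ip in BT_FORWARDERS),
] + POLICY_BEFORE


def evaluate(policy: List[Rule], src: str, dst: str, proto: str, port: int):
    """Return (action, name of the first matching rule) for one outbound flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        proto_ok = rule.protocols is None or (proto, port) in rule.protocols
        if proto_ok and rule.src(s) and rule.dst(d):
            return rule.action, rule.name
    return "deny", "implicit"
```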