Welcome to ISAserver.org
Name Resolution problem with Firewall clients
Name Resolution problem with Firewall clients - 25.Jul.2004 11:54:00 AM
cbarneaud
Posts: 44
Joined: 10.Mar.2003
From: Sweden
Status: offline
I'm very close now to getting my Back-to-Back configuration with ISA 2004 into production, but I have some problems with Name Resolution when using the Firewall Client. My Intern ISA server (member server in the domain) is configured with 4 External networks (DMZ, Teachers, Students, Admin); all resources (DC, Exchange, Sharepoint, DNS) reside on the Internal network.
When using SecureNAT on my students' network (they get an IP address and DNS address from a DHCP server on the Intern ISA server) everything works normally, but I cannot get Name Resolution from my DNS server when using Firewall clients.
I use DHCP to automatically detect the Firewall client configuration. The detection works, but only when I put the ISA Server IP address and name in my client's Hosts file. Is this a normal configuration?
Did I miss something?
Thanks
RE: Name Resolution problem with Firewall clients - 26.Jul.2004 12:03:00 PM
cbarneaud
Posts: 44
Joined: 10.Mar.2003
From: Sweden
Status: offline
Name resolution seems to work now, but I cannot map a network drive that is on the Internal network. I get error messages in Event Viewer like this one:
'Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.'
How could that be possible if I can resolve my DC's IP address from my Firewall client? Everything works perfectly when using the SecureNAT client. I would prefer not to use a WINS server.
Is there a special configuration that I have to make on the Firewall Client Application Settings?
Thanks
RE: Name Resolution problem with Firewall clients - 26.Jul.2004 2:38:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi C,
You don't need to use a WINS server, but the Firewall client machine does need access to a DNS server that has knowledge of the Internal network domain and the intradomain communications protocols should be enabled.
HTH, Tom
RE: Name Resolution problem with Firewall clients - 26.Jul.2004 3:39:00 PM
cbarneaud
Posts: 44
Joined: 10.Mar.2003
From: Sweden
Status: offline
They have access to the Intern DNS on the Domain Controller; I could resolve my Domain Controller's IP address and DNS name through NSLookup on the Firewall client.
An access rule allows all intradomain communications protocols (DNS, LDAP, Kerberos, CIFS, RPC...) from my Student external Network to the Internal Network.
RE: Name Resolution problem with Firewall clients - 27.Jul.2004 2:11:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi C,
So, with that access rule and name resolution being OK, you still see that error? Are the clients domain members? Are the users successfully logging into the domain? Is group policy applied to the domain member machines on the student network?
Thanks! Tom
RE: Name Resolution problem with Firewall clients - 29.Jul.2004 2:14:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi C,
So, it sounds like the firewall clients on the student network are not communicating with the DCs on the other network. Do you see any denied connections from the firewall client computers in the log viewer?
IIRC, group policy is applied before the user logs on. If so, you may need to identify the protocols that are being blocked because there is no logged on user and allow those protocols to the IP addresses of the domain members on the student network.
It's an interesting problem and I'll see if I can work out the details.
Thanks! Tom
RE: Name Resolution problem with Firewall clients - 29.Jul.2004 2:10:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Lex,
When you enable the Firewall client for the student's network interface, it will automatically allow outbound 1745 to that interface.
Is that what you did?
Thanks! Tom
RE: Name Resolution problem with Firewall clients - 29.Jul.2004 2:29:00 PM
cbarneaud
Posts: 44
Joined: 10.Mar.2003
From: Sweden
Status: offline
Hi,
I don't see any denied connections from the Firewall client. The only traffic from my Firewall client I can see in the log is on port 1745 to the localhost (allowed). I tested with an access rule that allows all outbound traffic from the Student Network to the localhost and the Internal Network. I get the same problem.
Tell me if I'm wrong:
The Firewall Client only supports UDP- and TCP-based protocols. My domain member client needs to use ICMP messages to communicate with the DC, and the Firewall Client doesn't support ICMP messages.
I tested configuring a default gateway on the Firewall client (could that be a possible configuration??). It looks like my Firewall client can communicate with the Internal Network now! I still see the firewall session in the monitoring console.
I thought that you should never configure a Firewall Client with a gateway! Could you tell me what is wrong and what is right?
Thanks for help
Chris
RE: Name Resolution problem with Firewall clients - 29.Jul.2004 3:12:00 PM
cbarneaud
Posts: 44
Joined: 10.Mar.2003
From: Sweden
Status: offline
It sounds like you need PING to allow the DC to apply Group Policy on clients. I made my client a SecureNAT client again. If I block PING between the STUDENT network and the Internal Network, no GP can be applied on the client, and I get this event:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1054
Date: 2004-07-27
Time: 16:27:19
User: NT AUTHORITY\SYSTEM
Computer: FS999
Description: Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.
RE: Name Resolution problem with Firewall clients - 29.Jul.2004 3:16:00 PM
cbarneaud
Posts: 44
Joined: 10.Mar.2003
From: Sweden
Status: offline
Sorry, this event:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1054
Date: 2004-07-29
Time: 15:00:45
User: NT AUTHORITY\SYSTEM
Computer: FS999
Description: Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted.
RE: Name Resolution problem with Firewall clients - 29.Jul.2004 9:27:00 PM
cbarneaud
Posts: 44
Joined: 10.Mar.2003
From: Sweden
Status: offline
From Microsoft Documentation: Because Group Policy works with fully qualified domain names, you must have DNS running in your forest in order to correctly process Group Policy; you cannot use NETBIOS only. Also, because client or destination computers must be able to contact your network's domain controllers, do not turn off the ICMP protocol. If destination computers cannot ping the domain controllers, Group Policy processing will fail.
RE: Name Resolution problem with Firewall clients - 30.Jul.2004 2:00:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi C,
Bingo! Great work. But I thought I saw an article that said there was a method to turn off the ping requirement on the DCs. I think I saw this when researching the FE Exchange Server in the DMZ scenario.
Thanks! Tom
RE: Name Resolution problem with Firewall clients - 30.Jul.2004 10:29:00 AM
cbarneaud
Posts: 44
Joined: 10.Mar.2003
From: Sweden
Status: offline
Hi Tom,
I will try to find this article; if you find this article again, please tell me. The question now is: could I implement user- or group-based access control with my clients configured as both SecureNAT and Firewall clients?
If not, well, all my Network Design is falling down! User- and group-based access control was an important feature to control Students' Internet Access, and I really like the possibility of having all my resources in a different segment. I should start thinking about moving one DC onto the Student Network (something I really don't like).
Thanks
Chris
RE: Name Resolution problem with Firewall clients - 30.Jul.2004 3:46:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by cbarneaud: Hi Tom,
I will try to find this article; if you find this article again, please tell me. The question now is: could I implement user- or group-based access control with my clients configured as both SecureNAT and Firewall clients?
If not, well, all my Network Design is falling down! User- and group-based access control was an important feature to control Students' Internet Access, and I really like the possibility of having all my resources in a different segment. I should start thinking about moving one DC onto the Student Network (something I really don't like).
Thanks
Chris
Hi Chris,
You can still do user/group based access control. You can create a rule that allows PING to the address range of your SecureNAT clients, but require authentication for the other protocols using the Firewall client.
HTH, Tom
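The thread's conclusion can be checked as a small model: the Firewall client only intercepts TCP/UDP (Winsock) traffic, so ICMP (PING) from a domain member has to leave the machine as SecureNAT traffic through a default gateway pointing at ISA, SecureNAT traffic carries no user credentials, and Group Policy is processed before a user logs on. The following is an added example, not code from the forum, from ISA Server or from the Firewall client; the `Rule` and `Client` types, the network names ("Students", "Internal"), the computer name reuse and the rule sets are my own constructions that mirror the two configurations discussed above (Chris's original setup, and Tom's final split of an anonymous PING rule plus authenticated rules for the other intradomain protocols).

```python
"""Model of the ISA 2004 Firewall client / SecureNAT / access rule interaction
discussed in this thread. Added example; all names, types and rule sets are
constructed for illustration and are not ISA Server's own objects."""
from dataclasses import dataclass

# Protocols a domain member needs to reach its DC, with their transport:
# the list given in the thread plus PING, which the quoted Microsoft text
# says Group Policy processing requires.
INTRADOMAIN = {
    "DNS": "UDP", "Kerberos": "TCP", "LDAP": "TCP",
    "CIFS": "TCP", "RPC": "TCP", "PING": "ICMP",
}
WINSOCK = {"TCP", "UDP"}   # the only transports the Firewall client handles


@dataclass(frozen=True)
class Rule:
    """One simplified ISA access rule (constructed shape, not ISA's)."""
    name: str
    protocols: frozenset
    src: str                     # source network name
    dst: str                     # destination network name
    require_auth: bool = False   # "All Authenticated Users" vs "All Users"


@dataclass
class Client:
    name: str
    network: str
    firewall_client: bool
    default_gateway: bool        # gateway points at ISA -> can act as SecureNAT
    user_logged_on: bool = False # Group Policy runs before this is True


def client_path(client, transport):
    """Which ISA client type carries this transport, or None if neither can."""
    if transport in WINSOCK and client.firewall_client:
        return "FirewallClient"
    if client.default_gateway:
        return "SecureNAT"
    return None


def check_domain_access(client, rules, dc_network="Internal"):
    """Return {protocol: verdict} for the DC traffic a domain member needs."""
    verdicts = {}
    for proto, transport in INTRADOMAIN.items():
        path = client_path(client, transport)
        if path is None:
            verdicts[proto] = "UNREACHABLE: not TCP/UDP and no default gateway"
            continue
        matches = [r for r in rules
                   if proto in r.protocols and r.src == client.network
                   and r.dst == dc_network]
        if not matches:
            verdicts[proto] = "DENIED: no matching access rule"
            continue
        # SecureNAT traffic is anonymous; Firewall-client traffic carries
        # credentials only once a user is logged on.
        can_auth = path == "FirewallClient" and client.user_logged_on
        if any(not r.require_auth for r in matches) or can_auth:
            verdicts[proto] = f"OK via {path}"
        else:
            verdicts[proto] = (f"DENIED: rule requires authentication, "
                               f"{path} traffic is anonymous")
    return verdicts


def gpo_can_apply(verdicts):
    """Group Policy needs every intradomain protocol, PING included."""
    return all(v.startswith("OK") for v in verdicts.values())


# Scenario 1 (constructed): Firewall client, no gateway, one blanket allow rule.
ORIGINAL_RULES = [Rule("Students->Internal", frozenset(INTRADOMAIN),
                       "Students", "Internal")]
ORIGINAL_CLIENT = Client("FS999", "Students", firewall_client=True,
                         default_gateway=False)

# Scenario 2 (constructed): gateway set, PING allowed anonymously, the rest
# requires authentication through the Firewall client.
FIXED_RULES = [
    Rule("Allow PING", frozenset({"PING"}), "Students", "Internal"),
    Rule("Authenticated intradomain", frozenset(INTRADOMAIN) - {"PING"},
         "Students", "Internal", require_auth=True),
]
FIXED_CLIENT = Client("FS999", "Students", firewall_client=True,
                      default_gateway=True, user_logged_on=True)
PRELOGON_CLIENT = Client("FS999", "Students", firewall_client=True,
                         default_gateway=True, user_logged_on=False)

if __name__ == "__main__":
    for label, client, rules in (("original", ORIGINAL_CLIENT, ORIGINAL_RULES),
                                 ("fixed", FIXED_CLIENT, FIXED_RULES),
                                 ("pre-logon", PRELOGON_CLIENT, FIXED_RULES)):
        v = check_domain_access(client, rules)
        print(label, "GPO applies:", gpo_can_apply(v))
        for proto, verdict in v.items():
            print(f"  {proto:9} {verdict}")
```

Running it reproduces the thread: in the original setup every TCP/UDP protocol is fine but PING is unreachable, so Group Policy fails; with the gateway and the split rule set everything passes once a user is logged on. The third scenario encodes Tom's earlier caveat that Group Policy is processed before logon: with authentication required on the non-PING rules, the pre-logon check still denies DNS, Kerberos and the rest, which is the case to verify in the ISA log before relying on the split.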