Split-Brain DNS with a 3-Leg Perimeter
Split-Brain DNS with a 3-Leg Perimeter - 4.Apr.2004 4:53:00 AM
orchidman
Posts: 16
Joined: 4.Apr.2004
I am currently stuck with a DNS problem. I am trying to configure a lab setup that will hopefully transition some day into a real world setup. It is a 3-Leg Perimeter setup where the DMZ will have an IIS server hosting multiple web sites. The traffic from Intranet to DMZ will be minimal. The final site will have to do the primary Internet DNS hosting. With these requirements and what I have read, I believe I need to set up a Split DNS configuration. I come from a programmer background and not an SE, so DNS is not my 'primary language'. My problem is that I cannot find any really good documentation and hopefully a step-by-step guide to split my DNS. Right now the DNS is working with no ISA in the system. My question is: can someone direct me to any good documentation on how to split my DNS? Gary

RE: Split-Brain DNS with a 3-Leg Perimeter - 4.Apr.2004 2:04:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Hi Gary,
Did you enter "split DNS" into the site search box?
There are also good discussions of split DNS in the ISA Exchange Deployment Kit and in articles on secure Exchange RPC publishing.
IMHO, all organizations that want to support remote access to internal resources require a split DNS infrastructure.
HTH, Tom

RE: Split-Brain DNS with a 3-Leg Perimeter - 14.Apr.2004 5:49:00 AM
orchidman
Posts: 16
Joined: 4.Apr.2004
Tom, thank you for your help. I found your article and believe I have the split DNS working. From the ISA 2004 server I can ping a web site in the DMZ using a DNS server located on the IIS server in the DMZ. I can also pull up a web page from the ISA server that is located on the IIS server in the DMZ. My problem now is that I have spent the last several nights trying to get an external PC to be able to reference either the DNS server or IIS that is located in the DMZ. Currently I have:
- Network rules: External to Perimeter, NAT
- Firewall Policy: Access Rule, External to Perimeter, DNS, All users
- Publishing: External to the Perimeter DNS IP, listening on the External IP, DNS Server
Can you give me any hints as to where to go from here? Gary

RE: Split-Brain DNS with a 3-Leg Perimeter - 14.Apr.2004 11:18:00 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Hi Gary,
The key to the split DNS is that external hosts resolve the IP address to a public address on the ISA firewall, and Internal hosts access the host via its private address (the published host's actual address).
So, do you have a public zone and a private zone in place?
Thanks! Tom
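An added illustration of the public-zone/private-zone point above; this is not code from the thread. It models a split-horizon resolver with the poster's sample addresses (1.1.1.x as the stand-in public range, 172.16.0.0/24 as the DMZ leg; treating 10.0.0.0/8 as the internal leg is an assumption) and includes an audit that flags a public zone handing out private addresses, the leak a defender wants to catch before going live.

```python
import ipaddress

# Constructed sample data modelled on the thread: 1.1.1.x stands in for the
# public range (as in the original post), 172.16.0.0/24 is the DMZ leg and
# 10.0.0.0/8 is assumed to be the internal leg.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/24")]

# Public (external-facing) zone: names map to addresses on the ISA firewall's
# external interface, where the publishing rules listen.
PUBLIC_ZONE = {"www.xxx.org": "1.1.1.133"}

# Private (internal) zone: the same names map to the published hosts' real
# addresses so internal clients reach them directly, not via the firewall.
PRIVATE_ZONE = {"www.xxx.org": "172.16.0.150"}


def view_for(client_ip: str) -> str:
    """Pick the DNS view from the querying client's source address."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def resolve(name: str, client_ip: str,
            public=PUBLIC_ZONE, private=PRIVATE_ZONE):
    """Split-horizon lookup: same name, different answer per view."""
    zone = private if view_for(client_ip) == "internal" else public
    return zone.get(name.lower().rstrip("."))


def audit_zones(public=PUBLIC_ZONE, private=PRIVATE_ZONE):
    """Checks worth running before deploying a split DNS:
    1. the public zone must never hand out private (RFC 1918) addresses,
       which would expose the internal layout to the Internet;
    2. a name present only in the private zone cannot be resolved by
       remote users, so it is listed for review.
    Returns human-readable findings; an empty list means clean."""
    findings = []
    for name, addr in public.items():
        if ipaddress.ip_address(addr).is_private:
            findings.append(f"public zone leaks private address for {name}: {addr}")
    for name in private:
        if name not in public:
            findings.append(f"{name} is in the private zone but missing from the public zone")
    return findings
```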

RE: Split-Brain DNS with a 3-Leg Perimeter - 14.Apr.2004 4:07:00 PM
orchidman
Posts: 16
Joined: 4.Apr.2004
quote: So, do you have a public zone and a private zone in place?
Yes. Let me give some more specifics. I am changing the data a little. I have a xxx.org zone defined in my external-looking split DNS that is located on my IIS box in my DMZ. The xxx.org A record is defined as 1.1.1.133. On the IIS box the DNS listens on 172.16.0.150. The xxx.org zone is not defined on my internal split DNS (at this time; it was earlier and I could access the xxx.org web site from the Internal network). For the ISA box, the 'WAN' NIC has 1.1.1.150 as one of its IPs. On my outside PC, this address is its only DNS lookup address. So when I try to resolve the IP address from the outside PC, it should try to connect to 1.1.1.150 (on the ISA WAN NIC), which should then forward it to the DMZ NIC (172.16.0.98), which should then pass it on to the IIS computer at 172.16.0.150. From the ISA, I can ping the PC, but from the PC I get nothing back, pinging etc. I have tried to read everything ISA 2004 related but cannot figure out this problem. It almost sounds like I have missed a setting/rule allowing the outside to communicate with/through ISA. Right now I am trying to configure the External interface to publish the external DNS so I can work on the web site publishing. Any hints/thoughts? Gary