Split DNS-ISA-Exchange 2000
Split DNS-ISA-Exchange 2000 - 10.Jan.2003 6:57:00 PM
jusride
Posts: 57
Joined: 1.Jan.2003
Status: offline
I've tried various AD configurations and none work correctly so I'm going back to the original configuration I started with. Here is my setup:
Internal Win2k Server:
  Active Directory (AD) installed, 1st DC in new forest
  Domain name: internal.abc.com
  Forward lookup zones: internal.abc
  Also the global catalog
  AD integrated DNS
External Win2k Server:
  AD installed, 2nd DC
  Forward lookup zones: internal.abc (AD integrated); west.abc.com (secondary DNS - primary is a remote NT 4 DNS machine)
  AD integrated DNS
  Exchange 2000
  ISA server (I know, I know, too much running on this server; tell that to my manager who thought 2 servers was 1 too many!)
The only way a zone transfer works is if I'm the secondary DNS for the "west.abc.com" zone because NT 4 doesn't support SRV records or dynamic updates that Win2k uses in zone transfers (I found this out the hard way). Also we are a sub-domain of "abc.com", the domain is hosted on the NT 4 machine.
All the zone transfer rules are setup correctly.
I thought I had the Mail server publishing setup correctly but I don't think so now.
Here is what happens: internal users can send out SMTP mail to the internet, internal users can send/receive internal e-mail, internal users can't receive incoming internet e-mail.
I see the incoming internet e-mails in the ISA logs as allowed. What I think is happening is that Exchange technically resides on the "internal.abc" side of the house. When e-mail addressed to "@west.abc.com" comes into the external DNS server it doesn't know where to ship it to because the Exchange server "thinks" it's the authority for "internal.abc" zone not "west.abc.com" zone so the e-mails get bounced back to the internet e-mail senders as a "host unknown" or "host not responding" errors.
I've setup the mail publishing rule as Exchange resides on the host computer. Should I be entering the internal IP address instead? Is this why internet e-mail gets bounced?
I really hope you can help with this problem because I have until Wednesday next week to resolve the e-mail problem!
Thanks!
RE: Split DNS-ISA-Exchange 2000 - 11.Jan.2003 8:04:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jusride,
It doesn't matter what your internal domain is named. You just need to configure the Exchange Server to accept mail addressed to the domain that external users use to send mail to your organization, based on the public domain used to forward messages to the IP addresses used on the external interface of the ISA Server for the SMTP Server publishing rule.
HTH, Tom
RE: Split DNS-ISA-Exchange 2000 - 11.Jan.2003 8:19:00 PM
jusride
Posts: 57
Joined: 1.Jan.2003
Status: offline
I'm going to configure my network differently.
Internal Win2k server: AD, AD integrated DNS, internal IP 10.10.0.1
Internal Mail server: AD, AD integrated DNS, internal IP 10.10.0.2
External Win2k server: secondary DNS, no AD installed, ISA server; external NIC IP 144.xxx.xxx.xxx, internal NIC IP 10.10.0.3
Setup mail publishing rule allow SMTP traffic on 144.xxx.xxx.xxx and forward to this internal server 10.10.0.2. Is this correct?
Our current MX record points to the ISA server (west.abc.com). There is a host (A) record pointing to our external IP, the one ISA is listening to.
Hopefully getting Exchange and AD off the ISA box will help, although I still need to run DNS (as a secondary DNS server) off of it.
RE: Split DNS-ISA-Exchange 2000 - 12.Jan.2003 3:25:00 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jus,
If you can get the DNS server off the ISA Server, it'll make your life a lot easier. Although, if you check out www.isaserver.org/shinder, I'm sure you'll find some information helpful on running a DNS server on the ISA Server.
Life will definitely be better now that the Exchange Server is off the ISA Server.
If your MX record is pointing to the right place, then you should be in business in no time.
HTH, Tom
RE: Split DNS-ISA-Exchange 2000 - 12.Jan.2003 2:58:00 PM
jusride
Posts: 57
Joined: 1.Jan.2003
Status: offline
Because I have an AD integrated internal network and a Secondary DNS external network with ISA (without AD installed) should the MX record point to the name of the internal Exchange server (mail.coast.abc.com) or the external secondary DNS server (west.coast.abc.com)? The zone file already points to our correct external IP.
What I don't understand is whether the MX gets routed through ISA using the "DNS server name" and the internal IP, or is the "DNS server name" even important?
An example being: MX record points to "west.coast.abc.com" (external DNS server not connected to AD) the internal e-mail server is "mail.coast.abc.com". Exchange 2000 has a recipient policy of "@coast.abc.com". Will e-mail get to the Exchange server? Or does the MX record need to point to the "mail.coast.abc.com" DNS name for this to work? Also, the FQDN setting that Exchange 2000 needs is the one in the MX record correct?
Thanks for any help on this matter!
RE: Split DNS-ISA-Exchange 2000 - 12.Jan.2003 7:29:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jus,
SMTP servers use the MX record for your public domain to determine what server should receive mail for your domain. Actually, it can work the same way for internal and external SMTP servers, but you're probably most concerned about external SMTP servers because you're not using SMTP clients on your internal network.
So, in your PUBLIC DNS, you need to include an MX record that points to your external IP address on the ISA Server that receives SMTP messages and forwards them to the internal network. Public hosts don't care about, and have no knowledge of, your private network naming system.
HTH, Tom
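The two checks Tom describes in this reply and the next ones (does the public MX record lead to the ISA external IP, and does a connection to port 25 on that IP get an SMTP greeting) can be scripted. The following is an added example, not code from the thread or from ISA Server or Exchange: the DNS records are a constructed stand-in for the public zone, the address 192.0.2.10 is a documentation-range placeholder for the ISA external IP, and start_fake_smtp is a local test fixture that plays the role of the published mail server so the script runs offline.

```python
import socket
import threading

# Constructed public-DNS zone for the example domain (assumption, not the poster's real zone).
# A sending MTA only ever sees these records; the internal.abc zone is invisible to it.
PUBLIC_DNS = {
    ("west.abc.com", "MX"): [(10, "west.abc.com.")],
    ("west.abc.com", "A"): ["192.0.2.10"],  # placeholder for the ISA external interface IP
}


def mail_targets(domain, records):
    """Do what an external SMTP server does with a recipient domain:
    look up its MX records, order them by preference, and resolve each
    MX host to the addresses it will try to connect to on port 25.
    Returns a list of (preference, host, ips)."""
    mx = sorted(records.get((domain, "MX"), []))
    targets = []
    for pref, host in mx:
        name = host.rstrip(".")
        targets.append((pref, name, records.get((name, "A"), [])))
    return targets


def smtp_banner(host, port=25, timeout=5.0):
    """Connect to host:port and read the greeting, the scripted form of
    'telnet to port 25'. Returns the banner line if the server answered
    with a 220 greeting, or None if the connection was refused, timed out,
    or the reply was not an SMTP greeting. A timeout with a publishing
    rule in place means the packets are not reaching the listener."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(512).decode("ascii", "replace")
    except OSError:
        return None
    first = data.splitlines()[0] if data else ""
    return first if first.startswith("220") else None


def start_fake_smtp(banner="220 west.abc.com ESMTP ready\r\n"):
    """Test fixture: a one-shot listener on 127.0.0.1 that sends an SMTP
    greeting and hangs up. Stands in for the published Exchange server.
    Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner.encode("ascii"))
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Step 1: where would an outside MTA deliver mail for west.abc.com?
    for pref, host, ips in mail_targets("west.abc.com", PUBLIC_DNS):
        print(f"MX {pref} {host} -> {ips}")
    # Step 2: does a listener answer on that address?  Against the local fixture here;
    # in practice point smtp_banner at the ISA external IP from OUTSIDE the network.
    port = start_fake_smtp()
    print("greeting:", smtp_banner("127.0.0.1", port))
```

The banner check only proves something when run from outside the ISA Server, as Tom does; from the internal network it would reach Exchange directly and tell you nothing about the publishing rule or about upstream filtering of port 25.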
RE: Split DNS-ISA-Exchange 2000 - 14.Jan.2003 2:38:00 AM
jusride
Posts: 57
Joined: 1.Jan.2003
Status: offline
Mail is still not reaching Exchange. I have Exchange configured to have a recipient policy of "@west.abc.com". I have it listening on 10.10.0.2 (the only NIC in the mail server). Authentication is set to anonymous. The FQDN in Exchange is set to "west.abc.com" (which is verified when you click the DNS button). The external DNS server is set to the "Primary" DNS IP. I've created an internal MX record pointing to the internal IP of the ISA server. The default gateway on the Exchange server is set to the internal IP on ISA. I even loaded the firewall client on the Exchange server. I put a packet sniffer between Exchange and ISA and nothing is making it to Exchange. Any ideas?
RE: Split DNS-ISA-Exchange 2000 - 14.Jan.2003 3:01:00 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jus,
Get that firewall client off the Exchange Server ASAP. It'll never work that way.
OK, time to get into the real world.
What is the actual domain name, the host associated with the MX record, and the A record information for that host?
Your internal DNS doesn't matter to external hosts. I must be able to send mail to your mail server via your SMTP server publishing rule from where I am, not from inside your internal network, in order to make this work.
HTH, Tom
RE: Split DNS-ISA-Exchange 2000 - 14.Jan.2003 6:01:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jusride,
I'm not getting any response on my telnet session to that IP address. Is the server up? The DNS records appear to be correct.
Remember that Exchange Server does not allow relay by default, but if you're only sending to addresses under your control, then relay isn't an issue.
HTH, Tom
RE: Split DNS-ISA-Exchange 2000 - 14.Jan.2003 6:06:00 PM
jusride
Posts: 57
Joined: 1.Jan.2003
Status: offline
It's up but I noticed in the logs it's starting to block incoming SMTP traffic. I'm getting ready to reboot the server.
RE: Split DNS-ISA-Exchange 2000 - 14.Jan.2003 6:18:00 PM
jusride
Posts: 57
Joined: 1.Jan.2003
Status: offline
ISA server is back online.
RE: Split DNS-ISA-Exchange 2000 - 14.Jan.2003 7:32:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jus,
I still don't get any telnet response. Is the SMTP server configured as a SecureNAT client?
Thanks! Tom
RE: Split DNS-ISA-Exchange 2000 - 15.Jan.2003 1:55:00 AM
jusride
Posts: 57
Joined: 1.Jan.2003
Status: offline
I believe the Navy is blocking telnetting into port 25. If I telnet internally everything looks good and I can send e-mail out etc via a telnet session. I'm beginning to wonder if somehow the internet SMTP traffic is getting "filtered" outside of our external IP. If you do a tracert to the external IP you will see where that trace will end. They are the regional internet providers for the Navy in the Southwest Region. I've asked them if they are doing anything with incoming SMTP traffic and they said no, but I'm beginning to wonder.
RE: Split DNS-ISA-Exchange 2000 - 16.Jan.2003 2:56:00 PM
jusride
Posts: 57
Joined: 1.Jan.2003
Status: offline
Okay, I switched to a "Public" internet provider and I'm getting incoming e-mails. I will be standing up ISA in front of Exchange today. Thanks for all the help. I was pulling my hair out thinking it was some configuration problem. Sorry for all the posts! Should be receiving your book "ISA Server and Beyond" today Tom.