Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
RE: All user vs Internet group...?!?
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
RE: All user vs Internet group...?!? - 20.Sep.2005 2:33:00 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi Al-Taee,
please post the following information *unmodified*:
- ipconfig /all on ISA
- route print on ISA
- ipconfig /all on the internal DNS server
- ipconfig /all on an internal workstation
HTH,
Stefaan
|
|
|
|
|
RE: All user vs Internet group...?!? - 22.Sep.2005 4:01:00 AM
|
|
|
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
|
Hi Stefaan,
Here are the most important data requested:
- ipconfig /all on ISA
Windows IP Configuration
Host Name . . . . . . . . . . . . : gci-isa-01
Primary Dns Suffix . . . . . . . : GCI.GOV.IQ
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : GCI.GOV.IQ
GOV.IQ
Ethernet adapter Internal Network:
Gigabit Server Adapter #2
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.127.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.127.1.2
Ethernet adapter Internet VSAT:
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 80.146.156.82
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 80.146.156.81
- route print on ISA
Active Routes:
Network Destination Netmask Gateway Interface
0.0.0.0 0.0.0.0 80.146.156.81 80.146.156.82
10.127.1.0 255.255.255.0 10.127.1.1 10.127.1.1
10.127.1.1 255.255.255.255 127.0.0.1 127.0.0.1
10.255.255.255 255.255.255.255 10.127.1.1 10.127.1.1
80.146.156.80 255.255.255.240 80.146.156.82 80.146.156.82
80.146.156.82 255.255.255.255 127.0.0.1 127.0.0.1
80.255.255.255 255.255.255.255 80.146.156.82 80.146.156.82
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1
224.0.0.0 240.0.0.0 10.127.1.1 10.127.1.1
224.0.0.0 240.0.0.0 80.146.156.82 80.146.156.82
255.255.255.255 255.255.255.255 10.127.1.1 10.127.1.1
255.255.255.255 255.255.255.255 80.146.156.82 80.146.156.82
Default Gateway: 80.146.156.81
- ipconfig /all on the internal DNS server
Windows IP Configuration
Host Name . . . . . . . . . . . . : GCI-DC-01
Primary Dns Suffix . . . . . . . : GCI.GOV.IQ
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : GCI.GOV.IQ
GOV.IQ
Ethernet adapter Local Area Connection:
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.127.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.127.1.1
DNS Servers . . . . . . . . . . . : 10.127.1.2
- ipconfig /all on an internal workstation
Host Name . . . . . . . . . . . . : GCI-001
Primary Dns Suffix . . . . . . . : GCI.GOV.IQ
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : GCI.GOV.IQ
GOV.IQ
Ethernet adapter Internet ISA:
Connection-specific DNS Suffix . : GCI.GOV.IQ
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.127.1.107
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.127.1.1
DHCP Server . . . . . . . . . . . : 10.127.1.2
DNS Servers . . . . . . . . . . . : 10.127.1.2
Lease Obtained. . . . . . . . . . : Thursday, September 22, 2005 9:44:34 A
Lease Expires . . . . . . . . . . : Friday, September 30, 2005 9:44:34 AM
By the way, i still able to use Internet without DNS Forwarders and iam able to use the new version of yahoo IM even i have proxy cleints, all you have to do is to change the proxy settings to Firewall with no Proxy! Any comments?
Thanks,
Al-Taee
|
|
|
|
|
RE: All user vs Internet group...?!? - 22.Sep.2005 6:05:00 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi Al-Taee,
the IP settings seems all correct to me. That's good!
According to the given info, the only host who could directly resolve external FQDN's is your internal DNS server. All other hosts, including the ISA, are depending on that.
Now, if you have no longer forwarders you shouldn't be able to resolve external FQDN's except if they are still in the cache of the DNS server or the ISA server. So, try some external FQDN's you never tried before.
About the Yahoo IM, I can't comment on that because I don't know the product.
HTH,
Stefaan
|
|
|
|
|
RE: All user vs Internet group...?!? - 23.Sep.2005 9:18:00 AM
|
|
|
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
|
Hi Stefaan,
Now, if you have no longer forwarders you shouldn't be able to resolve external FQDN's except if they are still in the cache of the DNS server or the ISA server. So, try some external FQDN's you never tried before.
Exactly i agree with you and i cleared the DNS cache many times and also the Client DNS cache and still i can access the Internet. I tried also to use new websites but i can access it. I read some articles in MS. and it seems the DNS recursion is the default option for DNS process and it use root hint if coudnt find the DNS IPs forwarder so any way to know which DNS proess the client use?
About the Yahoo IM, I can't comment on that because I don't know the product.
The yahoo IM means Yahoo Internet messenger and the new version of it is now working with the ISA 2004 and its was not before!
Thanks,
Al-Taee
|
|
|
|
|
RE: All user vs Internet group...?!? - 23.Sep.2005 3:55:00 PM
|
|
|
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi Al-Taee,
if no forwarders are configured then the DNS server will use the root hint file for the resolver process. That means he will contact the Internet DNS root servers and do the whole recursion process by itself. However, if you have configured forwarders then the DNS server will first contact the forwarders and let them do the heavy work.
Now, what will happen if the forwarders are not reachable? That depends on the check box ôDo not use recursionö in the forwarders tab. If that box is *not* checked then the DNS server will switch to the root hint file and regulary check if the forwarders are reachable again. If that box is checked (recommended setting), DNS resolving will no longer work.
So, you'll have to find out first how the DNS resolving is working. In any case, if it goes through the ISA server you should see that in the ISA logging. Otherwise it sounds that your ISA server is not the only exitpoint of your network.
PS: don't forget that a netmon trace on the DNS server can also be very useful.
HTH,
Stefaan
|
|
|
|
|
RE: All user vs Internet group...?!? - 25.Sep.2005 3:06:00 AM
|
|
|
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
|
Hi Stefaan,
B]Now, what will happen if the forwarders are not reachable? That depends on the check box ôDo not use recursionö in the forwarders tab. If that box is *not* checked then the DNS server will switch to the root hint file and regulary check if the forwarders are reachable again. If that box is checked (recommended setting.[/B]
I create a filter to my ISP DNS IP and it was working but i remove the DNS IPs forwarder along with allow using recursion and i got results with slow Internet service and with the following IPs for Destination IP for DNS rule.
210.9.72.173
192.115.106.10
193.0.0.195
128.242.107.5
168.143.179.5
209.1.222.247
202.160.241.153
209.1.222.244
62.148.192.154
204.0.99.15
193.210.18.13
62.42.230.163
Then i re-assign the ISP DNS IPs for Forwarder and i didnt get anything in logging regarding DNS untill i clear the cache and i got only some IP requests for DNS forwarder. Also, i remove the forwarder and remain disable recursion and i still got results Hi Stefaan,
B]Now, what will happen if the forwarders are not reachable? That depends on the check box ôDo not use recursionö in the forwarders tab. If that box is *not* checked then the DNS server will switch to the root hint file and regulary check if the forwarders are reachable again. If that box is checked (recommended setting.[/B]
I create a filter to my ISP DNS IP and it was working but i remove the DNS IPs forwarder along with allow using recursion and i got results with slow Internet service and with the following IPs for Destination IP for DNS rule.
210.9.72.173
192.115.106.10
193.0.0.195
128.242.107.5
168.143.179.5
209.1.222.247
202.160.241.153
209.1.222.244
62.148.192.154
204.0.99.15
193.210.18.13
62.42.230.163
Then i re-assign the ISP DNS IPs for Forwarder and i didnt get anything in logging regarding DNS untill i clear the cache and i got only some IP requests for DNS forwarder so what do you think, is it ok?
PS: don't forget that a netmon trace on the DNS server can also be very useful.
Can you send me the link to that tool?
Regards,
Al-Taee
so what do you think, is it ok?
PS: don't forget that a netmon trace on the DNS server can also be very useful.
Can you send me the link to this tool?
Regards,
Al-Taee
|
|
|
|
|
RE: All user vs Internet group...?!? - 25.Sep.2005 3:09:00 AM
|
|
|
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
|
Hi Stefaan,
[/B]Now, what will happen if the forwarders are not reachable? That depends on the check box ôDo not use recursionö in the forwarders tab. If that box is *not* checked then the DNS server will switch to the root hint file and regulary check if the forwarders are reachable again. If that box is checked (recommended setting.[/B]
I create a filter to my ISP DNS IP and it was working but i remove the DNS IPs forwarder along with allow using recursion and i got results with slow Internet service and with the following IPs for Destination IP for DNS rule.
210.9.72.173
192.115.106.10
193.0.0.195
128.242.107.5
168.143.179.5
209.1.222.247
202.160.241.153
209.1.222.244
62.148.192.154
204.0.99.15
193.210.18.13
62.42.230.163
Then i re-assign the ISP DNS IPs for Forwarder and i didnt get anything in logging regarding DNS untill i clear the cache and i got only some IP requests for DNS forwarder.
210.9.72.173
192.115.106.10
193.0.0.195
128.242.107.5
168.143.179.5
209.1.222.247
202.160.241.153
209.1.222.244
62.148.192.154
204.0.99.15
193.210.18.13
62.42.230.163
Then i re-assign the ISP DNS IPs for Forwarder and i didnt get anything in logging regarding DNS untill i clear the cache and i got only some IP requests for DNS forwarder. Also, i remove the forwarder and remain disable recursion and i still got results so what do you think, is it ok?
PS: don't forget that a netmon trace on the DNS server can also be very useful.
Can you send me the link to that tool?
Regards,
Al-Taee
|
|
|
|
|
RE: All user vs Internet group...?!? - 25.Sep.2005 3:15:00 AM
|
|
|
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
|
Hi Stefaan,
Now, what will happen if the forwarders are not reachable? That depends on the check box ôDo not use recursionö in the forwarders tab. If that box is *not* checked then the DNS server will switch to the root hint file and regulary check if the forwarders are reachable again. If that box is checked (recommended setting).
I create a filter to my ISP DNS IP and it was working but i remove the DNS IPs forwarder along with allow using recursion and i got results with slow Internet service and with the following IPs for Destination IP for DNS rule.
210.9.72.173
192.115.106.10
193.0.0.195
128.242.107.5
168.143.179.5
209.1.222.247
202.160.241.153
209.1.222.244
62.148.192.154
204.0.99.15
193.210.18.13
62.42.230.163
Then i re-assign the ISP DNS IPs for Forwarder and i didnt get anything in logging regarding DNS untill i clear the cache and i got only some IP requests for DNS forwarder. Also, i remove the forwarder and remain disable recursion and i still got results so what do you think, is it ok?
PS: don't forget that a netmon trace on the DNS server can also be very useful.
Can you send me the link to that tool?
Regards,
Al-Taee
|
|
|
|
|
RE: All user vs Internet group...?!? - 28.Sep.2005 4:25:00 AM
|
|
|
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
|
Hi Stefaan,
why did you remove the forwarders in the first place? I highly recommend to use your ISP DNS servers as forwarders to do the heavy work.
I didnt remove it, i just said that even if i remove the forwarder the Internet will still continue working.
The Network Monitor tool is a Windows Component included with Windows 2003 (Control Panel -> Add or Remove Programs).
This tool doesnt give a details regarding DNS port and requests.
If you are running on Windows 2000, check out my favorite free and excellent tool Ethereal. For more info, check out http://www.ethereal.com.
I think this tool is better.
Regards,
Al-Taee
|
|
|
|
|
RE: All user vs Internet group...?!? - 10.Oct.2005 9:07:00 AM
|
|
|
iraq it
Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
|
Hi Stefaan,
I have more than 50 workgroup computers (Win. 98, Win. ME and Win. XP) distributed in the building. Now, we plan to update Windows, Office, Antivirus program but as you know I have ISA2004 that allow only the Internet group (WP clients) so what's the best solution to do this assuming it will take 2 weeks and I don't want to allow un-authenticated users (All Users).
1 - Join the computers to the domain and use one user to update all the issues above and then they can use the computer using their user. When I update the windows or office with users1 (Domain Admin. User = authenticated) will the users2 (Domain user = un-authenticated to ISA) have the updated things when he login the PC?
2 - Tell me if there is a way to create a rule to allow only a computer administrator to update these issues in the workgroup computers?
Thanks,
Al-Taee
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
![[Eek!]](/image/smiles/eek.gif)
![[Confused]](/image/smiles/confused.gif)
![[Razz]](/image/smiles/tongue.gif)
