Welcome to ISAserver.org

RE: All user vs Internet group...?!?

RE: All user vs Internet group...?!? - 20.Sep.2005 4:51:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Stefaan,

Another hint is that I can access the Internet even if I remove the Automatically Detect Settings from IE.

Anyway, while writing this post I solved the problem by renaming my Internet Group in the access rule, not in Active Directory Users & Computers [Eek!]

I mean I created a new definition for my group and added it, then I removed All Users and it works. Do you have an explanation for that?

Another thing is that I have access to the Internet even if I remove the DNS IPs from the DNS Forwarder [Confused]

Thanks,
Al-Taee

(in reply to iraq it)
Post #: 81
RE: All user vs Internet group...?!? - 20.Sep.2005 2:33:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,

please post the following information *unmodified*:
- ipconfig /all on ISA
- route print on ISA
- ipconfig /all on the internal DNS server
- ipconfig /all on an internal workstation

HTH,
Stefaan

(in reply to iraq it)
Post #: 82
RE: All user vs Internet group...?!? - 22.Sep.2005 4:01:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,

Here are the most important data requested:

- ipconfig /all on ISA

Windows IP Configuration

Host Name . . . . . . . . . . . . : gci-isa-01
Primary Dns Suffix . . . . . . . : GCI.GOV.IQ
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : GCI.GOV.IQ
GOV.IQ

Ethernet adapter Internal Network:

Gigabit Server Adapter #2
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.127.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.127.1.2

Ethernet adapter Internet VSAT:

DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 80.146.156.82
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 80.146.156.81

- route print on ISA
Active Routes:
Network Destination Netmask Gateway Interface
0.0.0.0 0.0.0.0 80.146.156.81 80.146.156.82
10.127.1.0 255.255.255.0 10.127.1.1 10.127.1.1
10.127.1.1 255.255.255.255 127.0.0.1 127.0.0.1
10.255.255.255 255.255.255.255 10.127.1.1 10.127.1.1
80.146.156.80 255.255.255.240 80.146.156.82 80.146.156.82
80.146.156.82 255.255.255.255 127.0.0.1 127.0.0.1
80.255.255.255 255.255.255.255 80.146.156.82 80.146.156.82
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1
224.0.0.0 240.0.0.0 10.127.1.1 10.127.1.1
224.0.0.0 240.0.0.0 80.146.156.82 80.146.156.82
255.255.255.255 255.255.255.255 10.127.1.1 10.127.1.1
255.255.255.255 255.255.255.255 80.146.156.82 80.146.156.82
Default Gateway: 80.146.156.81

- ipconfig /all on the internal DNS server

Windows IP Configuration

Host Name . . . . . . . . . . . . : GCI-DC-01
Primary Dns Suffix . . . . . . . : GCI.GOV.IQ
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : GCI.GOV.IQ
GOV.IQ

Ethernet adapter Local Area Connection:

DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.127.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.127.1.1
DNS Servers . . . . . . . . . . . : 10.127.1.2

- ipconfig /all on an internal workstation
Host Name . . . . . . . . . . . . : GCI-001
Primary Dns Suffix . . . . . . . : GCI.GOV.IQ
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : GCI.GOV.IQ
GOV.IQ

Ethernet adapter Internet ISA:

Connection-specific DNS Suffix . : GCI.GOV.IQ
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.127.1.107
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.127.1.1
DHCP Server . . . . . . . . . . . : 10.127.1.2
DNS Servers . . . . . . . . . . . : 10.127.1.2
Lease Obtained. . . . . . . . . . : Thursday, September 22, 2005 9:44:34 A
Lease Expires . . . . . . . . . . : Friday, September 30, 2005 9:44:34 AM

By the way, I am still able to use the Internet without DNS forwarders, and I am able to use the new version of Yahoo IM even though I have proxy clients; all you have to do is change the proxy settings to Firewall with no Proxy! Any comments?

Thanks,
Al-Taee

(in reply to iraq it)
Post #: 83
RE: All user vs Internet group...?!? - 22.Sep.2005 6:05:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,

the IP settings all seem correct to me. That's good!

According to the given info, the only host that could directly resolve external FQDNs is your internal DNS server. All other hosts, including the ISA, depend on that.

Now, if you no longer have forwarders you shouldn't be able to resolve external FQDNs except if they are still in the cache of the DNS server or the ISA server. So, try some external FQDNs you never tried before.

About the Yahoo IM, I can't comment on that because I don't know the product.

HTH,
Stefaan

(in reply to iraq it)
Post #: 84
RE: All user vs Internet group...?!? - 23.Sep.2005 9:18:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,

Now, if you no longer have forwarders you shouldn't be able to resolve external FQDNs except if they are still in the cache of the DNS server or the ISA server. So, try some external FQDNs you never tried before.

Exactly, I agree with you. I cleared the DNS cache many times, and also the client DNS cache, and I can still access the Internet. I also tried new websites, but I can access them. I read some MS articles and it seems DNS recursion is the default option for the DNS process, and it uses the root hints if it couldn't find the DNS forwarder IPs, so is there any way to know which DNS process the client uses?

About the Yahoo IM, I can't comment on that because I don't know the product.

Yahoo IM means Yahoo Internet Messenger, and the new version of it is now working with ISA 2004, and it was not before!

Thanks,
Al-Taee

(in reply to iraq it)
Post #: 85
RE: All user vs Internet group...?!? - 23.Sep.2005 3:55:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,

if no forwarders are configured then the DNS server will use the root hint file for the resolver process. That means it will contact the Internet DNS root servers and do the whole recursion process by itself. However, if you have configured forwarders then the DNS server will first contact the forwarders and let them do the heavy work.

Now, what will happen if the forwarders are not reachable? That depends on the check box "Do not use recursion" in the forwarders tab. If that box is *not* checked then the DNS server will switch to the root hint file and regularly check if the forwarders are reachable again. If that box is checked (recommended setting), DNS resolving will no longer work.

So, you'll have to find out first how the DNS resolving is working. In any case, if it goes through the ISA server you should see that in the ISA logging. Otherwise it sounds like your ISA server is not the only exit point of your network.

PS: don't forget that a netmon trace on the DNS server can also be very useful.

HTH,
Stefaan

(in reply to iraq it)
Post #: 86
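
The check suggested in post #86 (look at the firewall log to see how DNS resolution actually leaves the network), sketched as an added example that is not part of the original thread. It assumes a simplified, constructed CSV log layout (not the ISA Server log format) and a placeholder forwarder address 192.0.2.53, since the ISP forwarder IPs are not given in the thread; 10.127.1.2 is the internal DNS server from the ipconfig output above.

```python
import csv, io

DNS_SERVER = "10.127.1.2"     # internal DNS server, from the ipconfig output in this thread
FORWARDERS = {"192.0.2.53"}   # placeholder: the ISP forwarder IPs are not given in the thread

# Constructed sample rows in a simplified CSV layout (assumption, not the ISA log format)
SAMPLE_LOG = """\
time,src_ip,dst_ip,dst_port,protocol,action
09:44:40,10.127.1.2,192.0.2.53,53,UDP,Allowed
09:44:41,10.127.1.2,198.51.100.7,53,UDP,Allowed
09:44:41,10.127.1.2,203.0.113.20,53,UDP,Allowed
09:44:45,10.127.1.107,203.0.113.99,53,UDP,Denied
09:44:50,10.127.1.107,203.0.113.80,80,TCP,Allowed
09:45:02,10.127.1.2,192.0.2.53,53,TCP,Allowed
"""

def classify(row):
    """Label one firewall log row by how the DNS lookup left the network."""
    if row["dst_port"] != "53":
        return "not-dns"
    if row["src_ip"] != DNS_SERVER:
        return "client-bypasses-dns-server"  # a host other than the DNS server resolving directly
    if row["dst_ip"] in FORWARDERS:
        return "via-forwarder"
    return "root-hint-recursion"  # DNS server contacting other name servers by itself

def summarize(log_text):
    """Count rows per label and collect the non-forwarder servers the DNS server contacted."""
    counts, iterative_targets = {}, set()
    for row in csv.DictReader(io.StringIO(log_text)):
        label = classify(row)
        counts[label] = counts.get(label, 0) + 1
        if label == "root-hint-recursion":
            iterative_targets.add(row["dst_ip"])
    return counts, sorted(iterative_targets)

def diagnose(counts):
    """Turn the counts into the conclusion the post describes."""
    if counts.get("root-hint-recursion"):
        return "DNS server is recursing on its own (forwarders unused or unreachable)"
    if counts.get("via-forwarder"):
        return "DNS server resolves through the forwarders only"
    return "no DNS seen from the DNS server: answers come from cache or another exit point"

if __name__ == "__main__":
    counts, targets = summarize(SAMPLE_LOG)
    print(counts, targets, diagnose(counts), sep="\n")
```

Run it against an export taken after clearing the DNS server and client caches, so that cached answers do not hide the resolution path.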
RE: All user vs Internet group...?!? - 25.Sep.2005 3:15:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,

Now, what will happen if the forwarders are not reachable? That depends on the check box "Do not use recursion" in the forwarders tab. If that box is *not* checked then the DNS server will switch to the root hint file and regularly check if the forwarders are reachable again. If that box is checked (recommended setting).

I created a filter for my ISP DNS IP and it was working, but I removed the DNS forwarder IPs along with allowing the use of recursion, and I got results with slow Internet service and with the following IPs as Destination IP for the DNS rule.


Then I re-assigned the ISP DNS IPs as forwarders and I didn't get anything in the logging regarding DNS until I cleared the cache, and I got only some IP requests for the DNS forwarder. Also, I removed the forwarder and kept recursion disabled and I still got results, so what do you think, is it OK?

PS: don't forget that a netmon trace on the DNS server can also be very useful.

Can you send me the link to that tool?

Regards,
Al-Taee

(in reply to iraq it)
Post #: 89
RE: All user vs Internet group...?!? - 27.Sep.2005 2:39:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Al-Taee,

why did you remove the forwarders in the first place? I highly recommend using your ISP DNS servers as forwarders to do the heavy work. Moreover, they should be very stable and already have a very rich DNS cache. That's good for performance. [Razz]

The Network Monitor tool is a Windows Component included with Windows 2003 (Control Panel -> Add or Remove Programs). If you are running on Windows 2000, check out my favorite free and excellent tool Ethereal. For more info, check out http://www.ethereal.com .

HTH,
Stefaan

(in reply to iraq it)
Post #: 90
RE: All user vs Internet group...?!? - 28.Sep.2005 4:25:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,

why did you remove the forwarders in the first place? I highly recommend using your ISP DNS servers as forwarders to do the heavy work.

I didn't remove it, I just said that even if I remove the forwarder the Internet will still continue working.

The Network Monitor tool is a Windows Component included with Windows 2003 (Control Panel -> Add or Remove Programs).

This tool doesn't give details regarding the DNS port and requests.

If you are running on Windows 2000, check out my favorite free and excellent tool Ethereal. For more info, check out http://www.ethereal.com.

I think this tool is better.

Regards,
Al-Taee

(in reply to iraq it)
Post #: 91
RE: All user vs Internet group...?!? - 10.Oct.2005 9:07:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Stefaan,

I have more than 50 workgroup computers (Win. 98, Win. ME and Win. XP) distributed in the building. Now, we plan to update Windows, Office and the antivirus program, but as you know I have ISA 2004 that allows only the Internet group (WP clients), so what's the best solution to do this, assuming it will take 2 weeks and I don't want to allow un-authenticated users (All Users)?

1 - Join the computers to the domain and use one user to update all the issues above, and then they can use the computer with their own user. When I update Windows or Office with user1 (Domain Admin user = authenticated), will user2 (Domain user = un-authenticated to ISA) have the updated things when he logs in to the PC?

2 - Tell me if there is a way to create a rule to allow only a computer administrator to update these issues in the workgroup computers?

Thanks,
Al-Taee

(in reply to iraq it)
Post #: 92
