Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
First off, while I do have ISA 2K4 in limited deployment, the bulk of my users are still on my old MSP2 with the W2K FWC. Today I changed the IP address on an internal member server but quite a few of my clients had the old IP stuck in their cache and could not access it. I made sure the DNS server had the records updated and was surprised that the old IP was stuck in cache.
I could not clear the cache with IPCONFIG /FlushDNS and even adding a host file entry would not mitigate it. The only thing I can surmise is that the ISA2K FWC was proxying the DNS query. Is this expected ISA2K FWC behavior? None of us on the 2K4 FWC had any problems.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
By default ISA server caches DNS entries for 6 hours, regardless of the actual TTL associated with the record. To prevent this behaviour, apply the following registry changes:
Web Proxy: HKLM\SOFTWARE\Microsoft\Fpc\Arrays\{Array GUID}\ArrayPolicy\WebProxy "msFPCDnsCacheSize"=dword:00000000
Note: for Enterprise Arrays, you have to use Active Directory Users and Computers in Advanced view mode, and drill down to System, Microsoft, FPC, Arrays, {Array GUID}, Array policy, etc...
You may have noticed while reading carefully in this section of the ISA help, that [Common Configuration] is stated as one of the places the FWC looks to for information. If you’re even more observant, you’ll also notice that it doesn’t exist in mspclnt.ini by default. When you enter an application name and that application is unknown to ISA, a new section is created in the ISA version of mspclnt.ini as [AppName]. This is also how you would create the [Common Configuration] section; by entering “Common Configuration” in the Application Name as shown below:
You may have noticed that I’ve used the NameResolution=L entry here. Why would he do that, you may ask? ..it’s OK; you can, I don’t mind… What this setting will do is cause the FWC to refer to the LAT host DNS client service for any and all FQDN resolution requests except where specified differently for a particular app or service in the mspclnt.ini file. If you have a solid DNS-based name resolution structure (NetBIOS broadcasts don’t count), then this setting will help you avoid the FWC DNS cache of death as mentioned in part one of these articles. I highly recommend using this setting (hint-hint). It can also mean the difference between an ISA event log full of 14120 errors and a peaceful ISA server (another article, RSN).
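As an added example (not code from the thread, from Microsoft, or from the article being quoted), here is a small Python script that applies the second fix described above to a Firewall Client mspclnt.ini: it creates the [Common Configuration] section if it is missing, sets NameResolution=L there, and shows how the FWC lookup order works, with a per-application section taking precedence over [Common Configuration]. The sample file contents are constructed to resemble an mspclnt.ini layout and are not a real client's file; section names are matched case-sensitively here, which may be stricter than the FWC itself. The registry change for the Web Proxy DNS cache in the first part of the reply is a single DWORD value and is not scripted here.

```python
"""
Added example, not code from the forum thread or from Microsoft: edit the
Firewall Client's mspclnt.ini so that [Common Configuration] carries
NameResolution=L, and work out which NameResolution value applies to a given
application, using the precedence the reply describes (a per-application
section wins over [Common Configuration]).

Assumptions not taken from the page: the sample file below is constructed to
resemble an mspclnt.ini layout; section-name matching is done case-sensitively
here, which is stricter than the FWC may be.
"""
import configparser
from io import StringIO

COMMON = "Common Configuration"

# Constructed sample: the default file has no [Common Configuration] section,
# and one application ([ftp]) already carries its own NameResolution override.
SAMPLE_INI = """\
[Master Config]
Path1=\\\\ISA1\\mspclnt\\

[Servers Ip Addresses]
Name=ISA1

[Common]
Port=1745
Set Browsers to use Proxy=1

[ftp]
NameResolution=R
"""


def load_ini(text):
    """Parse mspclnt.ini text, keeping key case as written."""
    cfg = configparser.ConfigParser(
        interpolation=None,      # values are literal; no % expansion
        delimiters=("=",),       # only '=' separates key and value here
        allow_no_value=True,     # tolerate bare flags if a file has them
        strict=False,            # tolerate duplicate keys rather than failing
    )
    cfg.optionxform = str        # do not lower-case option names
    cfg.read_string(text)
    return cfg


def dump_ini(cfg):
    """Serialise back to key=value lines in the file's own style."""
    buf = StringIO()
    cfg.write(buf, space_around_delimiters=False)
    return buf.getvalue()


def set_local_name_resolution(cfg):
    """Create [Common Configuration] if needed and set NameResolution=L.

    Returns True if the configuration changed, False if it was already set,
    so the function is safe to run repeatedly.
    """
    if not cfg.has_section(COMMON):
        cfg.add_section(COMMON)
    if cfg.get(COMMON, "NameResolution", fallback="").strip().upper() == "L":
        return False
    cfg.set(COMMON, "NameResolution", "L")
    return True


def effective_name_resolution(cfg, app):
    """Return the NameResolution value that applies to an application name.

    'L' means the FWC defers to the host's DNS client service; 'R' means the
    name is resolved through ISA (and therefore its DNS cache). A section
    named after the application overrides [Common Configuration]. None means
    neither section sets it, so the FWC's built-in default applies.
    """
    for section in (app, COMMON):
        if cfg.has_option(section, "NameResolution"):
            return cfg.get(section, "NameResolution").strip().upper()
    return None


if __name__ == "__main__":
    cfg = load_ini(SAMPLE_INI)
    print("before:", effective_name_resolution(cfg, "wspsrv"))
    set_local_name_resolution(cfg)
    print("after: ", effective_name_resolution(cfg, "wspsrv"))
    print("ftp keeps its override:", effective_name_resolution(cfg, "ftp"))
    print(dump_ini(cfg))
```

In practice the section is created on the ISA server side (by entering "Common Configuration" as the application name, as the reply explains) and distributed to clients from there; the script is useful for checking what a client actually received and for confirming that an application-specific section has not quietly overridden the global NameResolution=L.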
Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Thanks for that. I did eventually find some of that explanation in MS KB301695 but was unsure how much of it applies because I run a hybrid of ISA2K FWC and MSP2 server. I guess there is more of the MSP2 wolf in the ISA2K sheep than MS would like to admit.