We have ISA 2004 installed in our environment, but we do not have direct internet access. We're using the internet access of a different company, thus our ISA configuration is functioning as an upstream to those servers. The problem I have is as follows: we have a Server 2003 which has the Firewall Client installed to get data from outside for reporting purposes. After these downloads, another program will analyse the data, but needs to resolve IP numbers into FQDNs. We've tried some methods, but the only one which is working is disabling the FC, starting nslookup in the command prompt, and connecting to a different DNS server (outside our own network, but not on the internet). If we enable the FC, we are not able to connect to the other DNS server; we will get a timeout. My question therefore is: what should I do (if it's possible at all) to allow nslookup to resolve FQDNs outside our own network?
< Message edited by snsittard -- 23.Jun.2006 5:07:55 PM >
The problem I have is as follows: we have a Server 2003 which has the Firewall Client installed to get data from outside for reporting purposes.
You should never, I repeat never install the Firewall client on a server except on a Terminal or Citrix server acting as multiple clients. So, was there a particular reason why you did that?
What does your DNS infrastructure look like? Please give us some details. Do you have an internal DNS server? If so, is it configured with forwarders to resolve external FQDNs? What are the TCP/IP parameters on the servers and the clients (ipconfig /all can tell you all of them)? ...
The reason to install the FC on the server, which was done by a colleague of mine without informing me, was to use an FTP client application for scheduled downloads from various sites on the internet. That information can only be downloaded with FTP because of the security. They first tried to do it without the FTP client, but that didn't work. Even with an FTP client (without FC) they didn't get the information. Just after installing the FC they were able to download the files.
We have internal DNS servers which have information about our own AD and a few sites outside our domain, on the broader network, not for the internet. We do not have an internet connection ourselves; we are just using the connection of (let's call it) the main office. That is a different network, of which we only use the internet connection. The DNS entries on the outside NICs of our ISA servers are servers of the main office. For security reasons they do not tell us what kind of servers those are. We do not use forwarders in our domain.
The parameters of this (and all other) server(s) and clients are that the gateway is the switch of the LAN segment and the DNS servers are the internal DNS servers.
< Message edited by snsittard -- 26.Jun.2006 9:40:03 AM >
Aha... you should definitely change your DNS infrastructure. I suggest the following:
1. Configure the internal DNS server on the internal interface of the ISA server.
2. Remove all other DNS servers from all other ISA interfaces.
3. Configure your internal DNS server with forwarders. You can use the same servers there that you had as DNS servers on the external interface.
4. Make sure you have an access rule so that the internal DNS server can use the forwarders anonymously.
The result should be that any internal host is able to resolve external FQDNs. Test it out with the nslookup command. Once that is working, remove the Firewall Client from the internal server, make sure the internal server is configured as a SecureNAT client, and that there is an access rule allowing FTP access for that internal server.
< Message edited by spouseele -- 26.Jun.2006 8:24:14 PM >
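An added example, not from this thread, of the test spouseele recommends after steps 1 to 4: send a recursive A query for an external FQDN straight to the internal DNS server and map the reply to the checklist (SERVFAIL points at the forwarders or the access rule, a timeout at reachability of the DNS server itself). The server address and host name are placeholders; the parser handles the usual compressed answer names.

```python
import socket, struct

def build_query(name, txid=0x1234):
    """Standard recursive A query in RFC 1035 wire format (RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(data, pos):
    while data[pos] != 0:          # walk labels; a compression pointer ends the name
        if data[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += data[pos] + 1
    return pos + 1

def parse_response(data):
    """Return (rcode, [IPv4 strings]) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):             # skip the echoed question section
        pos = skip_name(data, pos) + 4   # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs

def classify(rcode, addrs):
    """Map the answer to the steps of the checklist above."""
    if rcode == 0 and addrs:
        return "OK: internal DNS resolves external names through its forwarders"
    if rcode == 2:
        return "SERVFAIL: DNS server cannot reach its forwarders (check steps 3 and 4)"
    if rcode == 3:
        return "NXDOMAIN: forwarding works, the name simply does not exist"
    return "unexpected rcode %d" % rcode

def check(server, name, timeout=3.0):
    """Ask `server` (placeholder: your internal DNS) for `name` over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            return classify(*parse_response(sock.recv(512)))
        except socket.timeout:
            return "TIMEOUT: no reply from %s; is the DNS server reachable?" % server
```

Run it as `check("192.0.2.10", "www.example.com")` with the address of your internal DNS server; once the internal server is a SecureNAT client, the same query from that host exercises exactly the path the FTP client will use.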