spouseele -> RE: Client cannot connect? (9.Sep.2006 6:48:09 PM)
OK, let's draw a little diagram to help explain how the general network setup should be:
[ PC ] --------- [ ISA ] --------- Internet/External
In the above diagram, I assume that the ISA internal interface is a member of the Network ID 192.168.0.0/24 and that the ISA External interface is a member of the Network ID 192.168.229.0/24. So the default gateway on ISA should *only* be set on the ISA external interface and that looks OK in your case. However, the LAT on ISA should *only* contain the Network IDs used on the internal network. In your case I think this is the Network ID 192.168.0.0/24 only and therefore the LAT should only have the single entry 192.168.0.0 - 192.168.0.255.
Question: what type of device is the host 192.168.229.2? It seems to be used as default gateway *and* as DNS server and that is a little bit strange.
Now, on the internal network you said you have a DC. So, may I assume it has the IP address 192.168.0.1 and is used as internal DHCP *and* DNS server?
Question: why is on the internal workstation the default gateway 192.168.0.1 and not the ISA internal interface?
About the optimum DNS configuration:
Assuming you have an internal DNS server, do *not* specify any ISP/External DNS server on any adapter of the ISA server. Just the internal DNS server on the internal interface and make sure the internal adapter is listed first in the adapter order as explained in Jim's excellent article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html.
Next, perform the following configuration steps:
1) configure the internal DNS server as a SecureNAT client. That means its default gateway should point to the ISA internal interface.
2) enable forwarders on your internal DNS server and specify there your ISP/External DNS servers. Also, make sure you check the "Do not use recursion" box.
3) create on ISA a client address set containing your internal DNS server.
4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.
5) create on ISA a *separate* site&content rule allowing access to any destination or better to a destination set containing your ISP/External DNS servers, and apply it to the above created client address set.
Now, thoroughly test the DNS name resolution with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.
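As an added example (not part of the original post), the checks spouseele walks through above, expressed as a small Python audit: default gateway only on the external adapter, LAT limited to internal Network IDs, no external DNS server on any ISA adapter, and the internal DNS server pointing its gateway at the ISA internal interface. The adapter addresses, the ISA internal IP 192.168.0.254 and the deliberately wrong entries in the sample are constructed assumptions mirroring the thread's network.

```python
import ipaddress

# Constructed sample mirroring the thread: 192.168.0.0/24 inside, 192.168.229.0/24 outside.
ISA_CONFIG = {
    "adapters": [
        {"name": "Internal", "ip": "192.168.0.254", "mask": "255.255.255.0",
         "gateway": None, "dns": ["192.168.0.1"]},
        {"name": "External", "ip": "192.168.229.10", "mask": "255.255.255.0",
         "gateway": "192.168.229.2", "dns": ["192.168.229.2"]},  # external DNS on ISA: finding
    ],
    "lat": ["192.168.0.0-192.168.0.255", "192.168.229.0-192.168.229.255"],  # 2nd entry wrong
}
INTERNAL_DNS = {"ip": "192.168.0.1", "gateway": "192.168.0.1"}  # should point at ISA internal

def internal_networks(cfg):
    """Network IDs reachable on the ISA internal adapter(s)."""
    return [ipaddress.ip_network(f"{a['ip']}/{a['mask']}", strict=False)
            for a in cfg["adapters"] if a["name"] == "Internal"]

def lat_ranges(cfg):
    """Yield each LAT entry as (text, first address, last address)."""
    for entry in cfg["lat"]:
        lo, hi = entry.split("-")
        yield entry, ipaddress.ip_address(lo), ipaddress.ip_address(hi)

def audit(cfg, internal_dns):
    """Return a list of findings; an empty list means the layout follows the post's rules."""
    findings = []
    internal = internal_networks(cfg)
    for a in cfg["adapters"]:
        if a["name"] != "External" and a["gateway"]:
            findings.append(f"default gateway set on {a['name']} adapter")
        for d in a["dns"]:  # only the internal DNS server belongs on any ISA adapter
            if not any(ipaddress.ip_address(d) in n for n in internal):
                findings.append(f"external DNS server {d} configured on {a['name']} adapter")
    for entry, lo, hi in lat_ranges(cfg):  # LAT must contain internal Network IDs only
        if not any(lo in n and hi in n for n in internal):
            findings.append(f"LAT entry {entry} is not an internal Network ID")
    isa_internal_ips = {a["ip"] for a in cfg["adapters"] if a["name"] == "Internal"}
    if internal_dns["gateway"] not in isa_internal_ips:  # SecureNAT client check
        findings.append("internal DNS server gateway does not point to the ISA internal interface")
    return findings

if __name__ == "__main__":
    for f in audit(ISA_CONFIG, INTERNAL_DNS):
        print("FINDING:", f)
```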