
Welcome to ISAserver.org

Master Browser and Domain browsing

Master Browser and Domain browsing - 6.Oct.2006 3:43:07 PM   
DanFletcher

 

Posts: 20
Joined: 22.Aug.2006
Status: offline
ISA 2006 on Windows server 2003 R2 fully patched.
ISA server tries to be a master browser since I have routes outside of the subnet. Turned off Computer Browser service and all is fine.
But I cannot browse the internal network and I get login errors. See post...
http://forums.isaserver.org/ISA_Server_2004_thinks_its_the_Master_Browser/m_200266600/tm.htm

"Added the rule at the bottom of the post and all is fine.
This is what finally came out of three DAYS! on the phone with Microsoft support:

Name: Internal to localhost
Action: Allow
Protocols: All Outbound Traffic
From: Internal, Local Host VPN Clients
To: Internal, Local Host, VPN Clients
Condition: All Users

Everyone says I should not have to have this rule. Even the support engineers disagree amongst themselves. However, now the ISA box logs into the domain."

Is there a better way than this?

Dan
Post #: 1
RE: Master Browser and Domain browsing - 8.Oct.2006 11:57:41 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dan,

Is this a social engineering exploit?

EVERYONE -- NEVER NEVER NEVER DEPLOY A RULE LIKE THE ONE THAT DAN DESCRIBES. IT WILL COMPLETELY OPEN UP YOUR ISA FIREWALL TO ATTACK.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to DanFletcher)
Post #: 2
RE: Master Browser and Domain browsing - 10.Oct.2006 11:28:39 AM   
DanFletcher

 

Posts: 20
Joined: 22.Aug.2006
Status: offline
Yes, that is the question. I do not like the rule that was given in that post. What rule should I set up so that ISA server can connect with the domain controllers at login so I do not get errors (Netlogon)
Event ID: 5783
Source: NETLOGON
Description: The session setup to the Windows NT or Windows 2000 domain controller DCName.domain_name.com for the domain Domain is not responsive. The current RPC call from Netlogon on Workstation to DCName has been canceled.

when logging in to ISA with a domain account? (I turned off the Computer Browser service since ISA was trying to be a Master Browser.) The ISA 2006 is a member server. I would also like to browse shares from the ISA to some servers on the network to get files... I was able to create a mapped drive and it lets me do that, but not browse the network for shares.

I am thinking something as simple as an RPC and Kerberos rule to the domain controllers...

< Message edited by DanFletcher -- 10.Oct.2006 1:46:39 PM >

(in reply to tshinder)
Post #: 3
RE: Master Browser and Domain browsing - 11.Oct.2006 10:25:32 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dan,

I ignore the computer browser messages.

However, are you having problems with domain connectivity? Can the ISA Firewall authenticate users?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to DanFletcher)
Post #: 4
RE: Master Browser and Domain browsing - 11.Oct.2006 11:21:41 AM   
DanFletcher

 

Posts: 20
Joined: 22.Aug.2006
Status: offline
Outside users can authenticate fine (VPN, OWA, Active Sync). I turned off the Computer Browser service to stop ISA from trying to be a master browser, since the ISA does not need to be a browser anyway. That solved that issue.
This issue is separate:
When I log into the ISA server I get the following error:
Event ID: 5783
Source: NETLOGON
Description: The session setup to the Windows NT or Windows 2000 domain controller DCName.domain_name.com for the domain Domain is not responsive. The current RPC call from Netlogon on Workstation to DCName has been canceled.


So I was thinking that there should be a rule from the local host to the domain controllers. That way when I log in I do not get the error. Similar to what I set up for my WSUS server.

So if I create a rule from Local Host to the domain controllers of Allow all Traffic, it works. But I would rather just allow what is needed. I have tried RPC and Kerberos traffic but I must be missing something. We are still on a 2000 domain.

Hope that explains it better.

Dan

(in reply to tshinder)
Post #: 5
