Welcome to ISAserver.org


split dns + remote hosted servers + proxy

split dns + remote hosted servers + proxy - 10.Nov.2006 5:09:05 AM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
Hi,

At the company I am working at now we have internet resources in the DMZ, but no split DNS.
I am currently designing a split DNS and reconfiguring the ISA 2004 servers.

The problem is that there are servers that are hosted outside our DMZ.
For split DNS this shouldn't be a problem; however, for the proxy config etc. this is a problem.

If all clients (firewall and web proxy) are configured with an exception list that says
"do not use proxy for *.example.com", and there is a remotely hosted web server called webshop.example.com that is not in the DMZ, it will go wrong.
I can exclude (do not use proxy for) the IP ranges of the DMZ servers.

What is the best way to solve this problem?
At the moment the firewall rules at the internet side (Cisco PIX) are ugly, because clients go through the ISA server(s) (1 NIC in the DMZ and 1 NIC in the intranet) and through the PIX to the internet and back to the DMZ.
Post #: 1
RE: split dns + remote hosted servers + proxy - 10.Nov.2006 1:43:26 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rob,

If you have external servers that need to be accessed by internal users, using the internal zone of the split DNS, then you'll need to configure the internal zone with DNS records that map to the external addresses, then the ISA Firewall will forward those requests outbound.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to theRob)
Post #: 2
RE: split dns + remote hosted servers + proxy - 10.Nov.2006 2:08:43 PM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
Hi Tom,

If I configure the internal zone of the DNS server with IP addresses of the internet side, what is the use of having a split DNS?
I want to configure the internal zone of the DNS server with IP addresses of the DMZ,
so no unnecessary traffic will go through the ISA server.

The ISA server is not directly connected to the internet side; it sits behind a PIX.
The only problem will be that there are externally hosted sites not in the DMZ.

Or should I skip the exclusions on the clients?

(in reply to tshinder)
Post #: 3
RE: split dns + remote hosted servers + proxy - 11.Nov.2006 11:56:59 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
I assume that you have internally located services that you're publishing to the Internet. If so, that's the value of the split DNS.

Keep in mind what the goal of the split DNS is, and everything will be OK.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to theRob)
Post #: 4
RE: split dns + remote hosted servers + proxy - 11.Nov.2006 12:48:49 PM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
Tom,

The value of split DNS is that no traffic meant for internet servers that belong to our company's DMZ.
But what to do in my case? I am getting a little bit confused here.

What should I do?

Regards,

Rob

(in reply to tshinder)
Post #: 5
RE: split dns + remote hosted servers + proxy - 12.Nov.2006 12:53:05 PM   
H4ppyGilmore

 

Posts: 199
Joined: 8.Apr.2006
Status: offline
quote:

If all clients (firewall and webproxy) are configured with an execption list that says
dot not use proxy for *.example.com and there is remote hosted webserver call webshop.example.com not on the dmz, it will go wrong.


Can you elaborate?

So, let's assume webshop.example.com is 1.1.1.1 and hosted by someone on the internet. Then there is blah.example.com with the IP address 192.168.100.10 in the DMZ (behind the PIX). You have www.example.com in the LAN with the IP address 10.1.1.10 (behind ISA).

Your split DNS server in the LAN will have the following zone and records.

example.com zone:
www.example.com.      IN  A  10.1.1.10
blah.example.com.     IN  A  192.168.100.10
webshop.example.com.  IN  A  1.1.1.1

What would go wrong with this setup?

Just selectively add FQDNs and IP addresses to the proxy exception list.


< Message edited by H4ppyGilmore -- 12.Nov.2006 1:07:37 PM >

(in reply to theRob)
Post #: 6
RE: split dns + remote hosted servers + proxy - 13.Nov.2006 2:20:47 AM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
H4ppyGilmore,
 
Thanks for your response.
I wasn't thinking right.
 
Regards,
 
Rob

(in reply to H4ppyGilmore)
Post #: 7
RE: split dns + remote hosted servers + proxy - 13.Nov.2006 3:40:11 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Just remember that you must not enter both IP addresses and FQDNs in the Direct Access list. The ability to do that was removed in ISA 2004 SP2 and continues with ISA 2006.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to theRob)
Post #: 8
RE: split dns + remote hosted servers + proxy - 13.Nov.2006 4:04:58 PM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
OK, thanks.
I will keep that in mind.
I will list the IP addresses of the DMZ for direct access and not use the FQDNs of all hosts that are in the DMZ.

But first I will test it in the test environment.

(in reply to tshinder)
Post #: 9
