I have 2 Windows 2000 native domains (I'll just call them DomainA and DomainB). Each domain is in a separate forest. I have a 2-way external trust between the 2 domains. I installed ISA 2006 Standard on a Windows 2003 R2 server. The server is a member of DomainA. When I try to specify Windows Users for VPN access I can select the group I want from DomainA. But when I try to select a group from DomainB I get the error "The specified domain either does not exist or could not be contacted."
Also, from my PC (laptop1.domainA) I can use Windows Explorer and drill down from My Network Places to DomainB and server.DomainB. When I try to do the same from the server where ISA 2006 is installed, I get an error (DomainB is not accessible. The list of servers for this workgroup is not available). But I can connect to the server in DomainB by entering \\server.DomainB. Both my PC and the ISA 2006 server are on the same subnet, but the DomainB servers are on a different subnet.
I have ISA 2000 currently running and it has no problem accessing DomainB security groups. Any ideas on how to fix this? Thanks in advance.
AD and DNS are working fine. The problem is with ISA 2006. It seems to be much different from 2000. Anyway, this looks like a routing problem with ISA. I have 2 NICs, with one connected via T1 to the internet and the other to my internal network. The NIC on the internal network has IP address 22.214.171.124/24. I can connect to all devices on this subnet with no problem. What I cannot do is connect to other subnets on my internal network. Since the NIC on my internal network doesn't have a default gateway, I created static routes in RRAS to map the other internal subnets. This worked with ISA 2000 but not with ISA 2006. What am I doing wrong???
OK, I used the route command for all my internal networks and added them to the ISA Internal network, and now I can ping all the subnets from the ISA server. But I still have the same problem when I try to access DomainB. There must be something in ISA that is blocking access to DomainB. I do not have this problem with ISA 2000. Any ideas on how to fix this? Thanks.
OK, I ran diag logging and found the reason why I am not connecting to DomainB. The diag shows "Log source: Firewall Engine ISA Server is evaluating the rule [System] Allow NetBIOS from ISA Server to trusted servers." followed by "Log source: Firewall Engine source does not match the packet." So it looks like the domain controllers in DomainB are not included in the "trusted servers" group. So now the question is: "How do I get the DomainB controllers into the ISA "trusted servers" group?"
I assume you mean ISA system policy? Inside the System Policy editor I see Configuration Groups on the left. Down the list I see Authentication Services and under that is Active Directory. There I see that Enable config and Enforce strict RPC are both checked. On the To tab I see Internal in the destination list and nothing in the Exceptions list. I would think that Internal would include all the DomainB controllers, since their IPs are part of the Internal network. Regardless, I added the 2 DomainB DC computers to the destination list, hit OK and then Apply. I then go to Specify Windows Users in the VPN section, click the Groups tab, click Add, change the location to DomainB, click OK, click Advanced, click Find Now and wait while it searches for about 10 seconds, only to see the message that the domain cannot be contacted.
I also tried an access rule but got the same result. I have a couple of other Win2k3 member servers in DomainA. On both of those servers I can go to Computer Management, Local Users and Groups, select a group, Add to Group, change the location to DomainB, click Advanced, click Find Now, and after a second or 2 I see a list of all DomainB users and groups. Do the same thing on ISA 2006 and I get the "domain cannot be contacted" message. WHY????
I bet even Shinder can't answer this one!!! Just kidding.
1. Internal IpRangeSet 10.0.0.0-10.255.255.255 126.96.36.199-188.8.131.52 192.0.0.0-184.108.40.206
2. WINS/DNS settings identical to ISA 2000 server.
3. All are Win2k3 R2.
4. DomainB is Windows 2000 native. One DC is Win2k, the other Win2k3.
5. Log output: ISA is 220.127.116.11, DomainB DCs are 18.104.22.168-92

Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Authentication Server Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL

22.214.171.124 ISA2K3 - UDP - - 10/11/2007 8:00:45 PM 138 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall - 10/11/2007 4:00:45 PM 126.96.36.199 138 NetBios Datagram Initiated Connection [System] Allow NetBIOS from ISA Server to trusted servers 188.8.131.52 Local Host Internal - -
184.108.40.206 ISA2K3 - UDP - - 10/11/2007 8:00:45 PM 138 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall - 10/11/2007 4:00:45 PM 220.127.116.11 138 NetBios Datagram Initiated Connection [System] Allow NetBIOS from ISA Server to trusted servers 18.104.22.168 Local Host Internal - -
22.214.171.124 ISA2K3 - UDP - - 10/11/2007 8:01:54 PM 138 69000 522 0 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall - 10/11/2007 4:01:54 PM 126.96.36.199 138 NetBios Datagram Closed Connection [System] Allow NetBIOS from ISA Server to trusted servers 188.8.131.52 Local Host Internal - -
184.108.40.206 ISA2K3 - UDP - - 10/11/2007 8:01:54 PM 138 69000 522 0 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall - 10/11/2007 4:01:54 PM 220.127.116.11 138 NetBios Datagram Closed Connection [System] Allow NetBIOS from ISA Server to trusted servers 18.104.22.168 Local Host Internal - -
Can you get Shinder to take a look at this problem? I took some additional steps to try to determine the cause of this problem. Here is what I did:
1. Wiped the disk and installed Win2k3 R2 Standard Edition.
2. Joined the new server to DomainA.
3. Installed SP2 and all MS updates.
4. At this point I can add both DomainA and DomainB users/groups to ISA server local groups.
5. Installed ISA 2006.
6. Can now access DomainA users/groups but get the error message when trying to access DomainB.
7. Removed the ISA server from DomainA and then joined it to DomainB.
8. Can now access DomainB users/groups but get the error message when trying to access DomainA.
This problem is specific to ISA 2006, as I don't have this problem with my production ISA 2000 server. Not sure if this problem also exists in ISA 2004. Would really like to get Shinder's input on this. Thanks.
OK, I finally got it to work. Had to create an access rule: All outbound traffic; From: Internal, Local Host; To: Internal, Local Host. Maybe not the best way to do it, but this way everyone is happy! Thanks for your help!!!!
THIS IS NOT A GOOD IDEA!!!!!!!!!!!!!!!!!!!
The idea of the temp rule was to track down the problems and allow you to report on the protocols in use. You could then define a specific rule, as required, once you had determined what was required to solve your problem.
The rule you have created has essentially opened up your entire internal network to ISA. You also need to consider that if ISA is compromised, it now has full access to your internal network... not an ideal configuration.
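As an added example that is not part of this thread and not code from ISA Server itself, the Python script below does what the reply above recommends: it reads a firewall-log export like the one pasted earlier in the thread (tab-separated, using ISA's own column names), lists the protocols and destination hosts the ISA server actually used toward the DomainB domain controllers while the temporary rule was in place, turns that into a narrow access-rule specification, and compares how many internal addresses that rule reaches against the "All outbound traffic, Internal/Local Host to Internal/Local Host" rule. Every address, network range, sample log row, protocol name and rule name in it is a constructed placeholder, not a value from the thread.

```python
"""Derive a least-privilege ISA access rule from a firewall-log export.

Added example; not code from the thread or from ISA Server. All values
below (addresses, ranges, sample rows, rule names) are constructed.
"""
import csv
import io
import ipaddress

# Constructed sample export: a subset of the columns seen in the thread's
# log paste, tab-separated, one record per line.
SAMPLE_LOG = """\
Log Time\tClient IP\tDestination IP\tDestination Port\tProtocol\tAction\tRule\tSource Network\tDestination Network\tResult Code
10/11/2007 4:00:45 PM\t192.0.2.10\t198.51.100.201\t138\tNetBios Datagram\tInitiated Connection\t[System] Allow NetBIOS from ISA Server to trusted servers\tLocal Host\tInternal\t0x0 ERROR_SUCCESS
10/11/2007 4:00:45 PM\t192.0.2.10\t198.51.100.202\t138\tNetBios Datagram\tInitiated Connection\t[System] Allow NetBIOS from ISA Server to trusted servers\tLocal Host\tInternal\t0x0 ERROR_SUCCESS
10/11/2007 4:00:46 PM\t192.0.2.10\t198.51.100.201\t389\tLDAP\tInitiated Connection\tTemp all outbound\tLocal Host\tInternal\t0x0 ERROR_SUCCESS
10/11/2007 4:00:46 PM\t192.0.2.10\t198.51.100.201\t88\tKerberos-Sec (TCP)\tInitiated Connection\tTemp all outbound\tLocal Host\tInternal\t0x0 ERROR_SUCCESS
10/11/2007 4:00:47 PM\t192.0.2.10\t198.51.100.202\t135\tRPC (all interfaces)\tInitiated Connection\tTemp all outbound\tLocal Host\tInternal\t0x0 ERROR_SUCCESS
10/11/2007 4:00:48 PM\t192.0.2.10\t198.51.100.50\t445\tMicrosoft CIFS (TCP)\tDenied Connection\tDefault rule\tLocal Host\tInternal\t0xc004000d FWX_E_POLICY_RULES_DENIED
10/11/2007 4:01:54 PM\t192.0.2.10\t198.51.100.201\t138\tNetBios Datagram\tClosed Connection\t[System] Allow NetBIOS from ISA Server to trusted servers\tLocal Host\tInternal\t0x80074e20 FWX_E_GRACEFUL_SHUTDOWN
"""

# Constructed network definitions, standing in for the ISA "Internal" range
# set and the ISA server's own address (the thread's real values are not used).
NETWORKS = {
    "Internal": [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")],
    "Local Host": [ipaddress.ip_network("192.0.2.10/32")],
}
DOMAIN_B_DCS = {ipaddress.ip_address("198.51.100.201"),
                ipaddress.ip_address("198.51.100.202")}

# The rule the original poster ended up with.
BROAD_RULE = {
    "name": "All outbound traffic, Internal/Local Host to Internal/Local Host",
    "protocols": ["All Outbound Traffic"],
    "from": ["Internal", "Local Host"],
    "to": ["Internal", "Local Host"],
}


def parse_export(text):
    """Parse a tab-separated ISA log export into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def observed_flows(records, destinations, source_network="Local Host"):
    """Return the set of (protocol, destination IP, port) the firewall actually
    allowed from source_network to the given destination hosts. Denied and
    Closed records are skipped: only an initiated connection is evidence that
    the narrow rule needs that protocol."""
    flows = set()
    for r in records:
        if r["Source Network"] != source_network or r["Action"] != "Initiated Connection":
            continue
        dst = ipaddress.ip_address(r["Destination IP"])
        if dst in destinations:
            flows.add((r["Protocol"], str(dst), int(r["Destination Port"])))
    return flows


def denied_flows(records):
    """List (protocol, destination IP, port, rule) for connections ISA denied,
    i.e. what to look at when something still does not work."""
    return [(r["Protocol"], r["Destination IP"], int(r["Destination Port"]), r["Rule"])
            for r in records if r["Action"] == "Denied Connection"]


def propose_rule(flows, name="Allow ISA to DomainB DCs"):
    """Turn observed flows into a narrow rule: only protocols seen, only hosts seen."""
    return {
        "name": name,
        "protocols": sorted({p for p, _, _ in flows}),
        "from": ["Local Host"],
        "to": sorted({ip for _, ip, _ in flows}),
    }


def reachable_hosts(rule, networks):
    """Count the addresses a rule's 'To' list covers; named ISA networks are
    expanded via `networks`, anything else is treated as a single host."""
    return sum(sum(n.num_addresses for n in networks[e]) if e in networks else 1
               for e in rule["to"])


if __name__ == "__main__":
    recs = parse_export(SAMPLE_LOG)
    narrow = propose_rule(observed_flows(recs, DOMAIN_B_DCS))
    print("Proposed rule:", narrow)
    print("Denied while testing:", denied_flows(recs))
    for rule in (BROAD_RULE, narrow):
        print(f"{rule['name']!r} reaches {reachable_hosts(rule, NETWORKS)} host(s) "
              f"with protocols {rule['protocols']}")
```

Run it once against a real export taken while the temporary rule is active, then replace the temporary rule with the narrow one it proposes; anything that later shows up in `denied_flows` is a specific protocol to add, rather than a reason to reopen everything.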