Is my resolution best practice?


teejayuu -> Is my resolution best practice? (22.Jun.2008 9:03:53 AM)

Hi

First let me give you our setup:
Linux gateserver (externally maintained, but difficult to get hold of) and slowly migrating all server functions to a Windows based network.
Rest are Windows 2k3 R2 SP2 servers.
The Linux box acts as a gateway and has 3 ADSL router/modems for external and internal access (VPN). Also have a BTNet 10meg Leased Line. Windows Servers handle AD, Exchange, DNS, DHCP and everything else. Between the Leased Line and the Internal network is ISA 2006 acting as an Edge Firewall. I have 2 AD controllers, AD1 and AD2. AD1 was using the ISA as a gateway, which had a rule allowing all users access to the External network for HTTP/HTTPS traffic. AD2 had been misconfigured and was using the Linux box for its gateway.

Once I realised this I changed AD2 to use ISA as its gateway. At this point we lost all access to the Internet. Troubleshooting led me to believe that we weren't accessing BTNet's DNS servers and that ISA was blocking DNS traffic. (Previously ISA routed HTTP/S traffic and Linux handled DNS requests.) I created network objects for each of BT's DNS servers and a rule to allow DNS traffic through to these network objects. This solved the problem.

My question, as I am new to ISA and am using ISA Server 2006 Unleashed as my reference guide, is: is my resolution best practice?

Thanks
TJ




paulo.oliveira -> RE: Is my resolution best practice? (23.Jun.2008 9:23:37 AM)

Hi,

quote:

I created network objects for each of BT's DNS servers and a rule to allow DNS traffic through to these network objects. This solved the problem.


Are your DNS servers internal or external?

Regards,
Paulo Oliveira.




teejayuu -> RE: Is my resolution best practice? (23.Jun.2008 9:45:43 AM)

Hi Paulo

BT's DNS servers are external to our organisation.  Internally we use W2k3 DHCP/DNS.

TJ




paulo.oliveira -> RE: Is my resolution best practice? (23.Jun.2008 10:05:33 AM)

Hi TJ,

The best practice for ISA is to use the internal DNS server on the internal NIC and to enable forwarding on the internal DNS.

Read this: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html
http://www.isaserver.org/tutorials/configuring_isa_server_interface_settings.html

Regards,
Paulo Oliveira.




teejayuu -> RE: Is my resolution best practice? (23.Jun.2008 10:36:00 AM)

Hi Paulo

quote:

  The best practice for ISA is to use the internal DNS server on the internal NIC and to enable forwarding on the internal DNS.


I have both my internal DNS servers registered on the internal NIC and BTNet's DNS Server registered in the DNS server as forwarders.

quote:

  Read this: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html
http://www.isaserver.org/tutorials/configuring_isa_server_interface_settings.html

Have read both guides and have my cards set up as these suggest. In fact I used the latter when I first installed ISA Server.

TJ




pwindell -> RE: Is my resolution best practice? (23.Jun.2008 11:37:37 AM)

quote:

  Linux gateserver (externally maintained, but difficult to get hold of) and slowly migrating all server functions to a Windows based network.
  Rest are Windows 2k3 R2 SP2 servers.
  The Linux box acts as a gateway and has 3 ADSL router/modems for external and internal access (VPN). Also have a BTNet 10meg Leased Line. Windows Servers handle AD, Exchange, DNS, DHCP and everything else. Between the Leased Line and the Internal network is ISA 2006 acting as an Edge Firewall. I have 2 AD controllers, AD1 and AD2. AD1 was using the ISA as a gateway, which had a rule allowing all users access to the External network for HTTP/HTTPS traffic. AD2 had been misconfigured and was using the Linux box for its gateway.


I have no idea what you are trying to describe there. Make the description cleaner and more direct to the point. Just because some DSL lines exist, a VPN exists, and a Leased Line exists doesn't tell us how they relate together, how they are positioned, and how the topology is laid out. All your VPNs and Leased Lines will no longer have the traffic properly routed to them if the ISA is not entered into the LAN properly.

quote:

  Once I realised this I changed AD2 to use ISA as its gateway. At this point we lost all access to the Internet. Troubleshooting led me to believe that we weren't accessing BTNet's DNS servers and that ISA was blocking DNS traffic. (Previously ISA routed HTTP/S traffic and Linux handled DNS requests.) I created network objects for each of BT's DNS servers and a rule to allow DNS traffic through to these network objects. This solved the problem.

ISA needs an Access Rule that allows the AD/DNS servers to make anonymous outbound DNS queries to the DNS servers listed in the Forwarders list. If that is what you mean by that, then you are doing that correctly in the most common way.
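A toy model of the access-rule point pwindell makes, added here as an example and not taken from the thread or from ISA itself: it shows why a web-only policy breaks name resolution once the domain controllers route through ISA, and how tightly the DNS rule can be scoped. The addresses are constructed RFC 5737 values, and the evaluator only approximates ISA's first-match, default-deny ordering.

```python
# Constructed model of ISA 2006 access-rule evaluation (not ISA's real engine).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 5737 documentation ranges), not the real ones.
INTERNAL = ip_network("10.0.0.0/24")
DNS_SERVERS = {ip_address("10.0.0.10"), ip_address("10.0.0.11")}   # AD1/AD2
BT_FORWARDERS = {ip_address("192.0.2.53"), ip_address("198.51.100.53")}

# Protocol definitions as (transport, port) pairs, the way ISA groups them.
PROTOCOLS = {
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "DNS": {("udp", 53), ("tcp", 53)},
}

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    protocols: frozenset   # keys of PROTOCOLS
    sources: object        # callable(ip) -> bool, like a computer set
    destinations: object   # callable(ip) -> bool, like network objects

def evaluate(rules, src, dst, transport, port):
    """First matching rule wins; ISA's implicit last rule denies everything."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if not (r.sources(src) and r.destinations(dst)):
            continue
        if any((transport, port) in PROTOCOLS[p] for p in r.protocols):
            return r.action, r.name
    return "deny", "Default rule"

# The policy TJ started with: web only. Once AD2 routes via ISA, the internal
# DNS cannot reach its forwarders, so every lookup (and all browsing) fails.
WEB_ONLY = [
    Rule("Allow web", "allow", frozenset({"HTTP", "HTTPS"}),
         lambda ip: ip in INTERNAL, lambda ip: ip not in INTERNAL),
]

# The fix pwindell describes, scoped to least privilege: only the AD/DNS
# servers, only the DNS protocol, only to the forwarder addresses. Clients
# still resolve via internal DNS and cannot talk DNS to arbitrary hosts.
WITH_FORWARDER_RULE = [
    Rule("DNS to forwarders", "allow", frozenset({"DNS"}),
         lambda ip: ip in DNS_SERVERS, lambda ip: ip in BT_FORWARDERS),
] + WEB_ONLY
```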
