LAT problems

LAT problems - 12.Nov.2004 9:09:00 AM   
TomHubbard4321

 

Posts: 1
Joined: 12.Nov.2004
Status: offline
ISA Server 2000 with SP2

External
IP: 192.168.10.10 (Behind a router)
Gateway: 192.168.10.1
DNS: Using ISP

Internal
IP: 10.0.x.x
Gateway: None
DNS: Using local DNS server

Lat Table:
10.0.x.0 - 10.0.x.255

All clients can access the internet using WebProxy.

For some strange reason, I need to add the external IP into the LAT to access the internet from the ISA server.

[ November 12, 2004, 09:12 AM: Message edited by: TomHubbard4321 ]
Post #: 1
RE: LAT problems - 12.Nov.2004 11:02:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi TomHubbard4321,

Never, I repeat NEVER, put an external IP address in the LAT! You are breaking the whole security ISA can offer you by doing that!

If you want to give IE on ISA server itself outbound access, configure IE as a Web Proxy client by using ISA internal IP address TCP port 8080 as proxy settings.

Also, I see your DNS configuration on ISA is far from optimal. If you have an internal DNS server, don't specify an ISP DNS server on any adapter of the ISA server. Just the internal DNS server on the internal interface and make sure the internal adapter is listed first in the adapter order as explained in Jim's excellent article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html .

Next, perform the following configuration steps:

1) configure the internal DNS server as a SecureNAT client. That means its default gateway should point to the ISA internal interface.

2) enable forwarders on your internal DNS server and specify there your ISP DNS servers. Also, make sure you check the "Do not use recursion" box.

3) create on ISA a client address set containing your internal DNS server.

4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.

5) create on ISA a *separate* site&content rule allowing access to any destination or better to a destination set containing your ISP DNS servers, and apply it to the above created client address set.

Now, thoroughly test the DNS name resolving with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.

Another very good option is to install on ISA itself a caching-only DNS server. Check out Tom's article http://www.isaserver.org/articles/snatdns.html for more info.

HTH,
Stefaan

(in reply to TomHubbard4321)
Post #: 2
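
An added example, not part of either post and not ISA Server code: a small Python audit for the rule in the reply above, flagging LAT ranges that reach the external side of the ISA server. The 10.0.0.x internal range, the /24 mask on the external adapter and the function names are assumptions made for illustration.

```python
import ipaddress

def parse_lat(entries):
    """Parse 'start - end' LAT entries into (first, last) address pairs."""
    ranges = []
    for entry in entries:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-"))
        if first > last:
            raise ValueError(f"start after end in LAT entry {entry!r}")
        ranges.append((first, last))
    return ranges

def audit_lat(entries, external_if, external_gateway):
    """Return (entry, reason) findings for LAT ranges that cover external addresses."""
    ext = ipaddress.IPv4Interface(external_if)
    gateway = ipaddress.IPv4Address(external_gateway)
    net_lo = ext.network.network_address
    net_hi = ext.network.broadcast_address
    findings = []
    for first, last in parse_lat(entries):
        entry = f"{first} - {last}"
        reasons = []
        if first <= ext.ip <= last:
            reasons.append("contains the external adapter address")
        if first <= gateway <= last:
            reasons.append("contains the external default gateway")
        # Report a partial overlap only when neither specific address matched.
        if not reasons and first <= net_hi and net_lo <= last:
            reasons.append("overlaps the external subnet")
        findings.extend((entry, reason) for reason in reasons)
    return findings

# Constructed sample data. The external addresses come from the first post;
# 10.0.0.x stands in for its 10.0.x.x range and the /24 mask is assumed.
EXTERNAL_IF = "192.168.10.10/24"
EXTERNAL_GW = "192.168.10.1"
LAT_WITH_EXTERNAL_IP = ["10.0.0.0 - 10.0.0.255", "192.168.10.10 - 192.168.10.10"]
LAT_INTERNAL_ONLY = ["10.0.0.0 - 10.0.0.255"]

if __name__ == "__main__":
    for name, lat in (("with external IP", LAT_WITH_EXTERNAL_IP),
                      ("internal only", LAT_INTERNAL_ONLY)):
        findings = audit_lat(lat, EXTERNAL_IF, EXTERNAL_GW)
        print(name, "->", findings or "OK")
```
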
