RE: DNS on ISA 2000

RE: DNS on ISA 2000 - 12.Sep.2005 2:46:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Dana,

did you already have the chance to fix your setup?

Thanks,
Stefaan

(in reply to DanaK)
Post #: 21
RE: DNS on ISA 2000 - 14.Sep.2005 9:49:00 AM   
Guest
Yes, sorry, I finally did change the external NIC's settings last night and it certainly seemed to stop the errors. After a long wait, and a couple of restarts on the server, the ISA software began proxying again. Many other Application Event log entries popped up but they were primarily informational.

The only hangup was that e-mail protocols became blocked which were working fine before. I tried taking out and re-establishing IP routing (the one thing that actually started POP transmissions going in the first place after creating the rules) but that didn't do it. Will I need to take out the old POPx rules and recreate them? Is there something deep inside that may still have the old external IP address in it?

Thank you,
Dana

(in reply to DanaK)
  Post #: 22
RE: DNS on ISA 2000 - 14.Sep.2005 3:14:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Dana,

check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=006882 for how to change the external IP address. Once that is done you have to check and correct each publishing rule manually. Protocol and site & content rules should have no problems.

Which rules do you have in place for the mail?

HTH,
Stefaan

(in reply to DanaK)
Post #: 23
RE: DNS on ISA 2000 - 14.Sep.2005 4:30:00 PM   
DanaK

 

Posts: 72
Joined: 10.Jan.2003
From: San Angelo, TX
Status: offline
The Web publishing rule is the default rule you get at installation and there are no Server Publishing Rules. If I understand publishing correctly this allows access for external users to certain internal servers which I don't want to do. We have no external users.

As far as what protocols I have in my mail rule it's everything that has anything to do with e-mail: POP2, POP3, POP3S, POP3 Server, POP3S Server, SMTP, SMTP Server, SMTPS, SMTPS Server. The rule is marked to allow but I have applied it to only a few user groups: administrators, teachers and office personnel. It worked fine like that up until I changed the external IP addresses yesterday. I did delete and re-create this rule hoping it would get things going again but no such luck.

What got the e-mail going when I first set it up a month or so ago was enabling the IP routing. Nothing would work until that was enabled. It is still enabled.

One person told me to check the address in the Incoming Web Requests tab in the server's properties in the ISA Management console. It had nothing in it so I put my server's name in it and it put the server and its new external IP address in the window when I clicked OK, so ISA is aware of the address change.

(in reply to DanaK)
Post #: 24
RE: DNS on ISA 2000 - 14.Sep.2005 4:46:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Dana,

if you do not have publishing rules, don't worry about them! [Wink]

The server protocols POP3 Server, POP3S Server, SMTP Server and SMTPS Server are for server publishing rules (direction inbound). So, they are not needed at all in your configuration.

Can you repost the result of the following commands *unmodified*:
- 'ipconfig /all' on ISA
- 'route print' on ISA
- content of the LAT on ISA
- 'ipconfig /all' on internal host

If you search the registry on ISA for the old IP address, do you still find some references to it?

HTH,
Stefaan

(in reply to DanaK)
Post #: 25
RE: DNS on ISA 2000 - 14.Sep.2005 5:38:00 PM   
DanaK

 

Posts: 72
Joined: 10.Jan.2003
From: San Angelo, TX
Status: offline
Nope, no references to the old external NIC address anywhere.

IPCONFIG /ALL results:
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : fairserv2
Primary DNS Suffix . . . . . . . : fairviewaep.edu
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : fairviewaep.edu

Ethernet adapter Internal:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MTW Network Connection
Physical Address. . . . . . . . . : 00-0B-DB-42-B8-A2
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.5

Ethernet adapter External:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : D-Link DFE-530TX+ PCI Adapter
Physical Address. . . . . . . . . : 00-50-BA-5C-28-E6
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.1.1
DNS Servers . . . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

ROUTE PRINT results:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 50 ba 5c 28 e6 ...... D-Link DFE-530TX+ PCI Adapter (Microsoft's Packet Scheduler)
0x1000004 ...00 0b db 42 b8 a2 ...... Intel(R) PRO/1000 MTW Network Connection (Microsoft's Packet Scheduler)
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.1.1       10.10.1.2       1
        10.10.1.0    255.255.255.0        10.10.1.2       10.10.1.2       1
        10.10.1.2  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255        10.10.1.2       10.10.1.2       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.6     192.168.1.6       1
      192.168.1.6  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255      192.168.1.6     192.168.1.6       1
        224.0.0.0        224.0.0.0        10.10.1.2       10.10.1.2       1
        224.0.0.0        224.0.0.0      192.168.1.6     192.168.1.6       1
  255.255.255.255  255.255.255.255        10.10.1.2       10.10.1.2       1
Default Gateway:         10.10.1.1
===========================================================================
Persistent Routes:
None

LAT CONTENT is the range 192.168.1.0 to ~.255

IPCONFIG /ALL for an internal host:
Windows IP Configuration

Host Name . . . . . . . . . . . . : fairserv3
Primary Dns Suffix . . . . . . . : fairviewaep.edu
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : fairviewaep.edu

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Server Adapter
Physical Address. . . . . . . . . : 00-04-23-79-92-B4
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.6
DNS Servers . . . . . . . . . . . : 192.168.1.5

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Server Adapter #2
Physical Address. . . . . . . . . : 00-04-23-79-92-B5

[ September 14, 2005, 05:41 PM: Message edited by: DanaK ]

(in reply to DanaK)
Post #: 26
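A check worth running against output like the one posted above, as an added example (not code from the thread or from Microsoft): it parses the text of ipconfig /all and verifies the NIC layout Stefaan later confirms as sound for a dual-homed ISA 2000 box: one default gateway, on the external adapter only; DNS servers on the internal adapter only; the LAT covering the internal address and not the external one. The adapter names Internal/External and the LAT range 192.168.1.0/24 are taken from this thread and are parameters, not fixed rules.

```python
"""Sanity-check the NIC layout of a dual-homed ISA Server 2000.

Added example, not part of the original thread. It parses 'ipconfig /all'
text (Windows 2000 layout, as posted in this thread) and applies the
conventions the thread relies on for a two-NIC ISA box:
  - exactly one default gateway on the whole host, on the external adapter
  - DNS servers only on the internal adapter (the external one lists none)
  - the LAT covers the internal adapter's address and not the external one
Adapter names 'Internal'/'External' and the LAT range 192.168.1.0/24 are
taken from the thread; pass your own for another box.
"""
import ipaddress
import re

# Sample input: the 'ipconfig /all' output posted above, embedded verbatim
# (only the wrapped 'Description' line has been re-joined).
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : fairserv2
Primary DNS Suffix . . . . . . . : fairviewaep.edu
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : fairviewaep.edu

Ethernet adapter Internal:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MTW Network Connection
Physical Address. . . . . . . . . : 00-0B-DB-42-B8-A2
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.5

Ethernet adapter External:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : D-Link DFE-530TX+ PCI Adapter
Physical Address. . . . . . . . . : 00-50-BA-5C-28-E6
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.1.1
DNS Servers . . . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled
"""

ADAPTER_RE = re.compile(r"^Ethernet adapter (.+):\s*$")


def parse_ipconfig(text):
    """Return (host_fields, {adapter_name: fields}).

    Every value is a list, because a field such as 'DNS Servers' may carry
    several entries (the extra ones appear on continuation lines).
    """
    host, adapters = {}, {}
    current, last_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            last_key = None
            continue
        target = host if current is None else current
        if ":" in line:
            key, _, value = line.partition(":")
            key = key.rstrip(" .")               # drop the dotted leader
            last_key = key
            target.setdefault(key, [])
            if value.strip():
                target[key].append(value.strip())
        elif last_key is not None:               # continuation line (e.g. 2nd DNS server)
            target[last_key].append(line)
    return host, adapters


def check_isa_nics(text, internal="Internal", external="External",
                   lat=("192.168.1.0/24",)):
    """Return a list of findings; an empty list means the layout matches."""
    _, adapters = parse_ipconfig(text)
    findings = [f"adapter '{n}' not found" for n in (internal, external) if n not in adapters]
    if findings:
        return findings
    lat_nets = [ipaddress.ip_network(n) for n in lat]

    def field(adapter, key):
        return adapters[adapter].get(key, [])

    if field(internal, "Default Gateway"):
        findings.append(f"internal NIC has default gateway {field(internal, 'Default Gateway')}; "
                        "only the external NIC should have one")
    if len(field(external, "Default Gateway")) != 1:
        findings.append("external NIC should have exactly one default gateway, has "
                        f"{field(external, 'Default Gateway')}")
    if field(external, "DNS Servers"):
        findings.append(f"external NIC lists DNS servers {field(external, 'DNS Servers')}; "
                        "configure DNS on the internal NIC only")
    if not field(internal, "DNS Servers"):
        findings.append("internal NIC lists no DNS server")
    for name, inside in ((internal, True), (external, False)):
        addrs = field(name, "IP Address")
        if not addrs:
            findings.append(f"{name} NIC has no IP address")
            continue
        addr = ipaddress.ip_address(addrs[0])
        covered = any(addr in net for net in lat_nets)
        if inside and not covered:
            findings.append(f"internal address {addr} is not covered by the LAT")
        if not inside and covered:
            findings.append(f"external address {addr} is inside the LAT; the LAT must hold internal ranges only")
    return findings


if __name__ == "__main__":
    problems = check_isa_nics(SAMPLE_IPCONFIG)
    print("\n".join(problems) if problems else "NIC layout looks right for a dual-homed ISA 2000")
```

Paste your own ipconfig /all output in place of the sample and adjust the adapter names and LAT ranges; a second DNS server or gateway on a continuation line is picked up as an extra list entry.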
RE: DNS on ISA 2000 - 14.Sep.2005 9:29:00 PM   
Lumber1

 

Posts: 24
Joined: 13.Sep.2005
From: NJ
Status: offline
Coming in late but sounds interesting, at least this post is active. DanaK, you are using your ISP to host your email? Correct? No Exchange server in your domain? Can you ping your mail server? If yes, can you telnet to port 25 on it and try some simple tests like a HELO or EHLO? Is there an MX record in your DNS, or a mail record pointing to mail.fairview.edu? What results do you get when you do an nslookup for your mail server? Sorry for all the questions, I just want to help....

(in reply to DanaK)
Post #: 27
RE: DNS on ISA 2000 - 14.Sep.2005 11:49:00 PM   
DanaK

 

Posts: 72
Joined: 10.Jan.2003
From: San Angelo, TX
Status: offline
Hi Lumber 1. I had to leave for the office so I'll check some of these out tomorrow when I get back to the school.

Yes, we use our ISP to host our e-mail server. The school just doesn't have the funds for another server. I can ping anything in or outside of the LAN so, again, yes I can ping the ISP's server, too. The mail protocols just quit being passed when I changed the external IP address. When I hit Send/Receive in Outlook Express it says I'm connected but stops there until it times out and gives me the error message. I get the feeling that it isn't allowing communication back into the LAN for e-mail to confirm and establish connections, which is strange because we get web pages just fine from everywhere else.

Thanks,
Dana

(in reply to DanaK)
Post #: 28
RE: DNS on ISA 2000 - 15.Sep.2005 10:19:00 AM   
Lumber1

 

Posts: 24
Joined: 13.Sep.2005
From: NJ
Status: offline
And the credentials being used for the mail server are correct right?

(in reply to DanaK)
Post #: 29
RE: DNS on ISA 2000 - 15.Sep.2005 10:29:00 AM   
DanaK

 

Posts: 72
Joined: 10.Jan.2003
From: San Angelo, TX
Status: offline
Absolutely. OE WAS working before I changed the external NIC's IP. Something, it seems, is blocking whatever comes next in OE's process once it says it's connected to our ISP's mail server. That's where the process stops until a time out occurs.

I'm beginning to think I ought to just blow the current installation of ISA away and start over again. It happened a couple of weeks ago when I was trying to restart the service and it simply would not come back up. ... Either that or see if I can get the principal to cough up $550 for ISA 2K4. My installation at the office is working even without the out of range IP on the external NIC. Come to think of it, the previous server running ISA 2K was set up the same way and, guess what? - NO 14120 errors! I ought to be totally bald by now, thank G-d I'm not.

(in reply to DanaK)
Post #: 30
RE: DNS on ISA 2000 - 15.Sep.2005 5:15:00 PM   
DanaK

 

Posts: 72
Joined: 10.Jan.2003
From: San Angelo, TX
Status: offline
Well, I've now tried the "nuclear option": blew away the whole ISA installation and reinstalled it. Re-created the DNS settings for the DC and the rules for mail along with everything else and I'm still not able to get OE to download messages even though I can get full Internet access for IE. I get the same behavior on the ISA when I hit Send/Receive (OE says it's connected and then nothing happens). The same thing happens on other servers that I use to test e-mail and Internet access on, too.

There's just nothing left to punch, switch or enter to get ISA to behave from what I can tell.

Dana

(in reply to DanaK)
Post #: 31
RE: DNS on ISA 2000 - 15.Sep.2005 5:22:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Dana,

OK, your interface settings sound good now. [Smile]

Next step, please check whether you can resolve external FQDNs on ISA itself and on internal hosts.

If that is working too, post an excerpt of the ISA Firewall log. Just make sure you have enabled the logging of all fields.

HTH,
Stefaan

(in reply to DanaK)
Post #: 32
RE: DNS on ISA 2000 - 15.Sep.2005 5:37:00 PM   
DanaK

 

Posts: 72
Joined: 10.Jan.2003
From: San Angelo, TX
Status: offline
Yes, I can ping any FQDN in or outside of the LAN. Here's the latest excerpt. I've also installed SP1, FP1 and SP2 after reinstalling ISA.

#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2005-09-15 21:39:27
#Fields: c-ip cs-username c-agent date time s-computername r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation sc-status sessionid connectionid
192.168.1.5 - - 2005-09-15 21:39:27 FAIRSERV2 - - - 16 - - 0 UDP Bind 0 2 1
192.168.1.5 - - 2005-09-15 21:39:27 FAIRSERV2 - 208.6.232.10 53 - - - 53 UDP UdpMap 0 2 1
192.168.1.17 - - 2005-09-15 21:39:27 FAIRSERV2 - 64.4.23.157 443 156 - - 443 TCP Connect 0 3 2
192.168.1.17 - - 2005-09-15 21:39:28 FAIRSERV2 - 207.46.157.125 80 31 - - 80 TCP Connect 0 3 3
192.168.1.17 - - 2005-09-15 21:40:29 FAIRSERV2 - 64.4.23.157 443 61031 1907 4815 443 TCP Connect 20001 3 2
192.168.1.5 - - 2005-09-15 21:40:29 FAIRSERV2 - 208.6.232.10 53 61922 82 493 53 UDP UdpMap 20000 2 1
192.168.1.5 - - 2005-09-15 21:40:29 FAIRSERV2 - - - 61953 82 493 0 UDP Bind 20001 2 1
192.168.1.17 - - 2005-09-15 21:40:58 FAIRSERV2 - 207.46.157.125 80 89906 - 3762 80 TCP Connect 20001 3 3
192.168.1.5 - - 2005-09-15 21:41:44 FAIRSERV2 - - - - - - 0 UDP Bind 0 4 4
192.168.1.5 - - 2005-09-15 21:41:44 FAIRSERV2 - 208.6.232.10 53 - - - 53 UDP UdpMap 0 4 4
192.168.1.5 - - 2005-09-15 21:42:45 FAIRSERV2 - 208.6.232.10 53 61547 36 171 53 UDP UdpMap 20000 4 4
192.168.1.5 - - 2005-09-15 21:42:45 FAIRSERV2 - - - 61547 36 171 0 UDP Bind 20001 4 4
192.168.1.5 - - 2005-09-15 21:42:48 FAIRSERV2 - - - - - - 0 UDP Bind 0 4 5
192.168.1.5 - - 2005-09-15 21:42:48 FAIRSERV2 - 208.6.232.10 53 - - - 53 UDP UdpMap 0 4 5
192.168.1.5 - - 2005-09-15 21:43:49 FAIRSERV2 - 208.6.232.10 53 60750 30 171 53 UDP UdpMap 20000 4 5
192.168.1.5 - - 2005-09-15 21:43:49 FAIRSERV2 - - - 60750 30 171 0 UDP Bind 20001 4 5

[ September 15, 2005, 05:39 PM: Message edited by: DanaK ]

(in reply to DanaK)
Post #: 33
RE: DNS on ISA 2000 - 15.Sep.2005 5:50:00 PM   
DanaK

 

Posts: 72
Joined: 10.Jan.2003
From: San Angelo, TX
Status: offline
From the looks of the packet filter logs transmissions to our mail server are being blocked still. This is from log file IPPEXTD20050915.log

#Version: 1.0
#Date: 2005-09-15 21:41:15
#Fields: date time source-ip destination-ip protocol param#1 param#2 filter-rule interface
2005-09-15 21:41:15 10.10.1.2 207.43.255.10 Tcp 3068 110 BLOCKED 10.10.1.2
2005-09-15 21:41:21 10.10.1.2 207.43.255.10 Tcp 3068 110 BLOCKED 10.10.1.2
2005-09-15 21:55:41 10.10.1.2 207.43.255.10 Tcp 3254 110 BLOCKED 10.10.1.2
2005-09-15 21:55:48 10.10.1.2 207.43.255.10 Tcp 3254 110 BLOCKED 10.10.1.2

(in reply to DanaK)
Post #: 34
RE: DNS on ISA 2000 - 15.Sep.2005 6:09:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Dana,

I don't see any POP3 requests in the Firewall log. However, the Packet Filter log shows blocked packets for POP3 requests.

Are you sure you have posted all firewall log entries for that time period?

HTH,
Stefaan

(in reply to DanaK)
Post #: 35
RE: DNS on ISA 2000 - 16.Sep.2005 9:15:00 AM   
DanaK

 

Posts: 72
Joined: 10.Jan.2003
From: San Angelo, TX
Status: offline
That was an excerpt from the log after I'd made an attempt to use OE. The 207.43... address is our ISP's mail server, as I guess you already know.

I'll do some more digging in "THE BOOK" and see what I come up with. I'll check to see if the appropriate protocols are authorized, which I always thought these would be by default. I haven't thought about that.

While watching the NIC icons in the System Tray only the internal NIC lights up when I hit the Send/Receive button in OE. This is OE on the ISA. OE elsewhere, if I remember correctly, also lights up the Internal NIC but not the External. These protocols are definitely being blocked, ignored or something to that effect.

(in reply to DanaK)
Post #: 36
RE: DNS on ISA 2000 - 16.Sep.2005 10:13:00 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Dana,

aha... that explains a lot! [Big Grin]

When you test outbound access from the ISA itself, you won't see the requests in the Firewall log because the requests are not handled by the firewall engine. In that case you need to create Packet Filters manually. Needless to say, that is not 'good practice'. You should *never* use the ISA server as a workstation.

For the internal clients, you need to create a protocol rule allowing the POP3 and SMTP protocol, and a site&content rule allowing access to the intended destinations.

HTH,
Stefaan

(in reply to DanaK)
Post #: 37
RE: DNS on ISA 2000 - 16.Sep.2005 11:05:00 AM   
DanaK

 

Posts: 72
Joined: 10.Jan.2003
From: San Angelo, TX
Status: offline
Rules are in place as I mentioned before but probably not Site and Content rules. That's another thing I never read that had to be created for mail protocols. Dr. Shinder's "Quick Start Guide" for OE didn't say anything about S&C for mail.

This is more I have to check out at the school. We had a staff meeting again today so I'm late getting out there again. I'll look into the other logs when I get there.

Thanks,
Dana

(in reply to DanaK)
Post #: 38
RE: DNS on ISA 2000 - 16.Sep.2005 11:38:00 AM   
DanaK

 

Posts: 72
Joined: 10.Jan.2003
From: San Angelo, TX
Status: offline
Ok, S&C rule along with a destination set has been created. The problem with the destination set is that it doesn't allow for FQDNs. I can put the IP address of a mail server in there but people have a tendency to move servers around and change these addresses. Is there any way to enter a FQDN rather than an IP address?

... and, of course, OE still can't get through from any internal workstation.

In looking through the logs I see the "param#1" and "param#2" headings in the IPPEXTD~.log file. Where do you go to interpret these entries? I'm seeing many entries labeled as blocked for the two mail servers we access. There are a dozen different numbers for both parameter fields going to the two mail servers. Any one number you'd be interested in?

[ September 16, 2005, 12:01 PM: Message edited by: DanaK ]

(in reply to DanaK)
Post #: 39
RE: DNS on ISA 2000 - 16.Sep.2005 12:07:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Dana,

OK, please post the relevant Firewall log entries unmodified. To get the most information out of the log files, I strongly recommend enabling the logging of all fields. In the MMC, go to the node Monitoring Configuration, then select Logs. In the details pane, right-click the applicable service and then click Properties. On the Fields tab, click Select All.

To understand what is logged, go to the ISA helpfile. There is a section called 'Firewall and Web Proxy log fields', a must read. Additional information can be found in the following articles:
- http://support.microsoft.com/default.aspx?scid=kb;en-us;284818
- http://support.microsoft.com/default.aspx?scid=kb;en-us;193625
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/windows_sockets_error_codes_2.asp

HTH,
Stefaan

(in reply to DanaK)
Post #: 40
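The diagnosis Stefaan makes in posts #35 and #37 (blocked POP3 packets in the packet filter log, no matching Firewall-service record, therefore traffic the firewall engine never handled, i.e. generated on the ISA host itself) can be automated against the two log excerpts Dana posted, and it also shows what the field-by-field logging from post #40 buys you. The script below is an added example, not code from the thread or from Microsoft. It parses both logs as W3C extended format (the '#Fields:' header names the columns, '-' marks an empty field) and reports, per blocked destination, whether the firewall engine saw a session to it. Assumptions: fields are whitespace separated (true for the excerpts posted; a logged c-agent containing spaces would need the W3C quoting rules); for TCP/UDP rows param#1 is the source port and param#2 the destination port, as the thread reads them; a Firewall-service session within plus or minus 300 seconds counts as a match. The packet filter sample contains one constructed row (to 64.4.23.157:443) so that the "engine did see it" branch is exercised.

```python
"""Correlate ISA Server 2000 Firewall-service and packet-filter logs.

Added example, not code from the thread. A packet the packet filter BLOCKED
that never produced a Firewall-service record was not handled by the
firewall engine, which is what happens for traffic generated on the ISA
host itself. Both logs are W3C style: '#Fields:' names the columns and
'-' marks an empty field.

Assumptions: whitespace-separated fields; for TCP/UDP rows param#1 is the
source port and param#2 the destination port; +/-300 s counts as a match.
"""
from datetime import datetime, timedelta

# Firewall log excerpt as posted in this thread (subset of rows).
FIREWALL_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2005-09-15 21:39:27
#Fields: c-ip cs-username c-agent date time s-computername r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol cs-transport s-operation sc-status sessionid connectionid
192.168.1.5 - - 2005-09-15 21:39:27 FAIRSERV2 - - - 16 - - 0 UDP Bind 0 2 1
192.168.1.5 - - 2005-09-15 21:39:27 FAIRSERV2 - 208.6.232.10 53 - - - 53 UDP UdpMap 0 2 1
192.168.1.17 - - 2005-09-15 21:39:27 FAIRSERV2 - 64.4.23.157 443 156 - - 443 TCP Connect 0 3 2
192.168.1.17 - - 2005-09-15 21:40:29 FAIRSERV2 - 64.4.23.157 443 61031 1907 4815 443 TCP Connect 20001 3 2
"""

# Packet filter log excerpt as posted, plus one constructed row (the 443 one)
# so that the 'engine did see it' branch is exercised.
PACKET_FILTER_LOG = """\
#Version: 1.0
#Date: 2005-09-15 21:41:15
#Fields: date time source-ip destination-ip protocol param#1 param#2 filter-rule interface
2005-09-15 21:39:30 10.10.1.2 64.4.23.157 Tcp 3100 443 BLOCKED 10.10.1.2
2005-09-15 21:41:15 10.10.1.2 207.43.255.10 Tcp 3068 110 BLOCKED 10.10.1.2
2005-09-15 21:41:21 10.10.1.2 207.43.255.10 Tcp 3068 110 BLOCKED 10.10.1.2
2005-09-15 21:55:41 10.10.1.2 207.43.255.10 Tcp 3254 110 BLOCKED 10.10.1.2
2005-09-15 21:55:48 10.10.1.2 207.43.255.10 Tcp 3254 110 BLOCKED 10.10.1.2
"""


def parse_w3c(text):
    """Parse a W3C extended log into a list of dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):                 # other directives (#Software, #Date ...)
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            raise ValueError(f"row does not match #Fields header: {line!r}")
        rows.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return rows


def _when(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")


def correlate(firewall_text, filter_text, window=timedelta(seconds=300)):
    """Map (destination ip, port) of every BLOCKED packet to what the engine saw.

    Returns {(ip, port): {"blocked": n, "sources": {ip...}, "clients": {c-ip...}}};
    an empty 'clients' set means no Firewall-service session matched.
    """
    sessions = [r for r in parse_w3c(firewall_text) if r["r-ip"] and r["r-port"]]
    report = {}
    for row in parse_w3c(filter_text):
        if row["filter-rule"] != "BLOCKED" or row["protocol"].lower() not in ("tcp", "udp"):
            continue
        dest = (row["destination-ip"], row["param#2"])
        entry = report.setdefault(dest, {"blocked": 0, "sources": set(), "clients": set()})
        entry["blocked"] += 1
        entry["sources"].add(row["source-ip"])
        t = _when(row)
        for s in sessions:
            if (s["r-ip"], s["r-port"]) == dest and abs(_when(s) - t) <= window:
                entry["clients"].add(s["c-ip"])
    return report


def verdicts(report):
    """One line per blocked destination, in the terms Stefaan used above."""
    out = []
    for (ip, port), e in sorted(report.items()):
        head = f"{ip}:{port}: {e['blocked']} blocked packet(s) from {sorted(e['sources'])}; "
        if e["clients"]:
            out.append(head + f"firewall engine had matching sessions from {sorted(e['clients'])} "
                       "- look at the protocol / site&content rules and packet filters")
        else:
            out.append(head + "no Firewall-service record at all - the engine never handled this "
                       "traffic (typical for requests made on the ISA host itself)")
    return out


if __name__ == "__main__":
    print("\n".join(verdicts(correlate(FIREWALL_LOG, PACKET_FILTER_LOG))))
```

Run it on a full day's pair of logs (the Firewall log and the matching IPPEXTD file) rather than excerpts, since a destination that only shows up in the packet filter log over the whole period is the signature of traffic that bypassed the firewall engine; once the source addresses reported are all the external NIC's own address, as here, the fix is the one Stefaan gives: stop testing mail from the ISA console and test from an internal client with protocol and site & content rules in place.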
