Received: HTTP/1.1 200 OK (Server: Microsoft-IIS/6.0) . Under Construction. Under Construction. The site you are trying to view does not currently have a default page. It may be in the process of being upgraded and configured. .Please try this site again later. If you still experience the problem, try contacting the Web site administrator. .If you are the Web site administrator and feel you have receiv
Error connecting to HTTP server www.vngateways.us [10.1.1.3] port 80 : timed out waiting for connection
If you could point out what I did wrong and help me with the right configuration, that would be great. I've been struggling with it for a few days now and couldn't figure out the problem.
It looks like your HOST (A) records are misconfigured.
The DNS advertiser should only have the public addresses used to connect to the site, which would be the IP address on the external interface of the ISA firewall that is being used by the Web listener publishing the site.
HTH, Tom
< Message edited by tshinder -- 1.Jul.2006 7:04:20 PM >
Are you saying that I should set up a HOST (A) record with a public IP address on my public DNS Server even though the DNS Server is set up with a private IP address? I forgot to mention in my last post that the web server is set up on one of my public DNS Servers. When I created the two rules to publish those two DNS Servers, I thought it should take care of all the IP mapping for me already. I also created a web server publishing rule to publish the internal web server, which is on one of the DNS Servers, with a web listener that maps to the IP address on the external interface of the ISA firewall.
The ISA firewall won't automagically configure your DNS server, although that would be a feature that would make the ISA firewall completely different than any other one in the market.
You need to create Host (A) records based on the IP address that the external users will use to connect to the internal sites. These will be the addresses used by the Web and Server Publishing Rule listeners for the rules you create.
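Added example, not part of the original thread: a small Python audit of the rule stated above, flagging external-zone Host (A) records that carry a private address or an address no publishing listener uses, and listing names the parallel internal zone of a split DNS lacks. The zone contents, the `203.0.113.x` addresses and `LISTENER_IPS` are constructed sample values; only `10.1.1.3` comes from the failing test earlier in the thread.

```python
import ipaddress

# RFC 1918 ranges: unreachable from the Internet, so never valid in the external zone.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_a_records(zone_text):
    """Parse 'name [ttl] [IN] A addr' lines into {name: [IPv4Address, ...]}."""
    records = {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()      # strip zone-file comments
        if len(fields) >= 3 and fields[-2].upper() == "A":
            name = fields[0].lower().rstrip(".")
            records.setdefault(name, []).append(ipaddress.IPv4Address(fields[-1]))
    return records

def audit_external_zone(zone_text, listener_ips):
    """Return (name, address, reason) for each A record external users cannot use."""
    listeners = {ipaddress.IPv4Address(ip) for ip in listener_ips}
    findings = []
    for name, addrs in parse_a_records(zone_text).items():
        for addr in addrs:
            if any(addr in net for net in RFC1918):
                findings.append((name, str(addr), "private address published externally"))
            elif addr not in listeners:
                findings.append((name, str(addr), "not a listener address"))
    return findings

def missing_internally(external_text, internal_text):
    """Names in the external zone with no record in the parallel internal zone."""
    return sorted(set(parse_a_records(external_text)) - set(parse_a_records(internal_text)))

# Constructed sample zones (assumed layout, standard zone-file syntax).
EXTERNAL_ZONE = """\
www        IN A 10.1.1.3       ; internal address, as in the failing test above
mail       IN A 203.0.113.10
ftp   3600 IN A 203.0.113.99
"""
INTERNAL_ZONE = """\
www   IN A 10.1.1.3
mail  IN A 10.1.1.4
"""
LISTENER_IPS = ["203.0.113.10"]   # hypothetical external address used by the listener

if __name__ == "__main__":
    for finding in audit_external_zone(EXTERNAL_ZONE, LISTENER_IPS):
        print(finding)
    print("missing internally:", missing_internally(EXTERNAL_ZONE, INTERNAL_ZONE))
```

A name missing from the internal zone matters because the internal DNS server is authoritative for the zone and will not forward the query elsewhere.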
Could you let me know what kind of rule I should create to let the internal host access the web server on the DMZ? I created an access rule to allow the internal host to access the web server on the DMZ, but it didn't work. When I try to access my web server on the DMZ from the internal host, I get the error below. Please help.
Error Code 10061: Connection refused Background: When the gateway or proxy server contacted the upstream (Web) server, the connection was refused. This usually results from trying to connect to a service that is inactive on the upstream server.
It could be that you're looping through the ISA firewall's external interface?
Put the FQDN of the Web server in the Direct Access list on the ISA firewall and see if that helps. Remember not to mix IP addresses and FQDNs in the Direct Access list, or it won't work.
Could you give me a little more detailed steps on how to "put the FQDN of the Web server in the Direct Access list on the ISA firewall"? Thank you very much.
Not sure if this is covered anywhere else but I recently had a problem with SSL and Exchange Public Folders when implementing split DNS.
To allow the Exchange server to be referred to by its external name (mail.xyz.com.au) by Windows Mobile devices or any connection requiring an SSL connection, I had to replace the certificate in IIS with the same one used on the ISA Server (that is, for mail.xyz.com.au).
This works great after some tweaking of ISA settings, etc.
The problem seems to be when you go to access Public Folders, if SSL is required for the Exadmin virtual folder in IIS then you will get errors in Outlook and in the Exchange System Manager you will get the following error:
The SSL certificate server name is incorrect
ID no: c103b404 Exchange System Manager.
Work around is to disable the SSL requirement for Exadmin, however I have yet to find out why this happens exactly and if there is a better solution. There may also be other related issues that I have yet to discover.
To make managing external resources that need to be accessed in the same namespace, such as externally hosted web servers, easier I have used Stub zones with success. Often web hosting companies make changes to their servers and address space, making it painful to manually update your A record to point to the correct external IP address. Stub records can help get around this.
For example, let's say your domain is xyz.com and you have a website at www.xyz.com that is hosted externally by a web hosting provider; I would create a stub zone called www under the xyz.com forward lookup zone in DNS that has the external DNS servers that are responsible for your xyz.com domain name resolution externally (often the web host, your ISP, or a DNS hosting provider). Then whenever an internal client looks up www.xyz.com the DNS server refers the request to the external DNS servers and returns the correct external IP address.
So far this has worked well for me and has required zero maintenance, but perhaps people can see a problem with this or know of a better way?
Hi Tom, I guess I have been one of those people that got "hot under the collar" as you said over Split-DNS. Of the possible reasons you gave (below):
Maybe it’s because they believe they need to rename their internal network domains, or that they think there is an adverse security impact, or maybe it's just because DNS is so difficult to understand in the first place, that the idea of further complicating the issue puts them over the edge.
That last one is one of the two reasons in my case. I just can't stand overcomplicating something that I already have to work at trying to understand clearly. The second reason would be due to another possible misunderstanding in that I thought it required two DNS servers in addition to the ISP's. However if I'm not mistaken (this time), the ISP's DNS can be the second DNS, meaning that I would only have my internal AD DNS to worry about. This takes away a large part of what I didn't like about (what I perceived about) Split-DNS.
So, I'm starting to come around... I still need to study these articles some more though.
That's right. You don't need to use another external DNS server if you don't want to; your ISP's DNS server will work just fine for the external zone. You don't even need to create another DNS server on the internal network; you can host the parallel internal zone on your existing internal DNS servers.
Thanks all, have been deliberating through all notes provided on Split DNS, and DDNS. I just cannot seem to crack it - any aid will be welcome, this is for a charity, therefore the least costing route would be the best - here is the scenario:
[Internal network, 'internal.local', 192.168.1.0/24, SBS box with ISA2004, Exchange, etc - sole server]
-connected to-
["DMZ", i.e. external NIC of SBS Premium Server connected to Linksys ADSL router, thus 192.168.10.0/28]
-connected to-
['Public' Internet, 'external.dyndns.org', DDNS updated dynamic IP]
Required:
- NB all MX rr records to point mail directly to the SBS Exchange (therefore mail redirected from current ISP NS for the company.com domain to the 'external.dyndns.org' url and thus all mail is delivered to the SBS box).
- OWA access to this mail (for temp access for roaming users at hotel lobbies acquiring funds from overseas)
- POP facility for off-shore users to download and manage email
- VPN for boss
Done:
Created 2nd Primary Zone on internal DNS (on SBS server), entered records as follows:
'external.dyndns.org' = to 192.168.1.1 (SBS server IP).
'owa.external.dyndns.org' = to 192.168.1.1 as it is the same server
'pop.external.dyndns.org' = to 192.168.1.1 as it is the same server
'smtp.external.dyndns.org' = to 192.168.1.1 as it is the same server
Created 'free' account with Dyndns.org = 'external.dyndns.org'
Linksys router has built-in DDNS client - configured it, & although it updated 'external.dyndns.org' IP address, I could not get onto the server or access those required services. So I disabled this feature on the router, downloaded the DDNS client and installed it on the SBS server - IP updating works fine, but still unable to access anything - Help