RE: Discussion about article on ISA firewalls protecting illegal TLDs
RE: Discussion about article on ISA firewalls protectin... - 1.Jul.2006 7:02:42 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jle, It looks like your HOST (A) records are misconfigured. The DNS advertiser should only have the public addresses used to connect to the site, which would be the IP address on the external interface of the ISA firewall that is being used by the Web listener publishing the site. HTH, Tom
< Message edited by tshinder -- 1.Jul.2006 7:04:20 PM >
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Discussion about article on ISA firewalls protectin... - 5.Jul.2006 5:33:04 PM
jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline
Hello Tom, Are you saying that I should set up a HOST (A) record with a public IP address on my public DNS Server even though the DNS Server is set up with a private IP address? I forgot to mention in my last post that the web server is set up on one of my public DNS Servers. When I created the two rules to publish those two DNS Servers, I thought it should take care of all the IP mapping for me already. I also created a web server publishing rule to publish the internal web server, which is on one of the DNS Servers, with a web listener that maps to the IP address on the external interface of the ISA firewall.
RE: Discussion about article on ISA firewalls protectin... - 8.Jul.2006 1:07:21 AM
jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline
Hello Tom, Thank you for replying. Could you show me how to configure my DNS Server to work with ISA Server? If you don't mind. Thank you
RE: Discussion about article on ISA firewalls protectin... - 9.Jul.2006 6:57:24 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jle, You need to create Host (A) records based on the IP address that the external users will use to connect to the internal sites. These will be the addresses used by the Web and Server Publishing Rule listeners for the rules you create. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Discussion about article on ISA firewalls protectin... - 11.Jul.2006 10:06:17 PM
jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline
Hello Tom, You are the man, and thank you for pointing that out. I finally got my DNS and Web server up and running in my test lab.
RE: Discussion about article on ISA firewalls protectin... - 12.Jul.2006 10:26:02 PM
jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline
Hello Tom, Could you let me know what kind of rule I should create to let the internal host access the web server on the DMZ? I created an access rule to allow the internal host to access the web server on the DMZ, but it didn't work. When I try to access my web server on the DMZ from the internal host, I got the error below. Please help.

Error Code 10061: Connection refused
Background: When the gateway or proxy server contacted the upstream (Web) server, the connection was refused. This usually results from trying to connect to a service that is inactive on the upstream server.
RE: Discussion about article on ISA firewalls protectin... - 13.Jul.2006 2:56:45 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jle, Is there a rule allowing connections from that Host to the DMZ? Is there a Network Rule connecting the source ISA firewall Network to the destination ISA firewall Network? HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Discussion about article on ISA firewalls protectin... - 13.Jul.2006 6:25:54 PM
jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline
Hello Tom, Thank you for replying and yes, I created the two rules below.
1) Access rule: Action Allow, Protocols http, From Internal, To DMZ, Users All Users
2) Network rule: Internal to DMZ, Relation (Route)
RE: Discussion about article on ISA firewalls protectin... - 14.Jul.2006 5:15:32 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jle, It could be that you're looping through the ISA firewall's external interface? Put the FQDN of the Web server in the Direct Access list on the ISA firewall and see if that helps. Remember not to mix IP addresses and FQDNs in the Direct Access list, or it won't work. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Discussion about article on ISA firewalls protectin... - 20.Jul.2006 11:47:04 PM
jle2005
Posts: 33
Joined: 19.Jan.2006
Status: offline
Hello Tom, Could you give me more detailed steps on how to "put the FQDN of the Web server in the Direct Access list on the ISA firewall"? Thank you very much
RE: Discussion about article on ISA firewalls protectin... - 30.Aug.2006 12:12:05 PM
Money Penney
Posts: 130
Joined: 18.Sep.2002
From: Melbourne
Status: offline
Not sure if this is covered anywhere else, but I recently had a problem with SSL and Exchange Public Folders when implementing split DNS. To allow the Exchange server to be referred to by its external name (mail.xyz.com.au) by Windows Mobile devices or any connection requiring an SSL connection, I had to replace the certificate in IIS with the same one used on the ISA Server (that is, for mail.xyz.com.au). This works great after some tweaking of ISA settings, etc.

The problem seems to be when you go to access Public Folders: if SSL is required for the Exadmin virtual folder in IIS, then you will get errors in Outlook, and in the Exchange System Manager you will get the following error: The SSL certificate server name is incorrect ID no: c103b404 Exchange System Manager. The workaround is to disable the SSL requirement for Exadmin; however, I have yet to find out why this happens exactly and if there is a better solution. There may also be other related issues that I have yet to discover.
RE: Discussion about article on ISA firewalls protectin... - 30.Aug.2006 12:24:00 PM
Money Penney
Posts: 130
Joined: 18.Sep.2002
From: Melbourne
Status: offline
Using Stub records for external web servers.

To make managing external resources that need to be accessed in the same namespace, such as externally hosted web servers, easier, I have used Stub zones with success. Often web hosting companies make changes to their servers and address space, making it painful to manually update your A record to point to the correct external IP address. Stub records can help get around this.

For example, let's say your domain is xyz.com and you have a website at www.xyz.com that is hosted externally by a web hosting provider; I would create a stub zone called www under the xyz.com forward lookup zone in DNS that has the external DNS servers that are responsible for your xyz.com domain name resolution externally (often the web host, your ISP, or a DNS hosting provider). Then whenever an internal client looks up www.xyz.com, the DNS server refers the request to the external DNS servers and returns the correct external IP address.

So far this has worked well for me and has required zero maintenance, but perhaps people can see a problem with this or know of a better way?
RE: Discussion about article on ISA firewalls protectin... - 26.Nov.2006 10:26:59 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Phil, That's right. You don't need to use another external DNS server if you don't want to, your ISP's DNS server will work just fine for the external zone. You don't even need to create another DNS server on the internal network, you can host the parallel internal zone on your existing internal DNS servers. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
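The two points Tom makes in this thread (external Host (A) records must carry only the public addresses used by the publishing rule listeners, and the internal DNS servers host a parallel zone for the same names) can be checked mechanically. The following Python audit is an added example, not part of the original thread or of ISA Server; the `example.test` zone contents and the listener addresses are constructed sample values.

```python
import ipaddress

# RFC 1918, loopback and link-local ranges: never valid in a public zone.
NON_PUBLIC = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_a_records(zone_text, origin):
    """Parse 'name [ttl] [IN] A address' lines into {fqdn: [addresses]}."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # strip trailing comments
        if len(fields) < 3 or fields[-2].upper() != "A":
            continue
        name = fields[0].lower()                 # assumes an explicit owner name
        fqdn = name if name.endswith(".") else f"{name}.{origin}"
        records.setdefault(fqdn, []).append(fields[-1])
    return records

def audit_split_dns(external, internal, listener_ips):
    """Return sorted (fqdn, finding) tuples for an external/internal zone pair."""
    findings = []
    for fqdn, addrs in external.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in NON_PUBLIC):
                findings.append((fqdn, f"{addr}: private address in external zone"))
            elif addr not in listener_ips:
                findings.append((fqdn, f"{addr}: not a listener address"))
        if fqdn not in internal:
            findings.append((fqdn, "no parallel record in internal zone"))
    return sorted(findings)

# Constructed sample data (assumed names and addresses, not from the thread).
ORIGIN = "example.test."
EXTERNAL = """\
www   IN A 203.0.113.10
mail  IN A 192.168.1.20   ; internal address published by mistake
ftp   3600 IN A 203.0.113.99
"""
INTERNAL = """\
www   IN A 192.168.1.10
mail  IN A 192.168.1.20
"""
LISTENERS = {"203.0.113.10", "203.0.113.11"}  # assumed external-interface IPs

if __name__ == "__main__":
    for item in audit_split_dns(parse_a_records(EXTERNAL, ORIGIN),
                                parse_a_records(INTERNAL, ORIGIN), LISTENERS):
        print(*item)
```

The private-range test uses an explicit network list rather than `ipaddress`'s `is_private`, which also reports documentation ranges such as 203.0.113.0/24 as private.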
RE: Discussion about article on ISA firewalls protectin... - 15.Feb.2007 9:27:16 AM
thenovice
Posts: 14
Joined: 13.Feb.2007
Status: offline
Thanks all, have been deliberating through all notes provided on Split DNS and DDNS. I just cannot seem to crack it - any aid will be welcome. This is for a charity, therefore the least costly route would be the best. Here is the scenario:

[Internal network, 'internal.local', 192.168.1.0/24, SBS box with ISA2004, Exchange, etc - sole server]
-connected to-
["DMZ", i.e. external NIC of SBS Premium Server connected to Linksys ADSL router, thus 192.168.10.0/28]
-connected to-
['Public' Internet, 'external.dyndns.org', DDNS updated dynamic IP]

Required:
- NB all MX rr records to point mail directly to the SBS Exchange (therefore mail redirected from current ISP NS for the company.com domain to the 'external.dyndns.org' url and thus all mail is delivered to the SBS box).
- OWA access to this mail (for temp access for roaming users at hotel lobbies acquiring funds from overseas)
- POP facility for off-shore users to download and manage email
- VPN for boss

Done:
Created 2nd Primary Zone on internal DNS (on SBS server), entered records as follows:
'external.dyndns.org' = to 192.168.1.1 (SBS server IP).
'owa.external.dyndns.org' = to 192.168.1.1 as it is the same server
'pop.external.dyndns.org' = to 192.168.1.1 as it is the same server
'smtp.external.dyndns.org' = to 192.168.1.1 as it is the same server
Created 'free' account with Dyndns.org = 'external.dyndns.org'

Linksys router has built-in DDNS client - configured it, & although it updated 'external.dyndns.org' IP address, I could not get onto the server or access those required services. So I disabled this feature on the router, downloaded the DDNS client and installed it on the SBS server - IP updating works fine, but still unable to access anything - Help