Welcome to ISAserver.org
RE: Discussion about article on ISA firewalls protecting illegal TLDs

All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure >> RE: Discussion about article on ISA firewalls protecting illegal TLDs (page 3 of 5)

RE: Discussion about article on ISA firewalls protectin... - 30.Jun.2006 9:18:09 PM   
jle2005

 

Posts: 37
Joined: 19.Jan.2006
Status: offline
Yes Tom. I even did a DNS checkup for my domain and the result I got is as follows:

    CheckDNS.NET is asking root servers about authoritative NS for domain
      Got DNS list for 'vngateways.us' from a.gtld.biz or a.gtld.biz
      Found NS record: NS1.vngateways.us[63.252.121.67], was resolved to IP address by a.gtld.biz
      Found NS record: NS2.vngateways.us[63.252.121.68], was resolved to IP address by a.gtld.biz
      Domain has 2 DNS server(s)
    CheckDNS.NET is verifying if NS are alive
      DNS server NS1.vngateways.us[63.252.121.67] is alive and authoritative for domain vngateways.us
      DNS server NS2.vngateways.us[63.252.121.68] is alive and authoritative for domain vngateways.us
      2 server(s) are alive
    CheckDNS.NET checks if all NS have the same version
      All 2 your servers have the same zone version 19
    CheckDNS.NET verifies www servers
      DNS round-robing with multiple web servers detected
      Checking HTTP server www.vngateways.us [63.252.121.68]
      HTTP server www.vngateways.us[63.252.121.68] answers on port 80
      Received: HTTP/1.1 200 OK (Server: Microsoft-IIS/6.0) . Under Construction. Under Construction. The site you are trying to view does not currently have a default page. It may be in the process of being upgraded and configured. .Please try this site again later. If you still experience the problem, try contacting the Web site administrator. .If you are the Web site administrator and feel you have receiv
      Checking HTTP server www.vngateways.us [10.1.1.3]
      Error connecting to HTTP server www.vngateways.us [10.1.1.3] port 80 : timed out waiting for connection

If you could point out what I did wrong and help me with the right configuration, that would be great. I've been struggling with it for a few days now and couldn't figure out the problem.

(in reply to tshinder)
Post #: 41
RE: Discussion about article on ISA firewalls protectin... - 1.Jul.2006 7:02:42 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jle,

It looks like your HOST (A) records are misconfigured.

The DNS advertiser should only have the public addresses used to connect to the site, which would be the IP address on the external interface of the ISA firewall that is being used by the Web listener publishing the site.

HTH,
Tom

< Message edited by tshinder -- 1.Jul.2006 7:04:20 PM >


_____________________________

Thomas W Shinder, M.D.

(in reply to jle2005)
Post #: 42
RE: Discussion about article on ISA firewalls protectin... - 5.Jul.2006 5:33:04 PM   
jle2005

 

Posts: 37
Joined: 19.Jan.2006
Status: offline
Hello Tom,

Are you saying that I should set up a HOST (A) record with a public IP address on my public DNS Server even though the DNS Server is set up with a private IP address? I forgot to mention in my last post that the web server is set up on one of my public DNS Servers. When I created the two rules to publish those two DNS Servers, I thought it should take care of all the IP mapping for me already. I also created a web server publishing rule to publish the internal web server, which is on one of the DNS Servers, with a web listener that maps to the IP address on the external interface of the ISA firewall.

(in reply to tshinder)
Post #: 43
RE: Discussion about article on ISA firewalls protectin... - 6.Jul.2006 4:40:35 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jle,

The ISA firewall won't automagically configure your DNS server, although that would be a feature that would make the ISA firewall completely different from any other one in the market.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jle2005)
Post #: 44
RE: Discussion about article on ISA firewalls protectin... - 8.Jul.2006 1:07:21 AM   
jle2005

 

Posts: 37
Joined: 19.Jan.2006
Status: offline
Hello Tom,

Thank you for replying. Could you show me how to configure my DNS Server to work with ISA Server, if you don't mind? Thank you.

(in reply to tshinder)
Post #: 45
RE: Discussion about article on ISA firewalls protectin... - 9.Jul.2006 6:57:24 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jle,

You need to create Host (A) records based on the IP address that the external users will use to connect to the internal sites. These will be the addresses used by the Web and Server Publishing Rule listeners for the rules you create.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jle2005)
Post #: 46
RE: Discussion about article on ISA firewalls protectin... - 11.Jul.2006 10:06:17 PM   
jle2005

 

Posts: 37
Joined: 19.Jan.2006
Status: offline
Hello Tom,

You are the man, and thank you for pointing that out. I finally got my DNS and Web server up and running in my test lab.

(in reply to tshinder)
Post #: 47
RE: Discussion about article on ISA firewalls protectin... - 12.Jul.2006 3:40:36 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jle,

Great! Good to hear you got it working and thanks for the follow up!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jle2005)
Post #: 48
RE: Discussion about article on ISA firewalls protectin... - 12.Jul.2006 10:26:02 PM   
jle2005

 

Posts: 37
Joined: 19.Jan.2006
Status: offline
Hello Tom,

Could you let me know what kind of rule I should create to let the internal host access the web server on the DMZ? I created an access rule to allow the internal host to access the web server on the DMZ, but it didn't work. When I try to access my web server on the DMZ from the internal host, I get the error below. Please help.

    Error Code 10061: Connection refused
    Background: When the gateway or proxy server contacted the upstream (Web) server, the connection was refused. This usually results from trying to connect to a service that is inactive on the upstream server.

(in reply to tshinder)
Post #: 49
RE: Discussion about article on ISA firewalls protectin... - 13.Jul.2006 2:56:45 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jle,

Is there a rule allowing connections from that Host to the DMZ?

Is there a Network Rule connecting the source ISA firewall Network to the destination ISA firewall Network?

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jle2005)
Post #: 50
RE: Discussion about article on ISA firewalls protectin... - 13.Jul.2006 6:25:54 PM   
jle2005

 

Posts: 37
Joined: 19.Jan.2006
Status: offline
Hello Tom,

Thank you for replying, and yes, I created the two rules below.

1) Access rule:

    Action:    Allow
    Protocols: http
    From:      Internal
    To:        DMZ
    Users:     All Users

2) Network rule:

    Internal to DMZ, Relation (Route)

(in reply to tshinder)
Post #: 51
RE: Discussion about article on ISA firewalls protectin... - 14.Jul.2006 5:15:32 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jle,

It could be that you're looping through the ISA firewall's external interface?

Put the FQDN of the Web server in the Direct Access list on the ISA firewall and see if that helps. Remember not to mix IP addresses and FQDNs in the Direct Access list, or it won't work.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jle2005)
Post #: 52
RE: Discussion about article on ISA firewalls protectin... - 20.Jul.2006 11:47:04 PM   
jle2005

 

Posts: 37
Joined: 19.Jan.2006
Status: offline
Hello Tom,

Could you give me a few more detailed steps on how to "put the FQDN of the Web server in the Direct Access list on the ISA firewall"? Thank you very much.

(in reply to tshinder)
Post #: 53
RE: Discussion about article on ISA firewalls protectin... - 21.Jul.2006 4:02:09 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jle,

http://www.isaserver.org/pages/search.asp?query=Direct+Access



HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jle2005)
Post #: 54
RE: Discussion about article on ISA firewalls protectin... - 30.Aug.2006 12:12:05 PM   
Money Penney

 

Posts: 132
Joined: 18.Sep.2002
From: Melbourne
Status: offline
Not sure if this is covered anywhere else but I recently had a problem with SSL and Exchange Public Folders when implementing split DNS.

To allow the Exchange server to be referred to by its external name (mail.xyz.com.au) by Windows Mobile devices or any connection requiring an SSL connection, I had to replace the certificate in IIS with the same one used on the ISA Server (that is, for mail.xyz.com.au).

This works great after some tweaking of ISA settings, etc.

The problem seems to be when you go to access Public Folders, if SSL is required for the Exadmin virtual folder in IIS then you will get errors in Outlook and in the Exchange System Manager you will get the following error:

    The SSL certificate server name is incorrect
    ID no: c103b404
    Exchange System Manager

The workaround is to disable the SSL requirement for Exadmin; however, I have yet to find out why this happens exactly and if there is a better solution. There may also be other related issues that I have yet to discover.

(in reply to tshinder)
Post #: 55
RE: Discussion about article on ISA firewalls protectin... - 30.Aug.2006 12:24:00 PM   
Money Penney

 

Posts: 132
Joined: 18.Sep.2002
From: Melbourne
Status: offline
Using Stub records for external web servers.

To make managing external resources that need to be accessed in the same namespace, such as externally hosted web servers, easier I have used Stub zones with success.  Often web hosting companies make changes to their servers and address space, making it painful to manually update your A record to point to the correct external IP address.  Stub records can help get around this.

For example, let's say your domain is xyz.com and you have a website at www.xyz.com that is hosted externally by a web hosting provider; I would create a stub zone called www under the xyz.com forward lookup zone in DNS that has the external DNS servers that are responsible for your xyz.com domain name resolution externally (often the web host, your ISP, or a DNS hosting provider). Then whenever an internal client looks up www.xyz.com, the DNS server refers the request to the external DNS servers and returns the correct external IP address.

So far this has worked well for me and has required zero maintenance, but perhaps people can see a problem with this or know of a better way?

(in reply to Money Penney)
Post #: 56
RE: Discussion about article on ISA firewalls protectin... - 30.Aug.2006 3:25:18 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: Money Penney

Using Stub records for external web servers.

To make managing external resources that need to be accessed in the same namespace, such as externally hosted web servers, easier I have used Stub zones with success.  Often web hosting companies make changes to their servers and address space, making it painful to manually update your A record to point to the correct external IP address.  Stub records can help get around this.

For example, let's say your domain is xyz.com and you have a website at www.xyz.com that is hosted externally by a web hosting provider; I would create a stub zone called www under the xyz.com forward lookup zone in DNS that has the external DNS servers that are responsible for your xyz.com domain name resolution externally (often the web host, your ISP, or a DNS hosting provider). Then whenever an internal client looks up www.xyz.com, the DNS server refers the request to the external DNS servers and returns the correct external IP address.

So far this has worked well for me and has required zero maintenance, but perhaps people can see a problem with this or know of a better way?


Hi MP,

Very clever! I like it!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Money Penney)
Post #: 57
RE: Discussion about article on ISA firewalls protectin... - 25.Nov.2006 4:36:51 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Hi Tom,
I guess I have been one of those people that got "hot under the collar" as you said over Split-DNS.  Of the possible reasons you gave (below):

Maybe it's because they believe they need to rename their internal network domains, or that they think there is an adverse security impact, or maybe it's just because DNS is so difficult to understand in the first place, that the idea of further complicating the issue puts them over the edge.

That last one is one of the two reasons in my case. I just can't stand overcomplicating something that I already have to work at trying to understand clearly. The second reason would be due to another possible misunderstanding, in that I thought it required two DNS servers in addition to the ISP's. However, if I'm not mistaken (this time), the ISP's DNS can be the second DNS, meaning that I would only have my internal AD DNS to worry about. This takes away a large part of what I didn't like about (what I perceived about) Split-DNS.

So, I'm starting to come around...
I still need to study these articles some more though.

Phillip Windell
phillip.windell@wandtv.com

(in reply to tshinder)
Post #: 58
RE: Discussion about article on ISA firewalls protectin... - 26.Nov.2006 10:26:59 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Phil,

That's right. You don't need to use another external DNS server if you don't want to; your ISP's DNS server will work just fine for the external zone. You don't even need to create another DNS server on the internal network; you can host the parallel internal zone on your existing internal DNS servers.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to pwindell)
Post #: 59
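The three split-DNS mistakes discussed in this thread can be checked mechanically: a private address leaking into the public zone (jle2005's 10.1.1.3 record in Post #41, Tom's advice in Post #42), an internal record that points at the firewall's own external listener so clients loop through the external interface (Post #52), and a public name with no parallel record in the internal zone (Post #59). The audit below is an added example written for this thread, not code from ISAserver.org or any poster; the zone contents are constructed (the www/10.1.1.3 and 63.252.121.x values echo the quoted CheckDNS.NET output, owa and mail are made up), and it assumes the Web listener sits on 63.252.121.68.

```python
import ipaddress

# Address blocks that must never appear in the zone the Internet sees.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Constructed sample zones. www/10.1.1.3 and 63.252.121.x mirror the CheckDNS.NET
# output quoted earlier in the thread; owa and mail are made-up records.
PUBLIC_ZONE = {                                  # advertised by the public DNS servers
    "www.vngateways.us": ["63.252.121.68", "10.1.1.3"],
    "mail.vngateways.us": ["63.252.121.68"],
}
INTERNAL_ZONE = {                                # parallel zone on the internal DNS server
    "www.vngateways.us": ["10.1.1.3"],
    "owa.vngateways.us": ["63.252.121.68"],      # wrongly points at the listener
}
# Assumption: the ISA Web listener sits on this external-interface address.
FIREWALL_EXTERNAL_IPS = {"63.252.121.68"}


def is_non_public(addr):
    """True when addr falls in a block that has no business in a public zone."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_PUBLIC)


def audit_split_dns(public_zone, internal_zone, firewall_external_ips):
    """Return (record, problem) pairs for the three split-DNS mistakes in the thread."""
    findings = []
    fw_ips = {ipaddress.ip_address(a) for a in firewall_external_ips}

    # 1. The public zone must carry only public addresses (the 10.1.1.3 record).
    for name, addrs in public_zone.items():
        for a in addrs:
            if is_non_public(a):
                findings.append((f"{name} A {a}", "non-public address advertised to the Internet"))

    # 2. An internal record resolving to the firewall's own external listener makes
    #    internal clients loop through the external interface.
    for name, addrs in internal_zone.items():
        for a in addrs:
            if ipaddress.ip_address(a) in fw_ips:
                findings.append((f"{name} A {a}", "resolves to the firewall external interface"))

    # 3. Every public name needs a parallel internal record, or internal lookups
    #    fall through to the external answer instead of the internal address.
    for name in public_zone:
        if name not in internal_zone:
            findings.append((name, "no parallel record in the internal zone"))
    return findings
```

Feed it the records exported from the advertiser zone and the internal parallel zone; an empty result means none of the three misconfigurations is present.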
RE: Discussion about article on ISA firewalls protectin... - 15.Feb.2007 9:27:16 AM   
thenovice

 

Posts: 15
Joined: 13.Feb.2007
Status: offline
Thanks all, I have been deliberating through all the notes provided on Split DNS and DDNS. I just cannot seem to crack it; any aid will be welcome. This is for a charity, therefore the least costly route would be the best. Here is the scenario:

[Internal network, 'internal.local', 192.168.1.0/24, SBS box with ISA2004, Exchange, etc - sole server]  -connected to-  ["DMZ", i.e. external NIC of SBS Premium Server connected to Linksys ADSL router, thus 192.168.10.0/28]  -connected to-  ['Public' Internet, 'external.dyndns.org', DDNS updated dynamic IP]
Required:
- NB all MX rr records to point mail directly to the SBS Exchange (therefore mail redirected from current ISP NS for the company.com domain to the 'external.dyndns.org' url and thus all mail is delivered to the SBS box).
- OWA access to this mail (for temp access for roaming users at hotel lobbies acquiring funds from overseas)
- POP facility for off-shore users to download and manage email
- VPN for boss
Done:
Created 2nd Primary Zone on internal DNS (on SBS server), entered records as follows: 'external.dyndns.org' = to 192.168.1.1 (SBS server IP).
'owa.external.dyndns.org' = to 192.168.1.1 as it is the same server
'pop.external.dyndns.org' = to 192.168.1.1 as it is the same server
'smtp.external.dyndns.org' = to 192.168.1.1 as it is the same server
Created 'free' account with Dyndns.org = 'external.dyndns.org'
The Linksys router has a built-in DDNS client. I configured it, and although it updated the 'external.dyndns.org' IP address, I could not get onto the server or access those required services. So I disabled this feature on the router, downloaded the DDNS client and installed it on the SBS server. IP updating works fine, but I am still unable to access anything. Help!

(in reply to PietjePuck)
Post #: 60
