Welcome to ISAserver.org

RE: Discussion about article on ISA firewalls protecting illegal TLDs
RE: Discussion about article on ISA firewalls protectin... - 15.Feb.2007 1:10:55 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
With the dreaded .local illegal TLD, you have no option to run an integrated split DNS, so you'll need to run a parallel split DNS.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to thenovice)
Post #: 61
RE: Discussion about article on ISA firewalls protectin... - 16.Feb.2007 1:53:12 AM   
thenovice

 

Posts: 15
Joined: 13.Feb.2007
Status: offline
Thanks for the response. I shall need to do a little more reading up in regards to 'parallel split DNS' and try to implement it. I am next at this client Tuesday, thank God it is not critical - I have set them up to run Exchange POP connectors on their new SBS server, at present - this causes havoc with the overseas users as users in the local office in SA cannot send mail due to the local SBS server's internal Exchange being the 'Authoritative' for the company.com domain. Of course they also cannot VPN, OWA etc.

(in reply to tshinder)
Post #: 62
RE: Discussion about article on ISA firewalls protectin... - 26.Jun.2007 8:30:15 AM   
thenovice

 

Posts: 15
Joined: 13.Feb.2007
Status: offline
Hi Tom

Found my issue and was able to resolve (ISA 'edge' server is required to make the PPPoE connection, unless smart router in place and the local Server certificate must be the external DNS record entry, in my example 'office.company.com') - side note, as the ".local"/internal DNS service has a new zone "company.com" added to the original zone of "company.local" I only have one issue, to summarize:

The ISP, who hosts the 'www.company.com' site, has a DNS server with a sub-domain record "office.company.com" with the 'Company'/client's ISA 2004 external NIC IP address (public address) associated.
The 'Company' has an internal 'Split' DNS zone "company.com" with an 'A' record, 'office.company.com' pointing to the internal NIC IP address '192.168.10.1'
Now when internal users want to browse their 'www.company.com' website, an error message is displayed: 'tech reasons'
* Error Code 10061: Connection refused
* Background: The server you are attempting to access has refused the connection with the gateway. This usually results from trying to connect to a service that is inactive on the server.
* Date: 2007/06/26 12:20:05 PM
* Server: server01.company.local
* Source: Remote server

Please bear in mind that we do not publish a web site as it is hosted elsewhere. I tried to create an additional 'A' record in the .local DNS 'company.com' zone pointing to the ISP DNS server - this just produces the same result.

Any work around?

(in reply to thenovice)
Post #: 63
RE: Discussion about article on ISA firewalls protectin... - 26.Jun.2007 9:22:26 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
For company resources that aren't under your control (such as using a Web hoster), your internal zone and external zone information in the split DNS will be the same, since both the internal and external users must be able to resolve the resource to the external IP address.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to thenovice)
Post #: 64
RE: Discussion about article on ISA firewalls protectin... - 26.Jun.2007 10:55:43 AM   
thenovice

 

Posts: 15
Joined: 13.Feb.2007
Status: offline
OK, somewhere I am missing the plot, any aid here would be much appreciated.

The Client now has an ISP's router in place and a service package that happens to include 5 public static IP addresses, therefore we do not require a 'free DDNS account' (this makes it easier to create 'split-dns' as the account is usually fictitious e.g., company.dyndns.org, so when a user queries the actual website www.company.com, the local DNS server simply forwards the query on recursively), all static IPs reside within the DMZ at the client in question.

This external ISP's DNS server has a sub-domain rr record office.company.com under the domain 'company.com', one that it is the SOA for - that sub-domain record points to the client's static IP 196.212.31.178 (this is the external NIC on the SBS 2003 server running ISA2004), but naturally its 'www.company.com' record on their DNS server points to another IP address on their web server, I do not have this IP address.

The internal server at the Client has a 'split' DNS record for the newly-created 'office.company.com' sub-domain record under the newly created primary zone 'company.com', this points to 192.168.10.1 - this means that should someone want to access the OWA facility, or set up Outlook over RPC - using the office.company.com rr record, it does not matter whether they are sitting on the Internal or External network, the result is the same & settings do not have to change.

When an internal user queries for the www.company.com website the local DNS server says

"Hold on, I am the SOA for the primary 'company.com' zone (i.e. server01.company.LOCAL) on this 'split-DNS' configuration and its IP address is 192.168.10.1, but I do not have a record for www. let alone know what the IP address may be for that site, but I am still the SOA, therefore such a listing cannot possibly exist."
Therefore the user obtains the error message when trying to browse their own website.

So I create a record within this local DNS zone pointing to the external public IP address of the ISPs DNS server hosting the website - in hope that when asking for www.company.com - it resolves to the ISP's DNS record for this site - naturally this won't work as the DNS server itself is not the Web publishing server or the unique IP for the 'www.company.com' site in question.

So back to step 1 - how do I query or pass on a query to resolve a web address to IP address when the local DNS server is the SOA for that Zone, but the actual Web site resides on another machine hosted elsewhere in the internet cloud? Will the actual IP address for the site entered into the local dns zone listing do the trick?

(in reply to tshinder)
Post #: 65
RE: Discussion about article on ISA firewalls protectin... - 27.Jun.2007 9:17:30 AM   
thenovice

 

Posts: 15
Joined: 13.Feb.2007
Status: offline
OK, I see I need to explain further:

Local server (Server01.company.local) hosts the email on its Exchange service (i.e. Small Business Server Premium 2003 SP2, ISA2004 SP3) - therefore POP3, SMTP & OWA as well as VPN need to be available via the net for external/international based users.

The Web site (and others owned by the client 'Company'') does not sit on the SBS box, it sits outside - therefore when running a 'Split-DNS' one has to point locally when inside the internal network, as the local server hosts the mail, enter in the split dns zones:
a) 'company.local' (internal/private) points to the SOA Server01.company.local - 192.168.10.1
b) 'company.com' (external/public) points to the SOA Server01.company.local - 192.168.10.1
There is a sub-domain off 'company.com' - 'office.company.com' that is an 'A' record pointing to 192.168.10.1

External ISP has DNS server with
a) 'company.com' points to their SOA DNS
demeter.is.co.za
jupiter.is.co.za
titan.is.co.za
They have a sub-domain (child domain) 'office.company.com' pointing to the static IP address on our external SBS 2003 NIC 196.212.31.178 (this wouldn't be too unlike pointing to a DynDNS.org IP that had been updated)

All works well both internally and externally - OWA, VPN, etc (well, cannot lie - I am still working out how to Publish the POP3 service on the SBS 2003 Server01 behind the ISA 2004 service, so that users in UK can 'download' their mail using an internet mail client - but will get there next time I am in at this client)

HOWEVER - the issue at hand is the inability to see the 'www.company.com' website that of course is sitting at the ISP (i.e. Not hosted locally) - Naturally the world can see the website 'www.company.com' (www.educationafrica.com to be more specific), just not the internal users - much to their dismay.
The only thing I think I could do is get hold of the actual IP for the site and enter an internal rr 'A' record on the Server01.company.local dns zone called 'www.company.com' and point it to the IP - unfortunately I am not too certain if they use public or private IPs (i.e DDNS) for their web hosting & if the setup would actually work - will just have to try next time I am at the client.

Unless anyone has a better idea, this I am hoping for. Kind regards

(in reply to thenovice)
Post #: 66
RE: Discussion about article on ISA firewalls protectin... - 27.Jun.2007 1:20:46 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
If the internal users cannot access www.company.com  then the problem is that you either don't have DNS zone for company.com on your internal DNS server or you haven't created a resource record for www.company.com in the company.com zone that points to the public IP address of www.company.com

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to thenovice)
Post #: 67
RE: Discussion about article on ISA firewalls protectin... - 28.Jun.2007 7:49:18 AM   
thenovice

 

Posts: 15
Joined: 13.Feb.2007
Status: offline
No problem, Thanks for answer - resolved the issue using my explanation given above.

At an external user's PC (another client) ping -a 'www.company.com' retrieved the actual public IP address on the internet for the 'www.company.com' site.

Went to 'Company' client, added www 'A' record to the already internally created 'company.com' ('Split-DNS') zone - pointed it to the public IP address retrieved earlier, refreshed DNS

Hey presto, all works - the other sub-domain entries on the internally created split zone all still point to server01.company.local's IP - 192.168.10.1, but the www record points externally.

Thanks again.

(in reply to tshinder)
Post #: 68
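The behaviour thenovice ran into in posts #65 and #66 (the internal server is SOA for company.com, so it answers NXDOMAIN for www.company.com instead of forwarding the query to the ISP) and the fix in post #68 (look up the public address from outside, add a www A record with that address to the internal copy of the zone), modelled in Python. This is an added example, not code from the thread or from ISA Server/Windows DNS. The addresses 192.168.10.1 and 196.212.31.178 are taken from the posts above; the web host's 203.0.113.10, the example.net zone and its 198.51.100.7 are constructed placeholders.

```python
"""Model of a split DNS for company.com, as described in this thread.

Added example, not code from the thread or from ISA Server. Zone contents
are constructed from the posts (office.company.com -> 192.168.10.1 inside,
196.212.31.178 outside); 203.0.113.10, example.net and 198.51.100.7 are
placeholders.
"""

NXDOMAIN = "NXDOMAIN"


class Zone:
    """A forward lookup zone: owner name -> IPv4 address (A records only)."""

    def __init__(self, name):
        self.name = name.lower()
        self.records = {}

    def add_a(self, owner, ip):
        self.records[owner.lower()] = ip

    def missing_from(self, other):
        """Owner names present in this zone but absent from `other`."""
        return sorted(n for n in self.records if n not in other.records)


class Resolver:
    """Answers from zones it is authoritative for; forwards everything else."""

    def __init__(self, zones, forwarder=None):
        # Longest zone name first, so a child zone wins over its parent.
        self.zones = sorted(zones, key=lambda z: -len(z.name))
        self.forwarder = forwarder

    def resolve(self, qname):
        qname = qname.lower().rstrip(".")
        for zone in self.zones:
            if qname == zone.name or qname.endswith("." + zone.name):
                # Authoritative answer: an unknown name is NXDOMAIN. The query
                # is never forwarded, which is why the internal server cannot
                # "ask the ISP" about www.company.com once it owns that zone.
                return zone.records.get(qname, NXDOMAIN)
        return self.forwarder.resolve(qname) if self.forwarder else NXDOMAIN


def build_isp_resolver():
    """The ISP's view: company.com as the Internet sees it."""
    company = Zone("company.com")
    company.add_a("office.company.com", "196.212.31.178")  # SBS/ISA external NIC
    company.add_a("www.company.com", "203.0.113.10")       # placeholder web host
    other = Zone("example.net")                             # unrelated site
    other.add_a("www.example.net", "198.51.100.7")          # placeholder
    return Resolver([company, other])


def build_internal_resolver(isp):
    """server01.company.local: authoritative for company.local and for the
    internal copy of company.com, forwarding everything else to the ISP."""
    local = Zone("company.local")
    local.add_a("server01.company.local", "192.168.10.1")
    internal_company = Zone("company.com")
    internal_company.add_a("office.company.com", "192.168.10.1")
    return Resolver([local, internal_company], forwarder=isp), internal_company


def internal_zone_gaps(internal_zone, isp):
    """Names the ISP's copy of the zone has that the internal copy lacks.

    Each of these resolves for the world but returns NXDOMAIN to internal
    users, which is exactly the www.company.com symptom in the thread."""
    external_zone = next(z for z in isp.zones if z.name == internal_zone.name)
    return external_zone.missing_from(internal_zone)


def demo():
    isp = build_isp_resolver()
    internal, internal_company = build_internal_resolver(isp)
    before = {
        "office inside": internal.resolve("office.company.com"),
        "office outside": isp.resolve("office.company.com"),
        "www inside": internal.resolve("www.company.com"),   # NXDOMAIN
        "forwarded": internal.resolve("www.example.net"),    # forwarding still works
        "gaps": internal_zone_gaps(internal_company, isp),
    }
    # The fix from post #68: obtain the public address of www.company.com
    # from outside, then add the same A record to the internal company.com zone.
    public_www = isp.resolve("www.company.com")
    internal_company.add_a("www.company.com", public_www)
    after = {
        "www inside": internal.resolve("www.company.com"),
        "gaps": internal_zone_gaps(internal_company, isp),
    }
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before fix", "after fix"), demo()):
        print(label, result)
```

The `internal_zone_gaps` check is the part worth keeping around: whenever the hoster adds a name to the public company.com zone, the internal copy has to get a matching record (Tom's point in post #67), and comparing the two views is a quicker way to find the gap than waiting for users to report that a site "doesn't exist".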
RE: Discussion about article on ISA firewalls protectin... - 29.Jun.2007 9:48:22 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Novice,

GREAT! That's exactly how it works.

Congrats on getting your split DNS working -- your users will love you for it!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to thenovice)
Post #: 69
RE: Discussion about article on ISA firewalls protectin... - 22.Oct.2008 4:20:42 PM   
JCI400

 

Posts: 21
Joined: 3.Feb.2007
Status: offline
These articles are timeless... here we are still discussing it several years later.

Under
Create the Internal Side of the Split DNS on the Internal Network DNS server
You state the first step is to create the isaexternal.com zone in an Active Directory Integrated Zone. Yet the example implies the DNS server is not a DC (New Zone Wizard's Store in AD is greyed out).

Is there any benefit to be in or not in the AD Integrated.. Internally I run three AD/DCs all are DNS servers (can't get enough redundancy, I guess).


(in reply to tshinder)
Post #: 70
RE: Discussion about article on ISA firewalls protectin... - 24.Oct.2008 8:04:08 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
You can configure the external zone in an AD integrated DNS. No problem with that.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to JCI400)
Post #: 71
RE: Discussion about article on ISA firewalls protectin... - 24.Oct.2008 8:26:07 AM   
JCI400

 

Posts: 21
Joined: 3.Feb.2007
Status: offline
In setting up a split DNS for an illegal TLD for use externally with TSWEB, does each internal host you wish to connect to have to be defined by hand in the external DNS server ?

(in reply to tshinder)
Post #: 72
RE: Discussion about article on ISA firewalls protectin... - 28.Oct.2008 7:00:42 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Read the article again so that you're clear on the principles of a split DNS. Internal hosts are never configured to use external DNS servers.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to JCI400)
Post #: 73
RE: Discussion about article on ISA firewalls protectin... - 28.Oct.2008 2:28:35 PM   
JCI400

 

Posts: 21
Joined: 3.Feb.2007
Status: offline
I did not phrase that correctly.

For users on the WWW to use Tsweb to get to their PCs from outside the corporate network (an illegal TLD), I have to be able to resolve names for hosts (PCs) within the internal network using the external legal domain name.

The article says that I need to Create the Internal Side of the Split DNS by creating a zone on the internal DNS server using the externally resolvable domain name and NOT allow dynamic updates. Therefore I am responsible for each host in this zone (A records). These A records could be WWW, OWA, RDP or in this case, user PCs (again the goal is tsweb access).

For the user to access his PC externally, that PC host name must be resolvable via the external domain name on the internal DNS server (external zone) with the internal IP for that PC. Therefore I must add that PC's A record for that PC in the zone created.

(in reply to tshinder)
Post #: 74
RE: Discussion about article on ISA firewalls protectin... - 29.Oct.2008 9:50:43 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
OK, I get it.

Yes. For example, suppose you have two PCs that you want to RDP server publish:

PC1
PC2

The public DNS entries are:

PC1.domain.com 1.1.1.1
PC2.domain.com 1.1.1.2

The private DNS entries are:

PC1.domain.com 10.0.0.100
PC2.domain.com 10.0.0.101

You then need to create two Server Publishing Rules, one for each of the public addresses that you'll be using for RDP publishing.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to JCI400)
Post #: 75
RE: Discussion about article on ISA firewalls protectin... - 29.Oct.2008 4:47:34 PM   
JCI400

 

Posts: 21
Joined: 3.Feb.2007
Status: offline
What if both PCs (or a whole network of PCs) in the illegal TLD are to be accessed via domain.com (1.1.1.1)?

For instance:
Internally we have PC1.domain.whatever, PC2.domain.whatever at 10.0.0.xxx
Externally we have domain.com at 1.1.1.1

Externally we want to resolve PC1.domain.com to PC1.domain.whatever.

Would the external DNS server (in our case our ISP) forward domain.com to 1.1.1.1.

The ISA would then resolve PC1.domain.com via the internal DNS server using the split DNS zone created for domain.com to an internal IP of 10.0.0.100 ... PC2.domain.com to 10.0.0.101 ... etc.

Do I then create a rule for each PC to be accessed via RDP?

The Illegal TLD zone in DNS stating PC1.domain.whatever at IP 10.0.0.100 would never be used from the outside.

The internal zone for domain.com (A record PC1.domain.com) does not transfer out so network naming and structure are secure.

A side benefit, I would be able to access PC1, both internally and externally by PC1.domain.com
------------------------------------------------------------------------
(nothing is so simple I can't complicate the heck out of it...)

(in reply to tshinder)
Post #: 76
RE: Discussion about article on ISA firewalls protectin... - 4.Nov.2008 7:34:54 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Whoa!! A split DNS allows you to resolve names separately for internal and external hosts for the SAME DOMAIN.

What's with the second domain? Do you want to create a split DNS for the second domain as well?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to JCI400)
Post #: 77
ISA ignores spoofed packets detection? - 5.Feb.2009 4:01:54 PM   
thejedi70

 

Posts: 73
Joined: 11.Apr.2001
Status: offline
-

(in reply to tshinder)
Post #: 78
RE: ISA ignores spoofed packets detection? - 7.Feb.2009 11:51:40 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Not sure how to answer that one

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to thejedi70)
Post #: 79
RE: Discussion about article on ISA firewalls protectin... - 8.Feb.2009 1:02:32 PM   
thenovice

 

Posts: 15
Joined: 13.Feb.2007
Status: offline
OK. Not too sure about JCI400's requirements, but I shall put down what I have got on the go, perhaps that will aid the matter:

Get the VPN running to your server, correctly (i.e. correct external 'ISP' DNS entry for the public facing URL/IP to point to the company server, I believe called Tsweb.domain.whatever )
e.g VPN to Tsweb.dyndns.org or hypothetical 196.xxx.xxx.xxx public IP if you have one

I use the Split DNS mainly for the following:
*Want to use same RDC settings internally and externally for all clientele;
*Want client to use same OWA address internally or externally should they require it;
*A single entry to enable RDP-over-HTTP will be required for those consultants with laptops floating in and out of the office (although I prefer to give Exchange access over VPN, more secure).
*Due to all this and actual Public IP listing on the internal DNS split pointing to the actual company Web site (which sits on the external web server somewhere in the cloud)

Any machine used externally, in our case client wanted to use 'Home pc' to access work PC and continue with the company's 'Pastel' accounting books, can thus simply VPN to the Tsweb.domain.whatever server and then RDC to the user's pc in question (providing it was left on) and continue to invoice or whatever.

The User uses their UN & PW to VPN onto the server, enters their office PC IP address into the RDC and of course their UN and PW again to gain access (we set the internal DHCP leases to 12 days, to accommodate leave etc, but haven't had a hitch with incorrect IP yet - this can be changed as per personal preferences). Also, do not forget to add the user to the "Mobile users" (VPN access) group.

The Only question that remains is the number of users that require this access concurrently. Currently only 3 are permitted in SBS 2003 - not sure re: SBS 2008 or Essential Bus 2008. Anything more and I suggest running an additional member server behind your ISA with Win 2003/2008 std server and Terminal services, that adds a whole new plethora of options.

(in reply to JCI400)
Post #: 80