RE: Discussion about article on ISA firewalls protecting illegal TLDs
RE: Discussion about article on ISA firewalls protectin... - 15.Feb.2007 1:10:55 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
With the dreaded .local illegal TLD, you have no option to run an integrated split DNS, so you'll need to run a parallel split DNS. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Discussion about article on ISA firewalls protectin... - 16.Feb.2007 1:53:12 AM
thenovice
Posts: 14
Joined: 13.Feb.2007
Status: offline
Thanks for the response. I shall need to do a little more reading up in regards to 'parallel split DNS' and try to implement it. I am next at this client Tuesday; thank God it is not critical. I have set them up to run Exchange POP connectors on their new SBS server at present. This causes havoc with the overseas users, as users in the local office in SA cannot send mail due to the local SBS server's internal Exchange being the 'Authoritative' for the company.com domain. Of course they also cannot VPN, OWA etc.
RE: Discussion about article on ISA firewalls protectin... - 26.Jun.2007 8:30:15 AM
thenovice
Posts: 14
Joined: 13.Feb.2007
Status: offline
Hi Tom,

Found my issue and was able to resolve it (the ISA 'edge' server is required to make the PPPoE connection, unless a smart router is in place, and the local server certificate must be the external DNS record entry, in my example 'office.company.com'). Side note: as the ".local"/internal DNS service has a new zone "company.com" added to the original zone of "company.local", I only have one issue. To summarize:

The ISP, who hosts the 'www.company.com' site, has on its DNS server a sub-domain record "office.company.com" with the 'Company'/client ISA 2004 external NIC IP address (public address) associated. The 'Company' has an internal 'Split' DNS zone "company.com" with an 'A' record 'office.company.com' pointing to the internal NIC IP address '192.168.10.1'.

Now when internal users want to browse their 'www.company.com' website, an error message is displayed:

'tech reasons'
* Error Code 10061: Connection refused
* Background: The server you are attempting to access has refused the connection with the gateway. This usually results from trying to connect to a service that is inactive on the server.
* Date: 2007/06/26 12:20:05 PM
* Server: server01.company.local
* Source: Remote server

Please bear in mind that we do not publish a web site as it is hosted elsewhere. I tried to create an additional 'A' record in the .local DNS 'company.com' zone pointing to the ISP DNS server; this just produces the same result. Any work around?
RE: Discussion about article on ISA firewalls protectin... - 26.Jun.2007 9:22:26 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
For company resources that aren't under your control (such as using a Web hoster), your internal zone and external zone information in the split DNS will be the same, since both the internal and external users must be able to resolve the resource to the external IP address. HTH, Tom
RE: Discussion about article on ISA firewalls protectin... - 26.Jun.2007 10:55:43 AM
thenovice
Posts: 14
Joined: 13.Feb.2007
Status: offline
OK, somewhere I am missing the plot; any aid here would be much appreciated.

The client now has an ISP's router in place and a service package that happens to include 5 public static IP addresses, therefore we do not require a 'free DDNS account' (this makes it easier to create 'split-DNS', as the account is usually fictitious, e.g. company.dyndns.org, so when a user queries the actual website www.company.com, the local DNS server simply forwards the query on recursively). All static IPs reside within the DMZ at the client in question.

This external ISP's DNS server has a sub-domain RR record office.company.com under the domain 'company.com', one that it is the SOA for. That sub-domain record points to the client's static IP 196.212.31.178 (this is the external NIC on the SBS 2003 server running ISA 2004), but naturally its 'www.company.com' record on their DNS server points to another IP address on their web server; I do not have this IP address.

The internal server at the client has a 'split' DNS record for the newly created 'office.company.com' sub-domain record under the newly created primary zone 'company.com'; this points to 192.168.10.1. This means that should someone want to access the OWA facility, or set up Outlook over RPC, using the office.company.com RR record, it does not matter whether they are sitting on the internal or external network: the result is the same and settings do not have to change.

When an internal user queries for the www.company.com website, the local DNS server says "Hold on, I am the SOA for the primary 'company.com' zone (i.e. server01.company.LOCAL) on this 'split-DNS' configuration and its IP address is 192.168.10.1, but I do not have a record for www, let alone know what the IP address may be for that site, but I am still the SOA, therefore such a listing cannot possibly exist." Therefore the user obtains the error message when trying to browse their own website.

So I create a record within this local DNS zone pointing to the external public IP address of the ISP's DNS server hosting the website, in the hope that when asking for www.company.com it resolves to the ISP's DNS record for this site. Naturally this won't work, as the DNS server itself is not the web publishing server or the unique IP for the 'www.company.com' site in question.

So back to step 1: how do I query, or pass on a query, to resolve a web address to an IP address when the local DNS server is the SOA for that zone, but the actual web site resides on another machine hosted elsewhere in the internet cloud? Will the actual IP address for the site entered into the local DNS zone listing do the trick?
RE: Discussion about article on ISA firewalls protectin... - 27.Jun.2007 9:17:30 AM
thenovice
Posts: 14
Joined: 13.Feb.2007
Status: offline
OK, I see I need to explain further.

The local server (Server01.company.local) hosts the email on its Exchange service (i.e. Small Business Server Premium 2003 SP2, ISA 2004 SP3), therefore POP3, SMTP and OWA as well as VPN need to be available via the net for external/international based users. The web site (and others owned by the client 'Company') does not sit on the SBS box, it sits outside. Therefore when running a 'Split-DNS' one has to point locally when inside the internal network, as the local server hosts the mail. Entered in the split DNS zones:

a) 'company.local' (internal/private) points to the SOA Server01.company.local - 192.168.10.1
b) 'company.com' (external/public) points to the SOA Server01.company.local - 192.168.10.1

There is a sub-domain off 'company.com', 'office.company.com', that is an 'A' record pointing to 192.168.10.1.

The external ISP has a DNS server with:

a) 'company.com' points to their SOA DNS demeter.is.co.za jupiter.is.co.za titan.is.co.za

They have a sub-domain (child domain) 'office.company.com' pointing to the static IP address on our external SBS 2003 NIC, 196.212.31.178 (this wouldn't be too unlike pointing to a DynDNS.org IP that had been updated).

All works well both internally and externally: OWA, VPN, etc. (Well, cannot lie: I am still working out how to publish the POP3 service on the SBS 2003 Server01 behind the ISA 2004 service, so that users in the UK can 'download' their mail using an internet mail client, but will get there next time I am in at this client.)

HOWEVER, the issue at hand is the inability to see the 'www.company.com' website that of course is sitting at the ISP (i.e. not hosted locally). Naturally the world can see the website 'www.company.com' (www.educationafrica.com to be more specific), just not the internal users, much to their dismay.

The only thing I think I could do is get hold of the actual IP for the site and enter an internal RR 'A' record on the Server01.company.local DNS zone called 'www.company.com' and point it to the IP. Unfortunately I am not too certain if they use public or private IPs (i.e. DDNS) for their web hosting, and if the setup would actually work; will just have to try next time I am at the client. Unless anyone has a better idea, which I am hoping for.

Kind regards
RE: Discussion about article on ISA firewalls protectin... - 28.Jun.2007 7:49:18 AM
thenovice
Posts: 14
Joined: 13.Feb.2007
Status: offline
No problem, thanks for the answer. Resolved the issue using my explanation given above.

At an external user's PC (another client), ping -a 'www.company.com' retrieved the actual public IP address on the internet for the 'www.company.com' site. Went to the 'Company' client, added a www 'A' record to the already internally created 'company.com' ('Split-DNS') zone, pointed it to the public IP address retrieved earlier, refreshed DNS. Hey presto, all works: the other sub-domain entries on the internally created split zone all still point to server01.company.local's IP, 192.168.10.1, but the www record points externally. Thanks again.
RE: Discussion about article on ISA firewalls protectin... - 29.Jun.2007 9:48:22 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Novice, GREAT! That's exactly how it works. Congrats on getting your split DNS working -- your users will love you for it! Tom
RE: Discussion about article on ISA firewalls protectin... - 22.Oct.2008 4:20:42 PM
JCI400
Posts: 19
Joined: 3.Feb.2007
Status: offline
These articles are timeless... here we are still discussing it several years later. Under 'Create the Internal Side of the Split DNS on the Internal Network DNS server' you state the first step is to create the isaexternal.com zone in an Active Directory Integrated Zone. Yet the example implies the DNS server is not a DC (the New Zone Wizard's 'Store in AD' is greyed out). Is there any benefit to being in or not in the AD Integrated zone? Internally I run three AD/DCs, all are DNS servers (can't get enough redundancy, I guess).
RE: Discussion about article on ISA firewalls protectin... - 24.Oct.2008 8:26:07 AM
JCI400
Posts: 19
Joined: 3.Feb.2007
Status: offline
In setting up a split DNS for an illegal TLD for use externally with TSWEB, does each internal host you wish to connect to have to be defined by hand in the external DNS server?
RE: Discussion about article on ISA firewalls protectin... - 28.Oct.2008 7:00:42 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Read the article again so that you're clear on the principles of a split DNS. Internal hosts are never configured to use external DNS servers. HTH, Tom
RE: Discussion about article on ISA firewalls protectin... - 28.Oct.2008 2:28:35 PM
JCI400
Posts: 19
Joined: 3.Feb.2007
Status: offline
I did not phrase that correctly. For users on the WWW to use TSWEB to get to their PCs from outside the corporate network (an illegal TLD), I have to be able to resolve names for hosts (PCs) within the internal network using the external legal domain name. The article says that I need to Create the Internal Side of the Split DNS by creating a zone on the internal DNS server using the externally resolvable domain name and NOT allow dynamic updates. Therefore I am responsible for each host in this zone (A records). These A records could be WWW, OWA, RDP or, in this case, user PCs (again the goal is TSWEB access). For the user to access his PC externally, that PC host name must be resolvable via the external domain name on the internal DNS server (external zone) with the internal IP for that PC. Therefore I must add that PC's A record in the zone created.
RE: Discussion about article on ISA firewalls protectin... - 29.Oct.2008 9:50:43 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
OK, I get it. Yes. For example, suppose you have two PCs that you want to RDP server publish: PC1 and PC2.

The public DNS entries are:
PC1.domain.com 1.1.1.1
PC2.domain.com 1.1.1.2

The private DNS entries are:
PC1.domain.com 10.0.0.100
PC2.domain.com 10.0.0.101

You then need to create two Server Publishing Rules, one for each of the public addresses that you'll be using for RDP publishing. HTH, Tom
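The behaviour worked out in this thread (an internal DNS server that is authoritative for the public domain name answers only from its own zone data and never forwards, so a name such as www that exists only at the ISP gets NXDOMAIN internally until the public address is copied into the internal zone, while per-host names like office or PC1/PC2 carry a private address inside and a public address outside) can be modelled in a few lines. The following is an added example written for this page, not code from the thread, from ISA Server or from Microsoft DNS. The addresses 192.168.10.1 and 196.212.31.178 and the names office.company.com, www.company.com and server01.company.local are the ones quoted above; the web host address 203.0.113.10 and the function names are constructed for the example. It also adds a check a practitioner would want: a list of names present in the public zone but missing from the internal copy, which is exactly the gap that produced the 'www' failure.

```python
# Split-horizon ("split DNS") simulation. Added example for this thread, not code
# from the thread, ISA Server or Microsoft DNS. The internal server is authoritative
# for the public domain (company.com) as well as for company.local, so queries for
# names under company.com are answered from internal zone data and never forwarded.
# Constructed/hypothetical values: 203.0.113.10 (the ISP-hosted web server) and all
# function names; the other names and addresses are the ones quoted in the thread.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NXDOMAIN = "NXDOMAIN"


def _norm(name: str) -> str:
    """Lower-case a name and strip a trailing dot so lookups are consistent."""
    return name.lower().rstrip(".")


@dataclass
class Zone:
    origin: str
    a_records: Dict[str, str] = field(default_factory=dict)  # fqdn -> IPv4

    def covers(self, name: str) -> bool:
        """True if this zone is authoritative for name (the origin or below it)."""
        name = _norm(name)
        return name == self.origin or name.endswith("." + self.origin)

    def add_a(self, fqdn: str, ip: str) -> None:
        self.a_records[_norm(fqdn)] = ip


@dataclass
class DnsServer:
    zones: List[Zone]
    forwarder: Optional["DnsServer"] = None

    def resolve(self, name: str) -> str:
        """Return the A record for name, or NXDOMAIN."""
        name = _norm(name)
        for zone in self.zones:
            if zone.covers(name):
                # Authoritative for this zone: answer from zone data only. A name
                # missing here is NXDOMAIN even though the ISP's copy of the zone
                # has it; forwarding is never consulted for an authoritative zone.
                return zone.a_records.get(name, NXDOMAIN)
        if self.forwarder is not None:
            return self.forwarder.resolve(name)
        return NXDOMAIN


def build_isp_server() -> DnsServer:
    """Public (external) view of company.com as hosted by the ISP."""
    public = Zone("company.com")
    public.add_a("www.company.com", "203.0.113.10")       # constructed web host IP
    public.add_a("office.company.com", "196.212.31.178")  # ISA external NIC (thread)
    return DnsServer(zones=[public])


def build_internal_server(isp: DnsServer) -> DnsServer:
    """Internal view: company.local plus the internal copy of company.com."""
    local = Zone("company.local")
    local.add_a("server01.company.local", "192.168.10.1")
    internal_com = Zone("company.com")
    internal_com.add_a("office.company.com", "192.168.10.1")  # internal NIC (thread)
    return DnsServer(zones=[local, internal_com], forwarder=isp)


def missing_internal_records(internal: DnsServer, public: DnsServer, origin: str) -> List[str]:
    """Names in the public zone with no record in the internal copy of that zone.
    Every such name fails for internal clients until it is added internally."""
    pub_zone = next(z for z in public.zones if z.origin == origin)
    int_zone = next(z for z in internal.zones if z.origin == origin)
    return sorted(n for n in pub_zone.a_records if n not in int_zone.a_records)


def fix_internal_zone(internal: DnsServer, public: DnsServer, origin: str) -> None:
    """Copy the public address of each missing name into the internal zone, which is
    what the thread did for www: a resource hosted elsewhere resolves to its public
    IP from both sides, while internally hosted names keep their private address."""
    pub_zone = next(z for z in public.zones if z.origin == origin)
    int_zone = next(z for z in internal.zones if z.origin == origin)
    for name in missing_internal_records(internal, public, origin):
        int_zone.add_a(name, pub_zone.a_records[name])


if __name__ == "__main__":
    isp = build_isp_server()
    internal = build_internal_server(isp)
    for n in ("office.company.com", "www.company.com"):
        print(f"{n}: inside={internal.resolve(n)} outside={isp.resolve(n)}")
    print("missing internally:", missing_internal_records(internal, isp, "company.com"))
    fix_internal_zone(internal, isp, "company.com")
    print("after fix, www inside:", internal.resolve("www.company.com"))
```

Run as a script it prints the two views side by side before and after the fix. The same model covers Tom's PC1/PC2 case: each PC gets a private address in the internal copy of the zone and a public address in the ISP's zone, and the firewall's server publishing rules are what join the two addresses; the check function is the thing to run whenever a record is added at the ISP, because the internal zone does not learn about it on its own.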
RE: Discussion about article on ISA firewalls protectin... - 29.Oct.2008 4:47:34 PM
JCI400
Posts: 19
Joined: 3.Feb.2007
Status: offline
What if both PCs (or a whole network of PCs) in the illegal TLD are to be accessed via domain.com (1.1.1.1)? For instance:

Internally we have PC1.domain.whatever, PC2.domain.whatever at 10.0.0.xxx
Externally we have domain.com at 1.1.1.1

Externally we want to resolve PC1.domain.com to PC1.domain.whatever. Would the external DNS server (in our case our ISP) forward domain.com to 1.1.1.1? The ISA would then resolve PC1.domain.com via the internal DNS server using the split DNS zone created for domain.com to an internal IP of 10.0.0.100 ... PC2.domain.com to 10.0.0.101 ... etc. Do I then create a rule for each PC to be accessed via RDP?

The illegal TLD zone in DNS stating PC1.domain.whatever at IP 10.0.0.100 would never be used from the outside. The internal zone for domain.com (A record PC1.domain.com) does not transfer out, so network naming and structure are secure. A side benefit: I would be able to access PC1, both internally and externally, by PC1.domain.com.

------------------------------------------------------------------------
(nothing is so simple I can't complicate the heck out of it...)
RE: Discussion about article on ISA firewalls protectin... - 4.Nov.2008 7:34:54 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Whoa!! A split DNS allows you to resolve names separately for internal and external hosts for the SAME DOMAIN. What's with the second domain? Do you want to create a split DNS for the second domain as well? Tom