Thanks for the response. I shall need to do a little more reading up in regards to 'parallel split DNS' and try to implement it. I am next at this client Tuesday; thank God it is not critical. I have set them up to run Exchange POP connectors on their new SBS server at present - this causes havoc with the overseas users, as users in the local office in SA cannot send mail due to the local SBS server's internal Exchange being the 'Authoritative' for the company.com domain. Of course they also cannot VPN, OWA, etc.
Found my issue and was able to resolve it (an ISA 'edge' server is required to make the PPPoE connection, unless a smart router is in place, and the local server certificate must be the external DNS record entry, in my example 'office.company.com'). Side note: as the ".local"/internal DNS service has a new zone "company.com" added to the original zone of "company.local", I only have one issue, to summarize:
The ISP, who hosts the 'www.company.com' site, has a DNS server with a sub-domain record "office.company.com" associated with the 'Company'/client ISA 2004 external NIC IP address (public address). The 'Company' has an internal 'split' DNS zone "company.com" with an 'A' record, 'office.company.com', pointing to the internal NIC IP address '192.168.10.1'. Now when internal users want to browse their 'www.company.com' website, an error message is displayed ('tech reasons'):
* Error Code 10061: Connection refused
* Background: The server you are attempting to access has refused the connection with the gateway. This usually results from trying to connect to a service that is inactive on the server.
* Date: 2007/06/26 12:20:05 PM
* Server: server01.company.local
* Source: Remote server
Please bear in mind that we do not publish a web site, as it is hosted elsewhere. I tried to create an additional 'A' record in the .local DNS 'company.com' zone pointing to the ISP DNS server - this just produces the same result.
For company resources that aren't under your control (such as using a Web hoster), your internal zone and external zone information in the split DNS will be the same, since both the internal and external users must be able to resolve the resource to the external IP address.
OK, somewhere I am missing the plot, any aid here would be much appreciated.
The client now has an ISP's router in place and a service package that happens to include 5 public static IP addresses, therefore we do not require a 'free DDNS account' (this makes it easier to create 'split DNS', as the account is usually fictitious, e.g. company.dyndns.org, so when a user queries the actual website www.company.com, the local DNS server simply forwards the query on recursively). All static IPs reside within the DMZ at the client in question.
This external ISP's DNS server has a sub-domain RR record office.company.com under the domain 'company.com', one that it is the SOA for - that sub-domain record points to the client's static IP 196.212.31.178 (this is the external NIC on the SBS 2003 server running ISA 2004), but naturally its 'www.company.com' record on their DNS server points to another IP address on their web server; I do not have this IP address.
The internal server at the client has a 'split' DNS record for the newly-created 'office.company.com' sub-domain record under the newly created primary zone 'company.com'; this points to 192.168.10.1 - this means that should someone want to access the OWA facility, or set up Outlook over RPC, using the office.company.com RR record, it does not matter whether they are sitting on the internal or external network; the result is the same and settings do not have to change.
When an internal user queries for the www.company.com website the local DNS server says
"Hold on, I am the SOA for the primary 'company.com' zone (i.e. server01.company.LOCAL) on this 'split DNS' configuration and its IP address is 192.168.10.1, but I do not have a record for www, let alone know what the IP address may be for that site; but I am still the SOA, therefore such a listing cannot possibly exist." Therefore the user obtains the error message when trying to browse their own website.
So I create a record within this local DNS zone pointing to the external public IP address of the ISP's DNS server hosting the website, in the hope that when asking for www.company.com it resolves to the ISP's DNS record for this site - naturally this won't work, as the DNS server itself is not the web publishing server or the unique IP for the 'www.company.com' site in question.
So back to step 1 - how do I query, or pass on a query, to resolve a web address to an IP address when the local DNS server is the SOA for that zone, but the actual web site resides on another machine hosted elsewhere in the internet cloud? Will the actual IP address for the site entered into the local DNS zone listing do the trick?
The local server (Server01.company.local) hosts the email on its Exchange service (i.e. Small Business Server Premium 2003 SP2, ISA 2004 SP3) - therefore POP3, SMTP and OWA as well as VPN need to be available via the net for external/international users.
The web site (and others owned by the client 'Company') does not sit on the SBS box; it sits outside - therefore when running a 'split DNS' one has to point locally when inside the internal network, as the local server hosts the mail. Enter in the split DNS zones:
a) 'company.local' (internal/private) points to the SOA Server01.company.local - 192.168.10.1
b) 'company.com' (external/public) points to the SOA Server01.company.local - 192.168.10.1
There is a sub-domain off 'company.com', 'office.company.com', that is an 'A' record pointing to 192.168.10.1
The external ISP has a DNS server with:
a) 'company.com' points to their SOA DNS: demeter.is.co.za, jupiter.is.co.za, titan.is.co.za
They have a sub-domain (child domain) 'office.company.com' pointing to the static IP address on our external SBS 2003 NIC, 196.212.31.178 (this wouldn't be too unlike pointing to a DynDNS.org IP that had been updated).
All works well both internally and externally - OWA, VPN, etc. (well, cannot lie - I am still working out how to publish the POP3 service on the SBS 2003 Server01 behind the ISA 2004 service, so that users in the UK can 'download' their mail using an internet mail client - but will get there next time I am in at this client).
HOWEVER - the issue at hand is the inability to see the 'www.company.com' website that of course is sitting at the ISP (i.e. not hosted locally). Naturally the world can see the website 'www.company.com' (www.educationafrica.com to be more specific), just not the internal users - much to their dismay. The only thing I think I could do is get hold of the actual IP for the site and enter an internal RR 'A' record on the Server01.company.local DNS zone called 'www.company.com' and point it to the IP - unfortunately I am not too certain if they use public or private IPs (i.e. DDNS) for their web hosting and if the setup would actually work - will just have to try next time I am at the client.
Unless anyone has a better idea, this is what I am hoping for. Kind regards
If the internal users cannot access www.company.com, then the problem is that you either don't have a DNS zone for company.com on your internal DNS server or you haven't created a resource record for www.company.com in the company.com zone that points to the public IP address of www.company.com.
No problem, thanks for the answer - resolved the issue using my explanation given above.
At an external user's PC (another client), ping -a www.company.com retrieved the actual public IP address on the internet for the 'www.company.com' site.
Went to the 'Company' client, added a www 'A' record to the already internally created 'company.com' ('split DNS') zone, pointed it to the public IP address retrieved earlier, refreshed DNS.
Hey presto, all works - the other sub-domain entries on the internally created split zone all still point to server01.company.local's IP, 192.168.10.1, but the www record points externally.
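The internal side of the split DNS that the posts above describe, as an added example rather than anything from the thread or the original article: it creates the internal 'company.com' zone with dynamic updates off, points 'office' at the SBS box's internal NIC, looks up the public address of 'www' from outside (the scripted form of the ping -a step) and adds it, then checks that the internal server answers the two kinds of name differently. It uses the DnsServer PowerShell module (Windows Server 2012 and later); the Windows 2003 / SBS 2003 dnscmd equivalents are given in comments. The zone and addresses are the thread's own; the outside resolver (8.8.8.8) is an assumption.

```powershell
# Added example, not the thread's or the article's own configuration.
# Builds the internal half of the split DNS for company.com on a Windows DNS
# server (DnsServer module, Server 2012+). dnscmd equivalents for 2003 in comments.

$Zone             = 'company.com'
$InternalIP       = '192.168.10.1'   # internal NIC of server01.company.local
$ExternalResolver = '8.8.8.8'        # assumption: any resolver that is not the internal server

# 1. Internal copy of the public zone, dynamic updates off so LAN machines cannot
#    register themselves under the public name. On a DNS server that is not a DC,
#    replace -ReplicationScope Domain with -ZoneFile "$Zone.dns".
#    dnscmd: dnscmd /ZoneAdd company.com /DsPrimary
#            dnscmd /Config company.com /AllowUpdate 0
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain -DynamicUpdate None
}

# 2. Services that live on the SBS box (OWA, RPC over HTTP, VPN) resolve to the
#    internal NIC when asked from inside the LAN.
#    dnscmd: dnscmd /RecordAdd company.com office A 192.168.10.1
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'office' -IPv4Address $InternalIP -ErrorAction SilentlyContinue

# 3. Services hosted elsewhere must get the same public address the world sees.
#    Ask an outside resolver, because the internal server is authoritative for the
#    zone and will answer NXDOMAIN for any name it does not hold.
$publicWww = Resolve-DnsName -Name "www.$Zone" -Type A -Server $ExternalResolver -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' } |
             Select-Object -First 1 -ExpandProperty IPAddress
if (-not $publicWww) { throw "www.$Zone did not resolve to an A record via $ExternalResolver" }
#    dnscmd: dnscmd /RecordAdd company.com www A <public address found above>
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www' -IPv4Address $publicWww -ErrorAction SilentlyContinue

# 4. Check against the internal server: SBS-hosted names come back internal,
#    hosted-elsewhere names come back public, and neither returns NXDOMAIN.
function Test-SplitDns {
    param([string]$Server = $InternalIP)
    $office = (Resolve-DnsName "office.$Zone" -Type A -Server $Server -ErrorAction Stop).IPAddress
    $www    = (Resolve-DnsName "www.$Zone"    -Type A -Server $Server -ErrorAction Stop).IPAddress
    [pscustomobject]@{
        OfficeIsInternal = ($office -contains $InternalIP)
        WwwIsPublic      = ($www -contains $publicWww)
        WwwNotOnSbsBox   = ($www -notcontains $InternalIP)
    }
}
Test-SplitDns
```

The caveat this makes visible: the internal 'www' record is a manual copy of the hoster's address. If the hoster moves the site, the rest of the world follows the ISP's DNS while internal users break again, so the check in step 4 (or a comparison of the internal answer against the outside resolver's) is worth running whenever the site is moved.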
These articles are timeless... here we are still discussing it several years later.
Under 'Create the Internal Side of the Split DNS on the Internal Network DNS server' you state the first step is to create the isaexternal.com zone as an Active Directory Integrated Zone. Yet the example implies the DNS server is not a DC (the New Zone Wizard's 'Store in AD' is greyed out).
Is there any benefit to being in or not in the AD Integrated zone? Internally I run three AD/DCs; all are DNS servers (can't get enough redundancy, I guess).
In setting up a split DNS for an illegal TLD for use externally with TSWEB, does each internal host you wish to connect to have to be defined by hand in the external DNS server?
For users on the WWW to use TSWEB to get to their PCs from outside the corporate network (an illegal TLD), I have to be able to resolve names for hosts (PCs) within the internal network using the external legal domain name.
The article says that I need to create the internal side of the split DNS by creating a zone on the internal DNS server using the externally resolvable domain name and NOT allow dynamic updates. Therefore I am responsible for each host in this zone (A records). These A records could be WWW, OWA, RDP or, in this case, user PCs (again the goal is TSWEB access).
For the user to access his PC externally, that PC's host name must be resolvable via the external domain name on the internal DNS server (external zone) with the internal IP for that PC. Therefore I must add an A record for that PC in the zone created.
What if both PCs (or a whole network of PCs) in the illegal TLD are to be accessed via domain.com (1.1.1.1)?
For instance: internally we have PC1.domain.whatever, PC2.domain.whatever at 10.0.0.xxx; externally we have domain.com at 1.1.1.1.
Externally we want to resolve PC1.domain.com to PC1.domain.whatever.
Would the external DNS server (in our case our ISP) forward domain.com to 1.1.1.1?
The ISA would then resolve PC1.domain.com via the internal DNS server, using the split DNS zone created for domain.com, to an internal IP of 10.0.0.100, PC2.domain.com to 10.0.0.101, etc.
Do I then create a rule for each PC to be accessed via RDP?
The illegal TLD zone in DNS, stating PC1.domain.whatever at IP 10.0.0.100, would never be used from the outside.
The internal zone for domain.com (A record PC1.domain.com) does not transfer out, so network naming and structure are secure.
A side benefit: I would be able to access PC1, both internally and externally, by PC1.domain.com
(nothing is so simple I can't complicate the heck out of it...)
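The per-PC records the question above says must be kept by hand in the internal domain.com zone, as an added example that is not part of the thread or the article: it adds or re-points each PC's A record from a list (so a PC whose address changed does not end up with two A records), then locks the zone so that nothing can register into it dynamically and the host list cannot be pulled by zone transfer, which is the property the poster relies on when saying the zone "does not transfer out". The zone, host names and addresses are the question's own placeholders (PC1 at 10.0.0.100, PC2 at 10.0.0.101); the list itself is constructed here. DnsServer PowerShell module, Windows Server 2012 and later.

```powershell
# Added example, not the thread's or the article's own configuration.
# Maintains the hand-kept A records for an internal copy of a public zone and
# locks that zone against dynamic updates and zone transfers.

$Zone = 'domain.com'

# Constructed list: the internal PCs that must be reachable as <pc>.domain.com.
$Hosts = @(
    @{ Name = 'PC1'; IP = '10.0.0.100' },
    @{ Name = 'PC2'; IP = '10.0.0.101' }
)

foreach ($h in $Hosts) {
    # Assumes at most one A record per host name in this zone.
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $h.Name -RRType A -ErrorAction SilentlyContinue |
                Select-Object -First 1
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $h.Name -IPv4Address $h.IP
    }
    elseif ($existing.RecordData.IPv4Address.IPAddressToString -ne $h.IP) {
        # PC changed address: replace the record rather than adding a second one,
        # otherwise RDP would round-robin between the old and new addresses.
        $updated = $existing.Clone()
        $updated.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($h.IP)
        Set-DnsServerResourceRecord -ZoneName $Zone -OldInputObject $existing -NewInputObject $updated
    }
}

# Hand-maintained zone: no dynamic updates (a rogue LAN host cannot claim PC1's
# name) and no zone transfers (the PC naming scheme cannot be enumerated by AXFR).
Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate None -SecureSecondaries NoTransfer

# Audit: the two zone settings, plus every A record that points into RFC 1918
# space, i.e. the names that must never appear in the ISP's copy of the zone.
function Get-SplitZoneAudit {
    param([string]$ZoneName = $Zone)
    $z = Get-DnsServerZone -Name $ZoneName
    $a = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A | ForEach-Object {
        [pscustomobject]@{
            Host = $_.HostName
            IP   = $_.RecordData.IPv4Address.IPAddressToString
        }
    }
    [pscustomobject]@{
        DynamicUpdate     = $z.DynamicUpdate       # expect None
        SecureSecondaries = $z.SecureSecondaries   # expect NoTransfer
        PrivateHosts      = $a | Where-Object { $_.IP -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }
    }
}
Get-SplitZoneAudit
```

Two points worth noting. First, this only covers the DNS half of the question: each PC still needs whatever publishing or access rule the firewall requires, and that is independent of the records above. Second, because the zone does not accept dynamic updates, a PC that gets a new DHCP lease silently breaks until the list is re-run, which is why the loop re-points existing records instead of assuming they are still right.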
OK. Not too sure about JCI400's requirements, but I shall put down what I have got on the go; perhaps that will aid the matter:
Get the VPN running to your server correctly (i.e. correct external 'ISP' DNS entry for the public-facing URL/IP to point to the company server, I believe called Tsweb.domain.whatever), e.g. VPN to Tsweb.dyndns.org or a hypothetical 196.xxx.xxx.xxx public IP if you have one.
I use the split DNS mainly for the following:
* Want to use the same RDC settings internally and externally for all clientele;
* Want the client to use the same OWA address internally or externally should they require it;
* A single entry to enable RDP-over-HTTP will be required for those consultants with laptops floating in and out of the office (although I prefer to give Exchange access over VPN, more secure);
* Due to all this and the actual public IP listing on the internal DNS split pointing to the actual company web site (which sits on the external web server somewhere in the cloud)
Any machine used externally - in our case the client wanted to use a 'home PC' to access a work PC and continue with the company's 'Pastel' accounting books - can thus simply VPN to the Tsweb.domain.whatever server and then RDC to the user's PC in question (providing it was left on) and continue to invoice or whatever.
The user uses their UN and PW to VPN onto the server, enters their office PC IP address into RDC and of course their UN and PW again to gain access (we set the internal DHCP leases to 12 days to accommodate leave, etc., but haven't had a hitch with an incorrect IP yet - this can be changed as per personal preference). Also, do not forget to add the user to the "Mobile Users" (VPN access) group.
The only question that remains is the number of users that require this access concurrently. Currently only 3 are permitted in SBS 2003 - not sure re: SBS 2008 or Essential Business Server 2008. Anything more and I suggest running an additional member server behind your ISA with Windows 2003/2008 Standard Server and Terminal Services; that adds a whole new plethora of options.