Welcome to ISAserver.org

Discussion about article on ISA firewalls protecting illegal TLDs

Discussion about article on ISA firewalls protecting il... - 31.May2005 8:28:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on ISA firewalls protecting illegal TLDs at:

http://www.isaserver.org/tutorials/2004illegaltldsplitdns.html

HTH,
Tom

[ May 31, 2005, 08:33 AM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about article on ISA firewalls protectin... - 5.Jun.2005 3:52:00 AM   
PietjePuck

 

Posts: 3
Joined: 5.Jun.2005
From: Netherlands
Status: offline
Great article, but I maybe have an addition: an important reason not to have a split DNS zone is the hassle of managing the external hostnames, especially when there are a lot of hostnames involved (like www, mail, ftp etc.) and you only want to make a single hostname available through ISA. What I do: I create a new zone with a single host, except the host is the zone name (if I publish office.domain.com, I create a zone named office.domain.com). This frees me of the burden of managing the external hostnames but gives me the pleasure of the same hostname for internal and external use.

(in reply to tshinder)
Post #: 2
RE: Discussion about article on ISA firewalls protectin... - 5.Jun.2005 11:46:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi PietjePuck,

Nice tip!

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion about article on ISA firewalls protectin... - 14.Jun.2005 4:46:00 PM   
Guest
Thanks for this article. In the example, the company had an already existing Active Directory domain called isaserver.local. But if you were starting from scratch and installing AD, is there any advantage to having isaserver.local? In other words, why not just do the split domain setup for isaexternal.com and you only have 1 AD domain also called isaexternal.com?

(in reply to tshinder)
Post #: 4
RE: Discussion about article on ISA firewalls protectin... - 15.Jun.2005 6:42:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Anon,

Exactly. If you already have an existing domain, then do it right from the start and bag the .local, .lan, .whatever, and just do it right from the start.

Thanks!
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion about article on ISA firewalls protectin... - 22.Jun.2005 8:28:00 AM   
ajheywood

 

Posts: 3
Joined: 22.Jun.2005
Status: offline
I have a quick question (I think) about the best way to implement split dns in our case.

Currently our domain name for internal use is mycompany.local and we also have registered with our ISP mycompany.co.uk. The DNS for mycompany.co.uk is hosted by our ISP and I have, through their web interface, set up owa.mycompany.co.uk and a few others.

So if I want to have the internal clients access resources using the public name, I create a zone on my local DNS server for mycompany.co.uk, but do I make it a stub zone or a primary zone, as the zone will only ever be accessed by local users and is not publicly available?

(in reply to tshinder)
Post #: 6
RE: Discussion about article on ISA firewalls protectin... - 22.Jun.2005 10:22:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andy,

Create the mycompany.co.uk domain on your own DNS server, and create the host records that internal users should use to access internal resources.

If there are resources in the mycompany.co.uk domain that are located at external locations, then enter host records mapping to those external locations.

HTH,
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion about article on ISA firewalls protectin... - 2.Sep.2005 4:28:00 AM   
humorfox

 

Posts: 3
Joined: 2.Sep.2005
Status: offline
May I know if the split DNS may cause any DNS resolution issue on the ISA Server itself? See the following network diagram:

Internet - ISA - LAN

What is the recommendation to configure DNS Server for the ISA server? Should I configure the internal DNS server for both the internal NIC and the external NIC? Or should I configure the public DNS server on the external NIC and configure the internal DNS server on the internal NIC?

Thank you for your help.

(in reply to tshinder)
Post #: 8
RE: Discussion about article on ISA firewalls protectin... - 2.Sep.2005 8:49:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Cameron,

The ISA firewall should use the Internal DNS server and the internal DNS server is authoritative (responsible) for the internal side (internal zone) of the split DNS.

The internal interface of the ISA firewall should be on the top of the interface list, and ONLY the internal interface should have a DNS server configured on it. The external interface should NOT have a DNS server configured on it, and NO interface of the ISA firewall should ever have an external DNS server configured on it.

HTH,
Tom

(in reply to tshinder)
Post #: 9
RE: Discussion about article on ISA firewalls protectin... - 7.Sep.2005 8:12:00 PM   
Guest
I have a 2K SBS w\ ISA.

I have for months had the ISA running with the WAN interface being a modem, recently I moved to a broadband interface (via NIC#2).

Since then I have had the Server freeze multiple times requiring a reset, with no errors or logging.

The lockup only occurs when the interface is active (connected to the internet). When ISA is running along with everything else but the cable is disconnected no problem occurs.

I am assuming some type of DNS/Active Directory failure. Can a domain.com cause an issue with my domain.local simply by existing?

Thanks

(in reply to tshinder)
Post #: 10
RE: Discussion about article on ISA firewalls protectin... - 19.Sep.2005 5:00:00 AM   
djhuang

 

Posts: 2
Joined: 19.Sep.2005
From: Taiwan
Status: offline
Hello,

First, thanks for the great article you posted. It really helps a lot.
Second, I have a question about DNS configuration on the Exchange server.
We have one Exchange server acting as the primary mail server and providing
POP3, RPC/HTTP, OWA services to clients and replicating mails with other
sites via the intranet.
This mail server is also responsible for delivering mails to the Internet via
SMTP. I would like to ask how to set up the DNS for this Exchange server.
If I choose the internal DNS, then there's no way to resolve the Internet domain.
If I select the external DNS, the communication to GC/DC would fail
(it would try to get LDAP data from the Internet because the domain name of the remote office
is resolved to a public one).
The same thing happens if I point the DNS to the internal interface of the ISA server.

The Exchange server is attached to the internal network (1 subnet only) as well as
the DC/DNS server. But the default gateway is directed to the internal interface of
the ISA server (for SMTP mail delivery). A static route to the internal network is added
to compensate for the strange default gateway.

Any suggestions would be very appreciated.
Thank you.

djhuang

(in reply to tshinder)
Post #: 11
RE: Discussion about article on ISA firewalls protectin... - 20.Sep.2005 11:33:00 AM   
Anders

 

Posts: 19
Joined: 11.Apr.2002
From: Denmark
Status: offline
Assuming that you are using Exchange 2000 or 2003, you can configure the SMTP protocol with an address of an external DNS server. This way the Exchange server will use the internal DNS for anything but sending mail to the Internet.
If you are using Exchange 5.x (well, start upgrading), you can set up a smart host to get around the problem.

(in reply to tshinder)
Post #: 12
RE: Discussion about article on ISA firewalls protectin... - 20.Sep.2005 6:51:00 PM   
longman

 

Posts: 50
Joined: 7.Feb.2005
Status: offline
Another option is to configure a forwarder on your internal DNS servers, with the forwarder being the ISA server.

(in reply to tshinder)
Post #: 13
RE: Discussion about article on ISA firewalls protectin... - 12.Oct.2005 11:49:00 PM   
tad_braun

 

Posts: 101
Joined: 31.Dec.2003
Status: offline
Hello,

I tried this tip, and it seemed to work fine. We could access webmail.ourdomain.com from internal and external just fine, including FBA. But then internal people started calling in and saying they could not get to our www.ourdomain.com website hosted at an ISP. The website used www.ourdomain.com, and since there were no records other than the webmail.ourdomain.com record in the local DNS zone for ourdomain.com, the web request bombed out. To fix this, is it as simple as adding a second A record pointing to www.ourdomain.com and the external IP address?

(in reply to tshinder)
Post #: 14
RE: Discussion about article on ISA firewalls protectin... - 20.Nov.2005 8:18:17 PM   
m25man

 

Posts: 1
Joined: 20.Nov.2005
Status: offline
Tom,

An interesting article which helps me understand my own problem a little better (I think).

One of my clients (a school) has an internal domain name and a different FQDN; however, the internal domain name set up by a previous contractor is actually a legitimate TLD belonging to the previous contractor!!!!

So internally they are oldcontractorsdomainname.net and externally they are realschool.local-edauth.sch.uk

To add to the dilemma, the local school broadband consortium allocates IP addresses and port forwards from the Internet. Outbound requests are restricted and must be chained to the broadband provider's upstream proxy.

So the school has a single public IP which gets forwarded to the designated private IP pool and on to the ISA 2004 WAN NIC (10.1.1.1)

The internal network is 192.168.0.0

ISA 2004 was chosen for its ability to publish multiple web servers behind a single IP, which is fine, and I have grasped the principles of this by testing from the 10.1.1.0 LAN (effectively a DMZ)

Here is my problem, which I'm certain is DNS related and has so far proven to be difficult to fix. After reading your article several times I thought split DNS would solve the problem, but so far it is still proving a hard one to crack.

Rules based upon the URL incoming from the external clients should be redirecting them to the appropriate WebDAV server, but instead ISA returns a referral page from the chained upstream proxy with the message server#.school.net is not resolved.

So I know that the clients are being forwarded by the Education Authority firewall from the Internet to the ISA (external) 10.x.x. NIC, and it seems that ISA is working, trying to do what it is programmed to do, but is defeated by the internal DNS that of course believes it is supposed to be elsewhere!

Am I expecting too much from ISA to handle this ugly scenario! I'm now considering a domain rename as a simpler solution.

Geoff

(in reply to tshinder)
Post #: 15
RE: Discussion about article on ISA firewalls protectin... - 2.Feb.2006 11:21:07 AM   
trw2006

 

Posts: 1
Joined: 2.Feb.2006
Status: offline
Now I understand the split DNS. TY. While implementing the instructions in this article I found some discrepancies that happened while I configured my SBS 2003 server.

When entering host A records for the internal-side DNS, I noticed that checking "create pointer" resulted in an error message stating I could not do it because I had no reverse lookup zone related to the new forward zone. So I created them anyway without pointers. Is a reverse zone needed here? Hmm, I saw dozens of other posts elsewhere of stumped people too, not from your article though.

On the step where the new zone is created, "forward" type was not mentioned, but of course it was implied. Newbies like me need all the details. That's not a biggie, but not mentioning in the steps that under properties of the new zone, when created, "allow zone transfers" is checked by default, and that could be bad as I read. I only noticed it because I check over the properties on all this stuff, and some folks aren't so thorough.

4/5 stars on this and TY Tom for the great info. I enjoy and appreciate all your articles. TW

(in reply to m25man)
Post #: 16
RE: Discussion about article on ISA firewalls protectin... - 3.Feb.2006 12:53:39 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: Guest

I have a 2K SBS w\ ISA.

I have for months had the ISA running with the WAN interface being a modem, recently I moved to a broadband interface (via NIC#2).

Since then I have had the Server freeze multiple times requiring a reset, with no errors or logging.

The lockup only occurs when the interface is active (connected to the internet). When ISA is running along with everything else but the cable is disconnected no problem occurs.

I am assuming some type of DNS/Active Directory failure. Can a domain.com cause an issue with my domain.local simply by existing?

Thanks


Hi Guide,

Put a cheap broadband NAT device in front of the ISA firewall.

HTH,
Tom 

_____________________________

Thomas W Shinder, M.D.

(in reply to Guest)
Post #: 17
RE: Discussion about article on ISA firewalls protectin... - 3.Feb.2006 12:55:29 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: djhuang

Hello,

First, thanks for the great article you posted. It really helps a lot.
Second, I have a question about DNS configuration on the Exchange server.
We have one Exchange server acting as the primary mail server and providing
POP3, RPC/HTTP, OWA services to clients and replicating mails with other
sites via the intranet.
This mail server is also responsible for delivering mails to the Internet via
SMTP. I would like to ask how to set up the DNS for this Exchange server.
If I choose the internal DNS, then there's no way to resolve the Internet domain.
If I select the external DNS, the communication to GC/DC would fail
(it would try to get LDAP data from the Internet because the domain name of the remote office
is resolved to a public one).
The same thing happens if I point the DNS to the internal interface of the ISA server.

The Exchange server is attached to the internal network (1 subnet only) as well as
the DC/DNS server. But the default gateway is directed to the internal interface of
the ISA server (for SMTP mail delivery). A static route to the internal network is added
to compensate for the strange default gateway.

Any suggestions would be very appreciated.
Thank you.

djhuang


Hi DJ,

You should use an internal DNS server that is configured to resolve both internal and external names.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to djhuang)
Post #: 18
RE: Discussion about article on ISA firewalls protectin... - 3.Feb.2006 12:56:45 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: tad_braun

Hello,

I tried this tip, and it seemed to work fine. We could access webmail.ourdomain.com from internal and external just fine, including FBA. But then internal people started calling in and saying they could not get to our www.ourdomain.com website hosted at an ISP. The website used www.ourdomain.com, and since there were no records other than the webmail.ourdomain.com record in the local DNS zone for ourdomain.com, the web request bombed out. To fix this, is it as simple as adding a second A record pointing to www.ourdomain.com and the external IP address?


Hi Tad,

In that case you enter the appropriate IP addresses for the external resources, as mentioned in the article.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to tad_braun)
Post #: 19
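The resolution behaviour behind PietjePuck's tip (post #2) and tad_braun's www problem (post #14, answered in post #19), as an added model that is not code from the article or from any poster: a minimal resolver that answers from the most specific local zone it holds and forwards everything else, with constructed zone contents and documentation-range IP addresses. It also includes a check that lists which public names an internal zone silently hides.

```python
"""Model of split-DNS name resolution as seen by an internal client.

Constructed example: a local DNS server that is authoritative for some
zones and forwards every other name to the ISP resolver. All zone
contents and IP addresses below are hypothetical.
"""

NXDOMAIN = "NXDOMAIN"

# Constructed public records, as the ISP's DNS server would answer them.
ISP_VIEW = {
    "www.ourdomain.com": "203.0.113.10",      # website hosted at the ISP
    "webmail.ourdomain.com": "203.0.113.20",  # public IP of the ISA firewall
}

def longest_matching_zone(name, zones):
    """Return the most specific local zone that contains `name`, or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def resolve(name, local_zones, upstream=ISP_VIEW):
    """Resolve `name` the way the internal DNS server would.

    If a local zone is authoritative for the name, the answer comes only
    from that zone: a record missing there is NXDOMAIN, never forwarded.
    Names outside every local zone are forwarded to the upstream resolver.
    """
    zone = longest_matching_zone(name, local_zones)
    if zone is not None:
        return local_zones[zone].get(name, NXDOMAIN)
    return upstream.get(name, NXDOMAIN)

def missing_public_names(local_zones, public_view=ISP_VIEW):
    """Check: public names that internal clients can no longer resolve."""
    return sorted(n for n in public_view if resolve(n, local_zones) == NXDOMAIN)

# Case 1 (post #14): a local zone for the whole domain holding only the
# webmail record, so www disappears for internal clients.
WHOLE_DOMAIN_ZONE = {"ourdomain.com": {"webmail.ourdomain.com": "192.168.1.5"}}

# Case 2 (post #19): add an A record for each externally hosted resource.
WHOLE_DOMAIN_ZONE_FIXED = {"ourdomain.com": {
    "webmail.ourdomain.com": "192.168.1.5",
    "www.ourdomain.com": "203.0.113.10",
}}

# Case 3 (post #2): a zone named after the one published host, so every
# other name under ourdomain.com still reaches the ISP's records.
SINGLE_HOST_ZONE = {"webmail.ourdomain.com": {"webmail.ourdomain.com": "192.168.1.5"}}

if __name__ == "__main__":
    for label, zones in [("whole domain", WHOLE_DOMAIN_ZONE),
                         ("whole domain + www", WHOLE_DOMAIN_ZONE_FIXED),
                         ("single-host zone", SINGLE_HOST_ZONE)]:
        print(f"{label}: www -> {resolve('www.ourdomain.com', zones)}, "
              f"hidden public names: {missing_public_names(zones)}")
```

The single-host zone trades record upkeep for one extra zone per published host; the whole-domain zone needs every public record copied in, and the check above is what to run after each change to the ISP's zone.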
RE: Discussion about article on ISA firewalls protectin... - 3.Feb.2006 12:59:55 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: m25man

Tom,

An interesting article which helps me understand my own problem a little better (I think).

One of my clients (a school) has an internal domain name and a different FQDN; however, the internal domain name set up by a previous contractor is actually a legitimate TLD belonging to the previous contractor!!!!

So internally they are oldcontractorsdomainname.net and externally they are realschool.local-edauth.sch.uk

To add to the dilemma, the local school broadband consortium allocates IP addresses and port forwards from the Internet. Outbound requests are restricted and must be chained to the broadband provider's upstream proxy.

So the school has a single public IP which gets forwarded to the designated private IP pool and on to the ISA 2004 WAN NIC (10.1.1.1)

The internal network is 192.168.0.0

ISA 2004 was chosen for its ability to publish multiple web servers behind a single IP, which is fine, and I have grasped the principles of this by testing from the 10.1.1.0 LAN (effectively a DMZ)

Here is my problem, which I'm certain is DNS related and has so far proven to be difficult to fix. After reading your article several times I thought split DNS would solve the problem, but so far it is still proving a hard one to crack.

Rules based upon the URL incoming from the external clients should be redirecting them to the appropriate WebDAV server, but instead ISA returns a referral page from the chained upstream proxy with the message server#.school.net is not resolved.

So I know that the clients are being forwarded by the Education Authority firewall from the Internet to the ISA (external) 10.x.x. NIC, and it seems that ISA is working, trying to do what it is programmed to do, but is defeated by the internal DNS that of course believes it is supposed to be elsewhere!

Am I expecting too much from ISA to handle this ugly scenario! I'm now considering a domain rename as a simpler solution.

Geoff


Hi Geoff,

This scenario is a perfect example of the utility of a split DNS. Since your internal zone serves only internal clients, it doesn't matter who has registered your internal domain name, since your internal clients don't give a hoot about external zone entries for that domain name, and that includes the ISA firewall, since it will resolve your internal domain name to internal addresses.

Thanks for pointing out a fantastic example of why split DNS rocks!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to m25man)
Post #: 20
