I just installed ISA enterprise on my w2k3 network and I'm not able to get internet access on any of my client systems. I've done the following: Enabled intrusion detection and IP routing options. Configured the DHCP scope options for my secure NAT clients to use the IP of the ISA server as their gateway. Created client address sets for my client systems and servers. Created destination sets for my client systems and servers. Created a site & content rule to allow internet access on all destinations for my client and server systems. Created a protocol rule to allow internet access on all IP traffic for my client and server systems. This, I'm thinking, should've enabled internet access on my client and server systems, but it didn't. I have internet access on my ISA server but not on any of the other systems. Can someone tell me what I did wrong or what step I missed?
Keep in mind that a SecureNAT client must be able to do the DNS resolving for external FQDNs on its own. So, can you nslookup an external FQDN on a SecureNAT client? If not, do you have an internal DNS server with forwarders?
Unfortunately not. I get "DNS request timed out" when trying to nslookup bellsouth.net or anything external. I have forwarding configured as so:
Forwarders, DNS domain: All other DNS domains, bellsouth.net, tzo.com
Domain forwarder IP address list: 18.104.22.168 (Bellsouth IP), 22.214.171.124 (Bellsouth IP), 126.96.36.199 (TZO IP), 188.8.131.52 (TZO IP), 184.108.40.206 (TZO IP)
The scope options I have configured for DNS on the DHCP server are as follows: 192.168.1.x (internal DNS server), 220.127.116.11 (Bellsouth DNS server), 18.104.22.168 (Bellsouth DNS server), 22.214.171.124 (TZO DNS), 126.96.36.199 (TZO DNS), 188.8.131.52 (TZO DNS)
Either your SecureNAT clients should make use of the internal DNS server for external resolving (by forwarders), OR they do their own requests (by setting external DNS servers in the client config, e.g. as secondary DNS).
In either case, a Protocol Rule should be in place for either ALL clients or the internal DNS to do a DNS Query to the outside world.
1) configure the internal DNS server as a SecureNAT client. That means its default gateway should point to the ISA internal interface.
2) enable forwarders on your internal DNS server and specify there your ISP DNS servers. Also, make sure you check the "Do not use recursion" box.
3) create on ISA a client address set containing your internal DNS server.
4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.
5) create on ISA a *separate* site&content rule allowing access to any destination, or better to a destination set containing your ISP DNS servers, and apply it to the above created client address set.
Now, thoroughly test the DNS name resolving with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.
DNS Query uses the UDP protocol by default. This is used for normal queries. However, if a response can't fit into one single UDP packet - take note that the maximum payload is 512 bytes as defined by RFC1035 - the resolver must switch to the TCP protocol. Because this will always be the case for zone transfers, that terminology is used in ISA server.
Keep in mind that this is *not* the only case the TCP protocol will be used. This happens also very often with an MX record lookup. Moreover, I believe that the SMTP implementations by Microsoft (IIS and Exchange) always try to do the MX record lookups with the TCP protocol first.
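The UDP-then-TCP behaviour described in the two posts above, as an added example that is not code from the thread: a resolver sends the query over UDP, checks the TC (truncated) bit in the reply header, and repeats the query over TCP with the two-byte length prefix that DNS-over-TCP requires. The transports are injected as functions so the whole thing runs offline; `fake_udp` and `fake_tcp` are constructed stand-ins for a DNS server whose MX answer would not fit in 512 bytes, and `example.invalid` is a constructed name. This is the traffic pattern the separate "DNS Query" (UDP 53) and "DNS Zone Transfer" (TCP 53) protocol rules have to permit.

```python
"""DNS transport fallback per RFC 1035: query over UDP first; if the reply has the
TC (truncated) bit set, repeat the query over TCP. Transports are injected so the
example runs offline against constructed messages."""
import struct

UDP_MAX_PAYLOAD = 512                       # RFC 1035 section 4.2.1 UDP message limit
QTYPE_A, QTYPE_MX = 1, 15
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query: one question, recursion desired, class IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the fallback logic needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def needs_tcp_retry(udp_reply):
    """A response with TC set did not fit in UDP_MAX_PAYLOAD bytes: retry over TCP."""
    h = parse_header(udp_reply)
    return h["qr"] and h["tc"]


def frame_tcp(msg):
    """DNS over TCP prefixes every message with a two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream):
    """Split a TCP byte stream back into individual DNS messages."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[pos:pos + 2])
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs


def resolve(name, qtype, udp_send, tcp_send):
    """Send over UDP, fall back to TCP on truncation. Returns (reply, transport_used)."""
    query = build_query(name, qtype)
    reply = udp_send(query)
    if not needs_tcp_retry(reply):
        return reply, "udp"
    framed_reply = tcp_send(frame_tcp(query))
    return unframe_tcp(framed_reply)[0], "tcp"


# --- constructed fake transports standing in for a real DNS server (assumption) ---
def fake_udp(query):
    """Server whose answer exceeds 512 bytes: echoes the question with QR and TC set."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def fake_tcp(framed_query):
    """Same server over TCP: returns one constructed MX answer, length-framed."""
    query = unframe_tcp(framed_query)[0]
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    exchange = encode_name("mail.example.invalid")      # constructed exchange host
    rdata = struct.pack("!H", 10) + exchange             # preference 10, then exchange
    # name is a compression pointer (0xC00C) to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_MX, 1, 300, len(rdata)) + rdata
    reply = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + query[12:] + answer
    return frame_tcp(reply)


if __name__ == "__main__":
    reply, transport = resolve("example.invalid", QTYPE_MX, fake_udp, fake_tcp)
    print(transport, parse_header(reply))
```

To use it against a live server you would replace `fake_udp`/`fake_tcp` with functions that send the bytes to port 53 over UDP and TCP respectively; the fallback decision itself never changes, which is why blocking TCP 53 silently breaks exactly the large MX and other oversized responses the posts mention.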
Thanks for the detailed reply, but I'm still not having any luck getting internet access for my SecureNAT clients. I tried all of the steps mentioned below, including configuring a cache-only DNS server on the ISA server. I also tried using the quickstart guide but it didn't help. I ended up removing the DHCP server from my domain controller and setting it up on the ISA server, but nothing else worked in terms of allowing internet access for my SecureNAT clients. So I figure I must have internal DNS screwed up somewhere. I uninstalled ISA from this w2k3 server along with DNS. So right now I only have it acting as a DHCP server. I still have my DSL connection in place along with my internal and external adapters configured as follows:
Internal: 1st IP address: 192.168.1.x (static); Subnet: 255.255.255.0; Gateway: 0.0.0.0; DNS: 192.168.1.x (internal DNS server)
External: 2nd IP address: Obtain an IP...; DNS: 192.168.1.x (static, IP of ISA server)
If I connect to the internet I have internet access on this server. Yet if I attempt to ping any external resource, say www.msn.com, I get the following: "Pinging www.msn.com 184.108.40.206 with 32 .... Request timed out. Request timed out." This also happens if I try to ping the IP. From this server I'm able to access all internal network resources and nslookup internal resources. I'm just unable to ping or get any hits on external resources. I'd like to get this working before re-installing ISA and the cache-only server, so can anyone give me some refresher pointers on what I'm overlooking here? Thanks
If you got "Pinging www.msn.com 220.127.116.11 with 32 ...." as an answer to the ping command for 'www.msn.com', that means to me that the DNS resolving was working. How would ping otherwise be aware of the IP address '18.104.22.168'?
BTW --- I strongly suggest you put the internal DNS and DHCP service on the internal ADC where it belongs, NOT on the ISA server. However, placing an *extra* caching-only DNS service on ISA is a good solution.
The timeouts are what's confusing, and not being able to access the internet from any of my internal clients. I started with the DNS & DHCP servers residing on the same server, the domain controller, but changed it up after reading the DNS for ISA guide. Or maybe it was the quickstart guide. One suggested installing DHCP on the ISA server. My external interface is a 3COM Etherlink NIC that plugs directly into my Alcatel DSL modem. The internal interface is also a 3COM which plugs into a 3COM switch. I had no problems creating the connection and getting this to work. I've uninstalled ISA and removed the DNS service from the ISA server in hopes of starting over with the internal DNS server only. As of right now DNS is working fine, in that I'm able to nslookup external resources without any problems.
Hi Nube, if this is the same issue I am having, I have found a (kludged) workaround.
(I'm using 2k3svr for the internal DHCP & DNS and 2000svr for the ISA machine. My ISA is as its own workgroup, of which it is the sole member.)
I use DHCP to publish the default gateway, which sets the clients to using the ISA machine name (which is properly resolved by a manual entry in my internal DNS), but it sets the client machines to use port 80 rather than port 8080.
I haven't found out (yet) how to automatically set the appropriate port for my DHCP clients, so I have to manually configure the Internet Options control panel applet (using an admin profile) to use port 8080. (I pull up Internet Options using RunAs whilst one of the Domain Users is logged into the station.)
Once I do that, the SecureNAT clients can access the web without a difficulty.
Firewall clients obviously work immediately once the Firewall client is installed, as the client configures everything for itself.
PS. If anyone knows what I have misconfigured that means the DHCP gateway points to port 80 rather than port 8080, I'd be enormously grateful.
PPS. This 'solution' is obviously only really feasible in a small environment.
(EDIT: Hopefully Nube has fixed his problem; I hadn't realised his post was from January.)
[ September 23, 2004, 08:38 AM: Message edited by: Michael Flint ]