Announcement

Collapse
No announcement yet.

DNS problem on ISA 2006

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • DNS problem on ISA 2006

    Hi all
    I installed ISA 2006 behind DSL router with 3 NICs cards

    here is my Interface settings
    External 172.16.0.x
    perimeter 10.0.0.x
    internal 192.168.0.x


    I know you shouldn't configure DNS on your external NIC, however without them clients couldn't access internet. and the internet was slower
    should I install DNS service on ISA ?

    DO I need static route for perimeter and internal ???

  • #2
    Re: DNS problem on ISA 2006

    No and mabye?

    Tell me, how is your network configured?
    Have you a drawing?
    Can you post an IP config /all?
    How is your NIC Binding order?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    Comment


    • #3
      Re: DNS problem on ISA 2006

      Definite no to DNS on the ISA Server, maybe as Dumber says to the static routes although I would expect not if ISA is properly configured.

      http://blog.msfirewall.org.uk/2008/0...work-card.html is the best guide I have seen for how to properly configure your NICs for ISA. Upwards of 75% of weird DNS issues I have seen with ISA Servers have come from incorrect NIC configuration or incorrect binding order.
      BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
      sigpic
      Cruachan's Blog

      Comment


      • #4
        Re: DNS problem on ISA 2006

        I solved DNS problem
        I installed DNS service on ISA server cache-only, Enabled Forwarders, and added the IP addresses of the ISP DNS servers , on external and perimeter NICs configured DNS to use 127.0.0.1 its worked.

        but I have other problem my wireless clients cannot access to anything after I installed ISA, I tried static ip address same issue.

        its looks like for ISA wireless its not from internal network even with same ip range
        thanks in advance

        Comment


        • #5
          Re: DNS problem on ISA 2006

          We asked you some questions where you didn't gave an answer on.
          Again, please reply to our questions and remove the incorrect workaround you created.
          The more services you add the
          more vulnerable can your firewall become.

          I think you made some interesting choices. Althpough I know running the DNS services on ISA is supported by Microsoft I recommend you not to use this in a domain environment.
          Just think about authentication, finding DC's etc
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"

          Comment


          • #6
            Re: DNS problem on ISA 2006

            Agree 100% with Dumber, that is not fixed. That's a workaround and not a very sensible one IMO.

            With the exception of SBS 2003 Premium, ISA Server best practice is never to install anything other than ISA Server on your box. Without intending to be rude, why bother asking if you should install DNS on your ISA Server, have 2 people tell you not to, and then do it anyway? If nothing can access the internet without DNS Servers configured on the external NIC then I'm 100% certain that your NIC configuration is wrong, and correcting it will resolve the DNS issues.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
            sigpic
            Cruachan's Blog

            Comment


            • #7
              Re: DNS problem on ISA 2006

              It's supported if you choose for DNS isolation.
              http://technet.microsoft.com/en-us/l.../cc302590.aspx

              For the rest I agree with cruachan.
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"

              Comment


              • #8
                Re: DNS problem on ISA 2006

                okey I removed DNS service from ISA server its working fine, but still have web publishing and wireless clients no access to anything problem

                Windows IP Configuration

                Host Name . . . . . . . . . . . . : isaserver
                Primary Dns Suffix . . . . . . . : GLOBALONE.LOCAL
                Node Type . . . . . . . . . . . . : Unknown
                IP Routing Enabled. . . . . . . . : Yes
                WINS Proxy Enabled. . . . . . . . : No
                DNS Suffix Search List. . . . . . : GLOBALONE.LOCAL

                Ethernet adapter External:

                Connection-specific DNS Suffix . :
                Description . . . . . . . . . . . : ADMtek AN983 10/100 PCI Adapter
                Physical Address. . . . . . . . . : 00-08-A1-B0-21-8B
                DHCP Enabled. . . . . . . . . . . : No
                IP Address. . . . . . . . . . . . : 192.168.1.1
                Subnet Mask . . . . . . . . . . . : 255.255.255.0
                Default Gateway . . . . . . . . . : 192.168.1.2
                NetBIOS over Tcpip. . . . . . . . : Disabled

                Ethernet adapter Perimeter:

                Connection-specific DNS Suffix . :
                Description . . . . . . . . . . . : ADMtek AN983 10/100 PCI Adapter #2
                Physical Address. . . . . . . . . : 00-08-A1-BA-81-99
                DHCP Enabled. . . . . . . . . . . : No
                IP Address. . . . . . . . . . . . : 10.0.0.1
                Subnet Mask . . . . . . . . . . . : 255.0.0.0
                Default Gateway . . . . . . . . . :

                Ethernet adapter Internal:

                Connection-specific DNS Suffix . :
                Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
                Physical Address. . . . . . . . . : 48-5B-39-F0-91-98
                DHCP Enabled. . . . . . . . . . . : No
                IP Address. . . . . . . . . . . . : 192.168.0.75
                Subnet Mask . . . . . . . . . . . : 255.255.255.0
                Default Gateway . . . . . . . . . :
                DNS Servers . . . . . . . . . . . : 192.168.0.1
                192.168.0.2
                Last edited by mcse_696; 7th November 2010, 15:01.

                Comment


                • #9
                  Re: DNS problem on ISA 2006

                  Can't you make a "simple" drawing?
                  Marcel
                  Technical Consultant
                  Netherlands
                  http://www.phetios.com
                  http://blog.nessus.nl

                  MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                  "No matter how secure, there is always the human factor."

                  "Enjoy life today, tomorrow may never come."
                  "If you're going through hell, keep going. ~Winston Churchill"

                  Comment


                  • #10
                    Re: DNS problem on ISA 2006

                    We need to know where your wireless access point is in relation to your ISA Server, and also what device is sitting between the ISA Server and the internet.

                    ISA itself does NAT from External, so ideally it should have an external IP address so you are not going through 2 layers of NAT to the internet.
                    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                    sigpic
                    Cruachan's Blog

                    Comment

                    Working...
                    X