Hi Tom,

Do the queries from the external clients make it to the DNS server on the DMZ? When you put a DNS client on the segment that the external interface is connected to, do you see any response? Is IP Routing enabled on the ISA Server?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Tom Mendelboim [mailto:tomerm1@xxxxxxx]
Sent: Friday, February 14, 2003 12:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Issue

http://www.ISAserver.org

Tom and John,

I appreciate the help on this one. I've worked with ISA's for a long time and never ran into problems like this one. I tried creating the rules you suggested and it is a trihome environment. At this point I just want to resolve external addresses from my DNS which is on my DMZ. I can't even do that... I believe it's a routing issue within ISA and I opened a case with Microsoft. They are puzzled as well since it "should" work... I will update the group on this one.

Thanks,
Tom

> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> Date: 2003/02/14 Fri PM 01:10:02 EST
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Subject: [isalist] RE: DNS Issue
>
> Hi Tom,
>
> It sounds like you want to put your public DNS server on the trihomed,
> public address DMZ segment.
>
> You need to create packet filters to allow:
>
> Source any
> Destination TCP 53
>
> Source any
> Destination UDP 53
>
> A dynamic packet filter will allow the DNS servers to respond to the
> clients.
>
> The DNS server on the DMZ should be an "advertiser", so that it only
> answers for names that it's authoritative for. It should not be able to
> perform recursion. I'm pretty sure I have the details of that config in
> the second book. If not, they are in the split DNS article over at
> www.isaserver.org/shinder
>
> HTH,
> Tom
>
> Thomas W Shinder
> www.isaserver.org/shinder
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
>
> -----Original Message-----
> From: tomerm1@xxxxxxx [mailto:tomerm1@xxxxxxx]
> Sent: Thursday, February 13, 2003 2:00 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] DNS Issue
>
> Hello Group!
>
> I'm working on a test ISA using three home DMZ configuration. (see chart
> at: http://members.cox.net/tomerm1/ ) I read both ISA books and can't
> find proper configuration to get DNS to resolve names. My ISA DNS
> settings point to both Internal and External DNS (on the local
> interface). My Internal DNS has a forwarder that points to the External DNS
> which is configured as default installation. My internal DNS is AD
> integrated and I removed all root hints from AD. I cannot resolve from
> either Internal clients using SNAT or the External DNS server. Even the
> ISA would not resolve. I tried several packet filter rules with no
> luck.
>
> Does anyone know what packet filters I need to get it working???
>
> Thank you all,
>
> Tom
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/
> Windows Security Resource Site: http://www.windowsecurity.com/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
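
The thread raises two checks for the DMZ DNS server: whether a query on UDP 53 gets any response at all, and whether the server performs recursion for names it is not authoritative for. The Python below is an added example, not part of the original messages; the function names, query ID and sample replies are constructed for illustration, and `probe` assumes you run it from a client on the external segment against your own server.

```python
import socket
import struct

def build_query(name, qid=0x1A2B):
    """DNS A/IN query with RD (recursion desired) set, as a stub resolver sends."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def classify(reply, qid=0x1A2B):
    """Classify the reply to a query for a name the server is NOT authoritative for."""
    if reply is None:
        return "no-response"            # dropped in or out: check packet filters/routing
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", reply[:12])
    if rid != qid or not flags & 0x8000:    # wrong ID or QR bit clear
        return "malformed"
    ra, rcode = bool(flags & 0x0080), flags & 0x000F
    if ra and rcode == 0 and ancount > 0:
        return "recursion-performed"    # server resolved an outside name for us
    if ra:
        return "recursion-available"    # RA advertised although no answer came back
    if rcode == 5:
        return "refused"                # expected from an advertiser-only server
    if rcode == 0 and ancount == 0:
        return "referral-or-empty"      # also acceptable: no recursion was done
    return "other-rcode-%d" % rcode

def probe(server, name, timeout=3.0):
    """Send the query over UDP 53 and classify what comes back (live check)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except OSError:                 # timeout or ICMP-triggered reset
            reply = None
    return classify(reply)

def sample(flags, ancount, qid=0x1A2B):
    """Constructed reply header; the 12-byte header is all classify() inspects."""
    return struct.pack("!6H", qid, flags, 1, ancount, 0, 0)

SAMPLES = {                             # constructed, not captured traffic
    "advertiser refuses": sample(0x8105, 0),   # QR, RD echoed, RCODE=REFUSED
    "open resolver": sample(0x8180, 1),        # QR, RD, RA, one answer
    "referral": sample(0x8100, 0),             # QR, RD, no RA, no answers
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify(raw))
```

A `no-response` result points at the packet filters or routing rather than at DNS itself; `recursion-performed` or `recursion-available` means the server is not yet limited to the advertiser role described in the thread.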