As soon as you said routing issue a light bulb came on. Do you have the subnets configured properly? A trihomed must have properly configured subnets and routes. John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com > -----Original Message----- > From: Tom Mendelboim [mailto:tomerm1@xxxxxxx] > Sent: Friday, February 14, 2003 10:39 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: DNS Issue > > http://www.ISAserver.org > > > Tom and John, > > I appreciate the help on this one. I've worked with ISA's for a long time and never > ran into problems like this one. I tried creating the rules you suggested and it is a > trihome environment. At this point I just want to resolve external addresses from my > DNS which is on my DMZ. I can't even do that... I believe it's a routing issue within > ISA and I opened a case with Microsoft. They are puzzeled as well since it "should" > work... > > I will update the group on this one. > > Thanks, > > Tom > > > > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> > > Date: 2003/02/14 Fri PM 01:10:02 EST > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > > Subject: [isalist] RE: DNS Issue > > > > http://www.ISAserver.org > > > > > > Hi Tom, > > > > It sounds like you want to put your public DNS server on the trihomed, > > public address DMZ segment. > > > > You need to create packet filters to allow: > > > > Source any > > Destination TCP 53 > > > > Source any > > Destination UDP 53 > > > > A dynamic packet filter will allow the DNS servers to respond to the > > clients > > > > The DNS server on the DMZ should be an "advertiser", so that it only > > answers for names that its authoritative for. It should not be able to > > perform recursion. I'm pretty sure I have the details of that config in > > the second book. If not, they are in the split DNS article over at > > www.isaserver.org/shinder > > > > HTH, > > Tom > > > > Thomas W Shinder > > www.isaserver.org/shinder > > ISA Server and Beyond: http://tinyurl.com/1jq1 > > Configuring ISA Server: http://tinyurl.com/1llp > > > > > > -----Original Message----- > > From: tomerm1@xxxxxxx [mailto:tomerm1@xxxxxxx] > > Sent: Thursday, February 13, 2003 2:00 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] DNS Issue > > > > > > http://www.ISAserver.org > > > > > > Hello Group! > > > > I'm working on a test ISA using three home DMZ configuration. (see chart > > at: http://members.cox.net/tomerm1/ ) I read both ISA books and can't > > find proper configuration to get DNS to resolve names. My ISA dns > > settings point to both Internal and External DNS (on the local > > interface). My Internal DNS has a forwarder points to the External DNS > > which is configured as default installation. My internal DNS is AD > > integrated and I removed all root hints from AD. I cannot resolve from > > either Internal clients using SNAT or the External DNS server. Even the > > ISA would not resolve. I tried several packet filters rules with no > > luck. > > > > Does anyone know what packet filters I need to get it working??? > > > > Thank you all, > > > > Tom > > > > > > ------------------------------------------------------ > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > ------------------------------------------------------ > > Exchange Server Resource Site: http://www.msexchange.org/ > > Windows Security Resource Site: http://www.windowsecurity.com/ > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org Discussion List as: > > tshinder@xxxxxxxxxxxxxxxxxx > > To unsubscribe send a blank email to $subst('Email.Unsub') > > > > ------------------------------------------------------ > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > ------------------------------------------------------ > > Exchange Server Resource Site: http://www.msexchange.org/ > > Windows Security Resource Site: http://www.windowsecurity.com/ > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org Discussion List as: > tomerm1@xxxxxxx > > To unsubscribe send a blank email to $subst('Email.Unsub') > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Exchange Server Resource Site: http://www.msexchange.org/ > Windows Security Resource Site: http://www.windowsecurity.com/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > isalist@xxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub')