Hi Tom, The router does need to know about your DMZ segment. Otherwise, it would not know how to route packets to that network ID. That's why we needed to know about the details of your network traces! Good to hear you got it working, thanks for the follow up! Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Tom Mendelboim [mailto:tomerm1@xxxxxxx] Sent: Saturday, February 15, 2003 1:29 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: DNS Issue http://www.ISAserver.org Tom and John, I got it!!! John, you are the man!! The problem was my router. I did not have it configured to route packets to the correct subnet! The bizarre part of it is that the external interface of the ISA did not show any packets trying to go out. Once I made the router change, I could see the packets going. Does ISA supposed to do that??? Anyway, thank you all for all the help! Tom -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Friday, February 14, 2003 10:17 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: DNS Issue http://www.ISAserver.org Tom, Please do not use ping to confirm connectivity. Please put a client on the segment on the network connected to the external interface, and try to query the DNS server on the DMZ. Run netmon on the DNS server on the DMZ and the client on the external network. That is the ONLY way you can accurately troubleshooting the situation. HTH, Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Tom Mendelboim [mailto:tomerm1@xxxxxxx] Sent: Friday, February 14, 2003 4:11 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: DNS Issue http://www.ISAserver.org When I put the DNS server on the Internet I can resolve everything... Nothing if it's on the DMZ. I even follow exact steps in your new book just to verify pings (p.82-86) and still don't get responses... I can ping from the ISA the DNS on the DMZ but I cannot ping anything from the DNS on the DMZ. Something very strange is happening... Tom > > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> > Date: 2003/02/14 Fri PM 02:07:39 EST > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > Subject: [isalist] RE: DNS Issue > > http://www.ISAserver.org > > > Hi Tom, > > Do the queries from the external clients make it to the DNS server on > the DMZ? When you put a DNS client on the segment that the external > interface is connected to, do you see any response? > > Is IP Routing enabled on the ISA Server? > > Thanks! > Tom > > Thomas W Shinder > www.isaserver.org/shinder > ISA Server and Beyond: http://tinyurl.com/1jq1 > Configuring ISA Server: http://tinyurl.com/1llp > > > -----Original Message----- > From: Tom Mendelboim [mailto:tomerm1@xxxxxxx] > Sent: Friday, February 14, 2003 12:39 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: DNS Issue > > > http://www.ISAserver.org > > > Tom and John, > > I appreciate the help on this one. I've worked with ISA's for a long > time and never ran into problems like this one. I tried creating the > rules you suggested and it is a trihome environment. At this point I > just want to resolve external addresses from my DNS which is on my DMZ. > I can't even do that... I believe it's a routing issue within ISA and I > opened a case with Microsoft. They are puzzeled as well since it > "should" work... > > I will update the group on this one. > > Thanks, > > Tom > > > > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> > > Date: 2003/02/14 Fri PM 01:10:02 EST > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > > Subject: [isalist] RE: DNS Issue > > > > http://www.ISAserver.org > > > > > > Hi Tom, > > > > It sounds like you want to put your public DNS server on the trihomed, > > public address DMZ segment. > > > > You need to create packet filters to allow: > > > > Source any > > Destination TCP 53 > > > > Source any > > Destination UDP 53 > > > > A dynamic packet filter will allow the DNS servers to respond to the > > clients > > > > The DNS server on the DMZ should be an "advertiser", so that it only > > answers for names that its authoritative for. It should not be able to > > perform recursion. I'm pretty sure I have the details of that config > in > > the second book. If not, they are in the split DNS article over at > > www.isaserver.org/shinder > > > > HTH, > > Tom > > > > Thomas W Shinder > > www.isaserver.org/shinder > > ISA Server and Beyond: http://tinyurl.com/1jq1 > > Configuring ISA Server: http://tinyurl.com/1llp > > > > > > -----Original Message----- > > From: tomerm1@xxxxxxx [mailto:tomerm1@xxxxxxx] > > Sent: Thursday, February 13, 2003 2:00 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] DNS Issue > > > > > > http://www.ISAserver.org > > > > > > Hello Group! > > > > I'm working on a test ISA using three home DMZ configuration. (see > chart > > at: http://members.cox.net/tomerm1/ ) I read both ISA books and can't > > find proper configuration to get DNS to resolve names. My ISA dns > > settings point to both Internal and External DNS (on the local > > interface). My Internal DNS has a forwarder points to the External DNS > > which is configured as default installation. My internal DNS is AD > > integrated and I removed all root hints from AD. I cannot resolve from > > either Internal clients using SNAT or the External DNS server. Even > the > > ISA would not resolve. I tried several packet filters rules with no > > luck. > > > > Does anyone know what packet filters I need to get it working??? > > > > Thank you all, > > > > Tom > > > > > > ------------------------------------------------------ > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > ------------------------------------------------------ > > Exchange Server Resource Site: http://www.msexchange.org/ > > Windows Security Resource Site: http://www.windowsecurity.com/ > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org Discussion List as: > > tshinder@xxxxxxxxxxxxxxxxxx > > To unsubscribe send a blank email to > $subst('Email.Unsub') > > > > ------------------------------------------------------ > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > ------------------------------------------------------ > > Exchange Server Resource Site: http://www.msexchange.org/ > > Windows Security Resource Site: http://www.windowsecurity.com/ > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org Discussion List as: > tomerm1@xxxxxxx > > To unsubscribe send a blank email to > $subst('Email.Unsub') > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Exchange Server Resource Site: http://www.msexchange.org/ > Windows Security Resource Site: http://www.windowsecurity.com/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Exchange Server Resource Site: http://www.msexchange.org/ > Windows Security Resource Site: http://www.windowsecurity.com/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: tomerm1@xxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tomerm1@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')