RE: Direct Access Issues w/SurfControl

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 13 Dec 2005 09:52:44 -0500

This sounds like a potentially extremely complex setup.  (One could
almost refer to it as a split-split DNS! *grin*)

A little less than half of our network resides on that other subnet, so
it is definitely not small.  It is all part of one AD Domain, and I
really hesitate to split it into multiple Domains.  Due to the slow
speed of our WAN, each of our outer buildings has their own Domain
Controller, and each Domain Controller has an AD-Integrated DNS Server.
Each DC/DNS is set to look back to the PDC (and DC1) for upstream
resolution, and those servers are set to resolve names not in our local
network, creating the Split DNS.

Here is a rough diagram of the network structure:

Internet
 |
 |
ISA--->10.20.1.1--->PDC
 |             |
 |             |--->DC2
 |
 |---->10.6.254.90--->10.6.8.x--->DC3
                 |
                 |--->10.6.9.x--->DC4
                 |
                 |--->10.6.10.x--->DC5
                 |
                 |--->10.6.12.x--->DC6
                 |
                 |--->10.6.14.x--->DC7
                 |
                 |--->10.6.15.x--->DC8
                 
Right now it is configured as one big network, the Internal networks are
in "route" mode between them, and there is a firewall policy that allows
"All Protocols" to pass between those two subnets (come to think of it
though, I should move that to a higher precedence).

As it is currently configured, it works, for the most part.  The only
problem appears to be the Auto-Configure feature to configure sites for
Direct Access.  Without that feature working, all web browsing
(including our local webserver, OWA, and Grading server) pass through
the Web Proxy service.  This isn't a "really" bad thing, but since
SurfControl is thrown into the mix, it messes everything up.

Since everything on the Internal Network is working with the DNS, the
only issue really in question is the DNS resolution of the ISA server.
If I forced a modified host file out to those workstations would that
override the DNS server?


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Monday, December 12, 2005 11:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Direct Access Issues w/SurfControl

http://www.ISAserver.org

Hi Dan,

The Web proxy configuration will work, if you fudge by creating a split
DNS to support your second internal Network hosts. However, it can be
tricky, depending on what you want the hosts on the second internal
network to access on the other internal network, because the split DNS
zone (which I usually put on the ISA firewall) won't be a secondary to
the main zone -- it will need to be separate and distinct, because that
array name must resolve to the local Web proxy listener for the other
internal network. The firewall client will work fine, IF you allow the
LDAP protocols from the second internal Network into the first internal
Network (assuming that the first Internal Network hosts the DCs).

If the second internal Network is small and doesn't have that many hosts
that require authentication, you can always mirror the accounts, but I
prefer not to do that, because I lose too many of the advantages that
Active Directory provides.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> Sent: Monday, December 12, 2005 9:55 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
> 
> I queried the server to see what was actually being sent to the
> workstations, and they "appear" to be correct.
> 
> When I query http://10.20.1.1/wpad.dat (local subnet), I get a
> configuration script matching the settings on the Network in the ISA
> server.  When I query http://10.20.1.1/wspad.dat I get the firewall
> version of this file, with the appropriate settings for that Network
> also.  When I query 
> http://10.20.1.1:8080/array.dll?Get.Routing.Script,
> I get a duplicate of the wpad.dat file, all seems good.
> 
> When I query the same files using the 10.6.254.90 address instead
> (Remote subnet), I get basically the same files, but the settings in
> them match the settings for the remote subnet, which they should, so I'm
> at a loss for what is causing the troubles.  I made some changes in the
> network properties, and when I re-queried the scripts, the changes
> showed up on the appropriate network.
> 
> Since I was having problems with the DNS wpad designation, I set
> everything up to use IPs instead.  The only place I see referencing a
> hostname is the wpad.dat/getarray file, where it says:
> 
> DirectNames=new MakeNames();
> cDirectNames=3;
> HttpPort="8080";
> cNodes=1;
> function MakeProxies(){
> this[0]=new Node("gateway.MAPSNET.ORG",0,1.000000);
> }
> 
> I'm not sure what this function does, but I'm wondering if it resolves
> this hostname to the wrong subnet if that might be the cause.
> 
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Monday, December 12, 2005 9:58 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Direct Access Issues w/SurfControl
> 
> Hi Dan,
> 
> Indeed. The autoconfig script is going to be the pain point for all but
> one network, because there is only one autoconfig script maintained by
> the ISA firewall, so if they try to connect to the Web proxy listener
> that isn't local to their ISA firewall Network, then the connection
> attempt will fail. I tried publishing the Web listener on the non-local
> Network to the local Network, but no workie. I might try it again just
> for fun, though.
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > Sent: Monday, December 12, 2005 2:26 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Direct Access Issues w/SurfControl
> > 
> > Stefaan, I went through your article quite thoroughly, and it clarified
> > many things for me, thanks.  I decided to put these settings in place
> > here, and have had mixed results.
> > 
> > The difficulties seem to arise because I have multiple internal networks
> > on my ISA server.  I enabled the "Use automatic configuration script"
> > option on both of these internal networks, but only one seems to be
> > working well.
> > 
> > On one of the subnets, when I have that option enabled, I watched the
> > logs and saw that instead of using the web proxy, it is trying to access
> > the external site directly using Port 80.  When I disable that option,
> > it goes through the web proxy like it should.  However, I tried another
> > computer on that same subnet, and everything worked perfectly, so it just
> > doesn't make sense.
> > 
> > I've retrieved all the wpad.dat and wspad.dat files from both internal
> > networks, and they appear to be correct.  Any ideas?
> > 
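
Added example (not part of the thread, and not ISA's own generated wpad.dat): a PAC-style FindProxyForURL that illustrates the two things the thread is wrestling with, a Direct Access list that bypasses the Web proxy and a per-subnet choice of Web proxy listener, using the two listener addresses from the thread. The /16 masks, the "*.mapsnet.org" direct-name pattern and the explicit clientIp parameter (standing in for the PAC built-in myIpAddress()) are assumptions; the PAC helpers isInNet and shExpMatch are normally supplied by the browser and are reimplemented here so the file runs stand-alone under Node.

```javascript
// Dotted-quad IPv4 string to unsigned 32-bit integer.
function ip2int(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) | parseInt(o, 10), 0) >>> 0;
}

// Minimal stand-in for the PAC built-in isInNet(): is `ip` inside net/mask?
function isInNet(ip, net, mask) {
  return (ip2int(ip) & ip2int(mask)) === (ip2int(net) & ip2int(mask));
}

// Minimal stand-in for the PAC built-in shExpMatch(): `*` and `?` wildcards,
// case-insensitive, everything else matched literally.
function shExpMatch(str, pattern) {
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*")
                          .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// Direct Access names: constructed sample patterns, not values from the thread.
// Hosts matching these are reached directly instead of via the Web proxy.
const DIRECT_NAMES = ["*.mapsnet.org", "10.*"];

// One Web proxy listener per ISA internal Network. Listener addresses come from
// the thread; the /16 masks are an assumption about the two subnets.
const LISTENERS = [
  { net: "10.20.0.0", mask: "255.255.0.0", proxy: "PROXY 10.20.1.1:8080" },
  { net: "10.6.0.0",  mask: "255.255.0.0", proxy: "PROXY 10.6.254.90:8080" },
];

// clientIp replaces myIpAddress() so the selection logic can be tested offline.
function FindProxyForURL(url, host, clientIp) {
  // Direct Access check first: local servers never touch the proxy.
  if (DIRECT_NAMES.some(p => shExpMatch(host, p))) return "DIRECT";
  // Otherwise hand the client the listener that is local to its subnet.
  for (const l of LISTENERS) {
    if (isInNet(clientIp, l.net, l.mask)) return l.proxy;
  }
  return "DIRECT"; // client is on a subnet with no listener: go direct
}
```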

