FW: Firewall client / DNS problem
- From: Andrew Dadmun <adadmun@xxxxxxxxxxxxx>
- To: "'isalist@xxxxxxxxxxxxx'" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 29 Nov 2001 11:25:43 -0500
2nd try at posting this. Lyris rejected the first for some unknown reason.
> -----Original Message-----
> From: Andrew Dadmun
> Sent: Thursday, November 29, 2001 11:11 AM
> To: 'isalist@xxxxxxxxxxxxx'
> Subject: Firewall client / DNS problem
>
> Hi
>
> RE: ISA Enterprise on Win2K server SP2 with latest hot fixes for Win2K
> and ISA. This ISA server also serves as a PPTP server.
>
> I thought I'd give this list a try before I call MS PSS. We have a couple
> of application/web servers in our DMZ (perimeter) that we use one at a
> time. When we want to make one live, we merely switch our DNS. The TTL
> on the DNS is low - 600 seconds. This allows us to update code on the
> non-live server and then make it active by switching the DNS. That's all
> fine to the external world - it works great. However, we have discovered
> a problem with internal users who use the firewall client. Those internal
> users get the wrong IP address. They get the old IP address after the DNS
> update. Even after waiting the 600 seconds. Even after much longer. If
> they disable the firewall client, they get the correct IP address
> immediately. If they re-enable the firewall client, they again get the
> old address.
>
> I have confirmed this on my own PC. With the firewall client enabled, if
> I ping (or http browse) the FQDN, I get the wrong address. If I do an
> nslookup from my PC to the DNS server, I get the correct IP address.
>
> Another aspect of this that is strange - if I go to the ISA server's
> console I get the correct IP address. So, the ISA server, external users,
> and users with the firewall client disabled (or not installed) all get the
> correct information. Only users with the firewall client installed get
> the wrong info.
>
> Can anyone shed some light on this problem? I have done a pretty
> extensive search on groups.google.com and I haven't found the solution
> yet. Let me know if you need more info.
>
> Regards,
> Andrew Dadmun <> Senior Network Engineer
> e-Builder, Inc. http://www.e-builder.net
> Voice: 352-384-2940 <> Fax: 352-380-0352
>
>