Re: How do IE & ISA use DNS...?

  • From: "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 29 Sep 2003 09:40:59 +0200

Just dropping in for a quick comment (leaving the work for Jim of course
:) 

I have had a similar problem which I resolved by putting my internal DNS
on the external NIC configuration. So any lookups went to my internal
DNS. Worked fine for me. 

Cheers 
Mark

> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
> Posted At: Monday, September 29, 2003 9:32 AM
> Posted To: www.isaserver.org
> Conversation: [isalist] Re: How do IE & ISA use DNS...?
> Subject: [isalist] Re: How do IE & ISA use DNS...?
> 
> 
> http://www.ISAserver.org
> 
> 
> Jim,
> 
> In the article 
> (http://www.isaserver.org/tutorials/ISA_Clients__Part_1__General_ISA_Server_Configuration.html)
> I find the following excerpt:
> 
> <The correct IP settings for your ISA server are absolutely 
> critical. At the very least, you have to provide a DNS server 
> for ISA to resolve external FQDN on behalf of Web Proxy and 
> Firewall clients>
> 
> Does this imply that I need to set up DNS Server settings on 
> the External NIC? ('cause I currently do not...)
> 
> My DNS setup is such that my 2 official DNS servers have 
> access to query/forward externally, and my ISA's internal NIC 
> is set up to look at my 2 DNS Servers, but there are no 
> settings on the external NIC. Is this OK?
> 
> What I am also thinking is that if ISA is somehow trying to 
> do lookups for web clients, then that is a problem for me 
> because I need to access a "private FQDN" that is hosted in 
> my own DNS, but if ISA is resolving these requests then it is 
> going to retrieve the "public FQDN" which is going to be 
> incorrect for my specific scenario (I access the site in 
> question via a private WAN link, not via the public Internet 
> connection)
> 
> In light of this, do you think that I can disable the default 
> DNS Packet Filter?
> 
> Cheers
> William R.
> 
> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
> Sent: 29 September 2003 08:48 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How do IE & ISA use DNS...?
> 
> 
> Shweet. I've implemented the suggestions in the ISA Clients - 
> Part 1, will do some testing today.
> 
> BTW, what is DFW?
> 
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
> Sent: 26 September 2003 18:17 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How do IE & ISA use DNS...?
> 
> 
> Don't feel bad; it took me awhile to sort it all out, too.
> Then it took me a few weeks to make it look like it made 
> sense in a series of articles. Then it took Tom about an hour 
> to discuss it while I wasted time at DFW...
> 
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG  http://www.microsoft.com/isaserver
>  http://isaserver.org/Jim_Harrison
>  http://isatools.org
> 
>  Read the help, books and articles!
> ----- Original Message ----- 
> From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, September 26, 2003 06:37
> Subject: [isalist] Re: How do IE & ISA use DNS...?
> 
> 
> 
> Uuuhhh, ok... it'll take me a while to process everything you 
> just said, but thanks anyway :)
> 
> Will also check the articles you mention...
> 
> Cheers
> William R.
> 
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: 26 September 2003 15:36 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How do IE & ISA use DNS...?
> 
> 
> That's where it gets fun.
> 
> - If you use the proxy settings without having the FW client 
> installed and the LAT host does not have a direct route 
> through ISA, IE is strictly a web proxy client
> 
> - If you use the proxy settings with the FW client without a 
> direct route through the ISA, then you're a 
> web-proxy-firewall client.  Remember; all traffic flows 
> through the FW client, because it layers itself on top of 
> Winsock.  It understands when someone wants to speak directly 
> with the ISA outgoing web requests listener as a web proxy 
> client (because that information is part of the mspclnt.ini 
> file) and lets that flow through unimpeded
> 
> - If you use the proxy settings with the FW client with a 
> direct route through the ISA, then you're a 
> web-proxy-firewall-secureNAT client.  This doesn't change 
> much in this particular context, but another "web" app that 
> doesn't understand how to form proxy requests (your typical 
> java app) then becomes a firewall-secureNAT client.
> 
> - If you're crossing a nasty bridge on a foggy day and a 
> scraggly, blind, stinking old man queries you for your name, 
> quest and favorite color, then you're a 
> true-geek-web-proxy-firewall-secureNAT client
> 
> Check out my client articles at www.isaserver.org.  The first 
> one discusses the web proxy and firewall DNS caches and how 
> to control them.  Remember; they depend on the underlying 
> Windows name resolution functionality (also described in that 
> article).
> 
> 
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> 
> 
> On Fri, 26 Sep 2003 15:05:31 +0200
>  "William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:
> 
> 
> Thanks for that Jim
> 
> But what if I am configured as all 3 clients... I.e. My IE 
> Proxy settings are set to use ISA, and I have the FW Client 
> installed, and my default gateway is set to use ISA... Which 
> of the 3 will take precedence?
> 
> Also, can you try and think of a reason why my scenario could 
> be happening, given my current DNS config (which I believe is 
> configured 100% according to all the articles on the 
> isaserver.org website). I mean, what is the W3Proxy DNS 
> cache, and how do I "fix" it...
> 
> Cheers
> William R.
> 
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: 26 September 2003 14:59 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: How do IE & ISA use DNS...?
> 
> 
> There are three answers to this:
> 
> * IE as WP client:
>   IE defers to ISA for all name resolution (CERN proxy 
>   requests), which proceeds like:
>   - w3proxy DNS cache, Windows name resolution process
> 
> * IE as FW client:
>   IE performs its own name resolution with the help of fwsrv, 
>   which proceeds like:
>   - fwsrv DNS cache, Windows name resolution process
> 
> * IE as SecureNAT client:
>   IE performs its own name resolution:
>   - Windows name resolution process
> 
> It's not specific to IE, but operates like this for any 
> CERN-aware app.
> 
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> 
> 
> On Fri, 26 Sep 2003 14:03:55 +0200
>  "William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:
> 
> 
> Hi there
> 
> 
> 
> I have a WAN link to a parent company who hosts a server 
> which I wish to access via the WAN link as opposed to the 
> slow public internet connection. All the routers have been 
> configured to route traffic via the WAN link instead of via 
> the internet.
> 
> 
> 
> I now host a secondary DNS zone to my parent company in which 
> the private IP Address of the web server is listed, and when 
> I do an NSLOOKUP, TRACERT, PING etc I always connect via the 
> private IP Address over the WAN link.
> 
> 
> 
> But when I try to use Internet Explorer to access the website 
> I essentially get timeouts and can never connect to the 
> actual website. My theory now is that when I try to access 
> the website, my Internet Explorer (along with ISA I presume) 
> does not query my local DNS Server for the IP Address of the 
> website, but rather appears to receive the public IP Address 
> of the website (How..? I don't know!!), and that is why I 
> believe my connection times out because I try to access the 
> site from the internet, and the routers on that side then try 
> to route the traffic back across the WAN link thus creating 
> an invalid session and thus it fails.
> 
> 
> 
> The DNS is set up as follows:
> 
> - My PC looks to internal DNS server
> - Internal NIC of ISA looks to Internal DNS Server
> - External NIC of ISA has no DNS settings
> - DNS Server configured to use ISP's DNS servers as forwarders
> 
> 
> Can anyone perhaps shed some light on this for me please?
> 
> 
> 
> Thanks
> 
> William R.
> 
> 
> 
> 
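
The three resolution paths Jim lists in the quoted thread, and the private/public FQDN concern William raises, as a small model. This is an added example, not code from the thread or from ISA Server. It assumes the w3proxy and fwsrv lookups run on the ISA server against whatever resolver ISA itself is configured to use; the host name, addresses and class names are constructed.

```python
# Model of where a name gets resolved for each ISA client type.
# Assumption: w3proxy/fwsrv lookups happen on the ISA server and use ISA's
# own resolver settings. All names and addresses below are constructed.

INTERNAL_DNS = {"app.parent.example": "10.20.0.5"}     # private view (WAN link)
PUBLIC_DNS = {"app.parent.example": "203.0.113.10"}    # public Internet view

class Host:
    """A machine with one resolver view (its Windows name resolution)."""
    def __init__(self, resolver):
        self.resolver = resolver

    def lookup(self, name):
        return self.resolver.get(name)

class IsaServer(Host):
    """ISA with separate DNS caches for the web proxy and firewall services."""
    def __init__(self, resolver):
        super().__init__(resolver)
        self.caches = {"w3proxy": {}, "fwsrv": {}}

    def service_lookup(self, service, name):
        cache = self.caches[service]
        if name not in cache:          # cache miss: fall through to ISA's resolver
            cache[name] = self.lookup(name)
        return cache[name]

def resolve(client_type, name, client, isa):
    """Return (where the lookup ran, address) for one client type."""
    if client_type == "web_proxy":     # browser hands the FQDN to the proxy
        return "isa:w3proxy", isa.service_lookup("w3proxy", name)
    if client_type == "firewall":      # FW client resolves with fwsrv's help
        return "isa:fwsrv", isa.service_lookup("fwsrv", name)
    if client_type == "securenat":     # client resolves by itself
        return "client", client.lookup(name)
    raise ValueError(f"unknown client type: {client_type}")

def compare_views(name, client, isa):
    """Address each path yields; differing values mean the views disagree."""
    return {t: resolve(t, name, client, isa)[1]
            for t in ("web_proxy", "firewall", "securenat")}

if __name__ == "__main__":
    pc, isa = Host(INTERNAL_DNS), IsaServer(PUBLIC_DNS)
    print(compare_views("app.parent.example", pc, isa))
    isa.resolver = INTERNAL_DNS        # repoint ISA at the internal DNS
    print(compare_views("app.parent.example", pc, isa))  # cached answers persist
```

In this model a lookup run on the client (as NSLOOKUP or PING would be) returns the private address while the proxy path returns whatever ISA's resolver sees, and a cached answer on ISA outlives a resolver change until the cache is cleared.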

