Just dropping in for a quick comment (leaving the work for Jim of course :) I have had a similar problem which I resolved by putting my internal DNS on the external NIC configuration. So any lookups went to my internal DNS. Worked fine for me. Cheers Mark > -----Original Message----- > From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] > Posted At: Monday, September 29, 2003 9:32 AM > Posted To: www.isaserver.org > Conversation: [isalist] Re: How do IE & ISA use DNS...? > Subject: [isalist] Re: How do IE & ISA use DNS...? > > > http://www.ISAserver.org > > > Jim, > > In the article > (http://www.isaserver.org/tutorials/ISA_Clients__Part_1__Gener > al_ISA_Server_ > Configuration.html) I find the following excerpt: > > <The correct IP settings for your ISA server are absolutely > critical. At the very least, you have to provide a DNS server > for ISA to resolve external FQDN on behalf of Web Proxy and > Firewall clients> > > Does this imply that I need to setup DNS Server settings on > the External NIC? ('cause I currently do not...) > > My DNS setup is such that my 2 official DNS servers have > access to query/forward externally, and my ISA's internal NIC > is setup to look at my 2 DNS Servers, but there are no > settings on the external NIC. Is this OK? > > What I am also thinking is that if ISA is somehow trying to > do lookups for web clients, then that is a problem for me > because I need to access a "private FQDN" that is hosted in > my own DNS, but if ISA is resolving these requests then it is > going to retrieve the "public FQDN" which is going to be > incorrect for my specific scenario (I access the site in > question via a private WAN link, not via the public Internet > connection) > > In light of this, do you think that I can disable the default > DNS Packet Filter? > > Cheers > William R. > > -----Original Message----- > From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] > Sent: 29 September 2003 08:48 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] Re: How do IE & ISA use DNS...? > > http://www.ISAserver.org > > > Shweet. I've implemented the suggestions in the ISA Clients - > Part 1, will do some testing today. > > BTW, what is DFW? > > -----Original Message----- > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] > Sent: 26 September 2003 18:17 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] Re: How do IE & ISA use DNS...? > > http://www.ISAserver.org > > > Don't feel bad; it took me awhile to sort it all out, too. > Then it took me a few weeks to make it look like it made > sense in a series of articles. Then it took Tom about an hour > to discuss it while I wasted time at DFW... > > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG http://www.microsoft.com/isaserver > http://isaserver.org/Jim_Harrison > http://isatools.org > > Read the help, books and articles! > ----- Original Message ----- > From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > Sent: Friday, September 26, 2003 06:37 > Subject: [isalist] Re: How do IE & ISA use DNS...? > > > http://www.ISAserver.org > > > Uuuhhh, ok... it'll take me a while to process everything you > just said, but thanks anyway :) > > Will also check the articles you mention... > > Cheers > William R. > > -----Original Message----- > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] > Sent: 26 September 2003 15:36 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] Re: How do IE & ISA use DNS...? > > http://www.ISAserver.org > > > That's where it gets fun. > > - If you use the proxy settings without having the FW client > installed and the LAT host does not have a direct route > through ISA, IE is strictly a web proxy client > > - If you use the proxy settings with the FW client without a > direct route through the ISA, then you're a > web-proxy-firewall client. Remember; all traffic flows > through the FW client, because it layers itself on top of > Winsock. It understand when someone wants to speak directly > with the ISA outgoing web requests listener as a web proxy > client (because that information is part of the mspclnt.ini > file) and lets that flow though unimpeded > > - If you use the proxy settings with the FW client with a > direct route through the ISA, then you're a > web-proxy-firewall-secureNAT client. This doesn't change > much in this particfular context, but another "web" app that > doesn't understand how to form proxy requests (your typical > java app) then becomes a firewall-secureNAT client. > > - If you're crossing a nasty bridge on a foggy day and a > scraggly, blind, stinking old man queries you for your name, > quest and favorite color, then you're a > true-geek-web-proxy-firewall-secureNAT client > > Check out my client articles at www.isaserver.org. The first > one discusses the web proxy and firewall DNS caches and how > to control them. Remember; they depend on the underlying > Windows name resolutoin functionality (also described in that > article). > > > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! > > > On Fri, 26 Sep 2003 15:05:31 +0200 > "William Robertson" <robertson.william@xxxxxxxxxxxxxx> > wrote: http://www.ISAserver.org > > > Thanks for that Jim > > But what if I am configured as all 3 clients... I.e. My IE > Proxy settings are set to use ISA, and I have the FW Client > installed, and my default gateway is set to use ISA... Which > of the 3 will take precedence? > > Also, can you try and think of a reason why my scenario could > be happening, given my current DNS config (which I believe is > configured 100% according to all the articles on the > isaserver.org website). I mean, what is the W3Proxy DNS > cache, and how do I "fix" it... > > Cheers > William R. > > -----Original Message----- > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] > Sent: 26 September 2003 14:59 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] Re: How do IE & ISA use DNS...? > > http://www.ISAserver.org > > > There are three answers to this: > > * IE as WP client: > IE defers to ISA for all name resolution (CERN proxy > requests), which procedes like: > - w3proxy DNS cache, Windows name resolution process > > * IE as FW client: > IE performs its own name resolution with the help of fwsrv, > which procedes > like: > - fwsrv DNS cache, Windows name resolution process > > * IE as SecureNAT client: > IE performs its own name resolution: > - Windows name resolution process > > It's not specific to IE, but operates like this for any > CERN-aware app. > > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/Jim_Harrison/ > http://isatools.org > Read the help / books / articles! > > > On Fri, 26 Sep 2003 14:03:55 +0200 > "William Robertson" <robertson.william@xxxxxxxxxxxxxx> > wrote: http://www.ISAserver.org > > > Hi there > > > > I have a WAN link to a parent company who hosts a server > which I wish to access via the WAN link as opposed to the > slow public internet connection. All the routers have been > configured to route traffic via the WAN link instead of via > the internet. > > > > I now host a secondary DNS zone to my parent company in which > the private IP Address of the web server is listed, and when > I do an NSLOOKUP, TRACERT, PING etc I always connect via the > private IP Address over the WAN link. > > > > But when I try to use Internet Explorer to access the website > I essentially get timeouts and can never connect to the > actual website. My theory now is that when I try to access > the website, my Internet Explorer (along with ISA I presume) > does not query my local DNS Server for the IP Address of the > website, but rather appears to receive the public IP Address > of the website (How..? I don't know!!), and that is why I > believe my connection times out because I try to access the > site from the internet, and the routers on that side then try > to route the traffic back across the WAN link thus creating > an invalid session and thus it fails. > > > > The DNS is setup as follows: > > - My PC looks to internal DNS server > > - Internal NIC of ISA looks to Internal DNS Server > > - External NIC of ISA has no DNS settings > > - DNS Server configured to use ISP's DNS servers as > forwarders > > > > Can anyone perhaps shed some light on this for me please? > > > > Thanks > > William R. > > > > --------------------------------------------------------------------- > Everything in this e-mail and attachments relating to the official > business of Columbus Stainless is proprietary to the company. It is > confidential, legally privileged and protected by law. Columbus > Stainless does not own and endorse any other content. Views and > opinions are those of the sender unless clearly stated as being that > of Columbus Stainless. The person addressed in the e-mail is the sole > authorised recipient. Please notify the sender immediately if it has > unintentionally reached you and do not read, disclose or use the > content in any way. Whilst all reasonable steps are taken to ensure > the accuracy and integrity of information and data transmitted > electronically and to preserve the confidentiality thereof, no > liability or responsibility whatsoever is accepted if information or > data is,for whatever reason, corrupted or does not reach its > intended destination. > --------------------------------------------------------------------- > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=3Disalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=3DFAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: > http://www.serverfiles.com No.1 Exchange > Server Resource > Site: http://www.msexchange.org Windows Security Resource > Site: http://www.windowsecurity.com/ Network Security > Library: http://www.secinf.net/ Windows 2000/NT Fax > Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: isaserver@xxxxxxxxxxxx To unsubscribe send a blank > email to $subst('Email.Unsub') >