Hi Duncan,

OK, I take it that you have not installed the Firewall client or configured the browsers as Web Proxy clients on any of the systems yet. So this means you are using the SecureNAT client config, where the client systems route Internet-bound communications through the ISA firewall's interface closest to the clients.

The Access Rules are pretty straightforward. The wizard asks for the protocol, the source location, the destination location, and the users who are allowed to use that rule. So, if your internal DNS servers are configured to perform Internet host name lookup, configure the clients to use your internal DNS server. Then create an Access Rule allowing the DNS servers outbound access to the DNS protocol.

ISA firewall rules are evaluated from the top down. The first rule that matches the connection's characteristics is applied. The exception is when you have rules that require authentication. In that case, an unauthenticated user is treated as a member of an "unauthenticated user group" and the connection will be denied.

Make sure the Network Rule controlling the relationship between the source and destination networks reflects the route relationship you desire.

HTH,
Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Duncan J Cameron [mailto:duncan@xxxxxxxxxxxxxxxxxxxx]
Sent: Sunday, September 26, 2004 2:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

http://www.ISAserver.org

Hello

Was just thinking, for outbound DNS I could just set the 2 DCs' DGs to the HW FW, and write a rule on the FW to only allow their 2 IPs out on port 53 only. I have only installed the FW Client from the installation share of ISA. I tried to write ISA FW policy but I am confused as to what the ISA System Policies are; they are what appear to be blocking the nslookups.

Duncan

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: 26 September 2004 20:36
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

http://www.ISAserver.org

Hi Duncan,

Are you using:
Firewall client?
SecureNAT client?
Web Proxy client?

Remove the public DNS server from the external interface and put the internal interface on the top of the interface list. Create Access Rules allowing the traffic you want outbound.

How would you exert access control if a "hardware" firewall were installed? Just let everything out?

HTH,
Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: duncan@xxxxxxxxxxxxxxxxxxxx [mailto:duncan@xxxxxxxxxxxxxxxxxxxx]
Sent: Sunday, September 26, 2004 3:36 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA 2004 Design and Config

http://www.ISAserver.org

Can someone please give me some advice on the following. I am currently working on a system upgrade for a client; the previous domain was a Win NT4 domain. I started the upgrade on Friday this week. So far I have upgraded the domain to 2003 AD, migrated all data, migrated the Exchange 5.5 server to Exchange 2003, migrated SQL to SQL 2000, and set up a Citrix MetaFrame XPa farm and an MS SUS server.

All servers are HP ML370, 2 GB, 3.06 Xeon:
2 x 2003 Domain Controllers
1 x 2004 Exchange Server
1 x SQL 2000, on 2003 Server
1 x 2003 File/Print
2 x 2003 Citrix XPa Terminal Server
1 x 2003 SUS Server
1 x ISA 2004 running on 2003, 2nd NIC installed

Started to configure ISA today. I have never installed ISA before and am having an absolute nightmare; I normally just install a hardware firewall. I am unsure how ISA should be configured 100%.

I have web access working at the moment through the ISA server, but nslookups are failing externally.

Current config: the ISA server has two network cards; the protected subnet is 192.168.x.x /24, the external card 172.29.x.x /24. The external card has the ISP's DNS servers; the internal card has the internal DNS servers. The internal card has no DG set; the external card is connected to the protected interface on the hardware FW, 172.29.x.254. The protected HWFW interface then NATs out to a public IP. The current client has a /29 block of IPs, so I have configured the next available IP as an alias on the HWFW. I then plan to set up the mobile VPN clients to that IP along with the site-to-site VPNs when I start the satellite offices. The protected network card of the ISA server is every host on the subnet's default GW, including all servers.

Internet traffic is working through ISA, but if I try to do an external nslookup the query fails. If I check the ISA logs I see messages saying DNS Closed or sometimes Denied. Nslookups fail from every server, including the ISA server. I think the only reason HTTP traffic is working is due to the ISP's DNS server being set on the external NIC. I have tried taking the HW FW out of the equation but still have the same problem of DNS queries failing externally.

The only way I can think of getting this working for the client tomorrow is to set all the other servers' DG to the protected interface of the FW, set up a separate DMZ on one of the other FW interfaces, then connect the ISA's external card to the FW DMZ port. I then plan to only allow port 53 out on the HW FW protected interface. I will then set up the protected interface on the HW FW to allow two-way site-to-site IKE VPNs from the other HW FWs in the satellite offices when they come online.
At the moment it is set up so the protected FW interface is connected to the second NIC of the ISA as a DMZ. With my new plan above, the protected interface on the FW will have a 192 address and will be connected to the same switch as the servers, bypassing the ISA server. The second card in the ISA will be connected to a separate DMZ and will only be used for incoming SMTP and outgoing HTTP traffic. All web traffic from both PCs and servers will go out through the ISA server. All PCs will have the ISA server set as their DG; the servers' DG will be the HW FW.

The hardware FW has a mail proxy. I want it to send SMTP traffic to the external card of the ISA server, then have it somehow proxy to the Exchange server. Can this be done?

Can somebody please advise me on the best practice for the installation I am trying to carry out, as I am unsure of the best ways to set up ISA.

Regards
Duncan Cameron

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
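As an added illustration of the rule-evaluation behaviour Tom describes in his reply at the top of the thread (rules evaluated top down, first match wins, an implicit final deny, and a rule restricted to named users denying a SecureNAT connection that carries no user identity), here is a small Python model of that logic. It is not ISA code and was not posted on the list; the network and computer-set names ("Internal", "External", "DNS Servers"), the rule names, the group "Domain Users" and the sample connections are assumptions constructed for the demonstration, and the policy "before" and "after" mirrors Duncan's situation of web access working while the DNS servers' external lookups are denied until an Access Rule for them exists.

```python
"""
Toy model of ISA Server 2004 Access Rule evaluation as described in the
thread: ordered rules, first match wins, an implicit final deny, and the
authentication quirk where a rule restricted to named users denies any
connection that carries no user identity (a SecureNAT client).

Added illustration for this page, not ISA code and not the list author's.
Network names, computer sets, rule names and sample connections are
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALL_USERS = "All Users"      # rule applies to everyone, no authentication needed
ANY_PROTOCOL = "*"


@dataclass(frozen=True)
class Connection:
    protocol: str
    # Networks / computer sets the source belongs to, e.g. {"Internal", "DNS Servers"}
    src: FrozenSet[str]
    dst: str
    # Groups of the authenticated user; None == SecureNAT client with no identity
    user_groups: Optional[FrozenSet[str]] = None


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                       # "allow" or "deny"
    protocols: FrozenSet[str]
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    users: FrozenSet[str] = frozenset({ALL_USERS})

    def matches(self, c: Connection) -> bool:
        """Protocol, source and destination selectors only (not the user)."""
        proto_ok = ANY_PROTOCOL in self.protocols or c.protocol in self.protocols
        return proto_ok and bool(self.sources & c.src) and c.dst in self.destinations

    def verdict(self, c: Connection) -> Optional[str]:
        """'allow'/'deny' if this rule decides the connection, else None."""
        if not self.matches(c):
            return None
        if ALL_USERS in self.users:
            return self.action
        # Rule requires authentication. Unauthenticated (SecureNAT) traffic is
        # treated as the "unauthenticated user group" and denied here; an
        # authenticated user outside the listed groups is denied as well.
        if c.user_groups is None or not (self.users & c.user_groups):
            return "deny"
        return self.action


def evaluate_policy(rules: List[AccessRule], c: Connection) -> Tuple[str, str]:
    """Top-down evaluation; returns (action, name of the deciding rule)."""
    for rule in rules:
        v = rule.verdict(c)
        if v is not None:
            return v, rule.name
    return "deny", "Default rule"     # ISA's implicit last rule


# Constructed policy resembling the thread: Internal may go out on HTTP/HTTPS,
# but nothing lets the DNS servers out on DNS, so lookups hit the default deny.
POLICY_BEFORE = [
    AccessRule("Web access", "allow", frozenset({"HTTP", "HTTPS"}),
               frozenset({"Internal"}), frozenset({"External"})),
]

# The suggested fix: an Access Rule granting the internal DNS servers
# (modelled as an assumed computer set "DNS Servers") outbound DNS to External.
POLICY_AFTER = [
    AccessRule("DNS servers out", "allow", frozenset({"DNS"}),
               frozenset({"DNS Servers"}), frozenset({"External"})),
] + POLICY_BEFORE

# Same web rule restricted to a domain group: a SecureNAT client has no
# identity, so the rule matches on protocol/source/destination and denies it.
POLICY_AUTH = [
    AccessRule("Staff web", "allow", frozenset({"HTTP", "HTTPS"}),
               frozenset({"Internal"}), frozenset({"External"}),
               users=frozenset({"Domain Users"})),
]

# Constructed sample connections
DNS_QUERY = Connection("DNS", frozenset({"Internal", "DNS Servers"}), "External")
HTTP_SECURENAT = Connection("HTTP", frozenset({"Internal"}), "External")
HTTP_FWCLIENT = Connection("HTTP", frozenset({"Internal"}), "External",
                           user_groups=frozenset({"Domain Users"}))

if __name__ == "__main__":
    for label, policy, conn in [
        ("DNS query, no DNS rule    ", POLICY_BEFORE, DNS_QUERY),
        ("DNS query, DNS rule added ", POLICY_AFTER, DNS_QUERY),
        ("HTTP, SecureNAT, auth rule", POLICY_AUTH, HTTP_SECURENAT),
        ("HTTP, FW client, auth rule", POLICY_AUTH, HTTP_FWCLIENT),
    ]:
        print(label, evaluate_policy(policy, conn))
```

The last two cases are the trap Tom warns about: the authenticated-only rule still "matches" the SecureNAT connection on protocol, source and destination, so evaluation stops there with a deny instead of falling through to a later anonymous rule. Ordering an anonymous allow rule above the authenticated one, or deploying the Firewall client so the connection carries a user, changes the outcome.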