[isalist] Re: Slightly OT Again:HP ProLiant DL320 Firewall/VPN/Cache Server setup DNS problem

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 7 Jul 2006 11:25:22 -0500

Hi Barbara,
 
You didn't do bad, but the caching only DNS server isn't absolutely
required. It's a nice security enhancement, but start with the basics
first and let your internal DNS server perform recursion or configure it
to use your ISP's DNS server as a forwarder.
 
Tom
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Barbara Causey
        Sent: Friday, July 07, 2006 11:04 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Slightly OT Again:HP ProLiant DL320
Firewall/VPN/Cache Server setup DNS problem
        
        
        No, I have an internal DNS server. Did I do bad???

                ----- Original Message ----- 
                From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>  
                To: isalist@xxxxxxxxxxxxx 
                Sent: Friday, July 07, 2006 11:26 AM
                Subject: [isalist] Re: Slightly OT Again:HP ProLiant
DL320 Firewall/VPN/Cache Server setup DNS problem

                Hi Barbara,
                 
                Thanks for getting the book! But one thing about my books,
                it's like going to a medical school clinical lecture. If I'm
                lecturing about evacuating epidural hematomas, you have to
                listen to the whole thing -- you can't wink out during the
                time I'm talking about preparing the skull and
                post-evacuation tamponade.
                 
                So, what you missed are the assumptions on page 493, which
                was that you don't have any other servers on your network,
                and thus we are installing a DNS server on the ISA firewall.
                Is that assumption correct for your network?
                 
                Tom
                 
                Thomas W Shinder, M.D.
                Site: www.isaserver.org <http://www.isaserver.org/> 
                Blog: http://blogs.isaserver.org/shinder/
                Book: http://tinyurl.com/3xqb7
<http://tinyurl.com/3xqb7> 
                MVP -- ISA Firewalls

                 


________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Barbara Causey
                        Sent: Friday, July 07, 2006 9:16 AM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] Re: Slightly OT Again:HP
ProLiant DL320 Firewall/VPN/Cache Server setup DNS problem
                        
                        
                        Thanks to everyone for their help. It is working now,
                        but something is still not right. If I set up the
                        client computers to use the ISA server as a web proxy
                        server then no Internet access. The ISA 2000 server
                        was set up this way and it worked great.
                         
                        In answer to your questions Dr. Tom, I was following
                        the instructions in your book that said to set up the
                        ISA server as a caching only DNS server. I configured
                        the internal DNS server to use the ISA's DNS server as
                        its forwarder and I created the rule you stated. The
                        client computers are using the internal DNS server.
                         
                        Any ideas on what else could be wrong?
                         
                        Barbara

                                ----- Original Message ----- 
                                From: Thomas W Shinder
<mailto:tshinder@xxxxxxxxxxx>  
                                To: isalist@xxxxxxxxxxxxx 
                                Sent: Thursday, July 06, 2006 1:18 PM
                                Subject: [isalist] Re: Slightly OT
Again:HP ProLiant DL320 Firewall/VPN/Cache Server setup DNS problem

                                Hi Barbara,
                                 
                                Why are you running a DNS server on the ISA
                                firewall? Is this configured as a caching only
                                DNS server? If so, you configure the internal
                                DNS server to use the ISA firewall's DNS server
                                as its forwarder, and you need to create a rule
                                that allows the internal DNS server access to
                                the Local Host Network for the DNS protocol.
                                 
                                Also, the clients should not be using the ISA
                                firewall's caching only DNS server as their DNS
                                server, they should be using the internal DNS
                                server for both internal and external name
                                resolution.
                                 
                                Keep in mind that the caching only DNS server
                                on the ISA firewall is a poor man's solution.
                                The best solution is to have DNS resolvers on a
                                DMZ segment.
                                 
                                HTH,
                                Tom
                                 
                                Thomas W Shinder, M.D.
                                Site: www.isaserver.org
<http://www.isaserver.org/> 
                                Blog:
http://blogs.isaserver.org/shinder/
                                Book: http://tinyurl.com/3xqb7
<http://tinyurl.com/3xqb7> 
                                MVP -- ISA Firewalls

                                 


________________________________

                                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Barbara Causey
                                Sent: Thursday, July 06, 2006 12:01 PM
                                To: isalist@xxxxxxxxxxxxx
                                Subject: [isalist] Slightly OT Again:HP
ProLiant DL320 Firewall/VPN/Cache Server setup DNS problem
                                
                                
                                Hello, it's me again. :-)
                                
                                I set up this server as a caching only DNS
                                server following the instructions in the ISA
                                Server 2004 book by Dr. Tom and I can access
                                the Internet on this server, but not on any of
                                the internal computers. I get the "Can not find
                                server or DNS error". I can ping the router
                                through this server, but can't get anywhere on
                                the Internet. Everything works fine through the
                                old ISA 2000 server, but when I switch over to
                                the new one you can't go anywhere. Would
                                someone please point me in the right direction
                                to resolve this matter?
                                
                                Thank you,
                                Barbara Causey
                                
