[isalist] Re: wpad.dat DNS entry

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 31 Aug 2006 12:37:56 -0500

I've done it in many deployments, and IIRC, that's how they do it at MS.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, August 31, 2006 12:26 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

We had briefly touched upon this topic about a year or so ago, but I wasn't aware that it was an actual common practice...

________________________________


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Thursday, August 31, 2006 12:18 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

Hi Dan,

In most secure environments you don't give the clients a default gateway and use the Firewall and Web proxy client configurations to enforce security. So, this might work fine using RR DNS.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, August 31, 2006 11:02 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

I'd have to say no...

- External sites are resolved by DNS server.
- Resolved sites are referenced then by IP address.
- Since an external site is resolved to an IP that is not a "local" address, it resorts to using the default gateway to connect.
- Default gateways are entered by IP, not hostname, nullifying the round-robin DNS abilities.

The exception to this might be if you use the FWC, then you might be able to redirect all connections via DNS entries.  You might be able to share the proxy address too, but that default gateway is a kicker...

________________________________


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 10:00 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

Hm...

You have two ISA SE; let's say their internal interface IP addresses are 192.168.0.1/24 and 192.168.0.2/24.

You create two A records in DNS, isa.dan.local -> 192.168.0.1 and isa.dan.local -> 192.168.0.2.

Then by DNS round robin, your internal clients (except SNAT) would enjoy the connection to either of the ISA SE servers for outbound connections. Make sense?

----- Original Message -----
From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 9:01 PM
Subject: [isalist] Re: wpad.dat DNS entry

I think that would only work on inbound connections.  You can't define round-robin DNS entries for someone else's server!

________________________________


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 8:42 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

Surely about outbound connections!

----- Original Message -----
From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 8:34 PM
Subject: [isalist] Re: wpad.dat DNS entry

You referring to incoming or outgoing connections?

________________________________


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 8:28 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

Dan,

Suppose you have two external lines provided by different ISPs; normally two ISA EE are needed, but by using DNS round robin you can deploy two ISA SE for load balancing... That's my point.

HTH,

Roy

----- Original Message -----
From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 8:19 PM
Subject: [isalist] Re: wpad.dat DNS entry

No, you would still have that "one default gateway" problem...  Besides, that feature is only for DNS entries that "you" control, not external.

________________________________


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 4:36 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

Dan,

Your problem is due to the DNS round robin feature, and it shall be solved by Stefaan's great guidance.

On the other hand, don't you think we can utilize such round robin as a good feature to implement NLB to balance connections to multiple external interfaces by using the ISA STD version only?

HTH,

Roy Tsao

----- Original Message -----
From: Stefaan Pouseele <mailto:stefaan.pouseele@xxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 4:08 PM
Subject: [isalist] Re: wpad.dat DNS entry

You might check out http://support.microsoft.com/?kbid=842197.

HTH,

Stefaan

________________________________


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, 31 August 2006 3:28
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

Good article, it sounds very similar to my scenario.  I already had the "enable netmask ordering" option enabled, so that is not the problem.  Do you think it might be because each of the 10.6.x.x subnets has a mask of 255.255.255.0?

________________________________


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
Sent: Wednesday, August 30, 2006 3:57 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

Hi Dan,

Check out my blog: http://blogs.isaserver.org/pouseele/2006/06/30/multi-networking-wpad-support-in-isa-2004/.

HTH,

Stefaan

________________________________


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Wednesday, 30 August 2006 21:47
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] wpad.dat DNS entry

I'm having a serious problem here with the wpad name resolution.  I moved it from being sent out via DHCP to DNS per Jim's recommendation, which seems to have speeded up some things, but is now unreliable and causing problems.

The problem appears to be the multiple internal subnets...  Here is a diagram of how it is laid out:

    Internet
        |
    ISA Server --- Internal Network 1 (10.20.1.1)
        |
    Internal Network 2 (10.6.254.90) ---- 10.6.8.x Subnet
                                     |-- 10.6.9.x Subnet
                                     |-- 10.6.10.x Subnet
                                     |-- 10.6.12.x Subnet
                                     |-- 10.6.14.x Subnet
                                     |-- 10.6.15.x Subnet

I entered two Host (A) records for wpad, one for 10.20.1.1, and another for 10.6.254.90.

Frequently I run across computers on the 10.6.x.x subnet where the FWC cannot automatically detect the ISA server, so I ping wpad and it resolves to the 10.20.1.1 address instead of the 10.6.254.90 address that it is supposed to get.  I try repairs and such, it keeps resolving to the wrong one.  When I reboot the computer, it resolves to the correct IP and works properly.  I reboot the computer several times, and it gets the correct address.  But, I'll hear of another computer having problems, and I'll check and it is the same problem.  This is not going to be pretty over the next few days as teachers come back to work after summer vacation.

What is the best way to resolve this?  Change it back to DHCP, customize host files, etc?
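The flapping Dan describes, as an added example (not code from the thread or from ISA Server): a toy DNS answer-ordering model that applies round robin plus a subnet-prefix match, run for a constructed 10.6.8.x client against the two wpad A records above. The prefix length and the client addresses are assumptions; comparing /24 against /16 is the 255.255.255.0 question Dan raises earlier in the thread.

```python
import ipaddress

# Constructed sample: the two wpad Host (A) records from the thread, one for
# each ISA-facing internal network.
WPAD_RECORDS = ["10.20.1.1", "10.6.254.90"]


def order_answers(records, client_ip, prefix_len, query_no):
    """Simplified model of a DNS server doing round robin plus netmask
    ordering (an assumption, not Windows DNS's exact algorithm): answers that
    share the client's /prefix_len prefix go first, the rest are rotated by
    the query counter so successive queries see a different first answer."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    local = [r for r in records if ipaddress.ip_address(r) in net]
    rest = [r for r in records if r not in local]
    if rest:
        k = query_no % len(rest)
        rest = rest[k:] + rest[:k]
    return local + rest


def first_answers(client_ip, prefix_len, n_queries):
    """The address a resolver actually uses (the first answer) over n
    successive queries from the same client."""
    return [order_answers(WPAD_RECORDS, client_ip, prefix_len, i)[0]
            for i in range(n_queries)]


def flaps(client_ip, prefix_len, n_queries=4):
    """True when the client does not get one stable wpad address."""
    return len(set(first_answers(client_ip, prefix_len, n_queries))) > 1


if __name__ == "__main__":
    # Client on the 10.6.8.x subnet (constructed address), /24 comparison:
    # neither record is "local", so the first answer alternates between the
    # two ISA listeners and the Firewall Client sometimes picks 10.20.1.1.
    print(first_answers("10.6.8.50", 24, 4))
    # Same client with the comparison widened to /16: 10.6.254.90 every time.
    print(first_answers("10.6.8.50", 16, 4))
    # A 10.20.1.x client is stable even at /24, matching the report that only
    # the 10.6.x.x machines misbehave.
    print(first_answers("10.20.1.25", 24, 4))
```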
