[isalist] Re: wpad.dat DNS entry
- From: "Roy Tsao" <caohuiming@xxxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Fri, 1 Sep 2006 23:59:50 +0800
Hi Periyasamy,
How are you sure the array's FQDN is never resolved to the VIP by RR DNS?
Roy
----- Original Message -----
From: Periyasamy, Raj
To: isalist@xxxxxxxxxxxxx
Sent: Friday, September 01, 2006 11:38 PM
Subject: [isalist] Re: wpad.dat DNS entry
You still need to keep the physical names of both array members in the DNS.
WPAD will issue a script to the client, that will point to both the ISA servers
by the physical name, not virtual name of NLB. When you do NETSTAT you will see
that your client is actually talking to the physical names of the ISA and not
the virtual name.
HTH.
Regards,
Raj Periyasamy
MCSE(Messaging), CCNA
------------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Roy Tsao
Sent: Friday, September 01, 2006 11:27 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
Jim,
I am thinking about one more RR-related scenario under ISA EE (not SE). Say
that after enabling NLB on the internal interface of the ISA EE array, what
shall be the correct setting in DNS when a record is set for the array's FQDN ->
array's VIP:
1) keep a record for each array member in DNS
2) or must those be deleted?
How does client-side CARP behave in 1) and 2)?
----- Original Message -----
From: Roy Tsao
To: isalist@xxxxxxxxxxxxx
Sent: Friday, September 01, 2006 11:08 PM
Subject: [isalist] Re: wpad.dat DNS entry
Jim,
You are pointing out a sort of worse issue in so-called double load
sharing, using RR and client-side CARP under an ISA EE array, that's true!
However, in the scenario I showed, RR is used for load-sharing among ISA
SE...
Dan,
I remember you once mentioned RainWall was used in your network for NLB
under ISA SE; that's another reason I propose RR for ISA SE.
----- Original Message -----
From: Jim Harrison
To: isalist@xxxxxxxxxxxxx ; isalist@xxxxxxxxxxxxx
Sent: Friday, September 01, 2006 9:39 PM
Subject: [isalist] Re: wpad.dat DNS entry
If these servers operate in an array, using RR can actually decrease your
load-sharing across the array.
Since we're talking about WPAD here, you *must* bear in mind that the
script obtained from the ISA contains a list of servers by name or IP,
depending on your configuration.
If you try to round-robin or (worse yet), NLB these IPs, client-side CARP
will fight with the LB mechanism.
BTW, there's nothing wrong with multiple internal subnets.
In fact, it can help you control segmentation better, because no DG == no
non-local subnet & blackhole routers == no non-local subnet.
--------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx on behalf of Ball, Dan
Sent: Fri 9/1/2006 4:20 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
Okay, my bad, someday I'll get those terms right. What you say makes
sense, it's definitely an option.
I'm just hoping our WAN fiber goes into place soon, then I won't have to
worry about multiple internal subnets anymore.
--------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 2:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
Hi Dan,
I said "Except SNAT".
Moreover, unless a special client is required to be SNAT, like a published
server, FWC plus WPC shall be deployed to most clients in an ISA Firewall
environment, so we can maximize the benefit provided by ISA, right?
So even if there is a gateway on the client side, most of them shall go through
an FWC or WPC connection.
Again, I am trying to point out the positive side of the DNS round robin
feature, that's it.
HTH,
Roy
----- Original Message -----
From: Thomas W Shinder
To: isalist@xxxxxxxxxxxxx
Sent: Friday, September 01, 2006 1:37 AM
Subject: [isalist] Re: wpad.dat DNS entry
I've done it in many deployments, and IIRC, that's how they do it at MS.
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
----------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, August 31, 2006 12:26 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
We had briefly touched upon this topic about a year or so ago, but I
wasn't aware that it was an actual common practice.
----------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Thursday, August 31, 2006 12:18 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
Hi Dan,
In most secure environments you don't give the clients a default
gateway and use the Firewall and Web proxy client configurations to enforce
security. So, this might work fine using RR DNS.
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
--------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, August 31, 2006 11:02 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
I'd have to say no.
- External sites are resolved by the DNS server.
- Resolved sites are then referenced by IP address.
- Since an external site is resolved to an IP that is not a "local" address,
  it resorts to using the default gateway to connect.
- Default gateways are entered by IP, not hostname, nullifying the
  round-robin DNS abilities.
The exception to this might be if you use the FWC, then you might
be able to redirect all connections via DNS entries. You might be able to
share the proxy address too, but that default gateway is a kicker.
--------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 10:00 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
Hm...
You have two ISA SE; let's say their internal interface IP addresses are
192.168.0.1/24 and 192.168.0.2/24.
You create two A records in DNS, isa.dan.local -> 192.168.0.1 and
isa.dan.local -> 192.168.0.2.
Then by DNS round robin, your internal clients (except SNAT) would
enjoy the connection to either of the ISA SE servers for outbound
connections, make sense?
----- Original Message -----
From: Ball, Dan
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 9:01 PM
Subject: [isalist] Re: wpad.dat DNS entry
I think that would only work on inbound connections. You can't
define round-robin DNS entries for someone else's server!
------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 8:42 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
Surely about outbound connection!
----- Original Message -----
From: Ball, Dan
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 8:34 PM
Subject: [isalist] Re: wpad.dat DNS entry
You referring to incoming or outgoing connections?
----------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 8:28 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
Dan,
Suppose you have two external lines provided by different ISPs;
normally two ISA EE are needed, but by using DNS round robin you can
deploy two ISA SE for load balancing..., that's my point.
HTH,
Roy
----- Original Message -----
From: Ball, Dan
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 8:19 PM
Subject: [isalist] Re: wpad.dat DNS entry
No, you would still have that "one default gateway" problem.
Besides, that feature is only for DNS entries that "you" control, not external.
--------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 4:36 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
Dan,
Your problem is due to the DNS round robin feature, and it shall
be solved by Stefaan's great guidance.
On the other hand, don't you think we can utilize such round
robin as a good feature to implement NLB, to balance connections to
multiple external interfaces, by using the ISA STD version only?
HTH,
Roy Tsao
----- Original Message -----
From: Stefaan Pouseele
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 4:08 PM
Subject: [isalist] Re: wpad.dat DNS entry
You might check out
http://support.microsoft.com/?kbid=842197.
HTH,
Stefaan
------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, 31 August 2006 3:28
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
Good article, it sounds very similar to my scenario. I
already had the "enable netmask ordering" option enabled, so that is not the
problem. Do you think it might be because each of the 10.6.x.x subnets have a
mask of 255.255.255.0?
------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
Sent: Wednesday, August 30, 2006 3:57 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry
Hi Dan,
check out my blog
http://blogs.isaserver.org/pouseele/2006/06/30/multi-networking-wpad-support-in-isa-2004/.
HTH,
Stefaan
------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Wednesday, 30 August 2006 21:47
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] wpad.dat DNS entry
I'm having a serious problem here with the wpad name
resolution. I moved it from being sent out via DHCP to DNS per Jim's
recommendation, which seems to have speeded up some things, but is now
unreliable and causing problems.
The problem appears to be the multiple internal subnets.
Here is a diagram of how it is laid out:
Internet
   |
ISA Server --- Internal Network 1 (10.20.1.1)
   |
Internal Network 2 (10.6.254.90) ---- 10.6.8.x Subnet
                                  |-- 10.6.9.x Subnet
                                  |-- 10.6.10.x Subnet
                                  |-- 10.6.12.x Subnet
                                  |-- 10.6.14.x Subnet
                                  |-- 10.6.15.x Subnet
I entered two Host (A) records for wpad, one for 10.20.1.1,
and another for 10.6.254.90.
Frequently I run across computers on the 10.6.x.x subnet
where the FWC cannot automatically detect the ISA server, so I ping wpad and it
resolves to the 10.20.1.1 address instead of the 10.6.254.90 address that it is
supposed to get. I try repairs and such, it keeps resolving to the wrong one.
When I reboot the computer, it resolves to the correct IP and works properly.
I reboot the computer several times, and it gets the correct address. But
then I'll hear of another computer having problems, and I'll check and it is
the same problem. This is not going to be pretty over the next few days as
teachers come back to work after summer vacation.
What is the best way to resolve this? Change it back to
DHCP, customize host files, etc?
All mail to and from this domain is GFI-scanned.
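Added example, not part of the thread or of any poster's configuration: a small Python model of what Dan's two wpad Host (A) records do under DNS round robin with netmask ordering, the behaviour Stefaan's KB 842197 link is about. Netmask ordering in Windows DNS prefers records in the same class C (/24) as the querying client unless the server is configured with a wider mask; the model below is a simplification of that rule (hypothetical helper names, not the real server code), and the client addresses are constructed from the subnets in Dan's diagram.

```python
import ipaddress

# Constructed to match the thread: two Host (A) records for "wpad",
# one per internal ISA interface (10.20.1.1 and 10.6.254.90).
WPAD_RECORDS = ["10.20.1.1", "10.6.254.90"]


def same_prefix(record_ip, client_ip, prefix_len):
    """True when the record and the client share their first prefix_len bits."""
    net = ipaddress.ip_network(f"{record_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(client_ip) in net


def dns_answer(records, client_ip, prefix_len=24, query_no=0):
    """Simplified model (hypothetical, not the real Windows DNS code) of a
    server with both netmask ordering and round robin enabled:
      - records inside the client's prefix_len subnet are placed first;
      - everything else is rotated by query_no (plain round robin).
    prefix_len=24 models the class C default that applies when nothing
    overrides it, which is why Dan's 255.255.255.0 subnets matter."""
    local = [r for r in records if same_prefix(r, client_ip, prefix_len)]
    other = [r for r in records if r not in local]
    if other:
        k = query_no % len(other)
        other = other[k:] + other[:k]
    return local + other


def resolved_wpad(client_ip, prefix_len=24, query_no=0):
    """The single address a client actually uses: the first record returned."""
    return dns_answer(WPAD_RECORDS, client_ip, prefix_len, query_no)[0]


def addresses_seen(client_ip, prefix_len=24, queries=4):
    """Set of wpad addresses a client sees over several queries. A one-element
    set means the client reliably reaches the ISA interface on its own side;
    two elements reproduce the 'sometimes wrong until reboot' symptom."""
    return {resolved_wpad(client_ip, prefix_len, n) for n in range(queries)}


if __name__ == "__main__":
    for client in ("10.20.1.50", "10.6.8.25"):
        print(client, "/24 ordering:", sorted(addresses_seen(client, 24)))
        print(client, "/16 ordering:", sorted(addresses_seen(client, 16)))
```

With /24 ordering the 10.20.1.x client always gets 10.20.1.1, but a 10.6.8.x client matches neither record's /24 and so alternates between both addresses; widening the ordering mask to /16 makes 10.6.254.90 the local match for every 10.6.x.x subnet. The model does not cover Jim's separate point that round-robin or NLB on the ISA addresses conflicts with the client-side CARP list in the WPAD script.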