[isalist] Re: wpad.dat DNS entry

  • From: "Roy Tsao" <caohuiming@xxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 2 Sep 2006 22:17:03 +0800

Not yet, and let me check it...

Thanks,

Roy Tsao
  ----- Original Message ----- 
  From: Thomas W Shinder 
  To: isalist@xxxxxxxxxxxxx 
  Sent: Saturday, September 02, 2006 10:17 PM
  Subject: [isalist] Re: wpad.dat DNS entry


  Didn't ANYONE read the link I sent???

  Thomas W Shinder, M.D.
  Site: www.isaserver.org
  Blog: http://blogs.isaserver.org/shinder/
  Book: http://tinyurl.com/3xqb7
  MVP -- ISA Firewalls





----------------------------------------------------------------------------
    From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Roy Tsao
    Sent: Saturday, September 02, 2006 2:20 AM
    To: isalist@xxxxxxxxxxxxx
    Subject: [isalist] Re: wpad.dat DNS entry


    I want to make sure about the mixed configuration among the RR feature, ISA EE 
array and also NLB when enabling client-side CARP
    through WPAD.
      Case 1): ISA EE Array without NLB
               per Jim's saying, RR shall be disabled since it conflicts with 
client-side CARP.
      Case 2): ISA EE Array with NLB
               a) RR enabled
                  - DNS holds A records for both the array's VIP and DIP
                    This is not a good configuration I suppose, per case 1)
               b) RR disabled
                  - DNS holds A records for both the array's VIP and DIP
                    I am not sure how client-side CARP handles it.
                  - DNS holds an A record for the array's VIP only
                    I am not sure either!

    With regards,

    Roy Tsao
    ----- Original Message ----- 
      From: Periyasamy, Raj 
      To: isalist@xxxxxxxxxxxxx 
      Sent: Saturday, September 02, 2006 4:45 AM
      Subject: [isalist] Re: wpad.dat DNS entry


      Are we talking about RR or NLB? Because if you use NLB with ISA EE, you 
don't need RR.

      HTH. 
      Regards, 
      Raj Periyasamy 
      MCSE(Messaging), CCNA 




--------------------------------------------------------------------------
      From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] 
On Behalf Of Roy Tsao
      Sent: Friday, September 01, 2006 12:00 PM
      To: isalist@xxxxxxxxxxxxx
      Subject: [isalist] Re: wpad.dat DNS entry


      Hi Periyasamy,

      How are you sure the array's FQDN is never resolved to the VIP by round-robin DNS?

      Roy
        ----- Original Message ----- 
        From: Periyasamy, Raj 
        To: isalist@xxxxxxxxxxxxx 
        Sent: Friday, September 01, 2006 11:38 PM
        Subject: [isalist] Re: wpad.dat DNS entry


        You still need to keep the physical names of both array members in the 
DNS. WPAD will issue a script to the client, that will point to both the ISA 
servers by the physical name, not virtual name of NLB. When you do NETSTAT you 
will see that your client is actually talking to the physical names of the ISA 
and not the virtual name.
        HTH. 
        Regards, 
        Raj Periyasamy 
        MCSE(Messaging), CCNA 


------------------------------------------------------------------------
        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
        Sent: Friday, September 01, 2006 11:27 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: wpad.dat DNS entry


        Jim,

        I am thinking about one more RR-related scenario under ISA EE (not SE), 
say after enabling 
        NLB at the internal interface of the ISA EE array, what shall be the correct 
setting
        at DNS when an A record is set array's FQDN -> array's VIP:
           1) keep an A record of each array member at DNS
           2) or those must be deleted
        How does client-side CARP behave in 1) and 2)? 
          ----- Original Message ----- 
          From: Roy Tsao 
          To: isalist@xxxxxxxxxxxxx 
          Sent: Friday, September 01, 2006 11:08 PM
          Subject: [isalist] Re: wpad.dat DNS entry


          Jim,

          You are pointing out a sort of worse issue in so-called double load 
sharing using RR and 
          client-side CARP under an ISA EE array, that's true! 
          However in the scenario I showed, RR is used for load-sharing among 
ISA SE...

          Dan, 
          I remember you once mentioned RainWall was used in your network for 
NLB under ISA SE,
          that's another reason I propose RR for ISA SE.
            ----- Original Message ----- 
            From: Jim Harrison 
            To: isalist@xxxxxxxxxxxxx ; isalist@xxxxxxxxxxxxx 
            Sent: Friday, September 01, 2006 9:39 PM
            Subject: [isalist] Re: wpad.dat DNS entry


            If these servers operate in an array, using RR can actually 
decrease your load-sharing across the array.
            Since we're talking about WPAD here, you *must* bear in mind that 
the script obtained from the ISA contains a list of servers by name or IP, 
depending on your configuration.

            If you try to round-robin or (worse yet), NLB these IPs, 
client-side CARP will fight with the LB mechanism.

            BTW, there's nothing wrong with multiple internal subnets.
            In fact, it can help you control segmentation better, because no DG 
== no non-local subnet & blackhole routers == no non-local subnet.

--------------------------------------------------------------------

            From: isalist-bounce@xxxxxxxxxxxxx on behalf of Ball, Dan
            Sent: Fri 9/1/2006 4:20 AM
            To: isalist@xxxxxxxxxxxxx
            Subject: [isalist] Re: wpad.dat DNS entry


            Okay, my bad, someday I'll get those terms right.  What you say 
makes sense, it's definitely an option.



            I'm just hoping our WAN fiber goes into place soon, then I won't 
have to worry about multiple internal sub-nets anymore.




--------------------------------------------------------------------

            From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
            Sent: Thursday, August 31, 2006 2:25 PM
            To: isalist@xxxxxxxxxxxxx
            Subject: [isalist] Re: wpad.dat DNS entry



            Hi Dan,



            I said "Except SNAT".

            Moreover, unless a special client is required to be SNAT, like a published 
server, FWC plus WPC shall be deployed to most of
            clients under an ISA Firewall environment, so we can maximize the benefit 
provided by ISA, right?

            So even if there is a gateway at the client side, most of them shall go 
through an FWC or WPC connection.

            Again, I try to say the positive point of the DNS round robin feature, 
that's it.



            HTH,



            Roy 

              ----- Original Message ----- 

              From: Thomas W Shinder 

              To: isalist@xxxxxxxxxxxxx 

              Sent: Friday, September 01, 2006 1:37 AM

              Subject: [isalist] Re: wpad.dat DNS entry



              I've done it in many deployments, and IIRC, that's how they do it 
at MS.



              Thomas W Shinder, M.D.
              Site: www.isaserver.org
              Blog: http://blogs.isaserver.org/shinder/
              Book: http://tinyurl.com/3xqb7
              MVP -- ISA Firewalls






----------------------------------------------------------------

                From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
                Sent: Thursday, August 31, 2006 12:26 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: wpad.dat DNS entry

                We had briefly touched upon this topic about a year or so ago, 
but I wasn't aware that it was an actual common practice.




----------------------------------------------------------------

                From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                Sent: Thursday, August 31, 2006 12:18 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: wpad.dat DNS entry



                Hi Dan,



                In most secure environments you don't give the clients a 
default gateway and use the Firewall and Web proxy client configurations to 
enforce security. So, this might work fine using RR DNS.



                Thomas W Shinder, M.D.
                Site: www.isaserver.org
                Blog: http://blogs.isaserver.org/shinder/
                Book: http://tinyurl.com/3xqb7
                MVP -- ISA Firewalls






--------------------------------------------------------------

                  From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
                  Sent: Thursday, August 31, 2006 11:02 AM
                  To: isalist@xxxxxxxxxxxxx
                  Subject: [isalist] Re: wpad.dat DNS entry

                  I'd have to say no.

                  -          External sites are resolved by DNS server.

                  -          Resolved sites are referenced then by IP address.

                  -          Since an external site is resolved to an IP that 
is not a "local" address, it resorts to using the default gateway to connect.

                  -          Default gateways are entered by IP, not hostname, 
nullifying the round-robin DNS abilities.



                  The exception to this might be if you use the FWC, then you 
might be able to redirect all connections via DNS entries.  You might be able 
to share the proxy address too, but that default gateway is a kicker.




--------------------------------------------------------------

                  From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
                  Sent: Thursday, August 31, 2006 10:00 AM
                  To: isalist@xxxxxxxxxxxxx
                  Subject: [isalist] Re: wpad.dat DNS entry



                  Hm...



                  You have two ISA SE; let's say their internal interface IP 
addresses are 192.168.0.1/24 and 192.168.0.2/24.

                  You create two A records in DNS, isa.dan.local -> 192.168.0.1   
and  isa.dan.local -> 192.168.0.2

                  Then by DNS round robin, your internal clients (except SNAT) 
would enjoy the connection to either

                  of the ISA SE servers for outbound connections, make sense? 

                    ----- Original Message ----- 

                    From: Ball, Dan 

                    To: isalist@xxxxxxxxxxxxx 

                    Sent: Thursday, August 31, 2006 9:01 PM

                    Subject: [isalist] Re: wpad.dat DNS entry



                    I think that would only work on inbound connections.  You 
can't define round-robin DNS entries for someone else's server!




------------------------------------------------------------

                    From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
                    Sent: Thursday, August 31, 2006 8:42 AM
                    To: isalist@xxxxxxxxxxxxx
                    Subject: [isalist] Re: wpad.dat DNS entry



                    Surely about outbound connection!

                      ----- Original Message ----- 

                      From: Ball, Dan 

                      To: isalist@xxxxxxxxxxxxx 

                      Sent: Thursday, August 31, 2006 8:34 PM

                      Subject: [isalist] Re: wpad.dat DNS entry



                      You referring to incoming or outgoing connections? 




----------------------------------------------------------

                      From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
                      Sent: Thursday, August 31, 2006 8:28 AM
                      To: isalist@xxxxxxxxxxxxx
                      Subject: [isalist] Re: wpad.dat DNS entry



                      Dan,



                      Suppose you have two external lines provided by different 
ISPs; normally two ISA EE are needed, 

                      but by using DNS round robin, you can deploy two ISA SE 
for load balancing..., that's my

                      point.



                      HTH,



                      Roy 

                        ----- Original Message ----- 

                        From: Ball, Dan 

                        To: isalist@xxxxxxxxxxxxx 

                        Sent: Thursday, August 31, 2006 8:19 PM

                        Subject: [isalist] Re: wpad.dat DNS entry



                        No, you would still have that "one default gateway" 
problem.  Besides, that feature is only for DNS entries that "you" control, not 
external.




--------------------------------------------------------

                        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
                        Sent: Thursday, August 31, 2006 4:36 AM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] Re: wpad.dat DNS entry



                        Dan,



                        Your problem is due to the DNS round robin feature, and it 
shall be solved by Stefaan's great 

                        guidance. 

                        On the other hand, don't you think we can utilize such 
round robin as a good feature to

                        implement NLB to balance connections to multiple external 
interfaces by using the ISA STD version

                        only?



                        HTH,



                        Roy Tsao

                          ----- Original Message ----- 

                          From: Stefaan Pouseele 

                          To: isalist@xxxxxxxxxxxxx 

                          Sent: Thursday, August 31, 2006 4:08 PM

                          Subject: [isalist] Re: wpad.dat DNS entry



                          you might check out 
http://support.microsoft.com/?kbid=842197. 



                          HTH, 

                          Stefaan




------------------------------------------------------

                          From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
                          Sent: Thursday, 31 August 2006 3:28
                          To: isalist@xxxxxxxxxxxxx
                          Subject: [isalist] Re: wpad.dat DNS entry

                          Good article, it sounds very similar to my scenario.  
I already had the "enable netmask ordering" option enabled, so that is not the 
problem.  Do you think it might be because each of the 10.6.x.x subnets have a 
mask of 255.255.255.0?  








------------------------------------------------------

                          From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
                          Sent: Wednesday, August 30, 2006 3:57 PM
                          To: isalist@xxxxxxxxxxxxx
                          Subject: [isalist] Re: wpad.dat DNS entry



                          Hi Dan, 



                          check out my blog 
http://blogs.isaserver.org/pouseele/2006/06/30/multi-networking-wpad-support-in-isa-2004/.
 



                          HTH, 

                          Stefaan




------------------------------------------------------

                          From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
                          Sent: Wednesday, 30 August 2006 21:47
                          To: isalist@xxxxxxxxxxxxx
                          Subject: [isalist] wpad.dat DNS entry

                          I'm having a serious problem here with the wpad name 
resolution.  I moved it from being sent out via DHCP to DNS per Jim's 
recommendation, which seems to have sped up some things, but is now 
unreliable and causing problems.



                          The problem appears to be the multiple internal 
subnets.  Here is a diagram of how it is laid out:

                          Internet
                              |
                          ISA Server --- Internal Network 1 (10.20.1.1)
                              |
                          Internal Network 2 (10.6.254.90) ---- 10.6.8.x Subnet
                                                                |-- 10.6.9.x Subnet
                                                                |-- 10.6.10.x Subnet
                                                                |-- 10.6.12.x Subnet
                                                                |-- 10.6.14.x Subnet
                                                                |-- 10.6.15.x Subnet


                          I entered two Host (A) records for wpad, one for 
10.20.1.1, and another for 10.6.254.90.  



                          Frequently I run across computers on the 10.6.x.x 
subnet where the FWC cannot automatically detect the ISA server, so I ping wpad 
and it resolves to the 10.20.1.1 address instead of the 10.6.254.90 address 
that it is supposed to get.  I try repairs and such, it keeps resolving to the 
wrong one.  When I reboot the computer, it resolves to the correct IP and works 
properly.  I reboot the computer several times, and it gets the correct 
address.  But, I'll hear of another computer having problems, and I'll check 
and it is the same problem.  This is not going to be pretty over the next few 
days as teachers come back to work after summer vacation.



                          What is the best way to resolve this?  Change it back 
to DHCP, customize host files, etc?  

            All mail to and from this domain is GFI-scanned.
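Editor's worked example for Dan's original wpad problem and the KB 842197 pointer from Stefaan. This is an added simulation, not code from the thread or from Microsoft; it models the Windows DNS behaviour as I understand that article to describe it: the server rotates the answer set (round robin) and then moves any record that shares the querying client's network, under a single priority mask, to the front (netmask ordering). The default mask is class C (/24); the LocalNetPriorityNetMask registry value (0x000000FF for /24, 0x0000FFFF for /16) is quoted from memory and is an assumption here, not something the page states. The wpad addresses and client addresses are constructed from Dan's diagram.

```python
"""Simulation of Windows DNS round robin plus netmask ordering for the two
wpad Host (A) records in the thread (10.20.1.1 and 10.6.254.90).

Added example, not the thread's code. Assumptions: one priority mask is
applied to the whole answer set; host_bits=8 models the default /24 mask
(LocalNetPriorityNetMask 0x000000FF), host_bits=16 models /16 (0x0000FFFF).
"""
import ipaddress

# Constructed from the thread: the two A records Dan entered for "wpad".
WPAD_RECORDS = ["10.20.1.1", "10.6.254.90"]


def netmask_order(answers, client_ip, host_bits=8):
    """Move answers on the client's local network to the front.

    host_bits is the number of host bits in the priority mask. The partition
    is stable: matching and non-matching records keep their relative order.
    """
    net = ipaddress.ip_network(f"{client_ip}/{32 - host_bits}", strict=False)
    local = [a for a in answers if ipaddress.ip_address(a) in net]
    remote = [a for a in answers if ipaddress.ip_address(a) not in net]
    return local + remote


class RoundRobinResolver:
    """Authoritative server for one name that has several A records."""

    def __init__(self, records, host_bits=8):
        self.records = list(records)
        self.host_bits = host_bits
        self._queries = 0

    def answer(self, client_ip):
        # Round robin: rotate the record set by one position per query.
        rot = self._queries % len(self.records)
        self._queries += 1
        rotated = self.records[rot:] + self.records[:rot]
        # Netmask ordering runs on the rotated list: a local match always
        # ends up first; with no match the client just sees the rotation.
        return netmask_order(rotated, client_ip, self.host_bits)


def first_answers(resolver, client_ip, queries):
    """Addresses a client would see as the *first* answer over N queries.

    A Windows stub resolver tries the first address, so a set with more than
    one element means wpad resolution is non-deterministic for that client,
    which is the symptom Dan reports from the 10.6.x.x subnets.
    """
    return {resolver.answer(client_ip)[0] for _ in range(queries)}


if __name__ == "__main__":
    for bits in (8, 16):
        r = RoundRobinResolver(WPAD_RECORDS, host_bits=bits)
        print(f"/{32 - bits} priority mask, client 10.6.8.15 ->",
              sorted(first_answers(r, "10.6.8.15", 4)))
```

The check this encodes: with the default /24 mask, a client on 10.6.8.x is not on the same /24 as either 10.20.1.1 or 10.6.254.90, so netmask ordering never fires and round robin alternates the first answer; a client on 10.20.1.x does match 10.20.1.1 and is never affected. Widening the mask to /16 puts every 10.6.x.x client on the same network as 10.6.254.90 while leaving 10.20.1.x clients matched to 10.20.1.1. The caveat is that the mask is server-wide and changes answer ordering for every multi-homed name, not just wpad, and the fix only helps when the proxy's address really does share a /16 with its clients.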

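Editor's second worked example, for Jim Harrison's point that a round-robin (or NLB) entry for array members "fights" with client-side CARP, and for Raj's observation that the WPAD script names the physical members. This is an added simulation, not ISA code and not from the thread. The hash is the one from the public CARP v1.0 draft as I recall it; ISA's exact implementation is not on the page and is not claimed here. The member names, addresses and URLs are constructed.

```python
"""CARP-style proxy selection against stable versus round-robin DNS.

Added example, not from the thread and not ISA's code. The structural point:
a CARP client hashes each URL against the member *names* in the WPAD script,
picks the winner deterministically, then resolves that name. If the name
itself is round-robined across addresses, one URL lands on several servers
and the cache partitioning CARP is meant to give is lost.
"""
MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _hash_str(s):
    # String hash from the CARP v1.0 draft (assumption: recalled, not verified
    # against ISA): h = rotl(h, 19) + byte, over the lower-cased string.
    h = 0
    for b in s.lower().encode():
        h = (_rotl(h, 19) + b) & MASK32
    return h


def member_hash(name):
    h = _hash_str(name)
    h = (h + h * 0x62531965) & MASK32
    return _rotl(h, 21)


def carp_pick(url, members):
    """Deterministic choice: the member with the highest combined hash."""
    uh = _hash_str(url)
    best, best_score = None, -1
    for m in members:
        c = uh ^ member_hash(m)
        c = (c + c * 0x62531965) & MASK32
        c = _rotl(c, 21)
        if c > best_score:
            best, best_score = m, c
    return best


class RotatingDns:
    """Name -> address list, rotated one step per query (round robin)."""

    def __init__(self, table):
        self._table = {k: list(v) for k, v in table.items()}
        self._n = {k: 0 for k in table}

    def resolve(self, name):
        ips = self._table[name]
        ip = ips[self._n[name] % len(ips)]
        self._n[name] += 1
        return ip


def servers_hit(urls, clients, members, dns):
    """For each URL, the set of server addresses that `clients` clients reached."""
    hits = {}
    for url in urls:
        for _ in range(clients):
            name = carp_pick(url, members)  # identical for every client
            hits.setdefault(url, set()).add(dns.resolve(name))
    return hits


# Constructed data: two array members as a WPAD script would name them.
MEMBERS = ["isa1.dan.local", "isa2.dan.local"]
URLS = ["http://www.example.com/a", "http://www.example.org/b"]

if __name__ == "__main__":
    stable = RotatingDns({"isa1.dan.local": ["192.168.0.1"],
                          "isa2.dan.local": ["192.168.0.2"]})
    rr = RotatingDns({"isa1.dan.local": ["192.168.0.1", "192.168.0.2"],
                      "isa2.dan.local": ["192.168.0.1", "192.168.0.2"]})
    print("stable DNS:     ", servers_hit(URLS, 4, MEMBERS, stable))
    print("round-robin DNS:", servers_hit(URLS, 4, MEMBERS, rr))
```

With one address per member name, every URL is served by exactly one member, which is what lets each member cache its own slice. Once the member names resolve round robin, the same URL reaches every address over a handful of clients, so each server ends up fetching and caching everything and the two mechanisms cancel each other. Raj's netstat check from the thread is the practical way to confirm which names and addresses the clients are actually using.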