RE: Browser exceptions and FQDN internal addresses

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 9 Dec 2004 14:54:39 -0600

Hi Nate,

What do the hosts that get that error have in common?

Thanks! 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: nmead@xxxxxxxx [mailto:nmead@xxxxxxxx] 
Sent: Thursday, December 09, 2004 1:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Browser exceptions and FQDN internal addresses

http://www.ISAserver.org



According to the HowTo article on the site, this is exactly what I have
already done.

<snip>
Web and DNS Servers Hosted by ISP or 3rd Party Hosting Service

Another situation commonly seen with smaller networks is when the DNS
and the Web servers are hosted by an ISP or hosting service. In this
case, the internal network uses the same domain name as the Web site.
When you try to access the server on the Internet by going to
www.domain.com, the request fails. The reason for this is that the
internal network clients query your internal DNS server which is
authoritative for the domain.com domain (assuming that you're using an
Active Directory domain). The DNS server on your internal network looks
for an entry for www in its zone database for domain.com, it doesn't
find an answer and informs you of this fact.

This is an easy problem to solve. All you need to do is enter resource
records for the resources that are hosted externally. For example, if
you have a Web server hosted by someone else, just put in a Host (A)
entry for www in your domain.com forward lookup zone. Put the actual
public address in the Host (A) record. The only limitation this creates
is that you can't host a server by the same name on the internal
network. That's because the name is already taken by the external
network server!

<snip>

My A record for www points to the public IP address of the hosted
website.

When some users try to access it, they get:

403 Forbidden - The ISA Server denies the specified Uniform Resource
Locator (URL). (12202) Internet Security and Acceleration Server


All clients are firewall clients.

Thanks,
Nate




-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, December 09, 2004 1:32 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Browser exceptions and FQDN internal addresses

You need to create a split DNS and configure the internal machines to
use the Internal DNS server when using direct access. Then, create an A
record for www.domain.com in your internal DNS that resolves the name to
the non-internal address clients need to connect. Make sure you've
configured your clients as firewall clients too (improves both security
and functionality).

HTH,

Tom


-----Original Message-----
From: nmead@xxxxxxxx [mailto:nmead@xxxxxxxx]
Sent: Thursday, December 09, 2004 11:38 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Browser exceptions and FQDN internal addresses

I was wondering the best way to address this issue. I need a way to
not proxy local addresses (internal web applications), so I added
*.mydomain.com, BUT I still need users to hit 'www.mydomain.com', which
is not hosted internally. I had created a DNS entry internally for
'www' and pointed it to the correct public IP address in the hopes that
it would resolve and realize that it was in fact external, but this
appears to work spotty at best; on some machines it works, on some it
doesn't.

In addition to the wildcard domain exception, I also have network
exceptions listed 10.*, etc. but we found that clients would still make
either initial requests to (causing 5-10 second delay) or completely
utilize the ISA server to hit internal apps without the domain
exception.

All clients are using the firewall client and I have the LAT set up with
all of our internal addresses.

The reason we need to use FQDNs for internal web applications is due to
having multiple domains on our network (sister companies) and the users
in each domain need access to multiple 'internal' companies' web
applications. Therefore we need to address local intranet applications
via FQDN.

So is there an easier way for me to create an exception to the
*.mydomain.com browser exception? Or will I have to enter in all
internal web applications and remove the wildcard exception?

Any ideas would be appreciated...
Thanks,
Nate
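
The "exception to the *.mydomain.com exception" asked about in this thread, written as a proxy auto-config (PAC) function. This is an added example, not part of the original messages and not ISA Server's own script. The proxy name isa.mydomain.com:8080, the host lists and the helper names are assumptions.

```javascript
// Added example. Hypothetical values: proxy listener, host lists, 10.0.0.0/8.
var PROXY = "PROXY isa.mydomain.com:8080";   // assumed ISA web proxy listener
var EXTERNAL_HOSTS = ["www.mydomain.com"];   // hosted outside, same DNS suffix
var INTERNAL_SUFFIXES = [".mydomain.com"];   // sister-company domains go here too

function endsWith(s, suffix) {
  return s.length >= suffix.length &&
         s.substring(s.length - suffix.length) === suffix;
}

// True for dotted-quad literals in 10.0.0.0/8 (the "10.*" network exception).
function isTenNet(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) if (Number(m[i]) > 255) return false;
  return Number(m[1]) === 10;
}

function FindProxyForURL(url, host) {
  var h = host.toLowerCase().replace(/\.$/, "");  // normalise case, trailing dot
  var i;
  // 1. Named external hosts are checked before the wildcard, so they win.
  for (i = 0; i < EXTERNAL_HOSTS.length; i++) {
    if (h === EXTERNAL_HOSTS[i]) return PROXY;
  }
  // 2. Single-label names and 10.* literals are treated as internal.
  if (h.indexOf(".") === -1 || isTenNet(h)) return "DIRECT";
  // 3. Everything else under an internal suffix goes direct. The leading
  //    dot anchors the match, so "evilmydomain.com" does not qualify.
  for (i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (endsWith(h, INTERNAL_SUFFIXES[i])) return "DIRECT";
  }
  // 4. Default: through the proxy, with no DIRECT fallback, so a proxy
  //    outage cannot silently become unfiltered Internet access.
  return PROXY;
}
```

Rule order carries the logic: the exact-host check has to run before the suffix check, otherwise www.mydomain.com is swallowed by the wildcard.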


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
nmead@xxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx



