OK, so ... assuming that the primary DNS is on the public side of ISA - you will need to create a packet filter on the ISA server to allow the zone transfer. There are protocols already created for "DNS Zone Transfer" & "DNS Zone Transfer Server" (look in Policy Elements/Protocols in the ISA MMC to see how they are set up), but these won't be available for Packet Filters.

In the ISA MMC right-click on IP Packet Filters (in Access Policy) and select new, then filter. Name the filter, select allow, select custom, set it up for protocol=TCP direction=inbound local port=53 remote port=all, use the default external interface, and restrict it to the IP address of your current firewall. I wouldn't leave the packet filter enabled indefinitely, but it should allow you to get the zones transferred.

As a side note - it would be far better to set up a DNS server *behind* ISA, and then server publish it. Running other processes on the ISA server is a security risk (as you most likely already know).

Paul Nuernberger

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Thursday, October 23, 2003 3:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Zone XFers

http://www.ISAserver.org

Actually, I am replacing my aging firewall with ISA. My old firewall also served as the SOA for my public domains. I wanted my ISA server to also serve in this manner when I eventually shut off my old firewall. For now I was trying to get my Primary Zone file transferred off my old firewall and onto my ISA server; when I turn off my old firewall all I need to do is change my zone file from secondary to primary on the ISA server. Make sense? So for now I cannot even get the zone transferred .. ?

-----Original Message-----
From: Paul Nuernberger [mailto:pen@xxxxxxxxx]
Sent: Thursday, October 23, 2003 3:59 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Zone XFers

Glenn, are you using ISA as a DNS Server or just trying to get the information to a DNS server behind ISA ??

Paul Nuernberger

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Thursday, October 23, 2003 2:41 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Zone XFers

Ok - did that and the same results, was unable to xfer zone, in addition, I was no longer able to do NSLOOKUPs so I re-enabled the DNS Filter ... The DNS Filter definition is for DNS lookups, do I have to create special packet filters and apply them to the Public interface of ISA to get a successful Zone XFer ?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, October 23, 2003 3:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Zone XFers

Hi Glenn,

Disable the DNS filter and try it again.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Thursday, October 23, 2003 2:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] DNS Zone XFers
Importance: High

To allow DNS Zone XFers onto a Microsoft ISA Server, does one have to create Protocol Rules that include the pre-defined DNS protocols? I get a 6523 error when I try to create a secondary zone file and transfer it from my primary DNS Server ???

Thank U
Glenn

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')