Re: HTTP-DNS Problem with WAN Site

  • From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 9 Dec 2003 20:52:21 +0200

Hey Jim... would you perhaps have any comments for me on my observations
below?

-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
Sent: 09 December 2003 15:47 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: HTTP-DNS Problem with WAN Site

http://www.ISAserver.org

Hi Jim,

I've just been planning to implement your suggested changes, but then I
realised the following:
- Creating my own Primary DNS for the specific zone won't help because the
current IP Addresses listed in the secondary zone are in fact the correct
private address
- So if I delete this secondary and make my own primary with the same
addresses, it doesn't do anything for me as I am going to be back where I
started.
- The problem is that the servers I need to access are still outside/beyond
my ISA Firewall so I cannot include that domain in my LDT as I need ISA to
pass the request on.

In my opinion the problem is that either the ISA or IE Web Browser does not
make use of my internal DNS servers when it comes to querying this secondary
zone. And in light of this the query for the specific zone is handed off to
my ISP's public DNS servers who then reply with the public address of the
web servers.

The only way I can see this happening is if the ISA itself decides to
"bypass" the internal DNS Servers because he feels for some reason that the
internal DNS Servers won't "know" about the requested domain, or
alternatively, my DNS servers decide that because it is ISA that is making
the request the zone must be public and so the request is forwarded...

I know, I'm rambling, but does anyone perhaps have a similar scenario that
they can test this and see if they have the same problem?

Cheers
William R.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 08 December 2003 20:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: HTTP-DNS Problem with WAN Site

14120 happens (mostly) when internal clients try to access ISA-published
resources using an ISA-external IP because either they or ISA resolves the
server name to an ISA external IP.
Remember; by default, ISA resolves names for Web Proxy and Firewall clients.
If it determines that home.ast.co.za is an external IP, that's what the
clients believe, too.
You're better off adding that domain to the LDT and ditching the secondary
zone for home.ast.co.za.
Create a primary zone of that name and enter your internal IPs.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message -----
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, December 08, 2003 10:32
Subject: [isalist] Re: HTTP-DNS Problem with WAN Site


Yeah, I'm not quite sure I actually understand that... I've read the article
once before and was a little out of my depth at the time. S'pose I'll just
try again though. Do you believe that if I follow that article again I
should be able to resolve my problem?

What is the 14120 error?

Cheers
William R.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 08 December 2003 20:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: HTTP-DNS Problem with WAN Site

This is a candidate for the ubiquitous 14120 error.
Your ISA is resolving according to the DNS configuration and the DNS servers
it speaks to.
Take a read in Tom's "Split DNS" article.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message -----
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, December 08, 2003 09:41
Subject: [isalist] Re: HTTP-DNS Problem with WAN Site


Dang, dodgy fonts creeping in all over the place...

Anyway, thanks on the terminology clarification, s'pose it depends on what
view you take and these days it sometimes feels like I'm protecting the
internet from my internal users, hehe...

The DNS setup of my firewall is as follows:
External NIC
- No DNS settings whatsoever

Internal NIC
- Primary & Secondary DNS (& WINS) is set to my own private DNS (which is
hosting the secondary DNS for my parent company)
- Other DNS Settings:
  - "Append primary & connection specific DNS suffixes" enabled with
    the "Append parent suffixes of the primary DNS suffix" selected
  - "DNS suffix for this connection" - Empty
  - "Register the connection's addresses in DNS" - selected

My WEBProxy log shows the following:
<MyIP>,<MyUserName>, Mozilla/4.0 (comp....), Y, 12/8/2003, 19:34:41,
w3proxy, <FIREWALL>, -, home.ast.co.za, 196.25.52.23, 80, 22938, 597, 0,
http, TCP, GET, http://home.ast.co.za/, -, Inet, 10060, 0x0, pWEB Users,
scWEB Users

Now you won't know this, but the IP Address that has been resolved above
(196.25.52.23) is not correct. This is most likely the public IP Address for
this website, but the IP I need to use is a private B-Class address
(172.16.x.x) which will get routed via my WAN link. So obviously the problem is that
my ISA Firewall (or my IE Web Browser) has not used my local DNS server to
do the lookup. Hmmm.... Any thoughts on how I can get this to work Jim? I
recall a while ago I posted an issue trying to understand how IE & ISA use
DNS to resolve the site names, but the answer I got there didn't help in
solving this dilemma, so maybe you've got a trump card for me?

Cheers
William R.



-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 08 December 2003 17:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: HTTP-DNS Problem with WAN Site

No, ya didn't, but I'll answer anyway.  ;-)

..that's not "behind" ISA; that's "in front of"...
What's in the ISA WEBEXT..log?

Does ISA know to use your DNS server for that domain?

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message -----
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, December 07, 2003 23:34
Subject: [isalist] HTTP-DNS Problem with WAN Site


(Ha, fixed it this time…)

Hi there



I have what I think is an interesting scenario. My whole ISA setup currently
works like a charm for all of the fancy schmancy requests I've had from my
users. But this latest one baffles me intensely. I have a PIX firewall
behind my ISA (LAN → ISA → PIX → Internet), off which I host a DMZ segment
to my parent company over a WAN link.



My DNS Server is also hosting a secondary DNS to their primary Windows 2000
DNS Servers so that I am able to name lookup their servers etc. I have thus
also added their domain name to my "Append these DNS suffixes..." option
under TCP/IP DNS properties on my workstation, and any nslookup for a server
in their domain works 100%.



The problem is though, when I try and connect to ANY of their websites (and
there are quite a few) via IE, I can only connect by using the IP Address of
the site, and *NOT* the FQDN. As noted, all DNS lookups work fine, (except
Reverse Lookups - is that a problem?), and I cannot think of anything else
more to try. I have enabled debugging on my PIX to see if there is any
traffic, and when using the FQDN the traffic does not even get to my PIX, so
that tells me the problem is between my IE and the ISA.



Is there perhaps someone who has a similar scenario that may be able to
suggest something?



Cheers

William R.




---------------------------------------------------------------------
Everything in this e-mail and attachments relating to the official
business of Columbus Stainless is proprietary to the company. It is
confidential, legally privileged and protected by law. Columbus
Stainless does not own and endorse any other content. Views and
opinions are those of the sender unless clearly stated as being that
of Columbus Stainless. The person addressed in the e-mail is the sole
authorised recipient.  Please notify the sender immediately if it has
unintentionally reached you and do not read, disclose or use the
content in any way. Whilst all reasonable steps are taken to ensure
the accuracy and integrity of information and data transmitted
electronically and to preserve the confidentiality thereof, no
liability or responsibility whatsoever is accepted if information or
data is,for whatever reason, corrupted or does not reach its intended
destination.
---------------------------------------------------------------------


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
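
An added example, not part of the original thread: a small Python check that scans Web Proxy log lines laid out like the one William quotes and reports requests for the WAN-hosted zone whose destination IP fell outside the expected private range. The field positions are counted from that quoted line, and the zone list, the 172.16.0.0/16 range, the client values and the extra log lines are assumptions constructed for illustration.

```python
import ipaddress

# Field positions counted from the Web Proxy log line quoted in the thread
# (an assumption based on that one sample, not on ISA documentation).
F_CLIENT, F_HOST, F_DEST_IP, F_RESULT = 0, 9, 10, 21

# Assumptions: the zone reached over the WAN link and the private range
# its names are expected to resolve into (the thread only says 172.16.x.x).
WAN_ZONES = ("home.ast.co.za",)
WAN_NETS = (ipaddress.ip_network("172.16.0.0/16"),)

# Constructed sample: line 1 follows the thread's log line with placeholder
# client values filled in; lines 2-4 are invented for contrast.
SAMPLE_LOG = """
10.0.0.25,wrobertson, Mozilla/4.0 (comp....), Y, 12/8/2003, 19:34:41, w3proxy, FW01, -, home.ast.co.za, 196.25.52.23, 80, 22938, 597, 0, http, TCP, GET, http://home.ast.co.za/, -, Inet, 10060, 0x0, pWEB Users, scWEB Users
10.0.0.31,jsmith, Mozilla/4.0 (comp....), Y, 12/8/2003, 19:40:02, w3proxy, FW01, -, home.ast.co.za, 172.16.4.10, 80, 120, 597, 8120, http, TCP, GET, http://home.ast.co.za/, -, Inet, 200, 0x0, pWEB Users, scWEB Users
10.0.0.31,jsmith, Mozilla/4.0 (comp....), Y, 12/8/2003, 19:41:10, w3proxy, FW01, -, www.example.com, 93.184.216.34, 80, 300, 410, 5200, http, TCP, GET, http://www.example.com/, -, Inet, 200, 0x0, pWEB Users, scWEB Users
10.0.0.40,akhan, Mozilla/4.0 (comp....), Y, 12/8/2003, 19:42:55, w3proxy, FW01, -, home.ast.co.za, -, 80, 15, 597, 0, http, TCP, GET, http://home.ast.co.za/, -, Inet, 11001, 0x0, pWEB Users, scWEB Users
"""


def in_zone(host, zones):
    """True when host is the zone name itself or a name below it."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in zones)


def misresolved(log_text, zones=WAN_ZONES, nets=WAN_NETS):
    """Return (client, host, dest_ip, result) for WAN-zone requests whose
    destination IP is outside the expected private networks."""
    findings = []
    for line in log_text.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) <= F_RESULT:
            continue  # short or malformed line
        host, dest = fields[F_HOST], fields[F_DEST_IP]
        if not in_zone(host, zones):
            continue  # not a name we expect to stay on the WAN
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:
            continue  # "-" or empty: nothing was resolved for this request
        if not any(addr in net for net in nets):
            findings.append((fields[F_CLIENT], host, dest, fields[F_RESULT]))
    return findings


if __name__ == "__main__":
    for client, host, dest, result in misresolved(SAMPLE_LOG):
        print(f"{client}: {host} resolved to {dest} (result {result})")
```

A hit means the name was resolved by something other than the internal DNS servers that hold the zone, which is the condition William describes for 196.25.52.23.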

