Hey Jim... would you perhaps have any comments for me on my observations below?

-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
Sent: 09 December 2003 15:47 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: HTTP-DNS Problem with WAN Site

http://www.ISAserver.org

Hi Jim,

I've just been planning to implement your suggested changes, but then I realised the following:

- Creating my own Primary DNS for the specific zone won't help because the current IP Addresses listed in the secondary zone are in fact the correct private address
- So if I delete this secondary and make my own primary with the same addresses, it doesn't do anything for me as I am going to be back where I started.
- The problem is that the servers I need to access are still outside/beyond my ISA Firewall so I cannot include that domain in my LDT as I need ISA to pass the request on.

In my opinion the problem is that either the ISA or IE Web Browser does not make use of my internal DNS servers when it comes to querying this secondary zone. And in light of this the query for the specific zone is handed off to my ISP's public DNS servers who then reply with the public address of the web servers.

The only way I can see this happening is if the ISA itself decides to "bypass" the internal DNS Servers because he feels for some reason that the internal DNS Servers won't "know" about the requested domain, or alternatively, my DNS servers decide that because it is ISA that is making the request the zone must be public and so the request is forwarded...

I know, I'm rambling, but does anyone perhaps have a similar scenario that they can test this and see if they have the same problem?

Cheers
William R.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 08 December 2003 20:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: HTTP-DNS Problem with WAN Site

http://www.ISAserver.org

14120 happens (mostly) when internal clients try to access ISA-published resources using an ISA-external IP because either they or ISA resolves the server name to an ISA external IP.

Remember; by default, ISA resolves names for Web Proxy and Firewall clients. If it determines that home.ast.co.za is an external IP, that's what the clients believe, too.

You're better off adding that domain to the LDT and ditching the secondary zone for home.ast.co.za. Create a primary zone of that name and enter your internal IPs.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, December 08, 2003 10:32
Subject: [isalist] Re: HTTP-DNS Problem with WAN Site

http://www.ISAserver.org

Yeah, I'm not quite sure I actually understand that... I've read the article once before and was a little out of my depth at the time. S'pose I'll just try again though.

Do you believe that if I follow that article again I should be able to resolve my problem? What is the 14120 error?

Cheers
William R.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 08 December 2003 20:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: HTTP-DNS Problem with WAN Site

http://www.ISAserver.org

This is a candidate for the ubiquitous 14120 error. Your ISA is resolving according to the DNS configuration and the DNS servers it speaks to. Take a read in Tom's "Split DNS" article.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, December 08, 2003 09:41
Subject: [isalist] Re: HTTP-DNS Problem with WAN Site

http://www.ISAserver.org

Dang, dodgy fonts creeping in all over the place...

Anyway, thanks on the terminology clarification, s'pose it depends on what view you take and these days it sometimes feels like I'm protecting the internet from my internal users, hehe...

The DNS setup of my firewall is as follows:

External NIC
- No DNS settings whatsoever

Internal NIC
- Primary & Secondary DNS (& WINS) is set to my own private DNS (which is hosting the secondary DNS for my parent company)
- Other DNS Settings:
  - "Append primary & connection specific DNS suffixes" enabled with the "Append parent suffixes of the primary DNS suffix" selected
  - "DNS suffix for this connection" - Empty
  - "Register the connection's addresses in DNS" - selected

My WEBProxy log shows the following:

<MyIP>,<MyUserName>, Mozilla/4.0 (comp....), Y, 12/8/2003, 19:34:41, w3proxy, <FIREWALL>, -, home.ast.co.za, 196.25.52.23, 80, 22938, 597, 0, http, TCP, GET, http://home.ast.co.za/, -, Inet, 10060, 0x0, pWEB Users, scWEB Users

Now you won't know this, but the IP Address that has been resolved above (196.25.52.23) is not correct. This is most likely the public IP Address for this website, but the IP I need to use is a private B-Class address (172.16.x.x) which will get routed via my WAN link.

So obviously the problem is that my ISA Firewall (or my IE Web Browser) has not used my local DNS server to do the lookup. Hmmm.... Any thoughts on how I can get this to work Jim?
I recall a while ago I posted an issue trying to understand how IE & ISA use DNS to resolve the site names, but the answer I got there didn't help in solving this dilemma, so maybe you've got a trump card for me?

Cheers
William R.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: 08 December 2003 17:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: HTTP-DNS Problem with WAN Site

http://www.ISAserver.org

No, ya didn't, but I'll answer anyway. ;-)

..that's not "behind" ISA; that's "in front of"...

What's in the ISA WEBEXT..log? Does ISA know to use your DNS server for that domain?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, December 07, 2003 23:34
Subject: [isalist] HTTP-DNS Problem with WAN Site

http://www.ISAserver.org

(Ha, fixed it this time…)

Hi there

I have what I think is an interesting scenario. My whole ISA setup currently works like a charm for all of the fancy schmancy requests I’ve had from my users. But this latest one baffles me intensely.

I have a PIX firewall behind my ISA (LAN → ISA → PIX → Internet), off which I host a DMZ segment to my parent company over a WAN link. My DNS Server is also hosting a secondary DNS to their primary Windows 2000 DNS Servers so that I am able to name lookup their servers etc. I have thus also added their domain name to my "Append these DNS suffixes..." option under TCP/IP DNS properties on my workstation, and any nslookup for a server in their domain works 100%.

The problem is though, when I try and connect to ANY of their websites (and there are quite a few) via IE, I can only connect by using the IP Address of the site, and *NOT* the FQDN.
As noted, all DNS lookups work fine, (except Reverse Lookups - is that a problem?), and I cannot think of anything else more to try. I have enabled debugging on my PIX to see if there is any traffic, and when using the FQDN the traffic does not even get to my PIX, so that tells me the problem is between my IE and the ISA.

Is there perhaps someone who has a similar scenario that may be able to suggest something?

Cheers
William R.

---------------------------------------------------------------------
Everything in this e-mail and attachments relating to the official business of Columbus Stainless is proprietary to the company. It is confidential, legally privileged and protected by law. Columbus Stainless does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of Columbus Stainless. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Whilst all reasonable steps are taken to ensure the accuracy and integrity of information and data transmitted electronically and to preserve the confidentiality thereof, no liability or responsibility whatsoever is accepted if information or data is, for whatever reason, corrupted or does not reach its intended destination.
---------------------------------------------------------------------

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
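
An added example (not part of the original thread, and not ISA Server code): a Python check over Web Proxy log lines like the one William quotes, flagging requests where a name in a zone that should resolve to the WAN-side private range was resolved to some other address. The field order is taken from that sample line; the zone-to-network mapping, client addresses and user names are assumptions constructed for the example.

```python
import csv
import ipaddress

# Field positions as they appear in the w3proxy line quoted in the thread
# (assumption: the log is written with this field selection and order).
F_CLIENT, F_DATE, F_TIME, F_HOST, F_DEST_IP, F_RESULT = 0, 4, 5, 9, 10, 21

# Assumption: zones that must resolve to addresses reached over the WAN link.
INTERNAL_ZONES = {"ast.co.za": ipaddress.ip_network("172.16.0.0/16")}

# Constructed sample lines modelled on the one in the thread; client IPs, user
# names, the 172.16.4.10 address and the third line are made up.
SAMPLE_LOG = """\
10.0.0.15, jdoe, Mozilla/4.0 (compatible), Y, 12/8/2003, 19:34:41, w3proxy, FIREWALL, -, home.ast.co.za, 196.25.52.23, 80, 22938, 597, 0, http, TCP, GET, http://home.ast.co.za/, -, Inet, 10060, 0x0, pWEB Users, scWEB Users
10.0.0.15, jdoe, Mozilla/4.0 (compatible), Y, 12/8/2003, 19:36:02, w3proxy, FIREWALL, -, home.ast.co.za, 172.16.4.10, 80, 310, 597, 8211, http, TCP, GET, http://home.ast.co.za/, text/html, Inet, 200, 0x0, pWEB Users, scWEB Users
10.0.0.22, asmith, Mozilla/4.0 (compatible), Y, 12/8/2003, 19:37:10, w3proxy, FIREWALL, -, www.example.com, 93.184.216.34, 80, 120, 400, 1500, http, TCP, GET, http://www.example.com/, text/html, Inet, 200, 0x0, pWEB Users, scWEB Users
"""


def zone_for(host):
    """Return (zone, expected_network) if host belongs to a listed zone."""
    host = host.lower().rstrip(".")
    for zone, net in INTERNAL_ZONES.items():
        if host == zone or host.endswith("." + zone):
            return zone, net
    return None


def find_misresolved(log_text):
    """List requests whose destination IP lies outside the zone's expected range."""
    findings = []
    for row in csv.reader(log_text.splitlines(), skipinitialspace=True):
        if len(row) <= F_RESULT:
            continue  # blank or truncated line
        match = zone_for(row[F_HOST])
        if match is None:
            continue  # host is not in a zone we hold internal records for
        try:
            dest = ipaddress.ip_address(row[F_DEST_IP])
        except ValueError:
            continue  # field is not an address, e.g. "-"
        zone, net = match
        if dest not in net:
            findings.append({
                "when": f"{row[F_DATE]} {row[F_TIME]}",
                "client": row[F_CLIENT],
                "host": row[F_HOST],
                "dest_ip": str(dest),
                "expected": str(net),
                "result": row[F_RESULT],  # 10060 is the Winsock timeout code
            })
    return findings


if __name__ == "__main__":
    for f in find_misresolved(SAMPLE_LOG):
        print(f)
```
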