Hi Duncan,

In the DNS Access Rule, you can create computer objects for the Internal DNS servers and you can configure a computer object for the DNS forwarder. Then the SOURCE is the DNS server computer objects and the DESTINATION is the DNS forwarder. The PROTOCOL is DNS. Allow ALL USERS in the Access Rule.

Not sure what you mean by "all servers bar the second NIC in the ISA firewall point to the internal DNS servers"

HTH,
Tom
www.isaserver.org/shinder
Get the book! Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Duncan J Cameron [mailto:duncan@xxxxxxxxxxxxxxxxxxxx]
Sent: Sunday, September 26, 2004 3:56 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

http://www.ISAserver.org

Internal DNS Servers have forwarders set up to forward to the ISP's DNS Servers, DHCP assigns internal DNS Servers to clients, all servers bar the second NIC in the ISA point to the internal DNS Servers.

I will remove the ISP DNS servers from the second NIC and leave it with no DNS, but it's getting the rule to allow DNS traffic out on the ISA I am having trouble with. As far as I am aware I have written a rule that should let the traffic out, I must have something wrong. Do you know if there is any URL where I could get screen shots of how it should be?

Regards
Duncan

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: 26 September 2004 21:43
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

Hi Duncan,

Again, remove the external DNS server from the external interface of the ISA firewall.
Configure internal DNS servers to resolve Internet host names.
Configure internal network clients to use those DNS servers.
Configure Access Rules allowing the DNS servers outbound access to Internet DNS servers using the DNS protocol.

HTH,
Tom

-----Original Message-----
From: Duncan J Cameron [mailto:duncan@xxxxxxxxxxxxxxxxxxxx]
Sent: Sunday, September 26, 2004 3:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

Have successfully written a rule to allow http & https traffic out for designated users, have tried writing one to allow DNS out but just keep getting a message in the ISA log saying DNS blocked or denied. The only reason I think web traffic is working is down to all clients' web browsers pointing to ISA on port 8080. Each PC's DG way is the local NIC of the ISA. The outside NIC has the ISP's DNS Servers, the internal NIC is set to use the internal DNS Servers.

Duncan

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: 26 September 2004 21:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

Have you created any access rules??

S

-----Original Message-----
From: Duncan J Cameron [mailto:duncan@xxxxxxxxxxxxxxxxxxxx]
Sent: Sunday, September 26, 2004 4:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

Hello

Was just thinking now, for outbound DNS I could just set the 2 DCs' DGs to the HW FW, and write a rule on the FW to only allow their 2 IPs out on the port 53 only.

I have only installed the FW Client from the installation share of ISA. I tried to write ISA FW policy but I am confused as to what the ISA System policies are, they are what appear to be blocking the nslookups.

Duncan

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: 26 September 2004 20:36
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 Design and Config

Hi Duncan,

Are you using:

Firewall client?
SecureNAT client?
Web Proxy client?

Remove the public DNS server from the external interface and put the internal interface on the top of the interface list.

Create Access Rules allowing the traffic you want outbound. How would you exert access control if a "hardware" firewall were installed? Just let everything out?

HTH,
Tom

-----Original Message-----
From: duncan@xxxxxxxxxxxxxxxxxxxx [mailto:duncan@xxxxxxxxxxxxxxxxxxxx]
Sent: Sunday, September 26, 2004 3:36 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA 2004 Design and Config

Can someone please give me some advice on the following.

I am currently working on a system upgrade for a client. The previous domain was a Win NT4 Domain. I started the upgrade on Friday this week; so far I have upgraded the domain to 2003 AD, migrated all data, migrated Exchange 5.5 server to Exchange 2003, migrated SQL to SQL 2000, set up Citrix Meta frame XPa farm & MS SUS Server.

All Servers are HP ML370, 2gb, 3.06 Xeon

2 x 2003 Domain Controllers
1 x 2004 Exchange Server
1 x SQL 2000, on 2003 Server
1 x 2003 File Print
2 x 2003 Citrix Xpa Terminal Server
1 x 2003 SUS Server
1 x ISA 2004 running on 2003, 2nd NIC Installed

Started to configure ISA today. I have never installed ISA before and am having an absolute nightmare; I normally just install a Hardware Firewall. I am unsure how ISA should be configured 100%.

I have web access working at the moment through the ISA Server but nslookups are failing externally.

Current config: ISA Server has two network cards, protected subnet is 192.168.x.x /24, external card 172.29.x.x /24. External card has ISP's DNS Servers, Internal Card has internal DNS Servers. Internal card has no DG set, external card is connected to protected interface on Hardware FW 172.29.x.254. Protected HWFW Interface then NATs out to Public IP. The current client has a /29 block of IPs, so I have configured the next available IP as an Alias on the HWFW. I then plan to set up the mobile VPN clients to that IP along with the site to site VPNs when I start the satellite offices.

The protected network card of the ISA server is the default GW of every host on the subnet, including all Servers.

Internet traffic is working through ISA but if I try and do an external nslookup the query fails. If I check the ISA logs I see messages saying DNS Closed or sometimes Denied. Nslookups fail from every server including the ISA server.

I think the only reason http traffic is working is due to the ISP's DNS Server being set on the external NIC.

I have tried taking the HW FW out of the equation but still have the same problem of DNS queries failing externally.

The only way I can think of getting this working for the client tomorrow is to set all the other servers' DG to the protected interface of the FW, set up a separate DMZ on one of the other FW interfaces, then connect the ISA's external card to the FW DMZ port. I then plan to only allow port 53 out on the HW FW protected Interface. I will then set up the protected interface on the HW FW to allow 2 way site to site IKE VPNs from the other HW FWs in the satellite offices when they come online.

At the moment it is set up so the protected FW interface is connected to the second NIC of the ISA as a DMZ. With my new plan above, the protected interface on the FW will have a 192 address and will be connected to the same switch as the servers, bypassing the ISA server.

The second card in the ISA will be connected to a separate DMZ and will only be used for incoming SMTP and outgoing http traffic.

All web traffic from both PCs & Servers will go out through the ISA Server. All PCs will have the ISA Server set as their DG, Server will be HW FW.

The hardware FW has a mail proxy. I want it to send SMTP traffic to the external card of the ISA server, then have it somehow proxy to the Exchange server. Can this be done?

Can somebody please advise me on the best practice for the installation I am trying to carry out, as I am unsure of the best ways to set up ISA.

Regards
Duncan Cameron

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
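
The DNS Access Rule described in the most recent reply (source: internal DNS servers, destination: DNS forwarder, protocol: DNS, all users) modelled as a first-match policy with a default deny; this is an added example, not part of the original thread and not ISA Server's own engine. All addresses and names are constructed assumptions, and "all users" is modelled by having no user condition on the rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed addresses (assumptions, not taken from the thread).
INTERNAL_DNS = frozenset({ip_address("192.168.1.10"), ip_address("192.168.1.11")})
DNS_FORWARDER = frozenset({ip_address("203.0.113.53")})  # stands in for the ISP DNS server
DNS_PROTOCOL = frozenset({("udp", 53), ("tcp", 53)})

@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str              # "allow" or "deny"
    sources: frozenset       # computer objects allowed as source
    destinations: frozenset  # computer objects allowed as destination
    protocols: frozenset     # (transport, port) pairs

    def matches(self, src, dst, proto, port):
        return (ip_address(src) in self.sources
                and ip_address(dst) in self.destinations
                and (proto, port) in self.protocols)

# One rule only: DNS servers -> forwarder, DNS protocol, no user condition.
POLICY = [
    AccessRule("DNS servers to forwarder", "allow",
               INTERNAL_DNS, DNS_FORWARDER, DNS_PROTOCOL),
]

def evaluate(policy, src, dst, proto, port):
    """First matching rule wins; anything unmatched falls through to deny."""
    for rule in policy:
        if rule.matches(src, dst, proto, port):
            return rule.action, rule.name
    return "deny", "default deny"

def audit(policy, flows):
    """Return the flows the policy denies, to compare against firewall log entries."""
    return [f for f in flows if evaluate(policy, *f)[0] == "deny"]

# Constructed flows: a DNS server over UDP and TCP, a workstation querying the
# forwarder directly, and a DNS server using a resolver that is not the forwarder.
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.53", "udp", 53),
    ("192.168.1.10", "203.0.113.53", "tcp", 53),
    ("192.168.1.50", "203.0.113.53", "udp", 53),
    ("192.168.1.11", "198.51.100.7", "udp", 53),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(POLICY, *flow))
```
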