RE: ISA Publish Scenario

• From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Mon, 9 Aug 2004 22:50:06 -0500

Hi John,

They are WRONG. What security risk does having public and private DNS
zones, which share NO information at all, pose to the organization?

The good news is that I understand the Microsoft courseware is being
update to reflect the fact in an "Access Anywhere" world, you're in a
boat without an oar without using a split DNS. I use it for every
rollout I can, and even when the poor sod's started with a dreaded
.local, we can still get them up and running with a split DNS by just
adding the proper zone files on their current internal and external DNS
servers. It just removes a bit of the complete transparency.

I don't see how stub zones would solve the problem that a split DNS
solves -- complete and total transparency for users who roam between
internal and external networks. Do you think Microsoft employees have to
remember what names where used on their internal network and when they
go off site? 

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Monday, August 09, 2004 8:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Publish Scenario


http://www.ISAserver.org

1. I was taught from the get go to when ever and where ever possible, do
not
use the same internal domain name for AD as the external name.
2. Doesn't Windows Server 2003 DNS allow stub zones or such, to where
you
can include some records, and all others send to another server?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Monday, August 09, 2004 6:14 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA Publish Scenario
> 
> http://www.ISAserver.org
> 
> Hi William,
> 
> It sure would be nice if the Microsoft DNS supported views, it would
> make life a lot simpler. As it stands right now, you need to use two
> separate machines to host the Internal and External zones.
> 
> Tom
> www.isaserver.org/shinder
> Get the book!
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
> 
> 
> -----Original Message-----
> From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx]
> Sent: Monday, August 09, 2004 8:01 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA Publish Scenario
> 
> 
> http://www.ISAserver.org
> 
> Hello Tom,
> 
> The next question is does Microsoft intend to support a DNS server
that
> handles a split DNS environment?  That is similar to views that are
> available
> in Bind 9.  When a request is made from an internal host you should
get
> one
> set of information. When the request comes from an external address
you
> should get another.
> 
> In our environment we are not primary on our dns so its quite
difficult
> to
> set up a split DNS. I could change the zone file after receiving it
from
> the
> primary name server but that's quite ugly.
> 
> Thanks
> 
> Bill
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Monday, August 09, 2004 8:48 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA Publish Scenario
> 
> http://www.ISAserver.org
> 
> Hi William,
> 
> The answer is *always* to create a split DNS. The ISA firewall really
> doesn't
> like looping back through itself for requests from Internal network
> clients.
> As you're noticed, when SecureNAT clients try to loop back through the
> ISA
> firewall, it doesn't work because the ISA firewall isn't proxying the
> request. It will work at times with the Firewall client (since its
> acting as
> a Winsock proxy) and will always work with the Web Proxy client.
> 
> Also, the ISA firewall doesn't have an integrated mode. You also get
all
> firewall features with the ISA firewall, although you can cripple it
by
> installing it in single NIC mode.
> 
> HTH,
> Tom
> 
> -----Original Message-----
> From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx]
> Sent: Monday, August 09, 2004 7:25 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] ISA Publish Scenario
> 
> http://www.ISAserver.org
> 
> Hello,
> 
> I am setting up ISA 2004 to publish several web servers. I have a
> diagram at:
> http://www.cs.cornell.edu/~wtholmes/publishingsetup.htm
> 
> 
> With this setup there is a split routing problem and I was wondering
if
> there
> is a way to fix this within ISA.
> 
> The external listener on the ISA server is on the DMZ network. When a
> web
> request comes into this listener from an external client everything
> works as
> expected. The request goes through the Checkpoint firewall to the DMZ
to
> the
> ISA server which requests the page from the appropriate back-end web
> server.
> 
> However when the request comes from an internal client it passes
through
> the
> checkpoint firewall to the ISA server which responds its internal
> interface.
> This creates a split route. The checkpoint firewall seeing the
incoming
> request but never seeing the outgoing request drops the connection.
The
> ISA
> server sees a request coming to its external interface from a subnet
> that
> should only appear on its internal interface and also drops the
> connection.
> 
> Solutions not involving ISA:
> 
> 1. Create a split DNS so that requests for
> http://isaserver_listener_address
> from an internal host are directed to the internal network interface
on
> the
> ISA server.
> 
> 2. Modify the routing tables in the CISCO router to redirect requests
to
> the
> DMZ listener's address on the ISA server to the internal ISA server
> address.
> 
> 3. Configure all clients to use the ISA server as their web proxy.
> 
> My question: Is there a way to configure ISA so that requests received
> on its
> external interface are answered on its external interface regardless
of
> the
> source IP. In other words when publishing a web site can you ignore
> normal IP
> routing.
> 
> The answer is likely a no but I just thought I would ask.
> 
> Thanks
> 
> Bill
> 
> William Holmes (MCP)
> Department of Computer Science
> 310 Upson Hall
> Cornell University
> Ithaca, NY 14853
> wtholmes@xxxxxxxxxxxxxx
> 607 255-1757 (o) 607 227-6049 (c)
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com Leading
> Network
> Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
> Security Resource Site: http://www.windowsecurity.com/ Network
Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
> http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com Leading
> Network
> Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
> Security Resource Site: http://www.windowsecurity.com/ Network
Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
> http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> wtholmes@xxxxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> johnlist@xxxxxxxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

Other related posts:

• » ISA Publish Scenario
• » RE: ISA Publish Scenario
• » RE: ISA Publish Scenario
• » RE: ISA Publish Scenario
• » RE: ISA Publish Scenario
• » RE: ISA Publish Scenario
• » RE: ISA Publish Scenario
• » RE: ISA Publish Scenario
• » RE: ISA Publish Scenario
• » RE: ISA Publish Scenario

1. Home
2. isalist
3. Archive
4. 08-2004

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---