RE: ISA-/DNS Query-Please Advice

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 14 Aug 2005 08:37:47 -0700

Bad form, Smee.

List rule #1 - Don't be a jerk
List rule #2 - Don't mail anyone directly unless they ask you to.

You need to read the ISA help, and the articles on www.isaserver.org.
There is much about ISA that you need to understand.

-----Original Message-----
From: hodakara kara [mailto:hatem20102011@xxxxxxxxx] 
Sent: Saturday, August 13, 2005 11:46 PM
To: Administrator
Cc: Jim Harrison
Subject: [isalist] RE: ISA-/DNS Query-Please Advice

http://www.ISAserver.org 
Thanks for your reply.

What I understood is that there is no need to install a DNS server on the ISA,
because I do not have external users who will access from the Internet and use
my DNS server to access the computers on my LAN.
I already have an internal DNS on my network, installed on the Domain
Controller itself.
And all the users register themselves in the DNS locally here in my
network.

Is that correct?

So in this case, there is no need at all to install DNS on the ISA; I need
only to let the users use my internal DNS, and if the query cannot be
resolved, the internal DNS will send the query to the ISP DNS (forwarder),
get the reply from the ISP DNS, and then give it back to the users.

Also, I have my Exchange Server 2003 here, with GFI POP3 downloader installed
on it, because I am using POP3 to collect my e-mails from the hosting
company (not the ISP), which is located in the USA: XO.COM.

In the past, we used to put in the SMTP the IP address of my SMTP
server, which was given by the ISP.

And for the POP3, we used to put the MX record for my domain, which is hosted
in the USA.
====================================================================
Second question:

So this is what I want to do. Can you please guide me through the steps:
which protocol rules should I open for outgoing traffic (DNS, SMTP,
POP3, HTTP), and which protocol rules should be closed?
======================================================================
Third question:

No need at all to have any packet filter or application filter,
because in my situation I do not have any users from outside who
connect to the ISA and then access anything on my internal network;
that is why we do not need to configure anything at all on the packet
filter or application filter, and I am only going to work with the
protocol rules. Is that correct or not?
======================================================================


Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

        
        Those are two separate questions.
        You need to install DNS on ISA *or* you need to point the internal
        clients to the ISP DNS server.
        
        -----Original Message-----
        From: hodakara kara [mailto:hatem20102011@xxxxxxxxx] 
        Sent: Saturday, August 13, 2005 12:35 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: ISA-/DNS Query-Please Advice
        
        Dear Jim,
        Thanks for the reply.
        
        Actually I do not want to let external users connect to my internal
        network. Do I need to make DNS on ISA?
        
        Jim Harrison wrote:
        
        
        Two problems with this scenario:
        1 - you don't own the 90.0.0/24 netblock - you should not be using it
        for your internal network. Instead, use something from the RFC-1918
        set:
        10/8
        169.254/16
        172.16/12
        192.168/16
        
        2 - Unlike WinProxy, ISA will *not* perform "DNS proxy", so installing
        DNS on the ISA will be required. Just *don't* make this DNS server
        available from the Internet (no "allow all" rules)
        
        Jim
        
        -----Original Message-----
        From: hodakara kara [mailto:hatem20102011@xxxxxxxxx] 
        Sent: Saturday, August 13, 2005 3:59 AM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] ISA-/DNS Query-Please Advice
        
        Dear all,
        
        My network consists of the following environment (with WinProxy as
        firewall):
        
        1. Domain Controller, with DNS on it, with the following IP settings:
        IP: 90.0.0.10
        SM: 255.255.255.0
        GW: 90.0.0.20 --> this is the internal IP of the WinProxy interface.
        DNS: 90.0.0.10 --> it registers itself in the current DNS (the internal DNS).
        
        2. 30 users, Windows XP Pro with SP2, configured to register
        themselves in the DNS, which is (90.0.0.10), with the gateway
        (90.0.0.20); I mean all the users have this DNS (90.0.0.10) and
        this default gateway (90.0.0.20).
        
        3. The internal DNS server is configured to forward all the queries to
        the internal IP address of WinProxy, which is (90.0.0.20), in order to
        be able to browse Internet names and to resolve the external domains
        as well.
        
        4. One firewall, which is WinProxy, not under our domain, which has 2
        NICs with the following information:
        
        First NIC on WinProxy:
        ===================
        IP : 90.0.0.20
        SM : 255.255.255.0
        GW : N/A
        DNS : N/A
        
        Second NIC on WinProxy, which is connected to the router, and then
        the router connects to VSAT:
        ================================
        IP : 213.255.237.106
        SM : 255.255.255.248
        GW : 213.255.237.105
        DNS : 213.255.237.8
              213.255.237.9
        
        We are behind the firewall; we even configure Outlook to use the IP
        address of the internal WinProxy interface as POP3 & SMTP.
        
        And on the WinProxy, we configured the SMTP & POP3 with the real
        IP address.
        
        
        =====================================================================
        Now we are going to install ISA Server 2000.
        
        I want to know if the steps which I am going to do are correct or not.
        
        1. I will bring a new server for ISA, with 2 NICs.
        2. Install Windows Server on it.
        3. Give the internal interface of the ISA this IP (90.0.0.10) and this
        DNS (90.0.0.10), without a gateway on it.
        4. Install DNS server on ISA.
        5. Configure the DNS to listen only on the internal interface, not
        the external.
        6. Create the forward lookup zone and reverse lookup zone.
        7. Make the local DNS forward the query to the external DNS of the ISP.
        
        8. Install the domain controller on the other machine and let it
        register itself on the internal IP of ISA, and put the gateway also
        for that.
        
        9. Let all the users register themselves in the current DNS.
        10. Configure the users normally.
        11. Make sure that the server and the clients are able to browse and
        see the Internet.
        
        
        =================================================================
        
        Second part: install the DNS server on the ISA server itself, and we
        will start working on it.
        
        So my questions are:
        1. Is there anything wrong in this configuration, from installing a DNS
        server on the ISA server and letting all the users register themselves
        in the DNS which is located on the ISA, and configuring the ISA server
        to forward the queries to the external DNS of the ISP? If there is any
        problem, do you recommend any other solution?
        
        2. After I install on each client the Firewall Client software which
        comes with ISA Server, is there any traffic I should allow
        inbound/outbound for the DNS to go from the ISA server to the external
        DNS server of the ISP? Is there any protocol rule or packet filter I
        should create in order to let the traffic go out from my ISA server to
        the external DNS, and to enter from the external DNS to my ISA server?
        
        Please help in this situation, as soon as possible.
        
        
        -- 
        thanks
        
        __________________________________________________
        Do You Yahoo!?
        Tired of spam? Yahoo! Mail has the best spam protection around 
        http://mail.yahoo.com
        ------------------------------------------------------ List
        Archives:
        http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server
        Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA
        Server
        FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
        ------------------------------------------------------ Visit
        TechGenix.com for more information about our other sites:
        http://www.techgenix.com
        ------------------------------------------------------ You are
        currently
        subscribed to this ISAserver.org Discussion List as:
        jim@xxxxxxxxxxxx To
        unsubscribe visit
        http://www.webelists.com/cgi/lyris.pl?enter=isalist
        Report abuse to listadmin@xxxxxxxxxxxxx
        
        All mail to and from this domain is GFI-scanned.
        
        
        


All mail to and from this domain is GFI-scanned.
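
An added example, not part of the thread: a small Python audit of the address plan from the original post against the two problems raised in the reply (internal addressing outside private space, and a DNS service reachable from the external side). The host names, the `side` labels and the `dns_listen` parameter are assumptions made for this example.

```python
import ipaddress

# RFC 1918 private-use blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# 169.254.0.0/16 is the link-local block (RFC 3927): hosts self-assign it,
# so it is reported separately rather than treated as a LAN range.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

def classify(addr):
    """Return 'rfc1918', 'link-local' or 'public' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "link-local" if ip in LINK_LOCAL else "public"

# Addresses and masks are from the original post; the host names and the
# internal/external "side" labels are assumptions of this example.
PLAN = [
    {"host": "domain-controller", "side": "internal",
     "ip": "90.0.0.10", "mask": "255.255.255.0"},
    {"host": "firewall-inside", "side": "internal",
     "ip": "90.0.0.20", "mask": "255.255.255.0"},
    {"host": "firewall-outside", "side": "external",
     "ip": "213.255.237.106", "mask": "255.255.255.248"},
]

def audit(plan, dns_listen):
    """List findings for an address plan and the DNS service's listen addresses."""
    findings = []
    for nic in plan:
        net = ipaddress.ip_interface(f"{nic['ip']}/{nic['mask']}").network
        kind = classify(nic["ip"])
        if nic["side"] == "internal" and kind != "rfc1918":
            findings.append(f"{nic['host']}: {net} is {kind}, not RFC 1918")
    external = {nic["ip"] for nic in plan if nic["side"] == "external"}
    for addr in dns_listen:
        # 0.0.0.0 means "all interfaces", which includes the external one.
        if addr == "0.0.0.0" or addr in external:
            findings.append(f"dns: listening on {addr} exposes it externally")
    return findings

if __name__ == "__main__":
    for line in audit(PLAN, dns_listen=["90.0.0.10"]):
        print(line)
```

Re-running `audit` after renumbering the internal side into one of the RFC 1918 blocks, with DNS bound only to the internal address, returns an empty list.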


