RE: Interesting ISA Problem

  • From: Glenn Maks <gmaks@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 31 Oct 2003 08:22:04 -0500

Good morning Tom. To answer your response: yes, I have done that, and this
is what I discovered. When I built my DNS server to handle all my public
name spaces and placed that server on my DMZ, I used the publishing feature
of ISA. From a computer in front of the ISA's public interface, I used
NSLOOKUP to do some testing. When I set my server through NSLOOKUP to the
published IP address of my DNS server, simple queries, like asking what the
IP address of Yahoo.com was, resulted in no answer. The DNS server should
not only function as the SOA for my public name spaces but also serve
computers on my private network for resolving Internet destinations. This
does not seem to work, or at least I could not get it working using Server
Publishing or Packet Filters. Not to mention, I had to use the primary
bound IP address on the external NIC rather than one of the secondary IP
addresses that I added to the interface. This same scenario was discovered
when I moved my public MX server behind ISA as well. Any clues?

  Thank U

http://www.ISAserver.org

Unfortunately, server-publishing DNS to the local box never seems to work.
I've always had to packet-filter it <sigh>

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Thu, 30 Oct 2003 18:45:19 -0600
 "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> wrote:

Hi Glenn,
 
Why not create a DNS server publishing rule and bind the DNS listener to
the internal interface? Then you can take advantage of the DNS
application filter to protect yourself against DNS related attacks.
 
HTH,
Tom
www.isaserver.org/shinder
 

  _____  

From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
Sent: Thursday, October 30, 2003 3:52 PM
To: [ISAserver.org Discussion List]
Cc: jim@xxxxxxxxxxxx
Subject: [isalist] Interesting ISA Problem


[Glenn Maks] 
 
One more thing - it is strange that when creating the filters to pass
DNS Send and Receive through, you have the ability to apply the filter to
ALL DEFAULT IP addresses on the External Interface, so one would assume
that this same filter would work for any IP address bound to the
Interface, including the secondary IP addresses?
 
 
 
OK - I solved my publishing DNS issue. I decided to run DNS on my ISA
server and have that serve as my SOA for all my public name spaces, but
here is something I discovered, both with publishing my MX server and
playing around with publishing DNS servers.

I have on my external NIC one primary IP address and several additional
IP addresses for other services like web sites and FTP sites and so on.
I discovered that no matter what services I pass through ISA, it will
not work unless I use the primary IP address. Let me explain. My public
MX server was living behind my old firewall. In the process of migrating
services over and replacing my old firewall with ISA, I moved the MX
server behind my ISA server. I took the public IP address for the MX
server and added it as an additional IP address to the external
interface of ISA, then I published the MX server. I found that mail
could be delivered but the return trip got lost; it was not until I
changed the primary IP address of the ISA server to the original IP
address the MX server was known as that the mail came back to me. Same
as the DNS issue I had: running DNS on my ISA server and having it
listen on all interfaces, one would think it would work even though the
IP address of the SOA server is NOT the primary IP address of the ISA
external interface. I hope I was clear in my explanation. Any takers on
this one?

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


