Good Morning Tom,

To answer your response: yes, I have done that, and this is what I discovered. When I built my DNS server to handle all my public name spaces and placed that server on my DMZ, I used the publishing feature of ISA. From a computer in front of the ISA's public interface, I used NSLOOKUP to do some testing. When I set my server through NSLOOKUP to the published IP address of my DNS server, simple queries, like asking what the IP address of Yahoo.com was, resulted in no answer. The DNS server should not only function as the SOA for my public name spaces, but also serve computers on my private network for resolving Internet destinations. This does not seem to work, or at least I could not get it working using Server Publishing or Packet Filters. Not to mention, I had to use the primary bound IP address on the external NIC rather than one of the secondary IP addresses that I added to the interface. This same scenario was discovered when I moved my public MX server behind ISA as well.

Any clues??

Thank U

http://www.ISAserver.org

Unfortunately, server-publishing DNS to the local box never seems to work. I've always had to packet-filter it <sigh>

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Thu, 30 Oct 2003 18:45:19 -0600 "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> wrote:

Hi Glenn,

Why not create a DNS server publishing rule and bind the DNS listener to the internal interface? Then you can take advantage of the DNS application filter to protect yourself against DNS-related attacks.
HTH,
Tom
www.isaserver.org/shinder

_____

From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Thursday, October 30, 2003 3:52 PM
To: [ISAserver.org Discussion List]
Cc: jim@xxxxxxxxxxxx
Subject: [isalist] Interesting ISA Problem

[Glenn Maks] One more thing - it is strange that when creating the filters to pass DNS Send and Receive through, you have the ability to apply the filter to ALL DEFAULT IP addresses on the External Interface, so one would assume that this same filter would work for any IP address bound to the interface, including the secondary IP addresses?

Ok - I solved my publishing DNS issue. I decided to run DNS on my ISA server and have that serve as my SOA for all my public name spaces, but here is something I discovered, both with publishing my MX server and playing around with publishing DNS servers. I have on my external NIC one primary IP address and several additional IP addresses for other services like web sites, FTP sites and so on. I discovered that no matter what services I pass through ISA, it will not work unless I use the primary IP address.

Let me explain. My public MX server was living behind my old firewall. In the process of migrating services over and replacing my OLD firewall with ISA, I moved the MX server behind my ISA server. I took the public IP address for the MX server and added it as an additional IP address to the External Interface of ISA, then I published the MX server. I found that mail could be delivered but the return trip got lost; it was not until I changed the primary IP address of the ISA server to the original IP address the MX server was known as that the mail came back to me.

Same as the DNS issue I had: running DNS on my ISA server and having it listen on all interfaces, one would think it would work even though the IP address of the SOA server is NOT the primary IP address of the ISA External Interface.

I hope I was clear in my explanation. Any takers on this one??
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')