Hi Shawn, Are you still able to perform reverse lookups? Or did you disable that? If so, users are able to access forbidden sites using IP addresses? Thanks! Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Quillman Shawn (RBNA/CIT1.1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx] Sent: Tuesday, April 08, 2003 8:02 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Issues relating to MS article Q292018 http://www.ISAserver.org We have the same scenario here (caching/logging only ISA proxy forwarding to another firewall) and experienced the same problem with ISA trying to resolve everything. I applied the patch and made the registry changes described in this article and the problem went away. When we put the sniffer on the line the only dns requests were for internal hosts which is how my rules were set up. I think the patch is included in SP1. -Shawn ----- Shawn R. Quillman Robert Bosch Corporation RBNA/CIT1.1 38000 Hills Tech Drive Farmington Hills, MI 48331 (248) 553-1164 (P) (248) 848-2855 (F) shawn.quillman@xxxxxxxxxxxx -----Original Message----- From: Hecquet, Reuben [mailto:Reuben.Hecquet@xxxxxxxxxxxxxxxxxxxxxxxx] Sent: Tuesday, April 08, 2003 6:35 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Issues relating to MS article Q292018 http://www.ISAserver.org For security reasons the ISA that the users talk to has no DNS resolution. It is used for caching and logging purposes. Most traffic is forwarded to another proxy which fulfills the request and has external resolution capacity. Some requests from users need to be directed directly to their internal destination rather than to the upstream proxy and hence the rules engine is active and the problem occurs. As mentioned in the article without external DNS resolution on the ISA the HTTP requests for external webs that should be sent upstream are v.slow. Rgds Reuben -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: 08 April 2003 01:52 Hi Reuben, Why is this not an acceptable solution? This is the solution I recommend and enforce at all sites. Thanks! Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: reuben.hecquet@xxxxxxxxxxxxxxxxxxxxxxxx [mailto:reuben.hecquet@xxxxxxxxxxxxxxxxxxxxxxxx] Sent: Monday, April 07, 2003 8:38 AM To: [ISAserver.org Discussion List] Subject: [isalist] Issues relating to MS article Q292018 http://www.ISAserver.org We have problems as detailed in http://support.microsoft.com/?kbid=292018. The problem is fine if we allow external DNS resolution on the 1st ISA but this is not an acceptable resolution. The article mentions getting hold of a MS fix and that one should then have a W3proxy.exe version 3.0.1200.57 . However as I already have SP1 for ISA applied I have W3proxy version 3.0.1200.166. Does anyone know whether the fix I mention is supposed to be included in SP1 as the problem still seems to be there. Does anyone have the MS fix or know where I can get it. Free Trial Software: Monitor & Manage Web Use with SurfControl Web Filter for MS ISA Server http://www.surfcontrol.com/go/zisadl1 ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to Free Trial Software: Monitor & Manage Web Use with SurfControl Web Filter for MS ISA Server http://www.surfcontrol.com/go/zisadl1 ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: shawn.quillman@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') Free Trial Software: Monitor & Manage Web Use with SurfControl Web Filter for MS ISA Server http://www.surfcontrol.com/go/zisadl1 ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')