RE: PIX 515e and ISA 2000 (I know, I know)

  • From: sbradcpa@xxxxxxxxxxx
  • To: isalist@xxxxxxxxxxxxx
  • Date: Thu, 9 Mar 2006 00:38:05 -0700

On SBS 2003 pre-SP1 when we had ISA 2000... If ISA 2000 can handle
chugging along just fine with all the crap and crud we have on our SBS
boxes and yes, we do DNS forwarders, the problem doesn't sound like it's
ISA at all.

I mean come on... if it works on SBS... on a DC no less... 

What's in the log files?

What happened when DNS stopped functioning?

Don't assume that your hardware isn't malfunctioning as well.  NICs,
switches...

And ISA also means no patches and no guy at Blackhat giving a talk about
security issues... ;-)

In our setups anyway you don't put "any" external ISP's DNS on a NIC and
you only enter in either forwarders or settings for root hints in the DNS
snapin.

You did a DNSdiag?

Your ISP's DNS are good and solid?

No black hole routers?
http://support.microsoft.com/kb/q159211/


> Do not use forwarders. Remove the forwarders, that is most likely your
> issue. Create a rule to allow your internal DNS servers to query the
> internet and your troubles will likely disappear.
> 
> If you don't believe me, try it for a day or two. There is no need nor
> requirement to use dns forwarders...unless...your internal domain isn't
> a .local is it?
> 
> S
> 
> -----Original Message-----
> From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> Sent: Wednesday, March 08, 2006 11:26 AM
> To: ISA Mailing List
> Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> 
> http://www.ISAserver.org
> 
> Yes I am Steve. I'm using my local DNS server on my internal NIC with no
> DNS on my external (well, with the problems I've been having today, I've
> added an external DNS to my external but that is not my normal setup). I
> think I will read through the article Tom linked for me and see if I can
> find out what is going on.
> 
> Thanks.
> > Are you using DNS forwarders on any of your internal DNS servers?
> > 
> > -----Original Message-----
> > From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> > Sent: Wednesday, March 08, 2006 11:07 AM
> > To: ISA Mailing List
> > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > 
> > http://www.ISAserver.org
> > 
> > That's the annoying thing. Neither of them say anything is wrong. The OS
> > logs including DNS have no errors. ISA logs have no errors. When
> > things like this happen my boss gets angry with me and says "but there
> > must be a reason" and all I can say to him is yes, but since I have
> > nothing in the logs and nothing has changed (as far as I know) what
> > can I say.
> > 
> > Anyway, to be honest, going back to my original question, I just wanted
> > to know people's experiences on the board. How do you combine the
> > excellent SMTP filtering, OWA publishing etc. features of ISA with PIX
> > raw power and stability? I would like to use the PIX as the Internet
> > firewall. I will turn off Message Guard and maybe a few others if
> > necessary. I would like to use the PIX VPN and still use WinXP clients
> > to connect to it (I have already tested this). I want for example to do
> > Exchange over HTTP but for that I either need to upgrade to 2004 or
> > remove ISA and just open the relevant ports on PIX. Can I do this with
> > ISA 2000 in place, for example?
> > 
> > I am no longer in troubleshooting mode. I just want a solution that is
> > "stable" even if it means a little more complication on the way. The
> > easiest solution would be to remove ISA completely and it is tempting
> > but I do know the advantages of ISA.
> > > What do the logs say??  Both ISA and event.
> > > 
> > > -----Original Message-----
> > > From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> > > Sent: Wednesday, March 08, 2006 10:44 AM
> > > To: ISA Mailing List
> > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > > 
> > > http://www.ISAserver.org
> > > 
> > > Ok, here goes.
> > > 
> > > Steve: in answer to your question, I have nothing else installed on
> > > my ISA box. I've been configuring ISA for 3 years now. I bought both
> > > of Tom's books so I have some idea of what I am doing.
> > > 
> > > Tom: You surprise me. I know you are busy so I will forgive you for
> > > completely missing the point. I don't have the PIX installed yet.
> > > Just ISA.
> > > 
> > > Alex: Me too. I think that maybe they are so used to being bashed
> > > over the head with the software firewall thing that it's just a
> > > conditioned reaction triggered by certain keywords, e.g. PIX. I
> > > want to use ISA; I just realise it has its own limitations. I'm
> > > sure 2004 overcomes many of them but in the end it's still on a PC
> > > running on a general purpose OS. So I wanted to combine the best
> > > of both.
> > > 
> > > Ho hum
> > > > ... uh... what?
> > > > 
> > > > I fail to see how a PIX is easier to use than ISA... and I also
> > > > fail to understand the whole point, in general. I fail at a lot of
> > > > things today. May I ask for enlightenment?
> > > > 
> > > > -----Original Message-----
> > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > > Sent: 8 March 2006 08:18
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > Here's a core fact you can take to the dopes who think a hardware
> > > > firewall is more secure:
> > > > 
> > > > Security is inversely proportional to ease of use and
> > > > accessibility.
> > > > 
> > > > Therefore, if you can understand the PIX and make it access the
> > > > content your users want, you've proven the PIX is nothing but a
> > > > security illusion and you're doing your company a disservice if
> > > > you can't prove that I'm incorrect.
> > > > 
> > > > BTW -- you have done *nothing* to demonstrate that the ISA
> > > > firewall is the problem here.  At this point, I have as much
> > > > positive proof that the PIX server is the problem.
> > > > 
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > > 
> > > > -----Original Message-----
> > > > From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> > > > Sent: Wednesday, March 08, 2006 1:03 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > > > 
> > > > http://www.ISAserver.org
> > > > 
> > > > Now I'm really tempted to just remove ISA completely (see below). I
> > > > currently have ISA running on win2k3 sp1. Should I downgrade to
> > > > win2k? It seemed to be a little more stable on that OS.
> > > > 
> > > > Again this morning, for no reason DNS stopped responding. I
> > > > restarted the DNS service and nothing happened. I checked the
> > > > ISP's DNS and everything was fine. I rebooted ISA and everything
> > > > came back. I'm quite frankly fed up with this. I know 2004 is
> > > > supposed to be more stable but I can't justify the extra spend,
> > > > especially as most people still think hardware firewall equals
> > > > more secure and Microsoft Firewall equals reboot (in the case of
> > > > ISA 2000 I agree).
> > > > 
> > > > > In that case, please proceed. :)
> > > > > 
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- ISA Firewalls
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
> > > > > Sent: Tuesday, March 07, 2006 8:31 AM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > Well, unless I misread, he asked how to make ISA 2000 and PIX play
> > > > > nice, so it is not entirely irrelevant...
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > > > Sent: 7 March 2006 09:25
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > You're asking how to configure a dreaded PIX here?
> > > > > 
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- ISA Firewalls
> > > > > 
> > > > > -----Original Message-----
> > > > > From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> > > > > Sent: Tuesday, March 07, 2006 8:11 AM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] PIX 515e and ISA 2000 (I know, I know)
> > > > > 
> > > > > http://www.ISAserver.org
> > > > > 
> > > > > Hi all
> > > > > 
> > > > > I didn't really get any answers to my ISA VPN question so I just
> > > > > gave up and I will install a PIX. For some reason the ISA VPN
> > > > > connects but I can't see the internal LAN. I'm not sure if I need
> > > > > a static route on the ISA box or not. But to be honest this is
> > > > > the last straw. I've been using ISA for 3 years. Feature wise
> > > > > very good. Configuration very easy. Stability.......
> > > > > 
> > > > > Anyway I would like to combine the advantages of the PIX (we
> > > > > already have one sitting here doing nothing), i.e. hardware VPN,
> > > > > stability, speed, and ISA 2000 Exchange publishing, SMTP
> > > > > protection etc. I want to configure in the simple back-to-back
> > > > > configuration. Besides turning off Message Guard on the PIX, how
> > > > > do I get OWA/OMA through the PIX? Any other gotchas I should
> > > > > know about?
> > > > > 
> > > > > ------------------------------------------------------
> > > > > List Archives:
> > > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > ISA Server Newsletter:
> > > > > http://www.isaserver.org/pages/newsletter.asp
> > > > > ISA Server FAQ:
> > > > > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > ------------------------------------------------------
> > > > > Visit TechGenix.com for more information about our other sites:
> > > > > http://www.techgenix.com
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org Discussion
> > > > > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > > > > To unsubscribe visit
> > > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > Report abuse to listadmin@xxxxxxxxxxxxx

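The thread argues over three different DNS failure modes without separating them: whether the internal DNS server can reach its forwarder, whether the ISP's resolver answers at all, and whether the root-hints path works once the forwarders are removed and the internal DNS server is allowed to query the Internet directly. The script below is an added example, not code from anyone on the list and not Microsoft's DNSdiag tool: it builds RFC 1035 queries by hand and sends them over UDP/53 straight to each server, so the Windows resolver cache and the DNS snap-in settings are not between the test and the wire. The 192.0.2.x addresses are constructed placeholders for your internal DNS server and ISP resolver; 198.41.0.4 is a.root-servers.net, queried without recursion, where a referral rather than an answer is the healthy result. Read the column of outcomes together: a timeout only from the root server points at the egress rule for UDP 53 from the DNS server (the rule Steve describes), a SERVFAIL from the internal server while the ISP resolver answers directly points at the forwarder path, and silence from the ISP resolver is the "good and solid?" question above.

```python
"""DNS reachability probe: hand-built RFC 1035 queries over UDP/53 sent
straight to each server, so the box's own resolver cache and forwarder
settings are not in the way of the test."""
import random
import socket
import struct

QTYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode "www.example.com" as length-prefixed labels ending in a zero byte."""
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=None, recursion_desired=True):
    """Return (txid, packet) for a single A-record question."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)  # random id: replies with another id are rejected
    flags = 0x0100 if recursion_desired else 0x0000  # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", QTYPE_A, CLASS_IN)


def _skip_name(data, offset):
    """Advance past a (possibly compressed) name; return the offset after it."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return offset + 2
        offset += 1 + length


def parse_response(data, expect_txid):
    """Decode header and answer section; A records are returned as dotted quads."""
    if len(data) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", data[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch (stray or forged reply)")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        offset = _skip_name(data, offset) + 4
    answers = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x000F, "truncated": bool(flags & 0x0200),
            "answers": answers, "authority_count": nscount}


def classify(result):
    """One word per outcome, so a column of servers can be read at a glance."""
    if result.get("status") == "timeout":
        return "timeout"    # nothing came back: routing, missing firewall rule, or dead server
    rcode = result["rcode"]
    if rcode == 2:
        return "servfail"   # server reached, but it could not resolve (e.g. its own forwarder is down)
    if rcode == 3:
        return "nxdomain"
    if rcode != 0:
        return "rcode-%d" % rcode
    if result["answers"]:
        return "answer"
    if result["authority_count"]:
        return "referral"   # normal reply from a root/TLD server: the root-hints path is open
    return "empty"


def probe(server, name, timeout=3.0, recursion_desired=True):
    """Send one query to `server` and return the parsed result (or a timeout marker)."""
    txid, packet = build_query(name, recursion_desired=recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, 53))
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return {"server": server, "status": "timeout"}
    result = parse_response(data, txid)
    result.update(server=server, status="ok")
    return result


if __name__ == "__main__":
    # Constructed placeholder addresses (RFC 5737 test range) for the internal DNS
    # server and the ISP resolver; 198.41.0.4 is a.root-servers.net.
    targets = [
        ("internal DNS (forwarder client)", "192.0.2.53", True),
        ("ISP resolver (forwarder target)", "192.0.2.99", True),
        ("a.root-servers.net (root hints)", "198.41.0.4", False),
    ]
    for label, ip, rd in targets:
        r = probe(ip, "www.example.com", recursion_desired=rd)
        print("%-34s %-14s %-9s %s" % (label, ip, classify(r), r.get("answers", [])))
```

Run it from the ISA/DNS box itself, since the question is what that host can reach; a result that differs from a workstation on the LAN is itself a finding. The probe is UDP only, so it will not show the black-hole-router problem the reply above links to, which bites large TCP segments; the `truncated` flag in the result is the hint that a query would have needed the TCP fallback, and a hand-built TCP/53 query with a two-byte length prefix is the natural next step if that flag shows up.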
