Thanks Jim,

What a fantastic document. As it turns out, my DNS is set up as per your scenario 2, "External-Only DNS". The key to my problem was the local DNS cache, which I was completely unaware of. There was no problem externally all along. Had I issued "ipconfig /flushdns" on my internal testing machine, I would have found that all was OK.

I now have SSL Bridging for both internal and external clients, configured according to your document, "DNS for ISA Server", and Shobha Sharma's document, "Configuring SSL Bridging".

I'd like to present you guys with the award of "Legend". Please accept with my gratitude :)

Thanks heaps,
Tony Lou

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, 16 July 2002 11:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: SSL Bridging Fun

http://www.ISAserver.org

Actually, you already have my favorite choice in place; the internal domain name is based on the public domain name. This allows you to register only one name and still have two different cakes to eat.

http://isaserver.org/pages/articles.asp?art=64 should get you started on the split DNS question.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: Tony Lou
To: [ISAserver.org Discussion List]
Sent: Monday, July 15, 2002 5:24 PM
Subject: [isalist] Re: SSL Bridging Fun

Hi Jim,

Thanks for your response. In answer to your question, sort of. Our external domain name is "fpa.asn.au"; our internal is "nt.fpa.asn.au". Also, I do have an entry in the hosts file on the ISA server pointing to the internal address of the web server. A ping from the command prompt on the ISA server confirms that it resolves to the internal address.
Thinking about it last night, I've come to realise that it may in fact be working for the outside world, but not for us internally, because all of our clients point to the ISA server for DNS (which then forwards externally bound queries to our ISP's DNS servers). Therefore an internal client will see the "loop" error, whereas the outside presumably wouldn't? This is what I'll be testing in the next hour.

Would appreciate a pointer to information on "split DNS structures", particularly as we'll be moving to Active Directory and Exchange 2000 soon which, as I understand it, will require the use of our external domain name internally as well.

Cheers, and thanks,
Tony Lou