Hi Rick, You want the ISA Server firewall to use the internal zones ONLY. You *never* want the ISA Server firewall to resolve internal resources to a public address. Its OK to public your public DNS server, but the public DNS server needs to advertise ONLY, it should never resolve for other domains. Make sure you disable recursion on those servers. HTH, Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Kincer, Rick [mailto:Rick_Kincer@xxxxxxxxxx] Sent: Monday, October 27, 2003 3:21 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: pinging wrong ip address http://www.ISAserver.org Hi Tom, I agree, it is best not to have DNS settings on the external NIC, I recall that from your book and other articles but I thought I'd give the other route a whirl...<g>. I just read Jim's article again, so with having split DNS servers that I could place, on the internal NIC, the inside DNS server IP first and then the external DNS server IP second? The external DNS server IP would use a 10. address, not the external public address. So I would need to make sure the external DNS server IP segment address is in the LAT table to make sure ISA still routes local? I've had it set the normal way, the inside NIC set to the internal DNS servers for both first and second selection but if there is a better way I'm all for trying it. And of course once we switch the domain from NT to AD I'll have to think of it all over again...<g> Thanks again!!, Rick -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Tuesday, October 21, 2003 4:52 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: pinging wrong ip address http://www.ISAserver.org Hi Rick, Unless you're using a dial up connection, don't set a DNS server on the external interface. HTH, Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Kincer, Rick [mailto:Rick_Kincer@xxxxxxxxxx] Sent: Tuesday, October 21, 2003 2:07 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: pinging wrong ip address http://www.ISAserver.org Jim, Thank you for the direction, I've been working on something similar. One question though, there's always that one question..... Lets say we have a public website "www.our_domain.com" but we want our users to use the internal 10. IP addresses to get to the website and bypass proxy. We set the IE clients to "Bypass proxy for local addresses" and in the advanced we specify "10.*; our_domain.com". This will ensure that the internal users get routed directly to the internal server without going through ISA. Now for the rub......If I were to set the DNS as you mentioned in the article "Configuring DNS Settings" on that great website www.isaserver.org, being that the internal NIC is set for the internal DNS server and the outside NIC is set for the outside DNS server, would it cause a problem if: 1) The users deselected the "Bypass proxy for local addresses". 2) The users go to the ourdomain.com website. 3) The internal DNS is off line. 4) The external DNS server is used to resolve the name. 5) The users receive the external IP, which ISA sees as external, to get to the website. Wouldn't that just send the user through the ISA server? Possibly causing a problem with authentication? Don't laugh, I really have to field this question.... Thank you, Rick -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Tuesday, October 21, 2003 8:52 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: pinging wrong ip address http://www.ISAserver.org Stop / restart the Firewall service. The FW and Web Proxy services maintain their own DNS caches and these maintain entries for ~6 hours. Take a read in the client articles I left on www.isserver.org; it's much too detailed for an email posting. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! On Tue, 21 Oct 2003 13:05:15 +0200 "Luqman Achmat" <luqman@xxxxxxxxx> wrote: http://www.ISAserver.org Hi everyone A service provider recently changed their ip address of a telnet server outside of our network and since then I cannot connect/telnet to this server. Problem - With my MS firewall client enabled: When I do an nslookup of the dns name, I get the correct resolution to ip address. But when I do a ping of the dns name, it still tries to ping the OLD ip address. Any ideas why the ping would still try and ping the old ip address with my FWClient enabled? Luq p.s. With my MS firewall client disabled: When I do an nslookup of the dns name, I get the correct resolution to ip address. When I do a ping of the dns name, it pings the correct ip address. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^* All mail from this domain is virus-scanned with RAV. www.ravantivirus.com ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^* ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: rick_kincer@xxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: rick_kincer@xxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')