http://www.ISAserver.org
-------------------------------------------------------

'Tis true. With intentionally rare exceptions, hosts within MS can't reach the outside except via Web Proxy or FWC requests. They do get a default gateway, but internal routers are "blackhole"; that is, if they see a packet for a non-local network, they pass it to the bitbucket which has a large hole in the bottom.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org

Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Thursday, August 31, 2006 10:38
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

I've done it in many deployments, and IIRC, that's how they do it at MS.

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, August 31, 2006 12:26 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

We had briefly touched upon this topic about a year or so ago, but I wasn't aware that it was an actual common practice...

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Thursday, August 31, 2006 12:18 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

Hi Dan,

In most secure environments you don't give the clients a default gateway and use the Firewall and Web proxy client configurations to enforce security. So, this might work fine using RR DNS.

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, August 31, 2006 11:02 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

I'd have to say no...

- External sites are resolved by the DNS server.
- Resolved sites are then referenced by IP address.
- Since an external site is resolved to an IP that is not a "local" address, it resorts to using the default gateway to connect.
- Default gateways are entered by IP, not hostname, nullifying the round-robin DNS abilities.

The exception to this might be if you use the FWC, then you might be able to redirect all connections via DNS entries. You might be able to share the proxy address too, but that default gateway is a kicker...

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 10:00 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

Hm... You have two ISA SE, let's say their internal interface IP addresses are 192.168.0.1/24 and 192.168.0.2/24. You create two A records in DNS, isa.dan.local -> 192.168.0.1 and isa.dan.local -> 192.168.0.2. Then by DNS round robin, your internal clients (except SNAT) would enjoy the connection to either of the ISA SE servers for outbound connection, make sense?

----- Original Message -----
From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 9:01 PM
Subject: [isalist] Re: wpad.dat DNS entry

I think that would only work on inbound connections. You can't define round-robin DNS entries for someone else's server!
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 8:42 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

Surely about outbound connection!

----- Original Message -----
From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 8:34 PM
Subject: [isalist] Re: wpad.dat DNS entry

Are you referring to incoming or outgoing connections?

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 8:28 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

Dan,

Suppose you have two external lines provided by different ISPs. Normally two ISA EE are needed, but by using DNS round robin you can deploy two ISA SE for load balancing..., that's my point.

HTH,
Roy

----- Original Message -----
From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 8:19 PM
Subject: [isalist] Re: wpad.dat DNS entry

No, you would still have that "one default gateway" problem... Besides, that feature is only for DNS entries that "you" control, not external.

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Thursday, August 31, 2006 4:36 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

Dan,

Your problem is due to the DNS round robin feature, and it shall be solved by Stefaan's great guidance. On the other hand, don't you think we can utilize such round robin as a good feature to implement NLB to balance connections to multiple external interfaces by using the ISA STD version only?
HTH,
Roy Tsao

----- Original Message -----
From: Stefaan Pouseele <mailto:stefaan.pouseele@xxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Thursday, August 31, 2006 4:08 PM
Subject: [isalist] Re: wpad.dat DNS entry

You might check out http://support.microsoft.com/?kbid=842197.

HTH,
Stefaan

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, 31 August 2006 3:28
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

Good article, it sounds very similar to my scenario. I already had the "enable netmask ordering" option enabled, so that is not the problem. Do you think it might be because each of the 10.6.x.x subnets has a mask of 255.255.255.0?

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
Sent: Wednesday, August 30, 2006 3:57 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: wpad.dat DNS entry

Hi Dan,

Check out my blog http://blogs.isaserver.org/pouseele/2006/06/30/multi-networking-wpad-support-in-isa-2004/.

HTH,
Stefaan

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Wednesday, 30 August 2006 21:47
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] wpad.dat DNS entry

I'm having a serious problem here with the wpad name resolution. I moved it from being sent out via DHCP to DNS per Jim's recommendation, which seems to have sped up some things, but it is now unreliable and causing problems. The problem appears to be the multiple internal subnets... Here is a diagram of how it is laid out:

    Internet
        |
    ISA Server --- Internal Network 1 (10.20.1.1)
        |
    Internal Network 2 (10.6.254.90) ---- 10.6.8.x Subnet
                                      |-- 10.6.9.x Subnet
                                      |-- 10.6.10.x Subnet
                                      |-- 10.6.12.x Subnet
                                      |-- 10.6.14.x Subnet
                                      |-- 10.6.15.x Subnet

I entered two Host (A) records for wpad, one for 10.20.1.1, and another for 10.6.254.90.
Frequently I run across computers on the 10.6.x.x subnet where the FWC cannot automatically detect the ISA server, so I ping wpad and it resolves to the 10.20.1.1 address instead of the 10.6.254.90 address that it is supposed to get. I try repairs and such, and it keeps resolving to the wrong one. When I reboot the computer, it resolves to the correct IP and works properly. I reboot the computer several times, and it gets the correct address. But then I'll hear of another computer having problems, and I'll check and it is the same problem. This is not going to be pretty over the next few days as teachers come back to work after summer vacation.

What is the best way to resolve this? Change it back to DHCP, customize hosts files, etc?

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
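The netmask-ordering question Dan raises in the thread (why a client on a 10.6.8.x /24 sometimes gets the 10.20.1.1 record), as an added simulation that is not code from the list or from Windows DNS: it assumes netmask ordering moves answers that share the client's network under a /24 match to the front and otherwise leaves them in round-robin order, and it models round robin as a one-step rotation of the answer set per query.

```python
"""Simulate DNS round robin plus netmask ordering for the two wpad A records.

Added example for the isalist thread, not code from the list or Microsoft.
Assumption: netmask ordering compares the client and record addresses under a
/24 prefix by default, and records that do not match keep round-robin order.
"""
import ipaddress

# The two wpad Host (A) records from Dan's post (values from the thread).
WPAD_RECORDS = ["10.20.1.1", "10.6.254.90"]


class RoundRobinResolver:
    """Returns the answer set rotated by one position per query."""

    def __init__(self, records, netmask_ordering=True, priority_prefix=24):
        self.records = list(records)
        self.netmask_ordering = netmask_ordering
        self.priority_prefix = priority_prefix  # width used to call a record "local"
        self._rotation = 0

    def _same_network(self, client_ip, record_ip):
        net = ipaddress.ip_network(f"{client_ip}/{self.priority_prefix}", strict=False)
        return ipaddress.ip_address(record_ip) in net

    def resolve(self, client_ip):
        # Round robin: rotate the answer list by one position on every query.
        n = len(self.records)
        rotated = [self.records[(i + self._rotation) % n] for i in range(n)]
        self._rotation = (self._rotation + 1) % n
        if not self.netmask_ordering:
            return rotated
        # Netmask ordering: records on the client's network first, others keep order.
        local = [r for r in rotated if self._same_network(client_ip, r)]
        remote = [r for r in rotated if not self._same_network(client_ip, r)]
        return local + remote


def first_answers(client_ip, queries=4, priority_prefix=24):
    """Address a client would actually use (first answer) over several queries."""
    resolver = RoundRobinResolver(WPAD_RECORDS, priority_prefix=priority_prefix)
    return [resolver.resolve(client_ip)[0] for _ in range(queries)]


if __name__ == "__main__":
    # Client on 10.6.8.x: under a /24 match neither record is "local", so the
    # first answer alternates and the FWC sometimes picks up 10.20.1.1.
    print("10.6.8.25 with /24 match:", first_answers("10.6.8.25"))
    # Widening the match to /16 makes 10.6.254.90 come first every time.
    print("10.6.8.25 with /16 match:", first_answers("10.6.8.25", priority_prefix=16))
    # A client on 10.20.1.x shares a /24 with its record and is stable either way.
    print("10.20.1.50 with /24 match:", first_answers("10.20.1.50"))
```

The simulation reproduces the symptom from the thread: a /24 match leaves the 10.6.x.x clients on plain round robin, while a wider match restores a stable preferred answer.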