Tom,

The Perimeter Configuration Network Rule that governed traffic between Internal, Quarantined VPN Clients, VPN Clients and Perimeter had been specified as a NAT relationship. Changing that to Route solved the issue.

Note that this was set this way by default - it wasn't something I created.

The only NAT relationships I have are between the Perimeter and External networks (since the Perimeter is a 10 dot address space my corporate internal network knows nothing about) and between the Internal, Quarantined VPN Clients, VPN Clients and External networks.

On 8/22/08, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
>
> Hi Jerry,
>
> Make sure that all networks have ROUTE relationships -- no NAT
> relationships in this scenario.
>
> HTH,
>
> Tom
>
> Thomas W. Shinder, M.D., MCSE || Sr. Consultant / Technical Writer
> shinder@xxxxxxxxxxxxxxxxxxxxx || www.prowessconsulting.com
> Mobile: Pending || Phone: Pending || Fax (206) 443.1119
> Blog: http://blogs.isaserver.org/shinder || Books: http://tinyurl.com/2gpoo8
> PROWESS CONSULTING || documentation || integration || virtualization
>
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
> Sent: Friday, August 22, 2008 7:13 AM
> To: isalist@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
> Subject: [isalist] ISA Server 2006 - Perimeter <-> Internal Intradomain Communication
>
> All,
>
> I'm trying to enable intradomain communication between the perimeter and
> internal networks in my virtual environment.
>
> The basic topology of the environment looks like the following:
>
>     Corporate Network (treating as ISA external)
>          |
>     .---------.
>     |   ISA   | --- Perimeter Network (treating as ISA perimeter)
>     '---------'
>          |
>     Internal Network (treating as ISA internal)
>
> The Corporate Network is the corporate internal network, which I am using
> to simulate the "Internet".
>
> I followed the documented procedures at the following link (thanks again,
> Tom!) to facilitate this communication.
>
> http://www.isaserver.org/tutorials/Configuring-Domain-Members-Back-to-Back-ISA-Firewall-DMZ-Part2.html
>
> However, the server that I have in the perimeter network is not able to
> query the DC for DNS that I have in the internal network. Below are the log
> entries and by the look of it, this appears to be a network rule issue as
> opposed to a firewall rule issue.
>
> 10.3.0.40 - UDP - - - 8/22/2008 11:53:05 AM 1031 0 0 0 0x0 0x0 - 8/22/2008 7:53:05 AM 10.3.0.40 10.2.0.20 53 DNS Denied Connection 0xc0040012 FWX_E_NETWORK_RULES_DENIED Perimeter Internal - HVW2K3ISA01 Firewall
> 10.3.0.40 - UDP - - - 8/22/2008 11:53:07 AM 1032 0 0 0 0x0 0x0 - 8/22/2008 7:53:07 AM 10.3.0.40 10.2.0.20 53 DNS Denied Connection 0xc0040012 FWX_E_NETWORK_RULES_DENIED Perimeter Internal - HVW2K3ISA01 Firewall
>
> The Internal Network Element in ISA has the range 10.2.0.0 - 10.2.0.255
> defined. The Perimeter Network Element in ISA has the range
> 10.3.0.0 - 10.3.0.255 defined.
>
> The Network Rule is listed as rule 4, has a routing relationship between
> the source network Perimeter and the destination network Internal.
>
> Any thoughts on what I am missing?
> --
> Cordially yours,
> Jerry G. Young II
> Microsoft Certified Systems Engineer

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
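
An added illustration, not part of the thread and not ISA's own rule engine: a simplified first-match model of network rules that reproduces the FWX_E_NETWORK_RULES_DENIED result in the log and the effect of switching the default rule from NAT to Route. The rule order, the NAT direction (Internal-side networks as source, Perimeter as destination), the custom rule's name, the "allowed" label and the /24 notation are assumptions.

```python
import ipaddress

# Address ranges quoted in the thread, written as /24 networks.
NETWORKS = {
    "Internal": ipaddress.ip_network("10.2.0.0/24"),
    "Perimeter": ipaddress.ip_network("10.3.0.0/24"),
}
INSIDE = {"Internal", "Quarantined VPN Clients", "VPN Clients"}


def network_of(ip):
    """Name the network an address belongs to; anything unlisted is External."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "External"


def rule_set(default_relation):
    """Assumed order: the default rule sits above the custom Route rule."""
    return [
        ("Perimeter Configuration", INSIDE, {"Perimeter"}, default_relation),
        ("Perimeter to Internal (hypothetical name)", {"Perimeter"}, {"Internal"}, "Route"),
    ]


def evaluate(rules, src_ip, dst_ip):
    """Simplified model: the first rule that names both networks decides.

    Route works in both directions. NAT is one-way, so a connection opened
    from the rule's destination side toward its source side is denied.
    """
    src, dst = network_of(src_ip), network_of(dst_ip)
    for name, sources, dests, relation in rules:
        forward = src in sources and dst in dests
        reverse = src in dests and dst in sources
        if forward or (reverse and relation == "Route"):
            return name, relation, "ALLOWED_BY_NETWORK_RULES"  # model label only
        if reverse:
            return name, relation, "FWX_E_NETWORK_RULES_DENIED"
    return None, None, "FWX_E_NETWORK_RULES_DENIED"


if __name__ == "__main__":
    # The DNS query from the log: perimeter server 10.3.0.40 to DC 10.2.0.20.
    for relation in ("NAT", "Route"):
        print(relation, evaluate(rule_set(relation), "10.3.0.40", "10.2.0.20"))
```

In this model the later Route rule is never reached while the default rule is NAT, which matches the behaviour reported above.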