Jason Yu asked:
Can't get internet access through ISA 2004 server

I set up a testing environment in preparation for upgrading our ISA 2000 server.

A new domain with two Windows 2003 servers: one is a domain controller with the DNS role. The other one is dedicated to ISA 2004, has two NICs, and is joined to the same domain as the first server.

After I fresh-installed ISA 2004 on my server, I tried to create an "Allow all" firewall policy to let all the traffic through. However, even with this rule, I couldn't open any web sites from IE 6 on my ISA 2004 server, and neither could my other DC server. I tried to read a book by Dr. Tom Shinder on how to configure ISA Server; he says I need to install a caching DNS server on my ISA 2004. I was wondering, since I already have a dedicated DNS server which points to an outside upstream DNS server, do I need another cached DNS on my ISA server?

If so, how do I set it up, or can I just go ahead and bypass setting up a cached DNS server on ISA 2004?

Any help will be greatly appreciated. Thank you guys.


The rule I created is according to this table.

Table 6.12: All Open

Name: All Open
Action: Allow
Protocols: All Outbound Traffic
From: Internal
To: External
Users: All Users
Schedule: Always
Content Types: All content types
Purpose: This rule allows Internal network clients access to all protocols and sites on the Internet.

Warning: This last rule, All Open, is used only to get you up and running. This All Open rule allows you to test the ISA firewall's basic Internet connection ability, but does not provide any outbound access control in a manner similar to most hardware packet-filter firewalls. The ISA firewall provides advanced inbound and outbound protection, so you want to be sure to disable the All Open rule and create per user/group, per protocol and per site rules after your basic Internet connections through the ISA firewall are successful.
[Attachment: rule-all-open.JPG]

Jason Yu (asker):

Here is some content from the book:

We will install a caching-only DNS server on the ISA firewall. This will allow machines on the Internal Network and the ISA firewall to resolve Internet host names. Note that you do not need to perform this step if you already have a DNS server on your Internal network. Even if you already have a DNS server located on the Internal network, you might consider configuring the ISA firewall computer as a caching-only DNS server and then configure computers on the internal network to use the ISA Server 2004 machine as their DNS server or configure the Internal Network computers to use your Internal Network DNS server and configure the Internal Network DNS server to use the ISA firewall as a DNS forwarder.

Installing the DNS Service
The DNS Server service is not installed by default on Windows server operating systems. The first step is to install the DNS Server service on the Windows Server 2003 machine that will be the ISA firewall.

Installing the DNS Server Service on Windows Server 2003
Perform the following steps to install the DNS Server service on a Windows Server 2003 computer:

1. Click Start, point to Control Panel, and click Add or Remove Programs.
2. In the Add or Remove Programs window, click Add/Remove Windows Components.
3. In the Windows Components Wizard dialog box, select Networking Services from the list of Components. Do not put a checkmark in the checkbox! After highlighting the Networking Services entry, click the Details button.
4. In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox, and click OK.
5. Click Next in the Windows Components dialog box.
6. Click OK in the Insert Disk dialog box. In the Files Needed dialog box, provide a path to the i386 folder from the Windows Server 2003 installation CD in the Copy files from text box, then click OK.
7. Click Finish on the Completing the Windows Components Wizard page.
8. Close the Add or Remove Programs window.

Configuring the DNS Service on the ISA Firewall
The DNS Server on the ISA firewall machine performs DNS queries for Internet host names on behalf of computers on the internal network. The DNS Server on the ISA firewall is configured as a caching-only DNS server. A caching-only DNS Server does not contain information about your public or private DNS names and domains. The caching-only DNS Server resolves Internet host names and caches the results; it does not answer DNS queries for names on your private internal network DNS zone or your public DNS zone.

Note: DNS is an inherently complex topic. Do not be concerned if you do not completely understand the details of DNS operations. The DNS service will be correctly configured to resolve Internet host names when you complete the steps in this section.

If you have an internal network DNS server supporting an Active Directory domain, you can configure the caching-only DNS server located on the ISA firewall to refer client requests to your internal network domain to the DNS server on your internal network. The end result is that the caching-only DNS server on the ISA Server 2004 firewall computer will not interfere with your current DNS server setup.

Configuring the DNS Service in Windows Server 2003
Perform the following steps to configure the DNS service on the Windows Server 2003 computer:

1. Click Start and point to Administrative Tools. Click the DNS entry.
2. Right-click the server name in the left pane of the console, point to View, and click Advanced.
3. Expand all nodes in the left pane of the DNS console.
4. Right-click the server name in the left pane of the DNS console, and click the Properties option.
5. In the server's Properties dialog box, click Interfaces. Select Only the following IP addresses. Click any IP address that is not an IP address bound to the internal interface of the computer. After highlighting the non-internal IP address, click Remove. Click Apply.
6. Click the Forwarders tab, as shown in Figure 6.16. Enter the IP address of your ISP's DNS server in the Selected domain's forwarder IP address list text box, and then click Add. Put a checkmark in the Do not use recursion for this domain checkbox. This Do not use recursion option prevents the DNS server on the ISA firewall from trying to perform name resolution itself. The end result is if the forwarder is unable to resolve the name, the name resolution request stops. Click Apply.

[Figure 6.16: The Forwarders Tab]

Tip: If you find that name resolution performance isn't as good as you expect, disable the Forwarders entry. While a well-managed ISP DNS server can significantly improve name resolution performance, a poorly-managed ISP DNS server can slow down your ISA firewall's ability to resolve Internet host names. In most instances, you'll get better performance using your ISP's DNS server because it will have a larger cache of resolved host names than your ISA firewall's caching-only DNS server.

7. Click OK in the server's Properties dialog box.
8. Right-click the server name; point to All Tasks, and click Restart.

Perform the following steps only if you have an internal network DNS server that you are using to support an Active Directory domain. If you do not have an internal network DNS server and you do not need to resolve internal network DNS names, then bypass the following section on configuring a stub zone.

Warning: DO NOT perform the following steps if you do not already have a DNS server on your internal network. These steps are only for those networks already using Windows 2000 Server or Windows Server 2003 Active Directory domains.

The first step is to create the reverse lookup zone for the Internal Network where the Internal DNS server is located.

1. Right-click the Reverse Lookup Zones node in the left pane of the console, and click New Zone.
2. Click Next on the Welcome to the New Zone Wizard page.
3. On the Zone Type page, select Stub zone, and click Next.
4. Select Network ID. On the Reverse Lookup Zone Name page, enter into the Network ID text box the ID for the network where the internal network DNS server is located, as shown in Figure 6.17. Click Next.

[Figure 6.17: The Reverse Lookup Zone Name Page]

5. Accept the default file name on the Zone File page, and click Next.
6. On the Master DNS Servers page, enter the IP address of your internal network DNS server, and click Add. Click Next.
7. Click Finish on the Completing the New Zone Wizard page.

The next step is to create the forward lookup zone for the stub zone.

1. Right-click the Forward Lookup Zones node in the left pane of the console, and click the New Zone command.
2. Click Next on the Welcome to the New Zone Wizard page.
3. On the Zone Type page, select Stub zone, and click Next.
4. On the Zone name page, type the name of your internal network domain in the Zone name text box. Click Next.
5. On the Zone File page (Figure 6.18), accept the default name for the zone file, and click Next.

[Figure 6.18: The Zone File Page]

6. On the Master DNS Servers page, enter the IP address of your internal network's DNS server, and click Add. Click Next.
7. Click Finish on the Completing the New Zone Wizard page.
8. Right-click the server name in the left pane of the console; point to All Tasks, and click Restart.
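The same Interfaces, Forwarders and stub-zone configuration the book walks through in the DNS console, done with the built-in dnscmd tool on the ISA machine. This is an added example, not from the book or the thread; the addresses (ISA internal NIC 10.0.0.1, internal DC/DNS 10.0.0.2, internal domain corp.example, 10.0.0.0/24 internal network) and the ISP resolver placeholder are assumptions.

```batch
@echo off
rem Added example: caching-only DNS on the ISA firewall via dnscmd (Windows Server 2003).
rem Assumed addresses: ISA internal NIC 10.0.0.1, internal DC/DNS 10.0.0.2,
rem internal AD domain corp.example, ISP resolver is a placeholder to replace.
set ISA_INTERNAL=10.0.0.1
set INTERNAL_DNS=10.0.0.2
set INTERNAL_DOMAIN=corp.example
set ISP_DNS=REPLACE_WITH_ISP_DNS_IP

rem Interfaces tab: listen only on the internal address, never on the external NIC,
rem so the caching resolver is not reachable from the Internet side.
dnscmd /ResetListenAddresses %ISA_INTERNAL%

rem Forwarders tab: forward to the ISP resolver. /Slave is the "Do not use recursion"
rem checkbox: a name the forwarder cannot resolve is not retried via root hints.
dnscmd /ResetForwarders %ISP_DNS% /Slave

rem Stub zones (only when an internal AD DNS server exists): forward zone for the
rem domain and reverse zone for 10.0.0.0/24, both mastered by the internal DNS server.
dnscmd /ZoneAdd %INTERNAL_DOMAIN% /Stub %INTERNAL_DNS%
dnscmd /ZoneAdd 0.0.10.in-addr.arpa /Stub %INTERNAL_DNS%

rem Restart the DNS service (All Tasks > Restart in the console) and verify.
net stop dns
net start dns
dnscmd /Info
dnscmd /EnumZones

rem An Internet name must resolve through the forwarder, an internal name through the stub zone.
nslookup example.com %ISA_INTERNAL%
nslookup dc1.%INTERNAL_DOMAIN% %ISA_INTERNAL%
```

Run it from an elevated command prompt on the ISA server after the DNS Server service has been installed as described in the book excerpt.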

Keith Alabaster:
No, you don't need a cache server.

Make sure that only the internal ISA NIC has a DNS entry pointing to your internal DNS server. Also make sure that in the binding order, your internal NIC is at the top.

Remember in the Internet Explorer proxy settings to put in the ISA internal IP and port 8080.
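The three checks in the answer above (DNS only on the internal NIC, binding order, IE proxy to the ISA internal IP on 8080) as commands you can run on the ISA machine. This is an added example, not part of the thread; the NIC names "Internal" and "External", ISA internal IP 10.0.0.1 and DC/DNS 10.0.0.2 are assumptions.

```batch
@echo off
rem Added example: client-side settings on the ISA box, per the answer above.
rem Assumed: NIC names "Internal" and "External", ISA internal IP 10.0.0.1, DC/DNS 10.0.0.2.
set ISA_INTERNAL=10.0.0.1
set INTERNAL_DNS=10.0.0.2

rem Only the internal NIC gets a DNS entry, and it points at the internal DNS server.
netsh interface ip set dns "Internal" static %INTERNAL_DNS%
rem The external NIC gets no DNS server at all (none clears any configured entry).
netsh interface ip set dns "External" static none

rem Show the per-adapter DNS configuration to confirm only "Internal" lists a server.
netsh interface ip show dns
rem Binding order itself is set in Network Connections > Advanced > Advanced Settings;
rem ipconfig /all lists the adapters so you can confirm "Internal" is first.
ipconfig /all

rem Internet Explorer proxy for the current user: ISA internal IP, port 8080.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d %ISA_INTERNAL%:8080 /f

rem Name resolution via the internal DNS server must work before a firewall rule is suspected.
nslookup example.com %INTERNAL_DNS%
```

Restart Internet Explorer after the registry change so it picks up the proxy setting.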
Jason Yu (asker):
I did what you said on my ISA server, but it failed. I can get online on my DNS server, but not with my ISA Server 2004. When I try to open a browser to surf online, it gives me the following error message:

Error Code: 403 Forbidden. The ISA server denied the specified uniform resource locator (URL) (12202).

Would you please give me more detailed instructions? Thanks.
ASKER CERTIFIED SOLUTION: Keith Alabaster (the accepted answer is available to Experts Exchange members only)
Jason Yu (asker):
Genius, you are so smart. I added it and it turned out to work.

Thank you very much. I appreciate your help very much.

If I want to improve my skills on ISA Server, would you recommend a book or article to me?