Upgraded to ISA Firewalls, Issues with loopback and .NET debugging

Posted on 2003-12-04
Last Modified: 2012-06-27
Hey,

We just upgraded to ISA Firewalls. Here's the network config:

Server: ISASERVER (Windows 2003 Server running ISA) / 2 NICs
External IP: 10.1.128.11 (gets translated to public internet IP through router in front of it)
Internal IP: 192.168.1.6

Server: PDC (Windows 2003 Server running ISA) / 2 NICs
External IP: 10.1.128.11
Internal IP: 192.168.1.4
(This server functions as domain controller, DNS, WINS, and mail server as well as a separate firewall for our developers -- the rest of the end-users go through the ISASERVER firewall, and yes I'm aware of the security involved in running ISA on domain controller, so there is a Cisco PIX in front of this server as well.)

Server: RUFUS (Windows 2003 Server) / 1 NIC - This is our web server running ASP.NET & SQL 2000.
Internal IP: 192.168.1.3
Gateway: 192.168.1.6 (ISASERVER Internal NIC)

My Workstation: Windows XP
IP: 192.168.1.10
Gateway: 192.168.1.4 (PDC Internal NIC)

Now, the question...

I have internal network DNS entries for "sql.mydomain.com" pointing to 192.168.1.3. In our web applications we always use "sql.mydomain.com" for the SQL server address. This worked wonderfully until we installed the ISA servers.

Now, the applications running on RUFUS report that they cannot find the SQL server. nslookup says it resolves fine (192.168.1.3) but for some reason RUFUS will not loop back to itself when connecting.

I changed the DNS entry for "sql.mydomain.com" to 127.0.0.1 in Active Directory DNS, and now RUFUS is fine. Why the loopback issue and how to resolve?

Also, since the change to ISA, my Visual Studio .NET will not debug ASP.NET applications (getting "please reinstall remote debugging" error message -- not sure if this is related to the above problem!)

Thanks,
Brandon
0
Question by:BrandonPotter
6 Comments
 
LVL 35

Expert Comment

by:ShineOn
ID: 9874973
I would be half-bald by now if I were in your shoes.  I like your server name, RUFUS.  I once worked at a place where we had a server named BART and another named HOMER.  It was suggested that we use dead porn-star names, but all we could think of was John Holmes...

Anyway,

The internal DNS had not changed, but you added the ISA box, and suddenly your access to RUFUS went awry?

It doesn't make sense to me.  All of your private IPs, including RUFUS, are on the same class C network, so it shouldn't be a matter of routing.  The differences in default gateway shouldn't have an effect.

Is the RUFUS server physically segregated from the rest of the network, and only accessible through the ISA server?  (grasping at straws...)
0
 

Author Comment

by:BrandonPotter
ID: 9875026
ShineOn,

After I added the ISA box, all the other servers can access RUFUS just fine, but the applications on RUFUS say "go look for SQL!" and it resolves the DNS of the SQL server to its own NIC, 192.168.1.3, as it should. But for some reason it can't connect to "itself".

Yes, we have RYU, RUFUS, ZEUS, LARRY, EINSTEIN, and MORPHEUS as some of our server names. The names like SRV0362 just didn't work for me.

Brandon
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 9875381
So Rufus has both the app and the database.

Why it would change between no-ISA and yes-ISA is beyond me.  Maybe someone else has encountered this.  It does make some degree of sense that if you are using DNS to resolve a resource that is local to a server, that the loopback address be used, but why it worked the other way before, but not now, I can't say.

Anyone???.
0
LVL 2

Expert Comment

by:hangman
ID: 9880426
Am I the only one who noticed this, but ISASERVER and PDC both have the same external IP address of 10.1.128.11. That can't be good. Also, what is the point of putting ISA firewall, a hugely complex and buggy software, on top of an already hugely complex and buggy software, i.e. 2003, when you already have a router running? A router has 'less moving parts' and so less chances of something going wrong. Your best bet is to make your network as simple as possible. Also, is it just me, but what are you doing: "I changed the DNS entry for "sql.mydomain.com" to 127.0.0.1 in Active Directory DNS"? This is the loopback address used for internal testing purposes only and should not be included in the DNS. There must be some other problem.
0
 

Author Comment

by:BrandonPotter
ID: 9880505
Sorry, my mistake. PDC has external of 10.1.128.15, typo on my part in getting confused between external NICs on the 2 servers and forgetting to update one of them.

We put ISA on primarily as Exchange RPC proxy and logging tool. Using the Cisco PIX for our rudimentary port changes, etc. isn't an option as we can't make changes to it except in the mornings. (Don't ask - political BS).

Changing the sql.mydomain.com entry to 127.0.0.1 is acceptable in this case because all the applications reside on RUFUS and when it resolves to 127.0.0.1 points back to itself. But herein lies the whole problem I'm having, I should be able to enter the DNS entry as 192.168.1.3 and it should work. But for some reason it won't.

Thanks,
Brandon
0
 
LVL 35

Accepted Solution

by:
ShineOn earned 800 total points
ID: 9880690
I don't know.

Knowing how Microsoft likes to make things difficult for techies, at this point if I were in your shoes I'd start suspecting that something with the installation of ISA in your environment made changes to DNS and routing.

However, if you think about it, having a service that is local to a server accessed via loopback is not out of the ordinary.  Maybe it was working when it shouldn't have, before putting in ISA.

That may seem a tad paranoid, but it is worth considering, IMHO.  I assume you have already searched the Microsoft knowledgebase as best you can, and came up empty?
0
