Solved

Upgraded to ISA Firewalls, Issues with loopback and .NET debugging

Posted on 2003-12-04
380 Views
Last Modified: 2012-06-27
Hey,

We just upgraded to ISA Firewalls. Here's the network config:

Server: ISASERVER (Windows 2003 Server running ISA) / 2 NICs
External IP: 10.1.128.11 (gets translated to public internet IP through router in front of it)
Internal IP: 192.168.1.6

Server: PDC (Windows 2003 Server running ISA) / 2 NICs
External IP: 10.1.128.11
Internal IP: 192.168.1.4
(This server functions as domain controller, DNS, WINS, and mail server as well as a separate firewall for our developers -- the rest of the end-users go through the ISASERVER firewall, and yes I'm aware of the security involved in running ISA on domain controller, so there is a Cisco PIX in front of this server as well.)

Server: RUFUS (Windows 2003 Server) / 1 NIC - This is our web server running ASP.NET & SQL 2000.
Internal IP: 192.168.1.3
Gateway: 192.168.1.6 (ISASERVER Internal NIC)

My Workstation: Windows XP
IP: 192.168.1.10
Gateway: 192.168.1.4 (PDC Internal NIC)

Now, the question...

I have internal network DNS entries for "sql.mydomain.com" pointing to 192.168.1.3. In our web applications we always use "sql.mydomain.com" for the SQL server address. This worked wonderfully until we installed the ISA servers.

Now, the applications running on RUFUS report that they cannot find the SQL server. nslookup says it resolves fine (192.168.1.3), but for some reason RUFUS will not loop back to itself when connecting.

I changed the DNS entry for "sql.mydomain.com" to 127.0.0.1 in Active Directory DNS, and now RUFUS is fine. Why the loopback issue and how to resolve?

Also, since the change to ISA, my Visual Studio .NET will not debug ASP.NET applications (getting "please reinstall remote debugging" error message -- not sure if this is related to the above problem!)

Thanks,
Brandon
Question by:BrandonPotter
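The symptom described in the question (the name resolves correctly, yet the host cannot reach its own interface address while 127.0.0.1 works) can be separated into three different faults with one small probe run on the affected host: the name does not resolve at all, the service is reachable on loopback but not on the NIC address (the listener is bound to 127.0.0.1 only, or a host-level firewall or packet filter is intercepting traffic addressed to the NIC), or the service is down on every address. The script below is an added example written for this page; it is not code from the original post or from ISA Server. It assumes plain Python on the host being tested, the name `sql.mydomain.com` and port 1433 (the default SQL Server 2000 TCP port) from the question, and it includes a throwaway local listener so the probe can be exercised without a database.

```python
import socket
import threading


def tcp_connect_ok(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolve_all(name):
    """Return the distinct IPv4 addresses the local resolver returns for name.

    This is the same lookup the application's client library performs, so a
    mismatch with nslookup (which queries the DNS server directly) shows up here.
    """
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    addrs = []
    for info in infos:
        addr = info[4][0]
        if addr not in addrs:
            addrs.append(addr)
    return addrs


def probe(name, port):
    """Resolve name, then try the port on every resolved address and on loopback.

    Returns {"resolved": [...], "reachable": {address: bool}}.
    """
    resolved = resolve_all(name)
    reachable = {addr: tcp_connect_ok(addr, port) for addr in resolved}
    # Always probe loopback too, so a NIC-only failure stands out.
    reachable.setdefault("127.0.0.1", tcp_connect_ok("127.0.0.1", port))
    return {"resolved": resolved, "reachable": reachable}


def diagnose(report):
    """Classify a probe() report into the likely fault domain."""
    resolved = report["resolved"]
    reach = report["reachable"]
    if not resolved:
        return "resolution"          # the name does not resolve on this host
    if all(reach[a] for a in resolved):
        return "ok"                  # every resolved address answers
    if not any(reach.values()):
        return "service-down"        # nothing answers, loopback included
    nic = [reach[a] for a in resolved if a != "127.0.0.1"]
    if reach.get("127.0.0.1") and nic and not any(nic):
        # Loopback works but the interface address does not: the listener is
        # bound to 127.0.0.1 only, or a host filter drops traffic to the NIC.
        return "loopback-only"
    return "partial"


def start_listener(bind_addr):
    """Start a throwaway TCP listener on an ephemeral port (test fixture only).

    Returns (port, stop); stop() shuts the listener down cleanly.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, 0))
    srv.listen(5)
    srv.settimeout(0.2)              # lets the accept loop notice stop()
    stopping = threading.Event()

    def accept_loop():
        while not stopping.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    worker = threading.Thread(target=accept_loop, daemon=True)
    worker.start()

    def stop():
        stopping.set()
        worker.join()
        srv.close()

    return srv.getsockname()[1], stop


if __name__ == "__main__":
    import sys
    # Defaults are the name and port from the question (assumed values).
    name = sys.argv[1] if len(sys.argv) > 1 else "sql.mydomain.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 1433
    report = probe(name, port)
    for addr, ok in report["reachable"].items():
        print(f"{addr}:{port} -> {'reachable' if ok else 'NOT reachable'}")
    print("diagnosis:", diagnose(report))
```

Run it on RUFUS as `python probe.py sql.mydomain.com 1433`. A "loopback-only" result means the DNS workaround of pointing the name at 127.0.0.1 is masking a binding or host-filtering problem rather than fixing a DNS one; a "resolution" result means the application's resolver path differs from what nslookup shows.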
6 Comments
 
LVL 35

Expert Comment

by:ShineOn
ID: 9874973
I would be half-bald by now if I were in your shoes.  I like your server name, RUFUS.  I once worked at a place where we had a server named BART and another named HOMER.  It was suggested that we use dead porn-star names, but all we could think of was John Holmes...

Anyway,

The internal DNS had not changed, but you added the ISA box, and suddenly your access to RUFUS went awry?

It doesn't make sense to me.  All of your private IP's, including RUFUS, are on the same class C network, so it shouldn't be a matter of routing.  The differences in default gateway shouldn't have an effect.

Is the RUFUS server physically segregated from the rest of the network, and only accessible through the ISA server?  (grasping at straws...)  
 

Author Comment

by:BrandonPotter
ID: 9875026
ShineOn,

After I added the ISA box, all the other servers can access RUFUS just fine, but the applications on RUFUS say "go look for SQL!" and it resolves the DNS of the SQL server to its own NIC, 192.168.1.3, as it should. But for some reason it can't connect to "itself".

Yes, we have RYU, RUFUS, ZEUS, LARRY, EINSTEIN, and MORPHEUS as some of our server names. The names like SRV0362 just didn't work for me.

Brandon
 
LVL 35

Expert Comment

by:ShineOn
ID: 9875381
So Rufus has both the app and the database.

Why it would change between no-ISA and yes-ISA is beyond me.  Maybe someone else has encountered this.  It does make some degree of sense that if you are using DNS to resolve a resource that is local to a server, the loopback address be used, but why it worked the other way before, but not now, I can't say.

Anyone???
 
LVL 2

Expert Comment

by:hangman
ID: 9880426
Am I the only one who noticed this, but ISASERVER and PDC both have the same external IP address of 10.1.128.11. That can't be good. Also, what is the point of putting ISA firewall, a hugely complex and buggy software, on top of an already hugely complex and buggy software, i.e. 2003, when you already have a router running? A router has 'less moving parts' and so less chance of something going wrong. Your best bet is to make your network as simple as possible. Also, is it just me, but what are you doing with "I changed the DNS entry for "sql.mydomain.com" to 127.0.0.1 in Active Directory DNS"? This is the loopback address, used for internal testing purposes only, and should not be included in the DNS. There must be some other problem.
 

Author Comment

by:BrandonPotter
ID: 9880505
Sorry, my mistake. PDC has external of 10.1.128.15, typo on my part in getting confused between external NICs on the 2 servers and forgetting to update one of them.

We put ISA on primarily as Exchange RPC proxy and logging tool. Using the Cisco PIX for our rudimentary port changes, etc. isn't an option as we can't make changes to it except in the mornings. (Don't ask - political BS).

Changing the sql.mydomain.com entry to 127.0.0.1 is acceptable in this case because all the applications reside on RUFUS, and when it resolves to 127.0.0.1 it points back to itself. But herein lies the whole problem I'm having: I should be able to enter the DNS entry as 192.168.1.3 and it should work. But for some reason it won't.

Thanks,
Brandon
 
LVL 35

Accepted Solution

by: ShineOn (earned 200 total points)
ID: 9880690
I don't know.

Knowing how Microsoft likes to make things difficult for techies, at this point if I were in your shoes I'd start suspecting that something with the installation of ISA in your environment made changes to DNS and routing.

However, if you think about it, having a service that is local to a server accessed via loopback is not out of the ordinary.  Maybe it was working when it shouldn't have, before putting in ISA.

That may seem a tad paranoid, but it is worth considering, IMHO.  I assume you have already searched the Microsoft knowledgebase as best you can, and came up empty?