Posted on 2006-06-02
Last Modified: 2010-04-09
I would like to test run an ISA server running in integrated mode within a network. Currently the network runs through a hardware firewall with 2 DC/DNS servers forwarding to ISP DNS. Without going into too much detail, my thought was to install the ISA dual NIC (external/internal), create firewall rules and point everyone's IE to the proxy server's internal IP. Is there a problem running both DNS together, or should I block the DNS forwards from the DC/DNS servers at the firewall and only route via the ISA? Can they both route out at the same time or will this cause issues?
Question by:vivo123
    LVL 51

    Expert Comment

    by:Keith Alabaster
    This really depends on your end position.

    Firstly, I would point out that ISA2000 has been replaced by ISA2004 and ISA2006 is due for release quite soon. It's already available for a 6 month trial (in beta format) by download from MS.

    Anyway, to answer your questions with questions of my own:

    1.  Is there a problem running both DNS together or should I block the DNS forwards from the DC/DNS servers at the firewall and only route via the ISA?

    Are you talking about DNS that will be used by the internet to resolve names/ip's for your domain or is this simply your internal DNS?

    You mention routing. Are you expecting to route traffic out through ISA or NAT it?

    2. Can they both route out at the same time or will this cause issues?
    ISA will not care. It will treat the traffic as different streams as they will be coming from different source IPs. Remember that DNS is not proxy traffic; it runs as UDP port 53 for normal name resolution and TCP port 53 for zone transfers. The DNS boxes will either have to be SecureNAT clients, whereby you point their default gateways at the internal NIC of the ISA server, or standard boxes that must have an internal route that will get them to the ISA server so that DNS traffic can be sent out. Assuming you WANT to send DNS traffic out, that is.

    Author Comment

    Thanks, I will look into the latest versions. We have a licensed copy of ISA 2000 which has never been used.

    1.  I am talking about DNS used to resolve Internet names. Currently we use forwarders to ISP DNS. Local clients point their DNS to the internal DC/DNS servers for local resolution and forward out to the ISP for Internet resolution.

    I would like to perform tests with the ISA in the production network, maybe conducting them only on a group of computers within the domain (possibly 5 to 10). This is where my question comes into play.

    I was going to install the ISA in integrated mode and perform a one-to-one NAT route on the firewall to the external interface.

    2.  At this time I wanted to route Internet traffic on the non-testing computers through the normal method of the DC/DNS forwarders, and the testing clients through the ISA and out to the Internet; again I will have a NAT route at the HW firewall. On the ISA external NIC I will place the ISP DNS IP address. Internal routing will still occur via the DC/DNS servers, but Internet traffic will flow through the ISA by means of proxy settings in IE.

    Can I test this way without experiencing resolution problems?

    LVL 51

    Accepted Solution

    Whether you use ISA or not, your internal DNS servers can carry on providing their service exactly as they are now; you don't have to change this for ISA.
    Be aware that mainstream support from Microsoft ended for ISA2000 in April 2006. Extended support continues for a further 5 years till 2011, but this will cost you.

    I would strongly recommend you commence your testing with 2004 or even 2006, as the experience is far superior and the whole process (the way ISA operates, the GUI etc.) is completely different, but naturally this has to be your call.

    If you are installing ISA in integrated mode you will need to have decided how the test clients are going to connect: using the ISA firewall client, SecureNAT (where you point the PC's default gateway to be the ISA internal NIC), Web proxy (where you use IE browser proxy settings) or a combination.

    Up to you in respect to the NAT. If you route through ISA then that's fine; if you NAT then the traffic gets the ISA's external NIC address. Nothing special there.
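    The accepted solution leaves the choice of client mode (Web proxy via IE settings, SecureNAT via default gateway, or both) to the asker, while the internal DC/DNS servers stay untouched. The following PowerShell script is an added example, not from this thread or from the ISA product, that reports which of those modes a pilot client is actually in and confirms its DNS still points at the internal servers rather than the ISA; the ISA internal address and the internal DNS addresses are placeholder values.

```powershell
# Added example (not from the thread): classify a pilot client's ISA connection mode
# and check that its DNS configuration still uses the internal DC/DNS servers.
param(
    [string]$IsaInternalIp = '10.0.0.2',                   # placeholder: ISA internal NIC address
    [string[]]$InternalDns = @('10.0.0.10', '10.0.0.11')    # placeholder: DC/DNS server addresses
)

# Web proxy client: per-user WinINET/IE proxy settings, i.e. "point everyone's IE to the proxy".
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $ieKey
$proxyServer = [string]$ie.ProxyServer
$webProxyClient = ($ie.ProxyEnable -eq 1) -and
                  ($proxyServer -match [regex]::Escape($IsaInternalIp))

# SecureNAT client: the default gateway is the ISA internal NIC.
$nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$gateways = @($nics | ForEach-Object { $_.DefaultIPGateway } | Where-Object { $_ })
$secureNatClient = $gateways -contains $IsaInternalIp

# DNS: test clients should keep resolving via the internal DC/DNS servers (which forward to
# the ISP); pointing client DNS at the ISA or the ISP directly would break internal resolution.
$dns = @($nics | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
$dnsOnInternal = ($dns.Count -gt 0) -and
                 (@($dns | Where-Object { $InternalDns -notcontains $_ }).Count -eq 0)

$mode = switch ($true) {
    ($webProxyClient -and $secureNatClient) { 'WebProxy+SecureNAT'; break }
    $webProxyClient                          { 'WebProxy'; break }
    $secureNatClient                         { 'SecureNAT'; break }
    default                                  { 'NotAnIsaClient' }
}

# One row per host; collect across the pilot group with Invoke-Command or a logon script.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    IsaClientMode  = $mode
    ProxyServer    = $proxyServer
    DefaultGateway = ($gateways -join ',')
    DnsServers     = ($dns -join ',')
    DnsOnInternal  = $dnsOnInternal
}
```

    A host reporting `WebProxy` with `DnsOnInternal` true matches the asker's test design; `DnsOnInternal` false on a pilot client is the misconfiguration most likely to cause the resolution problems asked about.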


    Author Comment

    Excellent. Thanks for the response.
    LVL 51

    Expert Comment

    by:Keith Alabaster
    You're welcome :)
    LVL 51

    Expert Comment

    by:Keith Alabaster
    Anything else I can tell you, vivo, or do you want to close the question?
