Solved

Outbound DNS from ISA 2004 Server being denied to ISP...Please help configure, customer down!

Posted on 2006-06-14
Last Modified: 2013-11-16
I have a customer who we have upgraded to SBS 2003 prem and ISA 2004.  The server works fine upon reboot, inbound and outbound smtp flows but after about 20-30 minutes it dies.  I am seeing outbound dns requests from the Exchange server (same box as ISA 2K4) being denied.  I have a DNS outbound rule that looks correct and the server still does not pass the DNS requests to the ISP...Any thoughts?
Question by:aungelbach
28 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16905250
Have you added 'local host' to the FROM box in the rule?
0
 

Author Comment

by:aungelbach
ID: 16905539
Yes I do, I have internal/local host/vpn clients although vpn is not active.  I have a PIX 501 in place as an edge firewall and it is configured and working properly so I don't need ISA for security...
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16909199
Can you post the exact deny message? Is the deny coming from a client or the sbs server itself in respect to the denied IP source address?
0
 

Author Comment

by:aungelbach
ID: 16912790
The logging shows that the server 10.0.0.2 (internal server) is sending DNS requests to the DNS server IPs provided by the ISP and then there is a second log event directly under that which says denied.  The initiation attempt (first entry) shows that the server is using the "Allow DNS from ISA server to selected servers" rule.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16913225
Have you actually added dns to one of the outgoing access rules?
The allow DNS from ISA to selected server is for when ISA is the DNS server.
0
 

Author Comment

by:aungelbach
ID: 16913268
I believe the outbound rule has all traffic allowed to go outbound.
0
 

Author Comment

by:aungelbach
ID: 16913677
I am emailing you a screenshot of the firewall policy to your EE address
0
 

Author Comment

by:aungelbach
ID: 16914496
Is there a way I can just tell ISA to allow EVERYTHING inbound and EVERYTHING outbound and let my PIX worry about the rest?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16914748
Hi Adam.

Yep, got them. Just reviewing them now.
0
 

Author Comment

by:aungelbach
ID: 16914839
Great, I would love to get this outbound DNS flowing before I leave...I have about 45 minutes until my next appointment.  I think we will be all good if we can get this outbound email flowing.
0
 

Author Comment

by:aungelbach
ID: 16915815
Hello Keith;

Any thoughts yet?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16918099
Your rules 2 & 3 are likely your problem.

Rule 2 (from what I can see) allows ALL traffic to the SBS box from outside and inside?
Rule 4 overrides rule 3.
Can't see that rule 8 (DNS) would ever get used.
ISA 2004 uses a top-down application of the rule set, unlike ISA 2000, which used to perform the denies then the allows.
Save your current config

Can you create a new access rule at position 1

Allow_All_Outbound
allow
all protocols
from - internal/local host/vpn clients
to     - external
all users
always

remove your outbound dns rule
disable your two SBS Outbound rules (right-click - disable)
0
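As an added illustration of the top-down, first-match evaluation described above (example code, not from the thread or from ISA itself), this small Python model shows how a broad rule placed earlier shadows a later DNS access rule, and how an Allow_All_Outbound rule at position 1 changes the outcome. The rule names and the sample policy are assumptions, not the customer's actual configuration.

```python
from dataclasses import dataclass

# Constructed model of ISA 2004's top-down, first-match rule evaluation.
# The rule names and sample policy are assumptions based on the thread,
# not an export of the customer's firewall policy.
ANY = "*"

@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    protocols: set       # protocol names, or {ANY}
    sources: set         # ISA network names, or {ANY}
    destinations: set
    enabled: bool = True

    def matches(self, protocol, src, dst):
        return (self.enabled
                and (ANY in self.protocols or protocol in self.protocols)
                and (ANY in self.sources or src in self.sources)
                and (ANY in self.destinations or dst in self.destinations))

def evaluate(rules, protocol, src, dst):
    """First matching rule wins; traffic matching nothing hits ISA's default deny."""
    for rule in rules:
        if rule.matches(protocol, src, dst):
            return rule.action, rule.name
    return "deny", "Default rule"

def shadowed(rules, samples):
    """Enabled rules that no sample flow ever reaches: rules that 'would never get used'."""
    used = {evaluate(rules, *s)[1] for s in samples}
    return [r.name for r in rules if r.enabled and r.name not in used]

def fixed_policy(rules):
    """The suggested change: broad allow at position 1, DNS access rule removed, SBS rules disabled."""
    top = Rule("Allow_All_Outbound", "allow", {ANY}, {"Internal", "Local Host", "VPN Clients"}, {"External"})
    rest = [Rule(r.name, r.action, r.protocols, r.sources, r.destinations,
                 enabled=not r.name.startswith("SBS outbound"))
            for r in rules if r.name != "Allow DNS outbound"]
    return [top] + rest

ORIGINAL = [  # constructed: a broad deny sits above the DNS rule, so DNS never reaches it
    Rule("SBS outbound web", "allow", {"HTTP", "HTTPS"}, {"Internal", "Local Host"}, {"External"}),
    Rule("SBS outbound deny", "deny", {ANY}, {"Internal", "Local Host"}, {"External"}),
    Rule("Allow DNS outbound", "allow", {"DNS"}, {"Local Host"}, {"External"}),
]
SAMPLES = [("DNS", "Local Host", "External"), ("HTTP", "Internal", "External"),
           ("SMTP", "Local Host", "External")]
```

Running `shadowed(ORIGINAL, SAMPLES)` names the DNS rule as unreachable, while `fixed_policy(ORIGINAL)` allows the same DNS flow at rule 1.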
 

Author Comment

by:aungelbach
ID: 16918175
I will have the client reboot in the morning and I will try these.  Thanks Keith!
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16922134
Welcome Adam. Do you see the logic though?
0
 

Author Comment

by:aungelbach
ID: 16922675
I am getting the following configuration error...it has been appearing for days...

Description: ISA Server detected routes through adapter Server Local Area Connection that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.)  The address ranges in conflict are: 0.0.0.1-9.255.255.255;11.0.0.0-69.212.175.71;69.212.175.80-69.255.255.254;70.0.0.0-126.255.255.255;128.0.0.0-223.255.255.255;240.0.0.0-255.255.255.254;.

I also emailed you a new screenshot of the config


0
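The alert quoted above says the network's address ranges do not match what is routable through its adapter. This added Python check (example code, not from the thread or from ISA) computes exactly those non-correlating ranges from a network definition and the adapter's routes; the 10.0.0.0/24 subnet and the two sample definitions are constructed, not the customer's values.

```python
import ipaddress

# Added check, not from the thread: compare an ISA network's address ranges
# with what the routing table can reach through that network's adapter. Any
# range the network claims but the adapter cannot route is what ISA reports
# as "routes that do not correlate" and may drop as spoofed. Sample data is
# constructed: 10.0.0.0/24 behind the Internal adapter, and a definition
# widened far beyond it (the effect of pulling in every adapter's ranges).

def parse_ranges(text):
    """Parse ISA-style 'a.b.c.d-e.f.g.h;...' into CIDR networks."""
    nets = []
    for item in filter(None, (p.strip() for p in text.split(";"))):
        lo, hi = item.split("-")
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return nets

def unroutable(definition, routes):
    """Parts of the network definition not covered by any adapter route."""
    leftover = list(definition)
    for route in routes:
        kept = []
        for net in leftover:
            if net.subnet_of(route):
                continue                                  # fully routable: drop
            if route.subnet_of(net):
                kept.extend(net.address_exclude(route))   # carve out routed part
            else:
                kept.append(net)                          # disjoint: still unroutable
        leftover = kept
    return sorted(leftover)

def to_ranges(nets):
    """Merge adjacent CIDR blocks back into ISA-style 'lo-hi' strings."""
    ranges = []
    for net in sorted(nets):
        lo, hi = int(net.network_address), int(net.broadcast_address)
        if ranges and ranges[-1][1] + 1 == lo:
            ranges[-1][1] = hi
        else:
            ranges.append([lo, hi])
    return [f"{ipaddress.ip_address(a)}-{ipaddress.ip_address(b)}" for a, b in ranges]

def conflicts(definition_text, route_cidrs):
    """ISA-style list of address ranges that do not correlate with the adapter."""
    routes = [ipaddress.ip_network(r) for r in route_cidrs]
    return to_ranges(unroutable(parse_ranges(definition_text), routes))

GOOD = conflicts("10.0.0.0-10.0.0.255", ["10.0.0.0/24"])                      # one correct entry
BAD = conflicts("0.0.0.1-9.255.255.255;10.0.0.0-10.0.0.255", ["10.0.0.0/24"])  # widened
```

`GOOD` is empty, while `BAD` reports the range that the Internal adapter cannot route, in the same "lo-hi;" form the alert uses.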
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16922737
Yep, just got it but it is too small for me to read... I'm an old git of 46 and my sight is not what it was. Can you do a shot as big as the previous ones?

Also, what networks do you have (as in interfaces on the ISA)? Have you set up VPN access or something, or a DMZ/perimeter?

There should only be one entry in the addresses tab. (configuration - networks - internal - addresses)
That error message looks like someone has clicked on the add adaptors; this will add in all of the addresses it can see plus all of the other private address ranges. Can you send a shot of the networks page? If you don't feel comfortable with that, it's OK.
0
 

Author Comment

by:aungelbach
ID: 16922944
Can I call you for this type of security question and we can post our outcome to EE?  
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16922998
No offence but

A) that is not allowed by EE rules (we are bending them slightly already)
B) I cannot give out my home telephone number really.

0
 

Author Comment

by:aungelbach
ID: 16923513
No problem, I just figured we could pound this out really fast.  The system still does not allow the DNS...I will redo screenshots after client reboots and email them over.
0
 

Author Comment

by:aungelbach
ID: 16923672
Just sent over new screenshots.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 16929243
OK

Rule 1. Shouldn't have allow everything from external to external (not necessary)
Rule 2. You have put DNS in as an access rule. Should be a publishing rule.
Rule 3. No problem although I only allow smtp in from external on mine; nothing else.
Rule 4. For me, that's a no-no. That's allowing everything outside to get access to your ISA box.
Rule 5. & Rule 6. Disabled
Rule 7. Unnecessary. Should deal with this within the System policy. Will confuse ISA
Rule 8. & Rule 9. perfect.

0
 

Author Comment

by:aungelbach
ID: 16935064
Hello Keith;

Thank you for the notes, what should I change these rules to?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16994873
You don't 'have' to change any of them; it's just my view.

However,
point 1 speaks for itself as does 3, 5, 6, 8 & 9

Point 2. Anything coming in from external to internal (such as the DNS queries) should be dealt with as a publishing rule. Publish a server for port 53 incoming udp.
I use access rules for traffic leaving the ISA (and responses) and publishing rules for all traffic coming in from the outside to the inside.

point 4. I would disable this rule as it allows all traffic from the internet to get to the ISA server and as it is SBS, this means your domain controller.

Point 7 is no big deal. However, you can edit the system policy to allow ISA to talk to the internal networks over DHCP rather than having an access rule, but it should work either way.

0
 

Author Comment

by:aungelbach
ID: 17186151
We figured out that the server had further issues and we are replacing the server...I want to award points but not sure which post to award.  Keith did a great job diagnosing this ISA config and I want to give him credit.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17186690
That's kind of you.
Comment from keith_alabaster
Date: 06/18/2006 10:50AM GMT
ID: 16929243

regards
Keith
0
