  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 439

Outbound DNS from ISA 2004 server being denied to ISP... Please help configure, customer down!

I have a customer who we have upgraded to SBS 2003 Premium and ISA 2004. The server works fine upon reboot, inbound and outbound SMTP flows, but after about 20-30 minutes it dies. I am seeing outbound DNS requests from the Exchange server (same box as ISA 2004) being denied. I have a DNS outbound rule that looks correct and the server still does not pass the DNS requests to the ISP... Any thoughts?
0
Asked by aungelbach
1 Solution
 
Keith AlabasterCommented:
Have you added 'local host' to the FROM box in the rule?
0
 
aungelbachAuthor Commented:
Yes, I do. I have Internal/Local Host/VPN Clients, although VPN is not active. I have a PIX 501 in place as an edge firewall and it is configured and working properly, so I don't need ISA for security...
0
 
Keith AlabasterCommented:
Can you post the exact deny message? Is the deny coming from a client or the sbs server itself in respect to the denied IP source address?
0
 
aungelbachAuthor Commented:
The logging shows that the server 10.0.0.2 (internal server) is sending DNS requests to the DNS server IPs provided by the ISP, and then there is a second log event directly under that that says denied. The initiation attempt (first entry) shows that the server is using the "Allow DNS from ISA server to selected servers" rule.
0
 
Keith AlabasterCommented:
Have you actually added DNS to one of the outgoing access rules?
The "Allow DNS from ISA server to selected servers" rule is for when ISA is the DNS server.
0
 
aungelbachAuthor Commented:
I believe the outbound rule has all traffic allowed to go outbound.
0
 
aungelbachAuthor Commented:
I am emailing you a screenshot of the firewall policy to your ee address
0
 
aungelbachAuthor Commented:
Is there a way I can just tell ISA to allow EVERYTHING inbound and EVERYTHING outbound and let my PIX worry about the rest?
0
 
Keith AlabasterCommented:
Hi Adam.

Yep, got them. Just reviewing them now.
0
 
aungelbachAuthor Commented:
Great, I would love to get this outbound DNS flowing before I leave... I have about 45 minutes until my next appointment. I think we will be all good if we can get this outbound email flowing.
0
 
aungelbachAuthor Commented:
Hello Keith;

Any thoughts yet?
0
 
Keith AlabasterCommented:
Your rules 2 & 3 are likely your problem.

Rule 2 (from what I can see) allows ALL traffic to the SBS box from outside and inside?
Rule 4 overrides rule 3.
Can't see that rule 8 (DNS) would ever get used.
ISA 2004 uses a top-down application of the rule set, unlike ISA 2000, which used to perform the denies then the allows.
Save your current config.

Can you create a new access rule at position 1:

Allow_All_Outbound
  allow
  all protocols
  from - Internal/Local Host/VPN Clients
  to   - External
  all users
  always

Remove your outbound DNS rule.
Disable your two SBS Outbound rules (right-click - disable).
0
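The ordering point above (ISA 2004 applies rules top-down, first match wins, with an implicit final deny; ISA 2000 ran denies before allows regardless of position) decides whether a DNS access rule near the bottom of the list is ever reached. The following added example, which is not part of the original thread and is not the customer's real policy (that was only shown in screenshots), models both evaluation orders over a constructed rule set and reports which rules a set of sample flows never touches. Rule names, network-element names and flows are all constructed assumptions.

```python
"""ISA 2004 evaluates firewall policy top-down, first match wins, and the
built-in last rule denies everything else; ISA 2000 processed deny rules
before allow rules regardless of position.  The policies and flows below are
constructed for illustration (the customer's real rules were only shown in
screenshots) and are not part of the original thread."""
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    protocols: frozenset   # protocol names, or {ANY} for "All Outbound Traffic"
    src: frozenset         # ISA network elements, e.g. {"Internal", "Local Host"}
    dst: frozenset
    enabled: bool = True


@dataclass(frozen=True)
class Flow:
    protocol: str
    src: str
    dst: str


def _covers(wanted, have):
    return ANY in wanted or have in wanted


def matches(rule, flow):
    return (rule.enabled
            and _covers(rule.protocols, flow.protocol)
            and _covers(rule.src, flow.src)
            and _covers(rule.dst, flow.dst))


def evaluate_isa2004(rules, flow):
    """Top-down, first match wins; the implicit Default rule denies the rest."""
    for position, rule in enumerate(rules, start=1):
        if matches(rule, flow):
            return rule.action, position, rule.name
    return "deny", len(rules) + 1, "Default rule"


def evaluate_isa2000(rules, flow):
    """ISA 2000 order: any matching deny wins before allows are consulted."""
    for wanted in ("deny", "allow"):
        for position, rule in enumerate(rules, start=1):
            if rule.action == wanted and matches(rule, flow):
                return rule.action, position, rule.name
    return "deny", len(rules) + 1, "Default rule"


def unused_rules(rules, flows, evaluate=evaluate_isa2004):
    """Enabled rules that none of the sample flows ever reaches (shadowed)."""
    hit = {evaluate(rules, flow)[2] for flow in flows}
    return [r.name for r in rules if r.enabled and r.name not in hit]


def R(name, action, protocols, src, dst, enabled=True):
    return Rule(name, action, frozenset(protocols), frozenset(src), frozenset(dst), enabled)


# Constructed policy in the spirit of the thread: an early catch-all deny for
# Local Host shadows the DNS access rule sitting at the bottom of the list.
BROKEN_POLICY = [
    R("SBS Internet Access", "allow", ["HTTP", "HTTPS", "SMTP"], ["Internal"], ["External"]),
    R("Block other server traffic", "deny", [ANY], ["Local Host"], ["External"]),
    R("Allow all to SBS", "allow", [ANY], ["External", "Internal"], ["Local Host"]),
    R("Allow DNS outbound", "allow", ["DNS"], ["Internal", "Local Host"], ["External"]),
]

# Keith's fix applied: Allow_All_Outbound at position 1, the DNS rule removed,
# and the two SBS outbound rules disabled rather than deleted.
FIXED_POLICY = [
    R("Allow_All_Outbound", "allow", [ANY], ["Internal", "Local Host", "VPN Clients"], ["External"]),
    R("SBS Internet Access", "allow", ["HTTP", "HTTPS", "SMTP"], ["Internal"], ["External"], enabled=False),
    R("Block other server traffic", "deny", [ANY], ["Local Host"], ["External"], enabled=False),
    R("Allow all to SBS", "allow", [ANY], ["External", "Internal"], ["Local Host"]),
]

# Only the new rule added, nothing disabled: enough on ISA 2004, not on ISA 2000.
PARTIAL_FIX = [FIXED_POLICY[0]] + BROKEN_POLICY

SAMPLE_FLOWS = [
    Flow("DNS", "Local Host", "External"),   # SBS/Exchange box querying the ISP's DNS
    Flow("SMTP", "Internal", "External"),
    Flow("SMTP", "External", "Local Host"),  # inbound mail hitting the SBS box
]

if __name__ == "__main__":
    for label, policy in (("broken", BROKEN_POLICY), ("partial", PARTIAL_FIX), ("fixed", FIXED_POLICY)):
        for flow in SAMPLE_FLOWS:
            print(f"{label:8} {flow.protocol:4} {flow.src} -> {flow.dst}: "
                  f"2004={evaluate_isa2004(policy, flow)} 2000={evaluate_isa2000(policy, flow)}")
        print(f"{label:8} never reached: {unused_rules(policy, SAMPLE_FLOWS)}")
```

Running it shows the DNS query from Local Host stopping at the catch-all deny in the broken policy, with the DNS rule never reached; the partial fix (new rule on top, old rules left enabled) allows it under 2004 semantics but still denies it under 2000 semantics, which is why disabling the old rules is the safer change rather than relying on position alone.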
 
aungelbachAuthor Commented:
I will have the client reboot in the morning and i will try these.  Thanks Keith!
0
 
Keith AlabasterCommented:
Welcome Adam. Do you see the logic though?
0
 
aungelbachAuthor Commented:
I am getting the following configuration error... it has been appearing for days...

Description: ISA Server detected routes through adapter Server Local Area Connection that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.)  The address ranges in conflict are: 0.0.0.1-9.255.255.255;11.0.0.0-69.212.175.71;69.212.175.80-69.255.255.254;70.0.0.0-126.255.255.255;128.0.0.0-223.255.255.255;240.0.0.0-255.255.255.254;.

I also emailed you a new screenshot of the config


0
 
Keith AlabasterCommented:
Yep, just got it, but it is too small for me to read... I'm an old git of 46 and my sight is not what it was. Can you do a shot as big as the previous ones?

Also, what networks do you have (as in interfaces on the ISA)? Have you set up VPN access or something, or a DMZ/perimeter?

There should only be one entry in the Addresses tab (Configuration - Networks - Internal - Addresses).
That error message looks like someone has clicked on "add adapters"; this will add in all of the addresses it can see plus all of the other private address ranges. Can you send a shot of the Networks page? If you don't feel comfortable with that, it's OK.
0
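The alert quoted above is ISA comparing the address ranges in a network element's definition with the routes that go through the adapter belonging to it, and listing the ranges that do not correlate; addresses outside the routable set risk being dropped as spoofed. The following added example, which is not part of the original thread and not the customer's configuration, reproduces that comparison with Python's ipaddress module: it takes a network definition in ISA's "first-last" notation and the adapter's routes in CIDR form, and prints the uncorrelated ranges in the same "a-b;c-d" style the alert uses. The over-broad Internal definition and the single 10.0.0.0/8 LAN route are constructed assumptions.

```python
"""Reproduce the correlation check behind the ISA alert quoted above: which
addresses in a network element's definition are not routable through the
adapter that belongs to it.  The address ranges and routes here are constructed
for illustration and are not the customer's configuration."""
import ipaddress


def parse_range(text):
    """'first-last', as ISA prints it, -> CIDR blocks covering exactly that span."""
    first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def subtract_routes(networks, routes):
    """Drop every address that some route through the adapter does cover."""
    remaining = list(networks)
    for route in routes:
        kept = []
        for net in remaining:
            if net.subnet_of(route):
                continue                                  # fully routed: correlated
            if route.subnet_of(net):
                kept.extend(net.address_exclude(route))   # punch the route out
            else:
                kept.append(net)                          # disjoint CIDR blocks
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))


def to_ranges(networks):
    """Merge contiguous blocks and render them the way the alert does."""
    spans = []
    for net in sorted(networks):
        first, last = net[0], net[-1]
        if spans and int(spans[-1][1]) + 1 == int(first):
            spans[-1][1] = last
        else:
            spans.append([first, last])
    return [f"{a}-{b}" for a, b in spans]


def uncorrelated_ranges(definition, adapter_routes):
    """Ranges in the network definition that no route via the adapter reaches.
    An empty result means the definition and the routing table agree."""
    nets = [n for r in definition for n in parse_range(r)]
    routes = [ipaddress.ip_network(r) for r in adapter_routes]
    return to_ranges(subtract_routes(nets, routes))


# Constructed: an Internal network whose definition was padded out well beyond
# the LAN, against a routing table that only sends 10.0.0.0/8 via the LAN adapter.
OVERBROAD_INTERNAL = ["0.0.0.1-9.255.255.255", "10.0.0.0-10.255.255.255", "11.0.0.0-126.255.255.255"]
CORRECT_INTERNAL = ["10.0.0.0-10.255.255.255"]
LAN_ROUTES = ["10.0.0.0/8"]

if __name__ == "__main__":
    print("over-broad:", ";".join(uncorrelated_ranges(OVERBROAD_INTERNAL, LAN_ROUTES)))
    print("corrected :", ";".join(uncorrelated_ranges(CORRECT_INTERNAL, LAN_ROUTES)) or "(none)")
```

The over-broad definition produces "0.0.0.1-9.255.255.255;11.0.0.0-126.255.255.255", the same shape as the alert; trimming the Internal network back to the one range actually routed through the LAN adapter produces nothing, which is the state Keith is asking for (a single entry in the Addresses tab).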
 
aungelbachAuthor Commented:
Can I call you for this type of security question and we can post our outcome to EE?  
0
 
Keith AlabasterCommented:
No offence, but

A) that is not allowed by EE rules (we are bending them slightly already);
B) I cannot give out my home telephone number, really.

0
 
aungelbachAuthor Commented:
No problem, I just figured we could pound this out really fast. The system still does not allow the DNS... I will redo screenshots after the client reboots and email them over.
0
 
aungelbachAuthor Commented:
Just sent over new screenshots.
0
 
Keith AlabasterCommented:
OK.

Rule 1. Shouldn't have "allow everything" from External to External (not necessary).
Rule 2. You have put DNS in as an access rule. Should be a publishing rule.
Rule 3. No problem, although I only allow SMTP in from External on mine; nothing else.
Rule 4. For me, that's a no-no. That's allowing everything outside to get access to your ISA box.
Rule 5 & Rule 6. Disabled.
Rule 7. Unnecessary. Should deal with this within the System Policy. Will confuse ISA.
Rule 8 & Rule 9. Perfect.

0
 
aungelbachAuthor Commented:
Hello Keith;

Thank you for the notes. What should I change these rules to?
0
 
Keith AlabasterCommented:
You don't 'have' to change any of them; it's just my view.

However,
Point 1 speaks for itself, as do 3, 5, 6, 8 & 9.

Point 2. Anything coming in from External to Internal (such as the DNS queries) should be dealt with as a publishing rule. Publish a server for port 53 incoming UDP.
I use access rules for traffic leaving the ISA (and responses) and publishing rules for all traffic coming in from the outside to the inside.

Point 4. I would disable this rule, as it allows all traffic from the internet to get to the ISA server and, as it is SBS, this means your domain controller.

Point 7 is no big deal. However, you can edit the System Policy to allow ISA to talk to the internal networks over DHCP rather than having an access rule, but it should work either way.

0
 
aungelbachAuthor Commented:
We figured out that the server had further issues and we are replacing the server... I want to award points but am not sure which post to award. Keith did a great job diagnosing this ISA config and I want to give him credit.
0
 
Keith AlabasterCommented:
That's kind of you.
Comment from keith_alabaster
Date: 06/18/2006 10:50AM GMT
ID: 16929243

regards
Keith
0
