ISA Server 2006 randomly denies unauthenticated (NAT) access

Posted on 2008-10-19
Last Modified: 2012-05-05
We have one ISA Server 2006 SP1 with 3 NIC (internal, external, DMZ). Randomly ISA server denies all new requests from NAT clients to Internet and DMZ. It lasts from few seconds to several hours and depends on the amout of traffic.
Winsock clients works but Exchange cannot send mails and VPNs doesn't connect. When ISA Server in this state the login to the console takes more than one minute.
It looks like DNS problem. On the internal NIC the internal DNS servers, on the external NIC the Internet provider's DSN servers are configured. ISA Server has access rule itself on DNS.
Question by:Andornagy
  • 4
  • 3
LVL 51

Accepted Solution

Keith Alabaster earned 250 total points
ID: 22753172
The external nic should not have a dns entry at all - it should be blank.
The dmz should use the internal DNS 9which in turn uses its forwarders to get name resolution carried out).

Author Comment

ID: 22755928
Thanks, DNS entry of external nic deleted.
Unfortunately the problem doesnt solved moreover the winsock proxy users also cannot access new internet sites because the internal DNS server denied by ISA.
DMZ nic also not have any DNS entry.
Publishing rules and winsock rules works but NAT clients doesn't. Last week this problem was randomly today doesn't stop denying.

LVL 51

Expert Comment

by:Keith Alabaster
ID: 22760026
Have you added an access rule allowing dns from localhost and dmz to internal?
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 22762030
The localhost has access to internel DNS by system policy.
Our DMZ has different address range than internal but not from our public address range. There is a NAT relationship between internal and DMZ and also between external and DMZ. The DMZ has own DNS without forwarders because not requried to access any internal or external resources.

After all rules disabled the the blocking was stopped. Currently only the most important rules turned (included access to DMZ) and ISA works normally than one weeks ago.
Now I turning on rules one by one.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22762083
Why would their be a nat relationship between external and dmz if they are both on the same subnet?

Author Comment

ID: 22765112
Our address ranges:
Internal: - (this address range reserved for as long time ago but never router via ISP)

DMZ: -
Our public addres range: (most of these addresses are set in external NIC)

Complete Sharepoint infrastructure located in DMZ (Active Directory, SQL Server, WSS 3).
We use NAT to publish SharePoint server to Internet. Also we using Publish rules to publish Exchange SMTP to DMZ (sending alerts).

It's worked one year ago but I see that is not the prfect configuration.

Author Closing Comment

ID: 31507628
No I enabled most of rules without deny. The question is when it's come back. I hope never.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Forefront TMG Client Connection Failes with Checksum Error 7 172
Exchange 2003 Dirty Shutdown 6 130
isa 2006 2 561
Exchange 2010 - SPAM using organization internal addresses 6 114
Forefront Threat Management Gateway 2010 or FTMG comes with some very neat troubleshooting tools built-in when trying to identify what is actually happening behind the scenes within the product when traffic is passing through its interfaces. To the …
There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question