Link to home
Start Free TrialLog in
Avatar of Andornagy
AndornagyFlag for Hungary

asked on

ISA Server 2006 randomly denies unauthenticated (NAT) access

We have one ISA Server 2006 SP1 with 3 NIC (internal, external, DMZ). Randomly ISA server denies all new requests from NAT clients to Internet and DMZ. It lasts from few seconds to several hours and depends on the amout of traffic.
Winsock clients works but Exchange cannot send mails and VPNs doesn't connect. When ISA Server in this state the login to the console takes more than one minute.
It looks like DNS problem. On the internal NIC the internal DNS servers, on the external NIC the Internet provider's DSN servers are configured. ISA Server has access rule itself on DNS.
Thanks
ASKER CERTIFIED SOLUTION
Avatar of Keith Alabaster
Keith Alabaster
Flag of United Kingdom of Great Britain and Northern Ireland image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Andornagy
Andornagy
Flag of Hungary image

ASKER

Thanks, DNS entry of external nic deleted.
Unfortunately the problem doesnt solved moreover the winsock proxy users also cannot access new internet sites because the internal DNS server denied by ISA.
DMZ nic also not have any DNS entry.
Publishing rules and winsock rules works but NAT clients doesn't. Last week this problem was randomly today doesn't stop denying.

Avatar of Keith Alabaster
Keith Alabaster
Flag of United Kingdom of Great Britain and Northern Ireland image
Have you added an access rule allowing dns from localhost and dmz to internal?
Avatar of Andornagy
Andornagy
Flag of Hungary image

ASKER

The localhost has access to internel DNS by system policy.
Our DMZ has different address range than internal but not from our public address range. There is a NAT relationship between internal and DMZ and also between external and DMZ. The DMZ has own DNS without forwarders because not requried to access any internal or external resources.

After all rules disabled the the blocking was stopped. Currently only the most important rules turned (included access to DMZ) and ISA works normally than one weeks ago.
Now I turning on rules one by one.
Avatar of Keith Alabaster
Keith Alabaster
Flag of United Kingdom of Great Britain and Northern Ireland image
Why would their be a nat relationship between external and dmz if they are both on the same subnet?
Avatar of Andornagy
Andornagy
Flag of Hungary image

ASKER

Our address ranges:
Internal: 158.249.0.0 - 158.249.255.255 (this address range reserved for as long time ago but never router via ISP)

DMZ: 192.168.0.0 - 192.168.0.255
Our public addres range: 195.228.140.128-143 (most of these addresses are set in external NIC)

Complete Sharepoint infrastructure located in DMZ (Active Directory, SQL Server, WSS 3).
We use NAT to publish SharePoint server to Internet. Also we using Publish rules to publish Exchange SMTP to DMZ (sending alerts).

It's worked one year ago but I see that is not the prfect configuration.
Avatar of Andornagy
Andornagy
Flag of Hungary image

ASKER

No I enabled most of rules without deny. The question is when it's come back. I hope never.
Thanks