Solved

ISA Server 2006 randomly denies unauthenticated (NAT) access

Posted on 2008-10-19
Last Modified: 2012-05-05
We have one ISA Server 2006 SP1 with 3 NICs (internal, external, DMZ). Randomly, ISA Server denies all new requests from NAT clients to the Internet and DMZ. It lasts from a few seconds to several hours and depends on the amount of traffic.
Winsock clients work, but Exchange cannot send mail and VPNs don't connect. When ISA Server is in this state, the login to the console takes more than one minute.
It looks like a DNS problem. On the internal NIC the internal DNS servers, on the external NIC the Internet provider's DNS servers are configured. ISA Server itself has an access rule for DNS.
Thanks
Question by: Andornagy

7 Comments
Accepted Solution by: Keith Alabaster (earned 250 total points, ID: 22753172)
The external NIC should not have a DNS entry at all - it should be blank.
The DMZ should use the internal DNS (which in turn uses its forwarders to get name resolution carried out).

Author Comment by: Andornagy (ID: 22755928)
Thanks, the DNS entry of the external NIC is deleted.
Unfortunately the problem isn't solved; moreover, the Winsock proxy users also cannot access new Internet sites because the internal DNS server is denied by ISA.
The DMZ NIC also does not have any DNS entry.
Publishing rules and Winsock rules work, but NAT clients don't. Last week this problem was random; today it doesn't stop denying.

Expert Comment by: Keith Alabaster (ID: 22760026)
Have you added an access rule allowing dns from localhost and dmz to internal?

Author Comment by: Andornagy (ID: 22762030)
The localhost has access to the internal DNS by system policy.
Our DMZ has a different address range than internal, but not from our public address range. There is a NAT relationship between internal and DMZ and also between external and DMZ. The DMZ has its own DNS without forwarders because it is not required to access any internal or external resources.

After all rules were disabled, the blocking stopped. Currently only the most important rules are turned on (including access to DMZ) and ISA works normally, unlike one week ago.
Now I am turning on rules one by one.

Expert Comment by: Keith Alabaster (ID: 22762083)
Why would there be a NAT relationship between external and DMZ if they are both on the same subnet?

Author Comment by: Andornagy (ID: 22765112)
Our address ranges:
Internal: 158.249.0.0 - 158.249.255.255 (this address range was reserved for us a long time ago but never routed via ISP)

DMZ: 192.168.0.0 - 192.168.0.255
Our public address range: 195.228.140.128-143 (most of these addresses are set on the external NIC)

The complete SharePoint infrastructure is located in the DMZ (Active Directory, SQL Server, WSS 3).
We use NAT to publish the SharePoint server to the Internet. Also we are using publishing rules to publish Exchange SMTP to the DMZ (sending alerts).

It worked one year ago, but I see that it is not the perfect configuration.
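A consistency check over the address ranges posted above, added here as an example (it is not from the thread and not an ISA Server tool): it flags an Internal or DMZ network definition that holds non-RFC 1918 address space, as the 158.249.0.0/16 range does, and any overlap between definitions, which is what Keith's question about the DMZ and external subnets turns on. The range labels, the EXPECTED_PRIVATE list and the function names are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed input: the three ranges posted in the thread, as first/last address.
NETWORKS = {
    "Internal": ("158.249.0.0", "158.249.255.255"),
    "DMZ": ("192.168.0.0", "192.168.0.255"),
    "External": ("195.228.140.128", "195.228.140.143"),
}

# Assumed: ISA networks that should only ever hold private (RFC 1918) address space.
EXPECTED_PRIVATE = ("Internal", "DMZ")


def to_cidrs(first, last):
    """Collapse an inclusive first..last range into the CIDR blocks covering it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def overlapping_pairs(networks):
    """Return (name_a, name_b) for every pair of definitions that share addresses."""
    cidrs = {name: to_cidrs(*rng) for name, rng in networks.items()}
    found = []
    for a, b in combinations(sorted(cidrs), 2):
        if any(x.overlaps(y) for x in cidrs[a] for y in cidrs[b]):
            found.append((a, b))
    return found


def non_private_ranges(networks, expected_private=EXPECTED_PRIVATE):
    """Names of networks that should be private but contain non-RFC 1918 blocks."""
    return [name for name in expected_private
            if name in networks
            and any(not c.is_private for c in to_cidrs(*networks[name]))]


def audit(networks):
    """Run both checks; empty lists mean the definitions look consistent."""
    return {"overlaps": overlapping_pairs(networks),
            "non_private": non_private_ranges(networks)}


if __name__ == "__main__":
    # For the posted ranges: no overlaps, but "Internal" is not private space.
    print(audit(NETWORKS))
```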

Author Closing Comment by: Andornagy (ID: 31507628)
Now I have enabled most of the rules without a deny. The question is when it comes back. I hope never.
Thanks