Solved

ISA Server 2006 randomly denies unauthenticated (NAT) access

Posted on 2008-10-19
7
741 Views
Last Modified: 2012-05-05
We have one ISA Server 2006 SP1 with 3 NIC (internal, external, DMZ). Randomly ISA server denies all new requests from NAT clients to Internet and DMZ. It lasts from few seconds to several hours and depends on the amout of traffic.
Winsock clients works but Exchange cannot send mails and VPNs doesn't connect. When ISA Server in this state the login to the console takes more than one minute.
It looks like DNS problem. On the internal NIC the internal DNS servers, on the external NIC the Internet provider's DSN servers are configured. ISA Server has access rule itself on DNS.
Thanks
0
Comment
Question by:Andornagy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 250 total points
ID: 22753172
The external nic should not have a dns entry at all - it should be blank.
The dmz should use the internal DNS 9which in turn uses its forwarders to get name resolution carried out).
0
 
LVL 6

Author Comment

by:Andornagy
ID: 22755928
Thanks, DNS entry of external nic deleted.
Unfortunately the problem doesnt solved moreover the winsock proxy users also cannot access new internet sites because the internal DNS server denied by ISA.
DMZ nic also not have any DNS entry.
Publishing rules and winsock rules works but NAT clients doesn't. Last week this problem was randomly today doesn't stop denying.

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22760026
Have you added an access rule allowing dns from localhost and dmz to internal?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 6

Author Comment

by:Andornagy
ID: 22762030
The localhost has access to internel DNS by system policy.
Our DMZ has different address range than internal but not from our public address range. There is a NAT relationship between internal and DMZ and also between external and DMZ. The DMZ has own DNS without forwarders because not requried to access any internal or external resources.

After all rules disabled the the blocking was stopped. Currently only the most important rules turned (included access to DMZ) and ISA works normally than one weeks ago.
Now I turning on rules one by one.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22762083
Why would their be a nat relationship between external and dmz if they are both on the same subnet?
0
 
LVL 6

Author Comment

by:Andornagy
ID: 22765112
Our address ranges:
Internal: 158.249.0.0 - 158.249.255.255 (this address range reserved for as long time ago but never router via ISP)

DMZ: 192.168.0.0 - 192.168.0.255
Our public addres range: 195.228.140.128-143 (most of these addresses are set in external NIC)

Complete Sharepoint infrastructure located in DMZ (Active Directory, SQL Server, WSS 3).
We use NAT to publish SharePoint server to Internet. Also we using Publish rules to publish Exchange SMTP to DMZ (sending alerts).

It's worked one year ago but I see that is not the prfect configuration.
0
 
LVL 6

Author Closing Comment

by:Andornagy
ID: 31507628
No I enabled most of rules without deny. The question is when it's come back. I hope never.
Thanks
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Forefront is the brand name for Microsoft's major security product. Forefront covers a number of specific security areas and has 'swallowed' a number of applications under this umbrella including Antigen, ISA Server, the Integrated Access Gateway (t…
Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question