Solved

ISA Server 2006 randomly denies unauthenticated (NAT) access

Posted on 2008-10-19
7
686 Views
Last Modified: 2012-05-05
We have one ISA Server 2006 SP1 with 3 NICs (internal, external, DMZ). Randomly, ISA Server denies all new requests from NAT clients to the Internet and the DMZ. It lasts from a few seconds to several hours and depends on the amount of traffic.
Winsock clients work, but Exchange cannot send mail and VPNs don't connect. When ISA Server is in this state, logging in to the console takes more than one minute.
It looks like a DNS problem. On the internal NIC the internal DNS servers are configured; on the external NIC the Internet provider's DNS servers are configured. ISA Server has an access rule for itself on DNS.
Thanks
Question by:Andornagy
7 Comments
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 250 total points
ID: 22753172
The external NIC should not have a DNS entry at all - it should be blank.
The DMZ should use the internal DNS (which in turn uses its forwarders to get name resolution carried out).
0
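A quick way to check this advice on the ISA host itself, added here as an example and not part of Keith's answer: the PowerShell below reads each IP-enabled adapter's DNS client list through WMI and flags any external or DMZ adapter that still carries DNS servers, while expecting the internal adapter to have at least one. Adapter roles are inferred from IPv4 prefixes; the prefixes in the table are constructed placeholders that must be replaced with your own ranges, and the script assumes PowerShell 2.0 or later on the server.

```powershell
# Added example (not from the thread): audit per-adapter DNS client settings on an
# ISA Server host and flag adapters that should carry no DNS servers.
# Assumption: adapter roles are identified by the IPv4 prefix each NIC sits on;
# the prefixes below are constructed placeholders and must be adjusted to your ranges.
$roleByPrefix = @{
    '10.0.0.'    = 'Internal'   # constructed: internal subnet
    '192.168.0.' = 'DMZ'        # constructed: DMZ subnet
    '203.0.113.' = 'External'   # constructed: public-facing subnet (documentation range)
}

function Get-AdapterRole {
    param([string[]]$Addresses)
    foreach ($addr in $Addresses) {
        foreach ($prefix in $roleByPrefix.Keys) {
            if ($addr.StartsWith($prefix)) { return $roleByPrefix[$prefix] }
        }
    }
    return 'Unknown'
}

# Win32_NetworkAdapterConfiguration exposes the per-adapter DNS server list on
# Windows Server 2003 onwards, which is what an ISA 2006 host runs.
$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'

$findings = foreach ($nic in $adapters) {
    $role = Get-AdapterRole -Addresses $nic.IPAddress
    $dns  = @($nic.DNSServerSearchOrder)

    # Only the internal adapter should hold DNS servers; external and DMZ stay blank
    # so the host does not alternate between internal and ISP resolvers.
    $ok = switch ($role) {
        'Internal' { $dns.Count -gt 0 }
        'External' { $dns.Count -eq 0 }
        'DMZ'      { $dns.Count -eq 0 }
        default    { $true }
    }

    New-Object PSObject -Property @{
        Adapter = $nic.Description
        Role    = $role
        IPv4    = (@($nic.IPAddress) | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }) -join ','
        DNS     = ($dns -join ',')
        Status  = if ($ok) { 'OK' } else { 'REVIEW' }
    }
}

$findings | Select-Object Adapter, Role, IPv4, DNS, Status | Format-Table -AutoSize
```

The script only reads configuration. Once an adapter is flagged REVIEW, its DNS list can be cleared with the same WMI class's SetDNSServerSearchOrder method (passing an empty list) or from the adapter's TCP/IP properties dialog; re-run the audit afterwards to confirm only the internal adapter still lists resolvers.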
 
LVL 6

Author Comment

by:Andornagy
ID: 22755928
Thanks, the DNS entry of the external NIC has been deleted.
Unfortunately the problem isn't solved; moreover, the winsock proxy users also cannot access new internet sites because the internal DNS server is denied by ISA.
The DMZ NIC also does not have any DNS entry.
Publishing rules and winsock rules work, but NAT clients don't. Last week this problem occurred randomly; today it doesn't stop denying.

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22760026
Have you added an access rule allowing DNS from localhost and DMZ to internal?
0
 
LVL 6

Author Comment

by:Andornagy
ID: 22762030
The localhost has access to the internal DNS by system policy.
Our DMZ has a different address range than internal, but not from our public address range. There is a NAT relationship between internal and DMZ and also between external and DMZ. The DMZ has its own DNS without forwarders because it is not required to access any internal or external resources.

After all rules were disabled, the blocking stopped. Currently only the most important rules are turned on (including access to DMZ) and ISA works normally, unlike one week ago.
Now I'm turning on rules one by one.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22762083
Why would there be a NAT relationship between external and DMZ if they are both on the same subnet?
0
 
LVL 6

Author Comment

by:Andornagy
ID: 22765112
Our address ranges:
Internal: 158.249.0.0 - 158.249.255.255 (this address range was reserved for us a long time ago but never routed via the ISP)

DMZ: 192.168.0.0 - 192.168.0.255
Our public address range: 195.228.140.128-143 (most of these addresses are set on the external NIC)

The complete SharePoint infrastructure is located in the DMZ (Active Directory, SQL Server, WSS 3).
We use NAT to publish the SharePoint server to the Internet. We are also using publishing rules to publish Exchange SMTP to the DMZ (sending alerts).

It worked one year ago, but I see that it is not the perfect configuration.
0
 
LVL 6

Author Closing Comment

by:Andornagy
ID: 31507628
Now I have enabled most of the rules without any deny. The question is when it will come back. I hope never.
Thanks
0