Andornagy
ISA Server 2006 randomly denies unauthenticated (NAT) access
We have one ISA Server 2006 SP1 with 3 NICs (internal, external, DMZ). Randomly the ISA server denies all new requests from NAT clients to the Internet and DMZ. It lasts from a few seconds to several hours and depends on the amount of traffic.
Winsock clients work, but Exchange cannot send mail and VPNs don't connect. When the ISA Server is in this state, logging in to the console takes more than one minute.
It looks like a DNS problem. The internal DNS servers are configured on the internal NIC, and the Internet provider's DNS servers on the external NIC. ISA Server has an access rule for DNS itself.
Thanks
Have you added an access rule allowing DNS from localhost and DMZ to internal?
ASKER
The localhost has access to the internal DNS by system policy.
Our DMZ has a different address range than the internal network, but not from our public address range. There is a NAT relationship between internal and DMZ and also between external and DMZ. The DMZ has its own DNS without forwarders because it is not required to access any internal or external resources.
After all rules were disabled, the blocking stopped. Currently only the most important rules are turned on (including access to the DMZ) and ISA has worked normally for one week now.
Now I am turning on the rules one by one.
Why would there be a NAT relationship between external and DMZ if they are both on the same subnet?
ASKER
Our address ranges:
Internal: 158.249.0.0 - 158.249.255.255 (this address range was reserved for us a long time ago but has never been routed via the ISP)
DMZ: 192.168.0.0 - 192.168.0.255
Our public address range: 195.228.140.128-143 (most of these addresses are set on the external NIC)
The complete SharePoint infrastructure is located in the DMZ (Active Directory, SQL Server, WSS 3).
We use NAT to publish the SharePoint server to the Internet. We also use publishing rules to publish Exchange SMTP to the DMZ (sending alerts).
It worked one year ago, but I see that it is not the perfect configuration.
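The three address ranges posted above, checked with Python's ipaddress module for RFC 1918 status and for overlap between the ISA network definitions (overlapping or misclassified networks are a common cause of wrong route/NAT decisions). This is an added example, not code from the thread; the ranges are taken from the asker's post and the "routed_by_isp" flag is an assumption recorded from what the asker states.

```python
from ipaddress import ip_address, summarize_address_range

# Address ranges as posted in the thread (constructed from the asker's message).
# routed_by_isp is taken from the post: the 158.249.0.0/16 block is registered
# but has never been announced, so it is unreachable from the Internet.
NETWORKS = {
    "Internal": {"first": "158.249.0.0", "last": "158.249.255.255", "routed_by_isp": False},
    "DMZ":      {"first": "192.168.0.0", "last": "192.168.0.255",   "routed_by_isp": False},
    "External": {"first": "195.228.140.128", "last": "195.228.140.143", "routed_by_isp": True},
}


def to_cidrs(first, last):
    """Collapse an inclusive first-last range into the minimal list of CIDR blocks."""
    return list(summarize_address_range(ip_address(first), ip_address(last)))


def classify(name):
    """Report CIDRs, RFC 1918 status and whether the network needs NAT to reach the Internet.

    A network needs NAT towards External if its addresses are private (RFC 1918)
    or are public space that the ISP does not route back to this site.
    """
    spec = NETWORKS[name]
    cidrs = to_cidrs(spec["first"], spec["last"])
    rfc1918 = all(n.is_private for n in cidrs)
    nat_to_external = name != "External" and (rfc1918 or not spec["routed_by_isp"])
    return {
        "name": name,
        "cidrs": [str(n) for n in cidrs],
        "rfc1918": rfc1918,
        "nat_to_external": nat_to_external,
    }


def find_overlaps():
    """Return pairs of network names whose address ranges overlap (should be empty)."""
    blocks = {n: to_cidrs(s["first"], s["last"]) for n, s in NETWORKS.items()}
    names = sorted(blocks)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if any(x.overlaps(y) for x in blocks[a] for y in blocks[b])
    ]


if __name__ == "__main__":
    for name in NETWORKS:
        print(classify(name))
    print("overlapping networks:", find_overlaps())
```

Both Internal and DMZ come out as needing NAT towards External (one because it is RFC 1918 space, the other because the registered block is not routed), which is consistent with the asker's configuration, while no overlap is found between the three definitions.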
ASKER
No, I enabled most of the rules without a deny. The question is when it will come back. I hope never.
Thanks
ASKER
Unfortunately the problem isn't solved; moreover, the Winsock proxy users also cannot access new Internet sites because the internal DNS server is denied by ISA.
The DMZ NIC also doesn't have any DNS entry.
Publishing rules and Winsock rules work, but NAT clients don't. Last week this problem was random; today it doesn't stop denying.