Troubleshooting / Configuring ISA server DNS lookup

Posted on 2008-11-10
Last Modified: 2013-11-16
I have an ISA 2006 server I need to troubleshoot. Clients on the inside cannot do DNS lookups, nor can they reach external websites.

Policies are
- No enterprise policies are applied before array firewall policy
- One deny all policy is applied after array firewall policy
- A long list of policies is applied as 'Firewall policy rules'

Which policies need to be in place to allow a client to perform a DNS lookup on an external DNS?

I've tried to monitor all traffic to the specific DNS. When doing a DNS lookup from the ISA itself I get a fine log entry.

When doing the lookup from a client I get no log entries. Any ideas?

Question by:tecit
    LVL 51

    Expert Comment

    by:Keith Alabaster
    Sounds like a naff installation. Please provide an ipconfig /all from the ISA server.

    Author Comment

    The ISA cluster worked just fine until last Friday, when it suddenly started losing 75% of ping packets to the internet.

    It's 3 servers running as an ISA cluster with NLB on the outside interfaces. I've shut down 2 of the servers and disabled NLB on the third, and now the clients can access the internet and make nslookup without problems.

    Any ideas on where to look for the NLB error? Cables and switch for the outside interfaces have been tested both physically and logically.

    Hope the one server can handle the load during production time tomorrow....

    LVL 51

    Accepted Solution

    Ah - lol - more information :)
    What are the results from the BPA?

    If you are not running NLB on the internal interfaces also, how are you setting the default gateways of the clients? All of my installs (where I have used NLB) have had NLB running for both internal and external NICs. What are the default gateways of the internal DNS servers?

    Author Comment

    It turned out that our ISP made a change in their router to protect it from the unknown unicasts submitted by the ISA's NLB. We got the cluster up and running again by inserting our own router in between the ISAs and the ISP's router.

    Thanks for all your quick responses.
    LVL 51

    Expert Comment

    by:Keith Alabaster
    Welcome & Thanks :)
