kemitHamite

ISA blocks the access to the microsoft site

Hi there,

For some reason, I cannot access the MS website; as a consequence, I cannot run any automatic updates on the computers on my domain. I have an ISA Server 2006 and a LAN server on a different machine. Whenever I try to access the site from ISA it says that I have no connectivity, which is wrong since I can browse to other sites without any hassles. When surfing from a machine in the domain it gives me the error I attached...

Can anyone please help me?

Rgs
Screenshot-Error-Message---Mozil.png
pwindell

ISA is not blocking anything.

Look at what the error actually says!
ASKER

okay,

DNS-related error, but why all of a sudden if I did not alter my DNS settings? I could resolve that address without any problems!!!!

thanks for the reply
It is not you that alters any settings that would make DNS fail. The DNS does not depend on you and it is not your DNS that resolves it. The only thing your DNS does is discover what the authoritative DNS for microsoft.com is. It is then that DNS server which is queried and returns a result. Potentially every website out there has a different authoritative DNS.

If the authoritative DNS for the site is not reachable or does not respond within a certain number of seconds, you get the error you got. It can be as simple as internet congestion that causes a delay that goes beyond the TTL of the query. It could be your DNS is using a Forwarder (most of us are) and that particular Forwarder DNS was not able to get a result from the Authoritative DNS within the Query TTL amount of time.

So, if you are using a Forwarder, try a different one. If you are not using any Forwarder (like when using Root Hints), then try using a Forwarder. But beware, DNS queries can be locally cached for up to 30 minutes if I remember correctly, so even if it is fixed it may not work until the old cache entry expires or you run "IPCONFIG /FlushDNS" from a command prompt on all the machines involved (the client, the ISA, the DNS Server).


I will spend some minutes learning more about forwarding and the whole DNS thing (not my forte).

Thanks for the help.
Will get back to you.

Rgs
farazhkhan
Hi kemitHamite,

If you are still facing the same problem, then can you answer these questions:

1. Which ISA client have you set up: SecureNAT Client, Firewall Client or Web Proxy Client?

2. We had this same problem in ISA 2004 (http://support.microsoft.com/kb/915421). As you are running ISA 2006, do you have all the latest patches for ISA 2006 installed from the Microsoft Update site?

3. Did you try clearing the cache on your DNS server? Just stop > start the DNS Server service.

4. Check if the sites are accessible on the ISA box itself. First check if the names are resolvable.

5. Access the sites based on their IP addresses both on the ISA box and clients.

6. Do you have a DNS access allow rule (from internal DNS server to external) for DNS requests to pass through ISA?

Regards,
Faraz H. Khan
hi farazhkhan,

I have already tried to browse to the MS site from the ISA server machine but to no avail. I don't have any client firewall configured; I work from the server when I need to have a look at it (no remote)... I believe I have all patches for ISA installed too. I don't have a singular DNS access rule; rather, I have an INTERNET RULE and that is where the protocol is being configured to access the external network. I don't think that is where the problem is, though, since I can almost browse to other sites.

Rgs
hi pwindell,

I have tried to configure forwarders as you suggested, but I can't resolve the addresses (DNS timeout problem; I tried to perform an nslookup test to the pertinent addresses which I intend to add to my forward list, but unsuccessfully). One thing though, I can perform the test from the ISA machine (my LAN machine, which is my DC, is a separate one). I have included a snapshot of my rules so that you can, if possible, spot how my ISA is configured.

rgs
isaRules.JPG
Hi,

Well, can you just simply do one thing to test whether it is a rule problem or something else? Can you create a firewall rule for all protocols from LocalHost to External+Internal for All Users and see if you can then browse the MS site or not? See the rule attached.

Regards,
Faraz H. Khan
ISATestRule1.JPG
ASKER CERTIFIED SOLUTION
pwindell
This solution is only available to members.
pwindell,

The ISA machine was never a DC; therefore, "...they are created automatically when ISA is installed as long as the machine was a Domain Member before ISA was installed." How can this change still be applied? I understood the rest and will perform the changes accordingly.

Rgs,
The difficulty in accessing the MS website is caused by a worm (Conficker). I was just finding it too strange that, without performing any changes to my machine, access to the site was denied. I reinforced this idea after I tried to browse to some known security sites, e.g. McAfee, Symantec, ESET, Avast, etc. Surprise, surprise, the same happens. A vulnerability on Windows machines has been identified and there is a patch created though...

pwindell, your comments were very helpful, they helped me gain some focus on aspects that I hadn't paid much attention to.

Thanks
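
The comparison the asker describes above (Microsoft and several security vendors failing while other sites still load) can be turned into a repeatable triage check. This is an added example, not part of the original thread; the control names, the function names and the verdict labels are assumptions made for illustration.

```python
import socket

# Constructed lists. Vendor names follow the sites named in the thread;
# the control names are assumptions (any unrelated, reliable sites will do).
SECURITY_NAMES = ["www.microsoft.com", "update.microsoft.com", "www.mcafee.com",
                  "www.symantec.com", "www.eset.com", "www.avast.com"]
CONTROL_NAMES = ["www.wikipedia.org", "www.ietf.org", "www.example.com"]

NEXT_STEP = {
    "healthy": "All names resolve; nothing to chase in DNS.",
    "general-failure": "Control names fail too: check forwarders, the ISA DNS "
                       "rule and connectivity, then flush the caches.",
    "single-zone-failure": "Only one vendor's zone fails: likely that zone's "
                           "DNS or a stale cache entry; retry after a flush.",
    "selective-security-block": "Several unrelated security vendors fail while "
                                "controls resolve: scan and patch this host.",
}


def os_resolver(name):
    """Resolve through the OS resolver, the same path a browser uses."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, 80)})
    except OSError:  # socket.gaierror and timeouts are OSError subclasses
        return []


def vendor(name):
    """Crude registered-domain key: the last two labels of the host name."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def classify(security, control):
    """security/control map host name -> True if it resolved."""
    if not all(control.values()):
        return "general-failure"
    failed = {vendor(n) for n, ok in security.items() if not ok}
    if not failed:
        return "healthy"
    return "single-zone-failure" if len(failed) == 1 else "selective-security-block"


def triage(resolver=os_resolver):
    """Probe both lists; return (verdict, security names that failed)."""
    security = {n: bool(resolver(n)) for n in SECURITY_NAMES}
    control = {n: bool(resolver(n)) for n in CONTROL_NAMES}
    verdict = classify(security, control)
    return verdict, sorted(n for n, ok in security.items() if not ok)


if __name__ == "__main__":
    verdict, failed = triage()
    print(verdict, failed, NEXT_STEP[verdict], sep="\n")
```

Run it on the client, the ISA box and the DNS server in turn: a host that reports `selective-security-block` while its neighbours report `healthy` is the one to isolate first.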
I didn't say ISA was a DC, it should never be a DC. I said the ISA machine should have been a Member of the Domain before the ISA was installed.

Ok, glad you discovered the infection and got that figured out. The other things should still be cleaned up though.
While the solution didn't address my initial enquiry, it still helped me to figure out one key point which is inevitably 'connected' to an exploit.

Very helpful hints.