Solved

ISA blocks the access to the microsoft site

Posted on 2009-12-18
Last Modified: 2012-05-08
Hi there,

For some reason, I cannot access the MS website; as a consequence, I cannot run any automatic updates on the computers on my domain. I have an ISA Server 2006 and a LAN server on a different machine. Whenever I try to access the site from ISA it says that I have no connectivity, which is wrong since I can browse to other sites without any hassle. When surfing from a machine in the domain it gives me the error I attached...

Can anyone please help me?

Rgs
Screenshot-Error-Message---Mozil.png
Question by: kemitHamite

14 Comments
LVL 29

Expert Comment

by:pwindell
ID: 26083424
ISA is not blocking anything.

Look at what the error actually says!
LVL 1

Author Comment

by:kemitHamite
ID: 26083466
okay,

DNS-related error, but why all of a sudden if I did not alter my DNS settings? I could resolve that address without any problems!

thanks for the reply
LVL 29

Expert Comment

by:pwindell
ID: 26083558
It is not you that alters any settings that would make DNS fail,...the DNS does not depend on you and it is not your DNS that resolves it.  The only thing your DNS does is discover what the authoritative DNS for microsoft.com is.  It is then that DNS server which is queried and returns a result.  Potentially every website out there has a different authoritative DNS.

If the authoritative DNS for the site is not reachable or does not respond within a certain number of seconds,...you get the error you got.  It can be as simple as internet congestion that causes a delay that goes beyond the TTL of the query.   It could be your DNS is using a Forwarder (most of us are) and that particular Forwarder DNS was not able to get a result from the Authoritative DNS within the Query TTL amount of time.

So,...if you are using a Forwarder,...try a different one.   If you are not using any Forwarder (like when using Root Hints),...then try using a Forwarder.    But beware,...DNS queries can be locally cached for up to 30 minutes if I remember correctly,...so even if it is fixed it may not work until the old cache entry expires or you run "IPCONFIG /FlushDNS" from a command prompt on all the machines involved (the client, the ISA, the DNS Server).


LVL 1

Author Comment

by:kemitHamite
ID: 26083831
I will spend some minutes learning more about forwarding and the whole DNS thing (not my forte).

Thanks for the help.
Will get back to you.

Rgs
LVL 21

Expert Comment

by:farazhkhan
ID: 26093967
Hi kemitHamite,

If you are still facing the same problem, then can you answer these questions:

1. Which ISA client have you setup SecureNAT Client, Firewall Client or Web Proxy Client?

2. We had this same problem in ISA 2004 (http://support.microsoft.com/kb/915421). So, as you are running ISA 2006, do you have all the latest patches for ISA 2006 installed from the Microsoft Update site?

3. Did you try clearing the cache on your DNS server? Just stop > start the DNS Server service.

4. Check if the sites are accessible on the ISA box itself. First check if the names are resolvable.

5. Access the sites based on their IP addresses both on the ISA box and clients.

6. Do you have a DNS access allow rule (from the internal DNS server to External) for DNS requests to pass through ISA?

Regards,
Faraz H. Khan
LVL 1

Author Comment

by:kemitHamite
ID: 26094443
hi farazhkhan,

I have already tried to browse to the MS site from the ISA server machine but to no avail. I don't have any firewall client configured; I work from the server when I need to have a look at it (no remote)... I believe I have all patches for ISA installed too. I don't have a single DNS access rule; rather, I have an INTERNET RULE and that is where the protocol is configured to access the external network. I don't think, though, that is where the problem is, since I can almost browse to other sites.

Rgs
LVL 1

Author Comment

by:kemitHamite
ID: 26094473
hi pwindell,

I have tried to configure forwarders as you suggested, but I can't resolve the addresses (DNS timeout problem; I tried to perform an nslookup test against the addresses which I intend to add to my forwarder list, but unsuccessfully). One thing though: I can perform the test from the ISA machine (my LAN machine, which is my DC, is a separate one). I have included a snapshot of my rules so that you can, if possible, spot how my ISA is configured.

rgs
isaRules.JPG
LVL 21

Expert Comment

by:farazhkhan
ID: 26094895
Hi,

Well, can you just do one simple thing to test whether it is a rule problem or something else: create a firewall rule for all protocols from Localhost to External + Internal for All Users and see whether you can then browse the MS site or not? See the rule attached.

Regards,
Faraz H. Khan
ISATestRule1.JPG
LVL 29

Accepted Solution

by: pwindell earned 1000 total points
ID: 26096037
The LAN Rule has no purpose that I can see.  All the required LAN communication is/should be handled by System Policies,...not Access Rules.  These System Policies do not need to be created,...they are created automatically when ISA is installed as long as the machine was a Domain Member before ISA was installed. The only Protocol that makes any sense in the LAN Rule is the RDP,...and even then it should only be the regular RDP (not RDP Server).

Your DNS is failing probably because of a combination of flaws.  Every single Host on the LAN should use the AD/DNS and nothing else (no compromises).   There should only be one Access Rule for DNS,...only one.   This DNS Rule needs to be at the top of the Rule List. It needs to be anonymous (All Users) and it needs to be restricted to only the Domain Controllers as the Source,...and the Destination should only be the Forwarder you added to the DNS Config.  There is a reason for that.  This rule will "weed out" any machines on the LAN with rogue or misconfigured DNS settings. This will also protect from DNS hijacks that may be attempted by various infections that try to redirect DNS requests to other "rigged" DNS Servers intended to send you to web pages that you didn't intend to go to, which would lead to more infections.
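As an added illustration of the rule design above (this is not code from the thread or from ISA, and the addresses and log layout are assumptions), the following Python script audits DNS traffic that crossed ISA against that single-rule policy: only the domain controllers may send DNS, and only to the configured forwarder. Anything else is either a host with rogue DNS settings (or a hijack attempt) that the rule is meant to weed out, or, if ISA allowed it, a gap in the rule set such as a broad "INTERNET RULE" carrying DNS for every host. The log sample is constructed in a simplified CSV layout, not the real ISA W3C log format, so adapt the field names to an export of your own log.

```python
"""Audit DNS traffic that crossed ISA against the single-rule policy proposed
above: only the domain controllers may send DNS, and only to the forwarder."""
import csv
import io

# Assumed addresses for this example; substitute your own.
DOMAIN_CONTROLLERS = {"10.0.0.10"}      # the AD/DNS server(s) every host should use
FORWARDERS = {"203.0.113.53"}           # the forwarder configured on that DNS server

# Constructed sample in a simplified CSV layout; not a real ISA W3C log.
SAMPLE_LOG = """\
src_ip,dst_ip,protocol,dst_port,action,rule
10.0.0.10,203.0.113.53,udp,53,Allowed,DNS
10.0.0.10,198.51.100.9,udp,53,Denied,Default rule
10.0.0.57,198.51.100.9,udp,53,Denied,Default rule
10.0.0.99,198.51.100.77,tcp,53,Allowed,INTERNET RULE
10.0.0.57,192.0.2.80,tcp,80,Allowed,INTERNET RULE
"""


def audit_dns(log_text, dcs=DOMAIN_CONTROLLERS, forwarders=FORWARDERS):
    """Return (src, dst, reason, disposition) for every DNS flow outside the policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst_port"] != "53":
            continue                                # not DNS, out of scope
        src_ok = row["src_ip"] in dcs
        dst_ok = row["dst_ip"] in forwarders
        if src_ok and dst_ok:
            continue                                # DC -> forwarder: exactly what the rule allows
        if not src_ok:
            reason = "non-DC host sending DNS outbound: rogue DNS setting or hijack"
        else:
            reason = "DC querying a server other than the configured forwarder"
        if row["action"] == "Allowed":
            disposition = "rule gap: ISA allowed it via '%s'" % row["rule"]
        else:
            disposition = "blocked as intended; investigate the host"
        findings.append((row["src_ip"], row["dst_ip"], reason, disposition))
    return findings


if __name__ == "__main__":
    for finding in audit_dns(SAMPLE_LOG):
        print(" | ".join(finding))
```

Denied lines are the rule doing its job, but each source address in them is still a host whose resolver settings need fixing; Allowed lines that fall outside the policy show which rule let DNS leak past it.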
LVL 1

Author Comment

by:kemitHamite
ID: 26097097
pwindell,

the isa machine was never a DC, therefore, "...they are created automatically when ISA is installed as long as the machine was a Domain Member before ISA was installed." how can this change be applied still? I understood the rest and will perform the changes accordingly.

Rgs,
LVL 1

Author Comment

by:kemitHamite
ID: 26097591
The difficulty in accessing the MS website is caused by a worm (Conficker). I was just finding it too strange that, without performing any changes to my machine, access to the site was denied. I reinforced this idea after I tried to browse to some known security sites, e.g. McAfee, Symantec, ESET, Avast, etc. Surprise surprise, the same happens. A vulnerability on Windows machines has been identified and there is a patch created though...

pwindell, your comments were very helpful, they helped me gain some focus on aspects that I hadn't paid much attention to.

Thanks
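The two checks discussed in this thread, pwindell's advice to try a different forwarder and the author's finding that only Microsoft and security-vendor names fail, can be combined into one diagnostic. The script below is an added example, not code from the thread: it sends a raw UDP query straight to each candidate forwarder with a timeout (so a forwarder that does not answer in time shows up as a failure rather than a vague "no connectivity"), and it compares the host's own resolver on the vendor names against a neutral control name. A raw query to port 53 does not pass through the host's resolver API, so if the control name resolves, the raw query to the forwarder answers for microsoft.com, but the OS resolver still fails for exactly the vendor names, the interference is on the host itself and not at the DNS server or ISA. The vendor list, the control name and the forwarder addresses are assumptions chosen for the example.

```python
"""Two DNS checks from the thread: probe candidate forwarders with a raw UDP
query (bypassing the host resolver), and compare the OS resolver's view of
vendor names against a neutral control name."""
import random
import socket
import struct

# Vendor names the author found unreachable; a constructed sample list.
VENDOR_NAMES = ["microsoft.com", "symantec.com", "mcafee.com", "eset.com", "avast.com"]


def build_query(name, txid):
    """Standard recursive query for the A record of `name` (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def _skip_name(data, pos):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return pos + 2
        pos += 1 + length


def parse_a_records(data, txid):
    """IPv4 addresses from the answer section; raises ValueError on RCODE != 0."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("server returned RCODE %d" % rcode)
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(data, pos) + 4             # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return addrs


def query_server(name, server, timeout=3.0):
    """One UDP query sent straight to `server`:53, not through the host resolver."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data, txid)


def probe_forwarders(candidates, name="microsoft.com", timeout=3.0):
    """Map each candidate forwarder to its answer, or to a failure string."""
    results = {}
    for server in candidates:
        try:
            results[server] = query_server(name, server, timeout)
        except (OSError, ValueError) as exc:       # socket.timeout is an OSError
            results[server] = "FAILED: %s" % exc
    return results


def classify_filtering(vendor_names, control_name, resolver=socket.gethostbyname):
    """Distinguish selective blocking of vendor names from general DNS failure."""
    def resolves(n):
        try:
            resolver(n)
            return True
        except OSError:
            return False
    if not resolves(control_name):
        return "general failure"          # control name fails: DNS itself is broken
    blocked = [n for n in vendor_names if not resolves(n)]
    if not blocked:
        return "clean"
    if len(blocked) == len(vendor_names):
        return "selective blocking"       # only vendor names fail: host-side filtering
    return "partial: " + ", ".join(blocked)


if __name__ == "__main__":
    # Replace with the forwarders you intend to add to the DNS server (assumed addresses).
    print(probe_forwarders(["203.0.113.53", "198.51.100.53"]))
    print(classify_filtering(VENDOR_NAMES, "example.com"))
```

Run it on the ISA box and on a domain client: pwindell's point about local caching still applies, so flush the resolver cache first, and remember that "selective blocking" on a machine is a reason to take it off the network and patch and clean it, not a reason to change ISA rules.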
LVL 29

Expert Comment

by:pwindell
ID: 26098050
I didn't say ISA was a DC,...it should never be a DC,...I said the ISA machine should have been a Member of the Domain before the ISA was installed.

LVL 29

Expert Comment

by:pwindell
ID: 26098079
Ok,..glad you discovered the infection and got that figured out.  The other things should still be cleaned up though.
LVL 1

Author Closing Comment

by:kemitHamite
ID: 31668644
while the solution didn't address my initial enquiry, it still helped me to figure out one key point which is inevitably 'connected' to an exploit.

very helpful hints.