• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1337

Can't resolve any microsoft web sites - ISA Server 2006

We have a new network with ISA 2006 SP1 as the firewall.  Initially the ISA server could not resolve any microsoft.com web site.  If we entered the IP address we could access the site, but not through DNS resolution.

Now no system on the network can resolve microsoft.com where yesterday every system but the ISA server could.

Has anyone run into this?
Asked by: Beratung
 
Raj-GT (Systems Engineer) commented:
Can you copy 'ipconfig /all' output from your ISA Server here please.

Beratung (Author) commented:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : isa
   Primary Dns Suffix  . . . . . . . : beratung.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : beratung.local

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.196.64
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Ethernet adapter Internal D-Link:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : D-Link DGE-530T Gigabit Ethernet Adapter
   Physical Address. . . . . . . . . : 00-13-46-99-56-60
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.196.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.196.10
   Primary WINS Server . . . . . . . : 10.0.196.10

Ethernet adapter External Intel:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-14-22-B3-C2-B0
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 216.x.x.x
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 216.x.x.x
   DNS Servers . . . . . . . . . . . : 216.x.x.20
                                       216.x.x.40
   NetBIOS over Tcpip. . . . . . . . : Disabled

Beratung (Author) commented:
Also, on a workstation...

If I don't set the proxy settings in IE connections I CAN resolve microsoft.com from the workstation.  If I set the proxy settings to the ISA server I CAN'T resolve microsoft.com.
 
Raj-GT (Systems Engineer) commented:
Remove the DNS Server entries from the External interface of ISA. Since you can resolve the address from the workstations, I think the problem might be the ISP DNS servers.

Try running "nslookup www.microsoft.com" from a client PC and then from the ISA server (use "nslookup" then "server 216.x.x.20" and "www.microsoft.com" from the server) I suspect you might not get the correct result from the ISP DNS.

Beratung (Author) commented:
We use the same ISP DNS addresses outside the ISA server and it resolves fine.

Raj-GT (Systems Engineer) commented:
In any case, remove the DNS entries from the external interface. It's best to use only the internal DNS Servers from your ISA. Also are you seeing anything in the ISA Server logs? Do you have all the updates installed on the ISA Server?

Beratung (Author) commented:
I have removed the DNS entries from the External Interface and ISA is running SP1.  Still won't resolve.

This may have started happening after installing W2K3 SP2

Raj-GT (Systems Engineer) commented:
Do you see anything on the ISA Server logs? (under Monitoring > logging tab)

Raj-GT (Systems Engineer) commented:
Also check your local DNS Servers and remove any forwarders you may have configured.

Beratung (Author) commented:
No forwarder and nothing in the logging on the ISA server.

Raj-GT (Systems Engineer) commented:
If ISA is blocking access, you should see something in the logs. Is ISA Server the default gateway on client PCs?

Beratung (Author) commented:
There is nothing on the logs.   ISA is the default gateway on the workstations.  The workstations resolve fine.  The only one that doesn't is the ISA server.

LukeMilbourne commented:
Might be completely off the mark here but is the DNS rule on ISA set to allow the local host outbound as well???

Beratung (Author) commented:
Yes it is set to allow outbound DNS for the localhost.

JJ2 commented:
Try to configure the ISA Server as Web Proxy Client, i.e., the IE LAN Proxy settings should point to the IP Address of the ISA server.

The DNS Primary Address of the ISA Server's external NIC should point to the DNS IP Address of your ISP.

The DNS server should have Forwarders pointing to the ISP DNS IP Address.

Keith Alabaster commented:
The ISA Server external nic should NEVER have an external DNS server IP address. The external NIC should either have the same ip address of the internal dns server that is used on the ISA internal nic or you can leave it blank. Only the ISA internal nic should have a dns entry.
You can check this for yourself on any of the ISA manuals, the in-server help information or by simply attending a course on the subject.


The ONLY caveat to this is when you do not use a DNS server internally at all, such as in a workgroup scenario.

Keith
ISA Forefront MVP

Beratung (Author) commented:
Tried all of the above to no avail.  Also, if I use the firewall client the client can't resolve microsoft.com.

JJ2 commented:
In the ISA Server...

If the LAN browser settings is configured for the ISA Server IP Address, does it connect to microsoft site?

If the browser LAN settings has nothing selected, does it connect to microsoft site?

Also verify that the System Policy Allowed Sites is enabled:

Firewall>Tasks>Edit System Policy>Various>Allowed Sites

Beratung (Author) commented:
None of the above seems to resolve this issue

JJ2 commented:
But you haven't answered the question yet.

Keith Alabaster commented:
He hasn't answered anything from anyone - why should it be different for you?  :)

Beratung (Author) commented:
JJ2,

By saying none of the above has resolved the issue I mean I tried all of what you suggest and none of it solved the issue so it can be inferred that "no" is the answer to all your questions of "did it resolve" and anything asked me to verify I did indeed.

Keith,

Was there a question in your post?  By my count it missed responding to one question.  JJ2's questions I felt were answered by saying "none of the above resolved the issue".  Am I missing something?

Sorry, I will be more specific in my responses going forward. Here are the questions I see in the post:

Also are you seeing anything in the ISA Server logs?  NO - was answered

Do you have all the updates installed on the ISA Server? YES

If ISA is blocking access, you should see something in the logs. Is ISA Server the default gateway on client PCs? YES - was answered.

Might be completely off the mark here but is the DNS rule on ISA set to allow the local host outbound as well??? YES - was answered.

If the LAN browser settings is configured for the ISA Server IP Address, does it connect to microsoft site? NO - inferred by saying nothing above worked.

If the browser LAN settings has nothing selected, does it connect to microsoft site? NO - inferred by saying nothing above worked.

JJ2 commented:
What about verifying that the System Policy Allowed Sites is enabled?

Firewall>Tasks>Edit System Policy>Various>Allowed Sites

It's important because this System Policy Allowed Sites is located in the Domain Name Sets, and inside the System Policy Allowed Sites, 3 Microsoft websites (*.microsoft.com, *.windows.com, *.windowsupdate.com) are defined as allowed sites by default.

What about your " Web Chaining Rule " ? Have you defined an " Upstream proxy server "? --that may not be resolving the Microsoft sites.

Beratung (Author) commented:
System Allowed Sites is enabled.  Web chaining rule hasn't been modified from default settings and now Upstream Proxy has been specified.

Again, it is strange that this worked before we installed Server 2003 SP2.

JJ2 commented:
The ISA server machine might be infected by a Conficker worm.
http://www.microsoft.com/security/worms/conficker.aspx

On ISA Monitoring then Logging...define this destination IP and see whether the ISA server IP Address is accessing it continuously:

204.152.184.92

Also verify the services of the ISA server, if you find strange service names that are unusual like " gelrb, hnilfbb, " and the like, disable it and delete the malicious services in the registry.

Beratung (Author) commented:
In the process of trying to update the FCS client, but because we can't get access to the Microsoft site that is a problem.  Also, sites like Trend Micro are not available, so I think you are on the right track that this could be malware.

Beratung (Author) commented:
Thank you JJ2!  We installed another vendor's antivirus and it did indeed find Conficker on the system.  Once we used that vendor's removal tool we were able to get to Microsoft Update.  Thanks again!
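
The pattern that resolved this thread (Microsoft, Windows Update and antivirus vendor names fail to resolve while other names work) can be tested on a suspect host before changing any DNS or firewall settings. The following is an added example, not part of the original thread; the control hostnames, the verdict labels and the function names are assumptions made for illustration.

```python
import socket

# Names the thread reports as unreachable from the infected host.
SECURITY_NAMES = ["www.microsoft.com", "www.windowsupdate.com", "www.trendmicro.com"]
# Neutral control names (assumption: reserved example domains that normally resolve).
CONTROL_NAMES = ["www.example.com", "www.example.org"]


def system_resolver(name):
    """Resolve through the host's own resolver, as a browser or update client would."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})


def triage(resolver=system_resolver, security=SECURITY_NAMES, controls=CONTROL_NAMES):
    """Classify the resolution pattern; `resolver` is injectable for offline testing."""
    sec = {name: bool(resolver(name)) for name in security}
    ctl = {name: bool(resolver(name)) for name in controls}
    failed = sorted(n for n, ok in {**sec, **ctl}.items() if not ok)
    if not any(ctl.values()):
        # Nothing resolves: check DNS server settings and forwarders first.
        verdict = "general-dns-failure"
    elif not any(sec.values()):
        # Only update/antivirus names fail: scan this host for malware.
        verdict = "selective-block"
    elif not all(sec.values()):
        verdict = "partial"
    else:
        verdict = "ok"
    return {"verdict": verdict, "failed": failed}


if __name__ == "__main__":
    print(triage())
```

A `selective-block` verdict on one host while other machines return `ok` against the same DNS servers points at that host rather than at the DNS infrastructure, which is where this thread ended up.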