Beratung asked:
Can't resolve any microsoft web sites - ISA Server 2006

We have a new network with ISA 2006 SP1 as the firewall.  Initially the ISA server could not resolve any microsoft.com web site.  If we entered the IP address we could access the site, but not through DNS resolution.

Now no system on the network can resolve microsoft.com where yesterday every system but the ISA server could.

Has anyone run into this?
Raj-GT:
Can you copy 'ipconfig /all' output from your ISA Server here please.
Beratung (ASKER):
Windows IP Configuration

   Host Name . . . . . . . . . . . . : isa
   Primary Dns Suffix  . . . . . . . : beratung.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : beratung.local

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.196.64
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Ethernet adapter Internal D-Link:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : D-Link DGE-530T Gigabit Ethernet Adapter
   Physical Address. . . . . . . . . : 00-13-46-99-56-60
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.196.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.196.10
   Primary WINS Server . . . . . . . : 10.0.196.10

Ethernet adapter External Intel:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-14-22-B3-C2-B0
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 216.x.x.x
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 216.x.x.x
   DNS Servers . . . . . . . . . . . : 216.x.x.20
                                       216.x.x.40
   NetBIOS over Tcpip. . . . . . . . : Disabled
Also, on a workstation...

If I don't set the proxy settings in IE connections I CAN resolve microsoft.com from the workstation. If I set the proxy settings to the ISA server I CAN'T resolve microsoft.com.
Remove the DNS Server entries from the External interface of ISA. Since you can resolve the address from the workstations, I think the problem might be the ISP DNS servers.

Try running "nslookup www.microsoft.com" from a client PC and then from the ISA server (use "nslookup", then "server 216.x.x.20" and "www.microsoft.com" from the server). I suspect you might not get the correct result from the ISP DNS.
We use the same ISP DNS addresses outside the ISA server and it resolves fine.
In any case, remove the DNS entries from the external interface. It's best to use only the internal DNS Servers from your ISA. Also are you seeing anything in the ISA Server logs? Do you have all the updates installed on the ISA Server?
I have removed the DNS entries from the External Interface and ISA is running SP1.  Still won't resolve.

This may have started happening after installing W2K3 SP2
Do you see anything on the ISA Server logs? (under Monitoring > logging tab)
Also check your local DNS Servers and remove any forwarders you may have configured.
No forwarder and nothing in the logging on the ISA server.
If ISA is blocking access, you should see something in the logs. Is ISA Server the default gateway on client PCs?
There is nothing on the logs.   ISA is the default gateway on the workstations.  The workstations resolve fine.  The only one that doesn't is the ISA server.
LukeMilbourne:

Might be completely off the mark here but is the DNS rule on ISA set to allow the local host outbound as well???
Yes it is set to allow outbound DNS for the localhost.
Try to configure the ISA Server as Web Proxy Client, i.e., the IE LAN Proxy settings should point to the IP Address of the ISA server.

The DNS Primary Address of the ISA Server's external NIC should point to the DNS IP Address of your ISP.

The DNS server should have Forwarders pointing to the ISP DNS IP Address.
The ISA Server external NIC should NEVER have an external DNS server IP address. The external NIC should either have the same IP address of the internal DNS server that is used on the ISA internal NIC or you can leave it blank. Only the ISA internal NIC should have a DNS entry.
You can check this for yourself in any of the ISA manuals, the in-server help information or by simply attending a course on the subject.


The ONLY caveat to this is when you do not use a DNS server internally at all, such as in a workgroup scenario.

Keith
ISA Forefront MVP
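To make the rule above (and Raj-GT's earlier advice to clear the DNS entries from the external interface) checkable rather than something read off the screen, here is an added example that is not from any poster in this thread: a small parser for `ipconfig /all` output plus an audit that flags any adapter holding a non-private address whose DNS server list is not empty and not limited to the internal DNS server(s). The sample input is constructed from the output posted above, with the masked 216.x.x.x public addresses replaced by 203.0.113.x documentation addresses; treating "outside RFC 1918" as "external NIC" is an assumption of this example, not something ISA itself defines.

```python
import ipaddress
import re

# Constructed sample modelled on the ipconfig /all output posted in this thread.
# Public addresses use the 203.0.113.0/24 documentation range in place of the
# poster's masked 216.x.x.x values; the private side is unchanged.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : isa
   Primary Dns Suffix  . . . . . . . : beratung.local

PPP adapter RAS Server (Dial In) Interface:

   IP Address. . . . . . . . . . . . : 10.0.196.64
   Subnet Mask . . . . . . . . . . . : 255.255.255.255

Ethernet adapter Internal D-Link:

   IP Address. . . . . . . . . . . . : 10.0.196.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.196.10
   Primary WINS Server . . . . . . . : 10.0.196.10

Ethernet adapter External Intel:

   IP Address. . . . . . . . . . . . : 203.0.113.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 203.0.113.20
                                       203.0.113.40
   NetBIOS over Tcpip. . . . . . . . : Disabled
"""

# "Ethernet adapter Internal D-Link:"  ->  adapter name "Internal D-Link"
ADAPTER_RE = re.compile(r"^(?:Ethernet|PPP|Tunnel|Wireless LAN) adapter (.+):\s*$")
# "   IP Address. . . . : 10.0.196.1"  ->  ("IP Address", "10.0.196.1")
FIELD_RE = re.compile(r"^ {3}(\S[^.:]*?)[ .]*: ?(.*)$")
# Assumption of this example: an ISA NIC with an address outside these ranges
# (and not loopback/link-local) is its external interface.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipconfig(text):
    """Parse `ipconfig /all` text into {adapter: {field: [values]}}.

    Host-wide fields (Host Name, suffixes) land under "Windows IP Configuration".
    Multi-value fields such as DNS Servers keep their continuation lines in order.
    """
    current = "Windows IP Configuration"
    adapters = {current: {}}
    last_field = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current, last_field = m.group(1).strip(), None
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            last_field, value = m.group(1).strip(), m.group(2).strip()
            adapters[current][last_field] = [value] if value else []
            continue
        # Continuation lines (second DNS server etc.) are indented past the field names.
        if last_field is not None and line.startswith("    "):
            adapters[current][last_field].append(line.strip())
    return adapters


def _is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr.split("(")[0])  # strip "(Preferred)" on newer Windows
    except ValueError:
        return True  # unparsable value: do not flag
    return ip.is_loopback or ip.is_link_local or any(ip in net for net in INTERNAL_NETS)


def audit_external_dns(adapters):
    """Rule from the thread: an external NIC lists no DNS servers, or only the
    internal DNS server(s). Returns [(adapter, [offending_dns_servers]), ...]."""
    internal_dns, external = set(), []
    for name, fields in adapters.items():
        addrs = fields.get("IP Address", []) + fields.get("IPv4 Address", [])
        if not addrs:
            continue
        dns = fields.get("DNS Servers", [])
        if all(_is_internal(a) for a in addrs):
            internal_dns.update(dns)
        else:
            external.append((name, dns))
    findings = []
    for name, dns in external:
        offending = [d for d in dns if d not in internal_dns]
        if offending:
            findings.append((name, offending))
    return findings


if __name__ == "__main__":
    for name, dns in audit_external_dns(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{name}: remove DNS servers {', '.join(dns)}; an external NIC should use none or the internal DNS only")
```

On the posted configuration the audit reports the External Intel adapter with both ISP resolvers; after they are removed (or replaced with 10.0.196.10) it reports nothing. The parser also accepts the `IPv4 Address` label that later Windows versions print, so the same check works on output from newer hosts.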
Tried all above to no avail. Also, if I use the firewall client the client can't resolve microsoft.com.
In the ISA Server...

If the LAN browser settings are configured for the ISA Server IP Address, does it connect to the microsoft site?

If the browser LAN settings have nothing selected, does it connect to the microsoft site?

Also verify that the System Policy Allowed Sites is enabled:

Firewall>Tasks>Edit System Policy>Various>Allowed Sites
None of the above seems to resolve this issue
But you haven't answered the question yet.
He hasn't answered anything from anyone - why should it be different for you?  :)
JJ2,

By saying none of the above has resolved the issue, I mean I tried all of what you suggest and none of it solved the issue, so it can be inferred that "no" is the answer to all your questions of "did it resolve", and anything you asked me to verify I did indeed.

Keith,

Was there a question in your post? By my count it missed responding to one question. JJ2's questions I felt were answered by saying "none of the above resolved the issue". Am I missing something?

Sorry, I will be more specific in my responses going forward. Here are the questions I see in the post:

Also are you seeing anything in the ISA Server logs?  NO - was answered

Do you have all the updates installed on the ISA Server? YES

If ISA is blocking access, you should see something in the logs. Is ISA Server the default gateway on client PCs? YES - was answered.

Might be completely off the mark here but is the DNS rule on ISA set to allow the local host outbound as well??? YES - was answered.

If the LAN browser settings is configured for the ISA Server IP Address, does it connect to microsoft site? NO - inferred by saying nothing above worked.

If the browser LAN settings has nothing selected, does it connect to microsoft site? NO - inferred by saying nothing above worked.
What about verifying that the System Policy Allowed Sites is enabled?

Firewall>Tasks>Edit System Policy>Various>Allowed Sites

It's important because this System Policy Allowed Sites is located in the Domain Name Sets, and inside the System Policy Allowed Sites, 3 Microsoft websites (*.microsoft.com, *.windows.com, *.windowsupdate.com) are defined as allowed sites by default.

What about your "Web Chaining Rule"? Have you defined an "Upstream proxy server"? That may not be resolving the Microsoft sites.
System Allowed Sites is enabled.  Web chaining rule hasn't been modified from default settings and now Upstream Proxy has been specified.

Again, it is strange that this worked before we installed Server 2003 SP2.
ASKER CERTIFIED SOLUTION (JJ2)
I'm in the process of trying to update the FCS client, but because I can't get access to the Microsoft site that is a problem. Also, sites like Trend Micro are not available, so I think you are on the right track that this could be malware.
Thank you JJ2! We installed another vendor's antivirus and it did indeed find Conficker on the system. Once we used that vendor's removal tool we were able to get to Microsoft Update. Thanks again!
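The pattern that finally gave this away is worth turning into a repeatable check: Microsoft and security-vendor names fail while everything else resolves, and the same names resolve fine from other hosts on the same DNS servers, which points at the host rather than at DNS. The following is an added example, not code from anyone in this thread. It probes a set of names through the host's own resolver and classifies the outcome; the resolver is injectable, and the two `simulated_*` functions are constructed stand-ins so the logic can be exercised offline. The control names (example.com/example.net) are a constructed choice.

```python
import socket

# Names this thread could not resolve (Microsoft) or reach (Trend Micro), plus
# windowsupdate.com, which ISA's default System Policy Allowed Sites include.
SECURITY_NAMES = ["www.microsoft.com", "www.windowsupdate.com", "www.trendmicro.com"]
# Control names with no connection to security software (constructed choice).
CONTROL_NAMES = ["www.example.com", "www.example.net"]


def probe(names, resolver=socket.gethostbyname):
    """Resolve each name through the host's own stack. Returns {name: resolved?}.

    `resolver` is injectable so the classification can be tested without network access.
    """
    results = {}
    for name in names:
        try:
            resolver(name)
            results[name] = True
        except OSError:  # socket.gaierror and socket.herror are OSError subclasses
            results[name] = False
    return results


def triage(results, security_names=SECURITY_NAMES, control_names=CONTROL_NAMES):
    """Classify a probe result:
      'dns-down'        nothing resolves: resolver or network fault, not selective
      'selective-block' controls resolve but every security-related name fails,
                        the pattern seen in this thread (a host-resident infection
                        interfering with lookups of vendor names)
      'partial'         some security-related names fail
      'ok'              everything resolves
    """
    ctl_ok = sum(results[n] for n in control_names)
    sec_ok = sum(results[n] for n in security_names)
    if ctl_ok == 0:
        return "dns-down"
    if sec_ok == 0:
        return "selective-block"
    if sec_ok < len(security_names):
        return "partial"
    return "ok"


def host_local_failures(suspect, reference):
    """Names that fail on the suspect host but resolve on a reference host using the
    same DNS servers (here: the workstations resolved, the ISA host did not). A
    non-empty list localises the fault to the suspect host rather than to DNS."""
    return sorted(n for n, ok in suspect.items() if not ok and reference.get(n, False))


# Constructed stand-ins used for offline demonstration; they are not real resolvers.
def simulated_infected_host(name):
    """Mimics the symptom in this thread: vendor names fail, everything else resolves."""
    if any(k in name for k in ("microsoft", "windowsupdate", "trendmicro")):
        raise OSError("simulated lookup failure")
    return "192.0.2.1"  # TEST-NET-1 placeholder address


def simulated_clean_host(name):
    return "192.0.2.1"  # TEST-NET-1 placeholder address


if __name__ == "__main__":
    names = SECURITY_NAMES + CONTROL_NAMES
    live = probe(names)  # real lookups through this host's resolver
    print(triage(live), live)
    # Offline illustration of the thread's situation: ISA host vs. a healthy workstation.
    isa, workstation = probe(names, simulated_infected_host), probe(names, simulated_clean_host)
    print(triage(isa), "->", host_local_failures(isa, workstation))
```

Run as-is on a suspect host it prints the live classification; `selective-block` together with a non-empty `host_local_failures` list against a clean host's probe is the signal to stop troubleshooting ISA rules and check the host with a scanner the infection is not interfering with, exactly what resolved this thread. A `dns-down` result, by contrast, means the ISP/forwarder checks earlier in the thread are still the right place to look.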