

ISA 2006 - DNS publishing rule query

Posted on 2012-04-10
Medium Priority
Last Modified: 2012-04-14
Hi, I have successfully configured my Win 2003 DC, which gets its internet access via my Win 2003/ISA 2006 Standard 2-NIC member server.

I have successfully configured 'DNS server' publishing as per my instructions from 'url':


I realise the below instructions would not work from an 'internet cafe', as I would not be allowed to change their IP addressing scheme and their machines would not be recognised on my network!!!!

If I was a VPN user this scenario below would not fit, although I could allocate a static address, but as my network is on a domain & ISA 2006/VPN/Windows group configuration I would not be able to 'browse' to my laptop, as it would not be on my 'master DC/DNS', although yes, 'DHCP' does allocate my VPN an address either dynamically or a static address!!

Question 1.
So can anyone advise what scenario I'm missing to fit with the below instructions?
1. Click the Firewall Policy tab, right-click the new server publishing rule that you created, and then click Properties.
2. Click the From tab, click Anywhere, click Remove, and then click Add.
3. In the Network entities dialog box, click New, and then click Computer.
4. In the Name box, type a descriptive name for the new computer rule element, type the computer's IP address in the Computer IP Address box, and then click OK.
5. Expand Computers, click the new computer element that you created, click Add, and then click Close.
6. Click OK.
7. Click Apply to save your changes and to update the firewall policy, and then click OK.
Question by: mikey250
Expert Comment

ID: 37831530
Can I check.

I am unsure from your question. Are you planning on publishing your internal DNS server to the internet? Assuming this is the case, you know this is a bad idea, don't you?

If it is just for your VPN clients, they will use your DNS server as soon as they are logged in.

Again, I may have misunderstood your question....

Author Comment

ID: 37831849
Hi, apologies for the confusion!!! :)

Test 1: visited a remote friend's house and used their internet by connecting my laptop/VPN successfully, and accessing, saving & copying files!

Test 2: as a temporary measure, used my laptop/VPN connected to my 3 mobile phone and accessed, saved and copied files successfully!

Next task below:

Why does ISA 2006 offer the below if it is not recommended, as VPN is maybe the preferred method? Uuuummmm

- 'DNS server' publishing - configured but fails
- 'HTTPS server' publishing - not configured, as I need a website I think

I'm sure I read yesterday that DNS zone transfers could take place by a hacker if DNS server/HTTP server was used!!!!!

Hence my main thread shows steps 1 - 7 to allocate a 'static address', but this would not be relevant for an 'internet cafe' as they use their own IP address scheme!!!!!!!!!!!! Uuuuummmm

Accepted Solution

chris-burns earned 1332 total points
ID: 37831946

Just because ISA allows it does not mean it is a good idea. When I set my ISA up I did not even think about exposing my internal DNS servers.

"I'm sure I read yesterday that DNS zone transfers could take place by a hacker if DNS server/HTTP server was used!!!!!" Very true, which is why I would not do this.

I ended up with a split brain DNS. Kept internal DNS internal and used Zoneedit or an external server for outside DNS.

I would suggest this is the path you follow. Just to be on the safe side.

Author Comment

ID: 37831974
Hi Chris, yes I had a browse of this 'url' yesterday but did not read it all:


I will put it on my to-do list!!!

Question 1.
What companies would even do this then, although you say avoid it altogether?

Assisted Solution

pwindell earned 668 total points
ID: 37832788
I want to second chris-burns' comment.

Publishing DNS? You... just... don't!

Chris is laying out the correct process.

Question 1.
What companies would even do this then, although you say avoid it altogether?

In all the years I have dealt with this, which is getting close to a decade and a half... I am still waiting to find a company that really should do it... I haven't met one yet. A lot of companies do things that are not such a great idea... even large companies.

A company might have to have a DNS available to the public if they handle their own DNS hosting for their own public namespace... but... that's rare... and two... even then it would be a standalone DNS placed on the "outside" of their network; it would not be their internal DNS.

Author Comment

ID: 37834153
OK, I can accept what you say!!!!!!!! No problems!! :)

I just wish I knew why, after configuring it in the firewall policy, it isn't until the next day that 'publishing failure' shows, but has repeat entries where it has automatically 're-sync'd' itself and appears OK!

Every time I learn something I like to know that at least I can configure it rather than just chat about it!! That's all!!

The same with 'HTTPS server' as well, but I gather I need a website for that!! ?

Then I can close this thread once and for all and get out of my ignorant phase!! :)

Author Comment

ID: 37836873
Hi Chris & pwindell, I've just been going through my ISA 2006 video course and my notes and found the following information regarding 'DNS zone transfers'.

In ISA 2006, under the Configuration/General option on the left-hand side, I selected under 'Additional Security Policy':

Enable Intrusion Detection & DNS Attack Detection, and 2 tabs show:

- Common Attacks tab: self-explanatory
- DNS Attacks tab: DNS zone transfer - not ticked by default, so 'zone transfers' could happen, but if 'ticked', 'DNS zone transfer' would not be allowed according to the video's verbal explanation!!!

So I assume from the above, if I wanted public users or an external company that was not part of my network, then other than using a 'VPN' I could then do this!!

Can anyone advise? :)

Assisted Solution

chris-burns earned 1332 total points
ID: 37837021
I think if you had a dedicated DNS server on your network that was not attached to your AD, and its sole purpose was to provide outside resolution, then this would apply.

But I get the impression this is not what you want to do. Based on your question above, you appear to want to expose your AD DNS. Even without a zone transfer you are still exposing some potentially sensitive information. AD DNS holds a lot of information about the make-up of your internal network.

If I was running my own public DNS server on a Microsoft OS I would certainly place the server behind an ISA box and use the protection mechanisms mentioned above. But I would certainly not allow my AD DNS to be seen by the outside world, regardless of the protections offered.

The other thing is, your AD DNS should be resolving to your internal IP addresses. If you were to try and resolve them from outside, the routing would not work. You would need to expose external IP addresses... then in that case your internal clients would be picking up an external address and would not route properly.

Whilst technically it is possible, I really don't know why you would.

If you don't want to have an external company provide DNS for you, then set up a second non-AD-connected box in your DMZ with DNS installed, then use the above protection mechanisms.


EDIT: I did type this quite quickly, so apologies for any grammar or spelling mistakes.
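The split-brain layout chris-burns recommends in the accepted solution and spells out in the post above (the internal AD zone stays internal; a separate non-AD box in the DMZ serves only the public names on public addresses), as an added example that is not part of this thread and not any ISA or Windows DNS tooling: a Python script that derives the external zone from the internal AD-integrated zone and then audits it for the two leaks the thread discusses, RFC 1918 addresses that will not route from the Internet and the AD SRV records that reveal domain controllers. The zone name example.com, the 192.168.1.0/24 internal and 203.0.113.0/24 published addresses, the record set and the ns1/www/mail host names are all constructed assumptions.

```python
# Added example (not from the thread): derive a public-facing "external" zone
# from an internal AD-integrated zone and audit it for the two leaks discussed
# above: RFC 1918 addresses that will not route from the Internet, and the
# AD service-location records that reveal domain controllers.
# Everything here is constructed: example.com, 192.168.1.0/24 (internal) and
# 203.0.113.0/24 (published) are assumed addresses, not real infrastructure.
import ipaddress

# Records as they would sit in the internal AD DNS zone: (owner, type, rdata).
INTERNAL_ZONE = [
    ("example.com.", "SOA", "dc1.example.com. hostmaster.example.com. 2012041001 900 600 86400 3600"),
    ("example.com.", "NS", "dc1.example.com."),
    ("example.com.", "MX", "10 mail.example.com."),
    ("dc1.example.com.", "A", "192.168.1.10"),
    ("fileserver.example.com.", "A", "192.168.1.20"),
    ("www.example.com.", "A", "192.168.1.30"),
    ("mail.example.com.", "A", "192.168.1.31"),
    ("_ldap._tcp.example.com.", "SRV", "0 100 389 dc1.example.com."),
    ("_kerberos._tcp.example.com.", "SRV", "0 100 88 dc1.example.com."),
    ("_gc._tcp.example.com.", "SRV", "0 100 3268 dc1.example.com."),
    ("_ldap._tcp.dc._msdcs.example.com.", "SRV", "0 100 389 dc1.example.com."),
]

# Hypothetical publishing map: the only names the outside world should know,
# each with the address ISA publishes it on (web/mail server publishing rules).
PUBLIC_HOSTS = {
    "www.example.com.": "203.0.113.10",
    "mail.example.com.": "203.0.113.11",
}
EXTERNAL_NS = "ns1.example.com."   # the standalone (non-AD) DNS box in the DMZ
EXTERNAL_NS_IP = "203.0.113.5"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AD_SRV_PREFIXES = ("_ldap.", "_kerberos.", "_kpasswd.", "_gc.")


def is_rfc1918(ip: str) -> bool:
    """True for private (RFC 1918) IPv4 addresses, which never route from outside."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def build_external_zone(internal, public_hosts, ns_name, ns_ip):
    """Build the external zone: a fresh SOA/NS owned by the DMZ name server,
    A records only for published hosts (with their public addresses), and
    MX records only where the target is itself published. Everything else
    (DC addresses, file servers, SRV records) stays internal."""
    apex = next(owner for owner, rtype, _ in internal if rtype == "SOA")
    external = [
        (apex, "SOA", f"{ns_name} hostmaster.{apex} 2012041001 900 600 86400 3600"),
        (apex, "NS", ns_name),
        (ns_name, "A", ns_ip),
    ]
    for owner, rtype, rdata in internal:
        if rtype == "A" and owner in public_hosts:
            external.append((owner, "A", public_hosts[owner]))
        elif rtype == "MX" and rdata.split()[1] in public_hosts:
            external.append((owner, "MX", rdata))
    return external


def audit_external_zone(records):
    """Return a list of findings for records that must not appear in a zone
    served to the Internet. An empty list means the zone is clean."""
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "A" and is_rfc1918(rdata):
            findings.append(f"{owner} {rtype} {rdata}: private address, unreachable from outside")
        if rtype == "SRV" and (owner.startswith(AD_SRV_PREFIXES) or "_msdcs." in owner):
            findings.append(f"{owner} {rtype} {rdata}: AD service record reveals a domain controller")
    return findings


def to_zone_file(records):
    """Render records as zone-file text that a standalone DNS server can load."""
    return "\n".join(f"{owner}\tIN\t{rtype}\t{rdata}" for owner, rtype, rdata in records) + "\n"


if __name__ == "__main__":
    print("Leaks if the internal zone were published as-is:")
    for line in audit_external_zone(INTERNAL_ZONE):
        print("  " + line)
    external = build_external_zone(INTERNAL_ZONE, PUBLIC_HOSTS, EXTERNAL_NS, EXTERNAL_NS_IP)
    print("\nExternal zone (findings: %d):" % len(audit_external_zone(external)))
    print(to_zone_file(external))
```

Run as-is it lists the eight records the internal zone would leak if it were published (four private addresses, four AD SRV records), then prints the clean six-record external zone. The rendered text belongs on the DMZ server, never on the DC; the check from outside is then that only the published names resolve and that a zone transfer against the DMZ server (interactive nslookup, `server <dmz ip>` then `ls -d example.com`, with the assumed zone name) is refused, regardless of whether ISA's DNS attack detection is also ticked.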

Author Comment

ID: 37837130
Thanks for that!!
