Web site not working on Domain

A customer of ours is having an issue accessing one of the sites that they regularly log into.
I tried everything. Made it a trusted site. Set it to compatibility mode. It is even getting blocked using different browsers.
They have a Cisco RV042 router and are using SBS2008.

Is there web filtering in SBS2011, or on the router? I looked everywhere. They are not using any third-party web filtering.
BBrayton Asked:

Andrej Pirman Commented:
There's no web filtering on SBS 2011 (Server 2008 R2), nor on a simple RV042 router. It must be something else:

- Is this web site maybe on the same domain as the user's local domain? Some AD domains are (wrongly!) set up using the user's public domain name as their local domain name, so since their local/public domain resolves inside the LAN to, for example, 192.168.0.10 and from public to 1.2.3.4, local users cannot browse this site.

- Try PING and NSLOOKUP on the problematic domain name (e.g. www.problematic.com). Do both ping and nslookup return the same public IP for this web site? If not, then your DNS is not properly set up.

- Is this web site on common ports, for example 80 or 443? Or is there some custom port, for example https://www.problematic.com:12345 ? If so, then the router *might* be guilty, if it has an OUTGOING filtering option. For example, I have a habit of only allowing OUTGOING traffic to ports 80, 443 and that's all. If any user complains he/she cannot access something, I review each request and, if it is safe, open an additional outgoing rule on the firewall.
0

BBrayton Author Commented:
I did put a static DNS in the IPv4 settings, 8.8.8.8 and 8.8.4.4, and the web site did work when I did that. So you think it is a DNS issue?
0
BBrayton Author Commented:
The web site they are trying to reach is paychexonline.com, and yes, ports 80 and 443 are both open on the router.
0
Andrej Pirman Commented:
Hi,
sorry for my late reply - I was absent.

Yes, you probably have a DNS issue here. Let me point out some basic config for the SBS server:
SBS must be the only domain controller in the local domain, and it is easier for it to also be the only DHCP server. So it is important that no other DHCP server is on the same network!

DHCP options should be:
- DNS servers for clients should be the IP of your SBS server, and maybe of some other DNS server inside your domain. Do NOT!!! put any public DNS servers here!

Now, let's go to the SBS's DNS server and configure it.
Right-click on the DNS server and open its properties, find FORWARDERS and put public DNS there, for example Google's DNS 8.8.8.8 and 8.8.4.4. Then find "Disable Recursion", I think it is under the OPTIONS tab, and make sure it is NOT checked! I mean, you should NOT disable recursion.

Now, what have we got?
The client will try to resolve www.somedomain.com and will ask its configured DNS server, which is the SBS server. If the SBS server does have this domain name in its DNS, then SBS will return the IP of the domain immediately. If not, then SBS will use Forwarders to ask for the IP of the domain name; in our case SBS will ask Google for the IP of www.somedomain.com.
Google will tell SBS, and SBS will forward the answer to the client computer, thus the principle is named "forwarder".

Now, the possible problem?
If your local domain name is, say, www.google.local, where the "local" part is important, then in each and every case your SBS will know the correct IP of www.google.local. And when your client is at home, www.google.local will not be resolvable, which is correct behavior, as this domain cannot exist (TLD .local is not allowed in public!).
But what happens when your SBS domain name is, say, www.google.com? In such a case, when your client is on your LAN, he/she will get a LOCAL IP, 192.168.1.10 for example, as the IP of www.google.com. But you are not Google, right? So in this case, when on the LAN, clients would not have access to the real Google web page, because you make them think that your SBS is www.google.com :) That's WRONG!

So, common problems arise when a company has a web site www.company.com and they set up an SBS domain named company.com instead of company.local. If this is your case, then you should work around it:

Go to the SBS DNS management console and under the FORWARD zone of "company.com" add an A record manually:
A    www    <IP of your PUBLIC domain www.company.com>

Doing so, your SBS will know the correct PUBLIC IP of your www.company.com web site and will not return error.

ERGO:
- configure FORWARDERS on your SBS DNS properties
- do NOT put public DNS servers in TCP/IP properties, nor in DHCP options, not for client and not for server

For backup purposes it is enough to save SCREENSHOTS of the settings before you change them. If you mess something up, it is all easily repairable, no worry.
0
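
Added example, not part of the original thread or any poster's code: the ping/nslookup comparison from the first reply and the company.com split-DNS case from the last one, written as a Python check over two saved Windows `nslookup` outputs (one asked of the SBS server, one asked of a public resolver). The sample outputs, the host names in them and the verdict strings are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: a LAN address returned for a public web site means the
# internal AD zone is answering instead of the public one.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_nslookup(output):
    """Return the answer addresses from Windows nslookup output.
    The first Address line is the DNS server that was asked, so only
    lines after the 'Name:' line count as answers."""
    _, found, answer = output.partition("Name:")
    ips = set()
    if not found:                       # error reply: no answer section
        return ips
    for line in answer.splitlines()[1:]:
        line = line.replace("Addresses:", "").replace("Address:", "")
        for token in line.split():
            try:
                ips.add(ipaddress.ip_address(token))
            except ValueError:
                pass                    # alias or other non-address text
    return ips

def diagnose(internal_out, public_out):
    """Compare what the internal DNS server and a public resolver returned."""
    internal, public = parse_nslookup(internal_out), parse_nslookup(public_out)
    if not public:
        return "no-public-answer"
    if not internal:
        return "internal-dns-failure"          # check forwarders and recursion
    if internal & public:
        return "consistent"
    if any(ip in net for ip in internal for net in RFC1918):
        return "internal-zone-shadows-public"  # add the public A record
    return "mismatch"  # not conclusive: CDNs answer differently per resolver

# Constructed sample outputs (addresses reuse the examples from the thread).
INTERNAL = ("Server:  sbs.company.com\nAddress:  192.168.0.2\n\n"
            "Name:    www.company.com\nAddress:  192.168.0.10\n")
PUBLIC = ("Server:  dns.google\nAddress:  8.8.8.8\n\n"
          "Non-authoritative answer:\n"
          "Name:    www.company.com\nAddress:  1.2.3.4\n")

if __name__ == "__main__":
    print(diagnose(INTERNAL, PUBLIC))
```
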