We help IT Professionals succeed at work.

Problem with Microsoft Server ISA 2006 and our internal/external domain

232 Views
Last Modified: 2015-03-02
Dear EE

First, I appreciate ISA 2006 is far from current and there are plans to replace in the new year.

Second, the challenge I face has only occured in the past 3 to 4 weeks and has worked fine for years.

Hardware/software
ISA Server 2006 ver 5.02.5723.493
Runing Proxy / Firewall etc
Windows Server 2003 Standard Edition Service Pack 2 Build 3790
Windows last patch - 19 June 2012
Proliant DL360 G5


The Problem
Our internal DNS domain is configured as (not real domain):

internal.example.com
our ISA server is:
isa01.internal.example.com


our external web site is hosted outside of our network, e.g.
www.example.com


Now, for some reason it is not possible to gain access to www.example.com.


Here's what I know:

All other web sites and services are fully operational

When pinging the domain example.com it resolves the correct IP address

Example.com is unavailable from both the ISA server itself and from hosts

When I connect a PC to our DMZ,  www.example.com is fully accessible (ruling out any ISP routing issues)

I have created rules within the Firewall policy to allow all traffic as the number one rule but this has no effect

Within "Configuration", "Networks" and "Internal" I have added the domain and IP address to the "Web Browser" tab to allow direct access but still the problem remains.



So, the ISA box resolves the correct IP Address, it's not an issue from the DMZ, I've tried adding exceptions etc.  

Is this a routing issue in that the ISA box doesn't know what to do with requests for www.example.com?

I'm really not sure where to look now, any help would be gratefully received.

Cheers
Tolan
Comment
Watch Question

Joseph O'LoughlinSystems Administrator
CERTIFIED EXPERT

Commented:
You are using split brain DNS.  This is the correct configuration because you don't want your internal systems, like desktops, appearing on the internet with fully qualified domain names.
In all likelyhood (check your own network) the ISA server uses the domain controller running DNS for the internal network, but has a second nic configured with the ISP or public DNS server's addresses too.  Confirm this.  This should allow a browser on the ISA server access www.example.com.  If not, first check your access rules within ISA then use a laptop or other host in the dmz to confirm where the problem is.  If it works in the DMZ and there's not a blocking rule (check precedence) experiment with the hosts on the ISA server.
The internal machines should be set to use the Internal DNS server when using direct access. On the internal DNS servers confirm there's an A record for www.example.com in your internal DNS that resolves the address clients need to connect to.
This seems to be an issue of needing a split DNS setup. I believe what you need to do is in the domain DNS zone example.com, create an A record named www pointing to the correct IP address. If I were to look at your DNS zone setup, I would imagine that there are two zones the way that you are describing them, example.com and internal.example.com. I believe that if you create an A record of "www" in the zone example.com, not in internal. example.com that everything should resolve correctly.
tolancIT Manager

Author

Commented:
Hi Joseph/JKeegan

You are quite right, we have two NICS, one to the internal and one to the external network.   I have double checked and they are both using our internal DNS servers for DNS.   I did try changing the external NIC to use Google's DNS but this has no effect.

When a PC is put in the DMZ it works fine.


Interestingly, on the firewall when I put a rule in to allow all traffic I get a "Error Code 10060: Connection timeout " within Internet Explorer.  If I put a rule in to block example.com it's blocked straight away and there's no time out (this may not be interesting).


With regard to the DNS, we have two Zone Files

example.com
internal.example.com

Within the example.com there is a Host(A) record for "www".example.com with the external IP address.


Any help?

Tolan
Joseph O'LoughlinSystems Administrator
CERTIFIED EXPERT

Commented:
That confirms it's a DNS problem.
See Side Effects of Incorrect DNS configuration
See point 3.
The problem here was that ISA Server was using DNS on both adapters, internal and external. According to the ISA Server DNS Best Practices this shouldn’t be done because can cause behaviors like that.
Rob GMicrosoft Systems Engineer

Commented:
If this is DNS related, and the firewall rules are open, why don't you attempt to access www.example.com as an ip address from the internal network and see if you can get there?
I haven't done anything with ISA since 2000 so i am sorry if my suggestion won't work.. it's been a while..
@Tolan:

OK sorry I may have mislead about the WWW record....in your Exchange Management Console, under server -- Client Access -- Active Sync -- what are the INTERNAL and EXTERNAL settings?  If you have SPLIT DNS setup, they should both be the SAME for internal and external.

NOW...if the internal / external is MAIL.EXAMPLE.COM/Microsoft-Active-Sync, then the important "A" record is "MAIL", not "WWW".  So please check what is configured in your CAS setting.  Then make sure that the "A" record exists for that host, and that is resolves to the INTERNAL PRIVATE IP address of your Exchange server.

From the public internet, the opposite must be true.  Your ISP must have an "A" record for MAIL.EXAMPLE.COM, and that IP address must be configured in your ISA firewall to forward HTTPS / HTTP to the OWA / ActiveSync application on the Exchange server.  (I'm doing this from memory of having used TMG firewall, a newer iteration of ISA, so I may be slightly wrong in how that works with the rule).

let me know if this helps?
tolancIT Manager

Author

Commented:
Thanks for the replies.  


Rob G, I have tried the IP address but still the same issue.

JKeegan, the DNS for both the internal AND external NICS on the ISA box are the internal DNS servers.   Our mail servers for Exchange and OWA etc, are all fully operational and on different servers.


Joseph, I have followed the article and the DNS servers are the same, not different (internal/external) servers.   I do agree that it's likely to be a DNS issue.

I have installed NetMon and now looking at the packets between the destination IP address of example.com and the interface of the internal NIC.   This is displaying Ack=0 as shown here:


Tcp: [SynReTransmit #11869]Flags=......S., SrcPort=38378, DstPort=HTTP(80), PayloadLen=0, Seq=1269920864, Ack=0, Win=65535 (  ) = 65535


I'm not quite sure where to go next with resolving this issue.   What's my next step?

Thanks

Tolan
Joseph O'LoughlinSystems Administrator
CERTIFIED EXPERT

Commented:
Leave the DNS settings blank on the NIC that's not on the network that provides your DNS.
tolancIT Manager

Author

Commented:
A quick update on this.   This isn't working yet.  I will update again in the new year.

Thanks
Qlemo"Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015

Commented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
IT Manager
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.