Solved

Problem with Microsoft Server ISA 2006 and our internal/external domain

Posted on 2014-12-11
Last Modified: 2015-03-02
Dear EE

First, I appreciate ISA 2006 is far from current and there are plans to replace in the new year.

Second, the challenge I face has only occurred in the past 3 to 4 weeks and has worked fine for years.

Hardware/software
ISA Server 2006 ver 5.02.5723.493
Running Proxy / Firewall etc
Windows Server 2003 Standard Edition Service Pack 2 Build 3790
Windows last patch - 19 June 2012
Proliant DL360 G5


The Problem
Our internal DNS domain is configured as (not real domain):

internal.example.com
our ISA server is:
isa01.internal.example.com


our external web site is hosted outside of our network, e.g.
www.example.com


Now, for some reason it is not possible to gain access to www.example.com.


Here's what I know:

All other web sites and services are fully operational

When pinging the domain example.com it resolves the correct IP address

Example.com is unavailable from both the ISA server itself and from hosts

When I connect a PC to our DMZ, www.example.com is fully accessible (ruling out any ISP routing issues)

I have created rules within the Firewall policy to allow all traffic as the number one rule but this has no effect

Within "Configuration", "Networks" and "Internal" I have added the domain and IP address to the "Web Browser" tab to allow direct access but still the problem remains.



So, the ISA box resolves the correct IP Address, it's not an issue from the DMZ, I've tried adding exceptions etc.  

Is this a routing issue in that the ISA box doesn't know what to do with requests for www.example.com?

I'm really not sure where to look now, any help would be gratefully received.

Cheers
Tolan
Question by: tolanc
13 Comments

Expert Comment by: Joseph O'Loughlin (ID: 40493568)
You are using split brain DNS.  This is the correct configuration because you don't want your internal systems, like desktops, appearing on the internet with fully qualified domain names.
In all likelihood (check your own network) the ISA server uses the domain controller running DNS for the internal network, but has a second NIC configured with the ISP or public DNS server's addresses too.  Confirm this.  This should allow a browser on the ISA server access to www.example.com.  If not, first check your access rules within ISA, then use a laptop or other host in the DMZ to confirm where the problem is.  If it works in the DMZ and there's not a blocking rule (check precedence), experiment with the hosts on the ISA server.
The internal machines should be set to use the internal DNS server when using direct access. On the internal DNS servers confirm there's an A record for www.example.com in your internal DNS that resolves to the address clients need to connect to.
Expert Comment by: jkeegan123 (ID: 40493569)
This seems to be an issue of needing a split DNS setup. I believe what you need to do is in the domain DNS zone example.com, create an A record named www pointing to the correct IP address. If I were to look at your DNS zone setup, I would imagine that there are two zones the way that you are describing them, example.com and internal.example.com. I believe that if you create an A record of "www" in the zone example.com, not in internal.example.com, that everything should resolve correctly.
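The split-DNS check that the two replies above describe, written out as an added example that is not part of the original thread or of ISA Server: a minimal DNS A-record lookup sent to one chosen resolver (internal first, then public), so the answer the internal example.com zone gives for www.example.com can be compared with what public DNS returns. The resolver addresses in the usage section are placeholders, and the sample response (203.0.113.10, a TEST-NET-3 address) is constructed so the parser can be exercised offline.

```python
import os
import socket
import struct
import sys


def build_query(name, txid):
    """Build a standard recursive A query for `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data, txid):
    """Return (rcode, [dotted IPv4 strings]) from a response, checking the transaction id."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: not the answer to our query")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlength
    return rcode, addrs


def resolve_a(name, resolver, timeout=3.0):
    """Query one specific resolver over UDP (assumed reachable on port 53)."""
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_a_records(data, txid)


def classify(internal_addrs, public_addrs):
    """Compare what the internal zone and public DNS say about the same name."""
    if not internal_addrs:
        return "missing: the internal zone has no A record for this name"
    if set(internal_addrs) == set(public_addrs):
        return "consistent"
    return "split-brain mismatch: internal %s vs public %s" % (
        sorted(internal_addrs), sorted(public_addrs))


def sample_response(txid):
    """Constructed answer: www.example.com -> 203.0.113.10 (TEST-NET-3), for offline use."""
    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
            + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
            + bytes([203, 0, 113, 10]))


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: script.py www.example.com <internal resolver> <public resolver>
        name, internal_resolver, public_resolver = sys.argv[1:]
        _, internal = resolve_a(name, internal_resolver)
        _, public = resolve_a(name, public_resolver)
        print(classify(internal, public))
    else:
        # Offline demonstration on the constructed response.
        rcode, addrs = parse_a_records(sample_response(0x1234), 0x1234)
        print("rcode=%d addrs=%s -> %s" % (rcode, addrs, classify(addrs, addrs)))
```

Run it with the internal DNS server and a public resolver as arguments; "missing" means the www record still has to be created in the example.com zone, "split-brain mismatch" means the internal zone hands clients a different address than the public one, and "consistent" means name resolution can be set aside as the cause.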
Author Comment by: tolanc (ID: 40493614)
Hi Joseph/JKeegan

You are quite right, we have two NICs, one to the internal and one to the external network. I have double checked and they are both using our internal DNS servers for DNS. I did try changing the external NIC to use Google's DNS but this has no effect.

When a PC is put in the DMZ it works fine.


Interestingly, on the firewall when I put a rule in to allow all traffic I get an "Error Code 10060: Connection timeout" within Internet Explorer. If I put a rule in to block example.com it's blocked straight away and there's no time out (this may not be interesting).


With regard to the DNS, we have two Zone Files

example.com
internal.example.com

Within example.com there is a Host (A) record for "www" (www.example.com) with the external IP address.


Any help?

Tolan
Expert Comment by: Joseph O'Loughlin (ID: 40493647)
That confirms it's a DNS problem.
See Side Effects of Incorrect DNS configuration
See point 3.
The problem here was that ISA Server was using DNS on both adapters, internal and external. According to the ISA Server DNS Best Practices this shouldn't be done because it can cause behaviours like that.
Expert Comment by: Rob G (ID: 40493814)
If this is DNS related, and the firewall rules are open, why don't you attempt to access www.example.com as an ip address from the internal network and see if you can get there?
I haven't done anything with ISA since 2000, so I am sorry if my suggestion won't work; it's been a while.
Expert Comment by: jkeegan123 (ID: 40493831)
@Tolan:

OK, sorry, I may have misled about the WWW record. In your Exchange Management Console, under Server -- Client Access -- ActiveSync -- what are the INTERNAL and EXTERNAL settings? If you have split DNS set up, they should both be the SAME for internal and external.

NOW, if the internal / external is MAIL.EXAMPLE.COM/Microsoft-Server-ActiveSync, then the important "A" record is "MAIL", not "WWW". So please check what is configured in your CAS setting. Then make sure that the "A" record exists for that host, and that it resolves to the INTERNAL PRIVATE IP address of your Exchange server.

From the public internet, the opposite must be true. Your ISP must have an "A" record for MAIL.EXAMPLE.COM, and that IP address must be configured in your ISA firewall to forward HTTPS / HTTP to the OWA / ActiveSync application on the Exchange server. (I'm doing this from memory of having used TMG firewall, a newer iteration of ISA, so I may be slightly wrong in how that works with the rule.)

Let me know if this helps.
Author Comment by: tolanc (ID: 40493911)
Thanks for the replies.  


Rob G, I have tried the IP address but still the same issue.

JKeegan, the DNS for both the internal AND external NICs on the ISA box are the internal DNS servers. Our mail servers for Exchange and OWA etc. are all fully operational and on different servers.


Joseph, I have followed the article and the DNS servers are the same, not different (internal/external) servers.   I do agree that it's likely to be a DNS issue.

I have installed NetMon and am now looking at the packets between the destination IP address of example.com and the interface of the internal NIC. This is displaying Ack=0 as shown here:


Tcp: [SynReTransmit #11869]Flags=......S., SrcPort=38378, DstPort=HTTP(80), PayloadLen=0, Seq=1269920864, Ack=0, Win=65535 (  ) = 65535


I'm not quite sure where to go next with resolving this issue.   What's my next step?

Thanks

Tolan
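A way to read Network Monitor summary lines like the one quoted above, as an added example that is not part of the thread and not a NetMon feature: it counts bare SYNs and answering SYN-ACKs per client/server port pair, so a run of SynReTransmit frames with Ack=0 and no SYN-ACK coming back stands out as "packets leave, nothing returns". That pattern sits after name resolution (the SYN already carries the resolved address), so it points at the path or the far end dropping the connection rather than at DNS, which is consistent with Rob G's test by IP address giving the same result. The sample trace is constructed around the single line in the thread and is not a real capture.

```python
import re
from collections import defaultdict

# Constructed NetMon-style "Tcp:" summary lines, modelled on the one line in the
# thread (SrcPort=38378 to HTTP(80)); the 40211/HTTPS flow is an invented healthy
# handshake for contrast. Not a real capture.
SAMPLE_TRACE = """\
Tcp: Flags=......S., SrcPort=38378, DstPort=HTTP(80), PayloadLen=0, Seq=1269920864, Ack=0, Win=65535
Tcp: [SynReTransmit #2]Flags=......S., SrcPort=38378, DstPort=HTTP(80), PayloadLen=0, Seq=1269920864, Ack=0, Win=65535
Tcp: [SynReTransmit #3]Flags=......S., SrcPort=38378, DstPort=HTTP(80), PayloadLen=0, Seq=1269920864, Ack=0, Win=65535
Tcp: Flags=......S., SrcPort=40211, DstPort=HTTPS(443), PayloadLen=0, Seq=88, Ack=0, Win=65535
Tcp: Flags=...A..S., SrcPort=HTTPS(443), DstPort=40211, PayloadLen=0, Seq=5000, Ack=89, Win=8192
Tcp: Flags=...A...., SrcPort=40211, DstPort=HTTPS(443), PayloadLen=0, Seq=89, Ack=5001, Win=65535
"""

# NetMon prints the TCP flags as an 8-character string in the order
# CWR ECE URG ACK PSH RST SYN FIN, so "......S." is a bare SYN and "...A..S." a SYN-ACK.
# Ports appear either as a bare number or as NAME(number), e.g. HTTP(80).
LINE_RE = re.compile(
    r"Flags=(?P<flags>[A-Z.]{8}),\s*"
    r"SrcPort=(?:[A-Za-z-]+\()?(?P<src>\d+)\)?,\s*"
    r"DstPort=(?:[A-Za-z-]+\()?(?P<dst>\d+)\)?,.*?"
    r"Ack=(?P<ack>\d+)"
)


def parse_line(line):
    """Return (flags, src_port, dst_port, ack) for a TCP summary line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("flags"), int(m.group("src")), int(m.group("dst")), int(m.group("ack"))


def analyze(trace_text):
    """Count bare SYNs and SYN-ACKs per (client_port, server_port) flow."""
    flows = defaultdict(lambda: {"syns": 0, "syn_acks": 0})
    for line in trace_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        flags, src, dst, _ack = parsed
        syn_set = flags[6] == "S"
        ack_set = flags[3] == "A"
        if syn_set and not ack_set:
            flows[(src, dst)]["syns"] += 1       # client -> server, handshake step 1
        elif syn_set and ack_set:
            flows[(dst, src)]["syn_acks"] += 1   # server -> client, handshake step 2
    return dict(flows)


def diagnose(flows, retransmit_threshold=3):
    """Label each flow from its handshake counters."""
    verdicts = {}
    for flow, counts in flows.items():
        if counts["syn_acks"] > 0:
            verdicts[flow] = "handshake answered"
        elif counts["syns"] >= retransmit_threshold:
            verdicts[flow] = ("SYN retransmitted with no SYN-ACK: packets leave but nothing "
                              "returns, so look at the path or the far end, not name resolution")
        else:
            verdicts[flow] = "inconclusive: too few frames"
    return verdicts


if __name__ == "__main__":
    for flow, verdict in sorted(diagnose(analyze(SAMPLE_TRACE)).items()):
        print("client port %d -> server port %d: %s" % (flow[0], flow[1], verdict))
```

Feed it the frame summary column exported from NetMon (one frame per line); the `retransmit_threshold` is a judgement call, since a single lost SYN is normal and only a sustained run with no SYN-ACK says the destination is not answering.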
Expert Comment by: Joseph O'Loughlin (ID: 40494990)
Leave the DNS settings blank on the NIC that's not on the network that provides your DNS.
Author Comment by: tolanc (ID: 40523372)
A quick update on this.   This isn't working yet.  I will update again in the new year.

Thanks
Expert Comment by: Qlemo (ID: 40639714)
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
Accepted Solution by: tolanc (earned 0 total points, ID: 40639656)
After many months we finally got to the bottom of this and it was due to our external web site host.  They had blocked the IP address of our network!

All that time had been spent looking at the firewalls and network settings etc., and it was the web site host!

Never rule anything out!

Thanks for the help at the time.
Tolan