Problem with Microsoft Server ISA 2006 and our internal/external domain

Dear EE

First, I appreciate ISA 2006 is far from current and there are plans to replace in the new year.

Second, the challenge I face has only occurred in the past 3 to 4 weeks and has worked fine for years.

Hardware/software
ISA Server 2006 ver 5.02.5723.493
Running Proxy / Firewall etc.
Windows Server 2003 Standard Edition Service Pack 2 Build 3790
Windows last patch - 19 June 2012
Proliant DL360 G5


The Problem
Our internal DNS domain is configured as (not real domain):

internal.example.com
our ISA server is:
isa01.internal.example.com


our external web site is hosted outside of our network, e.g.
www.example.com


Now, for some reason it is not possible to gain access to www.example.com.


Here's what I know:

All other web sites and services are fully operational

When pinging the domain example.com it resolves the correct IP address

Example.com is unavailable from both the ISA server itself and from hosts

When I connect a PC to our DMZ,  www.example.com is fully accessible (ruling out any ISP routing issues)

I have created rules within the Firewall policy to allow all traffic as the number one rule but this has no effect

Within "Configuration", "Networks" and "Internal" I have added the domain and IP address to the "Web Browser" tab to allow direct access but still the problem remains.



So, the ISA box resolves the correct IP Address, it's not an issue from the DMZ, I've tried adding exceptions etc.  

Is this a routing issue in that the ISA box doesn't know what to do with requests for www.example.com?

I'm really not sure where to look now, any help would be gratefully received.

Cheers
Tolan
tolanc (IT Manager) asked:

Joseph O'Loughlin (Senior Technician) commented:
You are using split brain DNS.  This is the correct configuration because you don't want your internal systems, like desktops, appearing on the internet with fully qualified domain names.
In all likelihood (check your own network) the ISA server uses the domain controller running DNS for the internal network, but has a second NIC configured with the ISP or public DNS server's addresses too.  Confirm this.  This should allow a browser on the ISA server access to www.example.com.  If not, first check your access rules within ISA, then use a laptop or other host in the DMZ to confirm where the problem is.  If it works in the DMZ and there's not a blocking rule (check precedence), experiment with the hosts on the ISA server.
The internal machines should be set to use the Internal DNS server when using direct access. On the internal DNS servers confirm there's an A record for www.example.com in your internal DNS that resolves the address clients need to connect to.
0
jkeegan123 commented:
This seems to be an issue of needing a split DNS setup. I believe what you need to do is in the domain DNS zone example.com, create an A record named www pointing to the correct IP address. If I were to look at your DNS zone setup, I would imagine that there are two zones the way that you are describing them, example.com and internal.example.com. I believe that if you create an A record of "www" in the zone example.com, not in internal.example.com, then everything should resolve correctly.
0
tolanc (IT Manager, Author) commented:
Hi Joseph/JKeegan

You are quite right, we have two NICs, one to the internal and one to the external network.   I have double checked and they are both using our internal DNS servers for DNS.   I did try changing the external NIC to use Google's DNS but this had no effect.

When a PC is put in the DMZ it works fine.


Interestingly, on the firewall when I put a rule in to allow all traffic I get "Error Code 10060: Connection timeout" within Internet Explorer.  If I put a rule in to block example.com it's blocked straight away and there's no time out (this may not be interesting).


With regard to the DNS, we have two Zone Files

example.com
internal.example.com

Within example.com there is a Host (A) record for "www" (www.example.com) with the external IP address.


Any help?

Tolan
0

Joseph O'Loughlin (Senior Technician) commented:
That confirms it's a DNS problem.
See Side Effects of Incorrect DNS configuration
See point 3.
The problem here was that ISA Server was using DNS on both adapters, internal and external. According to the ISA Server DNS Best Practices this shouldn't be done because it can cause behaviours like that.
0
Rob G (Microsoft Systems Engineer) commented:
If this is DNS related, and the firewall rules are open, why don't you attempt to access www.example.com as an IP address from the internal network and see if you can get there?
I haven't done anything with ISA since 2000 so I am sorry if my suggestion won't work. It's been a while.
0
jkeegan123 commented:
@Tolan:

OK, sorry, I may have misled about the WWW record. In your Exchange Management Console, under Server -- Client Access -- ActiveSync -- what are the INTERNAL and EXTERNAL settings?  If you have SPLIT DNS set up, they should both be the SAME for internal and external.

NOW... if the internal / external is MAIL.EXAMPLE.COM/Microsoft-Active-Sync, then the important "A" record is "MAIL", not "WWW".  So please check what is configured in your CAS setting.  Then make sure that the "A" record exists for that host, and that it resolves to the INTERNAL PRIVATE IP address of your Exchange server.

From the public internet, the opposite must be true.  Your ISP must have an "A" record for MAIL.EXAMPLE.COM, and that IP address must be configured in your ISA firewall to forward HTTPS / HTTP to the OWA / ActiveSync application on the Exchange server.  (I'm doing this from memory of having used TMG firewall, a newer iteration of ISA, so I may be slightly wrong in how that works with the rule).

Let me know if this helps.
0
tolanc (IT Manager, Author) commented:
Thanks for the replies.  


Rob G, I have tried the IP address but still the same issue.

JKeegan, the DNS for both the internal AND external NICs on the ISA box are the internal DNS servers.   Our mail servers for Exchange and OWA etc. are all fully operational and on different servers.


Joseph, I have followed the article and the DNS servers are the same, not different (internal/external) servers.   I do agree that it's likely to be a DNS issue.

I have installed NetMon and am now looking at the packets between the destination IP address of example.com and the interface of the internal NIC.   This is displaying Ack=0 as shown here:


Tcp: [SynReTransmit #11869]Flags=......S., SrcPort=38378, DstPort=HTTP(80), PayloadLen=0, Seq=1269920864, Ack=0, Win=65535 (  ) = 65535


I'm not quite sure where to go next with resolving this issue.   What's my next step?

Thanks

Tolan
0
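A small parser for NetMon TCP summary lines in the shape quoted above, written here as an added example (it is not from the thread or from NetMon itself). It groups packets per connection attempt and separates a completed handshake from an RST and from SYNs that are never answered, which is the pattern the trace shows; it assumes the field order of the quoted line, and the sample trace is constructed.

```python
import re
from collections import defaultdict

# NetMon "Tcp:" summary-line shape from the post (assumed: field order SrcPort, DstPort, ..., Ack).
TCP_LINE = re.compile(r"Tcp:\s*(?:\[(?P<desc>[^\]]*)\])?\s*Flags=(?P<flags>[.A-Z]+),\s*"
                      r"SrcPort=(?P<src>[^,]+),\s*DstPort=(?P<dst>[^,]+),.*?Ack=(?P<ack>\d+)")

def port_number(field):
    """'HTTP(80)' -> 80, '38378' -> 38378 (NetMon prints well-known ports by name)."""
    m = re.search(r"\((\d+)\)", field)
    return int(m.group(1) if m else field)

def parse_tcp_line(line):
    """Parse one NetMon TCP summary line; return None for any other line."""
    m = TCP_LINE.search(line)
    if not m:
        return None
    flags = m.group("flags")  # 8 flag slots: "......S." = SYN only, "...A..S." = SYN-ACK
    return {"retransmit": "ReTransmit" in (m.group("desc") or ""),
            "syn": "S" in flags, "ack_flag": "A" in flags, "rst": "R" in flags,
            "src_port": port_number(m.group("src")), "dst_port": port_number(m.group("dst")),
            "ack": int(m.group("ack"))}

def classify_flows(lines):
    """Group packets per connection attempt (port pair) and state what the trace shows for each."""
    flows = defaultdict(lambda: {"syns": 0, "retx": 0, "syn_ack": False, "rst": False})
    for pkt in filter(None, map(parse_tcp_line, lines)):
        f = flows[tuple(sorted((pkt["src_port"], pkt["dst_port"])))]  # same key in both directions
        if pkt["syn"] and pkt["ack_flag"]:
            f["syn_ack"] = True
        elif pkt["syn"]:
            f["syns"] += 1
            f["retx"] += pkt["retransmit"]
        f["rst"] |= pkt["rst"]
    verdicts = {}
    for key, f in flows.items():
        if f["syn_ack"]:
            verdicts[key] = "handshake completed: remote host reachable"
        elif f["rst"]:
            verdicts[key] = "RST received: remote host actively refused the connection"
        else:
            verdicts[key] = ("%d SYN(s) sent, %d flagged as retransmits, no SYN-ACK: our packets leave "
                             "but nothing returns; suspect a silent drop upstream, not DNS"
                             % (f["syns"], f["retx"]))
    return verdicts

# Constructed sample: the real line from the question plus a made-up attempt on port 38380 that gets a SYN-ACK.
SAMPLE_TRACE = [
    "Tcp: [SynReTransmit #11869]Flags=......S., SrcPort=38378, DstPort=HTTP(80), PayloadLen=0, Seq=1269920864, Ack=0, Win=65535 (  ) = 65535",
    "Tcp: Flags=......S., SrcPort=38380, DstPort=HTTP(80), PayloadLen=0, Seq=11, Ack=0, Win=65535",
    "Tcp: Flags=...A..S., SrcPort=HTTP(80), DstPort=38380, PayloadLen=0, Seq=99, Ack=12, Win=8192",
]
```

Run it over a saved NetMon summary with `classify_flows(open("trace.txt").read().splitlines())`: a flow that only ever shows SYNs means the problem is beyond name resolution, which is what the thread eventually found.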
Joseph O'Loughlin (Senior Technician) commented:
Leave the DNS settings blank on the NIC that's not on the network that provides your DNS.
0
tolanc (IT Manager, Author) commented:
A quick update on this.   This isn't working yet.  I will update again in the new year.

Thanks
0
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
tolanc (IT Manager, Author) commented:
After many months we finally got to the bottom of this and it was due to our external web site host.  They had blocked the IP address of our network!

All that time had been spent looking at the firewalls and network settings etc., and it was the web site host!

Never rule anything out!

Thanks for the help at the time.
Tolan
0
