Solved

Problem with Microsoft Server ISA 2006 and our internal/external domain

Posted on 2014-12-11
Last Modified: 2015-03-02
Dear EE

First, I appreciate ISA 2006 is far from current and there are plans to replace in the new year.

Second, the challenge I face has only occurred in the past 3 to 4 weeks and has worked fine for years.

Hardware/software
ISA Server 2006 ver 5.02.5723.493
Running Proxy / Firewall etc
Windows Server 2003 Standard Edition Service Pack 2 Build 3790
Windows last patch - 19 June 2012
Proliant DL360 G5


The Problem
Our internal DNS domain is configured as (not real domain):

internal.example.com
our ISA server is:
isa01.internal.example.com


our external web site is hosted outside of our network, e.g.
www.example.com


Now, for some reason it is not possible to gain access to www.example.com.


Here's what I know:

All other web sites and services are fully operational

When pinging the domain example.com it resolves the correct IP address

Example.com is unavailable both from the ISA server itself and from hosts

When I connect a PC to our DMZ,  www.example.com is fully accessible (ruling out any ISP routing issues)

I have created rules within the Firewall policy to allow all traffic as the number one rule but this has no effect

Within "Configuration", "Networks" and "Internal" I have added the domain and IP address to the "Web Browser" tab to allow direct access but still the problem remains.



So, the ISA box resolves the correct IP Address, it's not an issue from the DMZ, I've tried adding exceptions etc.  

Is this a routing issue in that the ISA box doesn't know what to do with requests for www.example.com?

I'm really not sure where to look now, any help would be gratefully received.

Cheers
Tolan
0
Comment
Question by:tolanc
13 Comments
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 40493568
You are using split brain DNS.  This is the correct configuration because you don't want your internal systems, like desktops, appearing on the internet with fully qualified domain names.
In all likelihood (check your own network) the ISA server uses the domain controller running DNS for the internal network, but has a second NIC configured with the ISP or public DNS server's addresses too.  Confirm this.  This should allow a browser on the ISA server access to www.example.com.  If not, first check your access rules within ISA, then use a laptop or other host in the DMZ to confirm where the problem is.  If it works in the DMZ and there's not a blocking rule (check precedence), experiment with the hosts on the ISA server.
The internal machines should be set to use the Internal DNS server when using direct access. On the internal DNS servers confirm there's an A record for www.example.com in your internal DNS that resolves the address clients need to connect to.
0
 
LVL 5

Expert Comment

by:jkeegan123
ID: 40493569
This seems to be an issue of needing a split DNS setup. I believe what you need to do is in the domain DNS zone example.com, create an A record named www pointing to the correct IP address. If I were to look at your DNS zone setup, I would imagine that there are two zones the way that you are describing them, example.com and internal.example.com. I believe that if you create an A record of "www" in the zone example.com, not in internal.example.com, everything should resolve correctly.
0
 

Author Comment

by:tolanc
ID: 40493614
Hi Joseph/JKeegan

You are quite right, we have two NICs, one to the internal and one to the external network.   I have double checked and they are both using our internal DNS servers for DNS.   I did try changing the external NIC to use Google's DNS but this has no effect.

When a PC is put in the DMZ it works fine.


Interestingly, on the firewall when I put a rule in to allow all traffic I get an "Error Code 10060: Connection timeout" within Internet Explorer.  If I put a rule in to block example.com it's blocked straight away and there's no time out (this may not be interesting).


With regard to the DNS, we have two Zone Files

example.com
internal.example.com

Within example.com there is a Host (A) record for www.example.com with the external IP address.


Any help?

Tolan
0
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 40493647
That confirms it's a DNS problem.
See Side Effects of Incorrect DNS configuration
See point 3.
The problem here was that ISA Server was using DNS on both adapters, internal and external. According to the ISA Server DNS Best Practices this shouldn't be done because it can cause behaviors like that.
0
 
LVL 6

Expert Comment

by:Rob G
ID: 40493814
If this is DNS related, and the firewall rules are open, why don't you attempt to access www.example.com as an ip address from the internal network and see if you can get there?
I haven't done anything with ISA since 2000, so I am sorry if my suggestion won't work... it's been a while.
0
 
LVL 5

Expert Comment

by:jkeegan123
ID: 40493831
@Tolan:

OK, sorry, I may have misled you about the WWW record... in your Exchange Management Console, under Server -- Client Access -- ActiveSync -- what are the INTERNAL and EXTERNAL settings?  If you have SPLIT DNS set up, they should both be the SAME for internal and external.

NOW... if the internal / external is MAIL.EXAMPLE.COM/Microsoft-Server-ActiveSync, then the important "A" record is "MAIL", not "WWW".  So please check what is configured in your CAS setting.  Then make sure that the "A" record exists for that host, and that it resolves to the INTERNAL PRIVATE IP address of your Exchange server.

From the public internet, the opposite must be true.  Your ISP must have an "A" record for MAIL.EXAMPLE.COM, and that IP address must be configured in your ISA firewall to forward HTTPS / HTTP to the OWA / ActiveSync application on the Exchange server.  (I'm doing this from memory of having used TMG firewall, a newer iteration of ISA, so I may be slightly wrong in how that works with the rule).

Let me know if this helps?
0
 

Author Comment

by:tolanc
ID: 40493911
Thanks for the replies.  


Rob G, I have tried the IP address but still the same issue.

JKeegan, the DNS for both the internal AND external NICs on the ISA box are the internal DNS servers.   Our mail servers for Exchange and OWA etc. are all fully operational and on different servers.


Joseph, I have followed the article and the DNS servers are the same, not different (internal/external) servers.   I do agree that it's likely to be a DNS issue.

I have installed NetMon and now looking at the packets between the destination IP address of example.com and the interface of the internal NIC.   This is displaying Ack=0 as shown here:


Tcp: [SynReTransmit #11869]Flags=......S., SrcPort=38378, DstPort=HTTP(80), PayloadLen=0, Seq=1269920864, Ack=0, Win=65535 (  ) = 65535


I'm not quite sure where to go next with resolving this issue.   What's my next step?

Thanks

Tolan
0
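The NetMon line quoted above is the key clue in this thread: repeated SYN retransmits with Ack=0 mean the ISA box resolved the name and sent SYNs, but no SYN-ACK or RST ever came back, which points past DNS to a drop on the path or at the remote end (where it eventually turned out to be). The script below is an added triage example, not part of the thread; it parses NetMon-style TCP summary lines and classifies each flow. The flag-column layout (C E U A P R S F) is an assumption about NetMon's output, and the sample lines are constructed, the first two modelled on the one Tolan posted.

```python
import re
from collections import defaultdict

# NetMon-style TCP summary line. Flag string positions assumed: C E U A P R S F.
LINE_RE = re.compile(
    r"Tcp:\s*(?:\[(?P<tag>[^\]]+)\])?\s*Flags=(?P<flags>[.A-Z]{8}),\s*"
    r"SrcPort=(?P<src>[^,]+),\s*DstPort=(?P<dst>[^,]+),.*?"
    r"Seq=(?P<seq>\d+),\s*Ack=(?P<ack>\d+)"
)

# Constructed sample capture: a dead flow to port 80, a healthy flow to 443,
# and a flow to 8080 that the remote side actively refuses.
SAMPLE = [
    "Tcp: [SynReTransmit #11869]Flags=......S., SrcPort=38378, DstPort=HTTP(80), PayloadLen=0, Seq=1269920864, Ack=0, Win=65535",
    "Tcp: [SynReTransmit #11870]Flags=......S., SrcPort=38378, DstPort=HTTP(80), PayloadLen=0, Seq=1269920864, Ack=0, Win=65535",
    "Tcp: Flags=......S., SrcPort=38401, DstPort=HTTPS(443), PayloadLen=0, Seq=88001, Ack=0, Win=65535",
    "Tcp: Flags=...A..S., SrcPort=HTTPS(443), DstPort=38401, PayloadLen=0, Seq=5001, Ack=88002, Win=14600",
    "Tcp: Flags=......S., SrcPort=38420, DstPort=8080, PayloadLen=0, Seq=700, Ack=0, Win=65535",
    "Tcp: Flags=...A.R.., SrcPort=8080, DstPort=38420, PayloadLen=0, Seq=0, Ack=701, Win=0",
]

def parse_line(line):
    """Return the fields we care about, or None if the line is not a TCP summary."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.group("flags")
    return {
        "tag": (m.group("tag") or "").split(" ")[0],   # e.g. "SynReTransmit"
        "syn": f[6] == "S", "ack": f[3] == "A", "rst": f[5] == "R",
        "src": m.group("src").strip(), "dst": m.group("dst").strip(),
        "ack_num": int(m.group("ack")),
    }

def classify_flows(lines):
    """Group packets by port pair (direction-agnostic) and judge the handshake."""
    flows = defaultdict(list)
    for p in filter(None, map(parse_line, lines)):
        flows[tuple(sorted((p["src"], p["dst"])))].append(p)
    verdicts = {}
    for key, pkts in flows.items():
        retrans = sum(1 for p in pkts if p["tag"] == "SynReTransmit")
        if any(p["syn"] and p["ack"] for p in pkts):
            verdicts[key] = "handshake completed: remote host reachable"
        elif any(p["rst"] for p in pkts):
            verdicts[key] = "RST received: remote host reachable but refusing the port"
        elif retrans:
            verdicts[key] = (f"{retrans} SYN retransmit(s), no SYN-ACK, Ack=0: SYNs are being "
                             "dropped; DNS is not the problem, check the path and remote filtering")
        else:
            verdicts[key] = "single SYN only: capture too short to judge"
    return verdicts
```

Run it over a NetMon summary export filtered to the destination IP; a flow that only ever shows SYN retransmits and Ack=0 is the pattern behind the Error Code 10060 timeout seen in this thread.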
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 40494990
Leave the DNS settings blank on the NIC that's not on the network that provides your DNS.
0
 

Author Comment

by:tolanc
ID: 40523372
A quick update on this.   This isn't working yet.  I will update again in the new year.

Thanks
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 40639714
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 

Accepted Solution

by:
tolanc earned 0 total points
ID: 40639656
After many months we finally got to the bottom of this and it was due to our external web site host.  They had blocked the IP address of our network!

All that time had been spent looking at the firewalls and network settings etc, and it was web site host!

Never rule anything out!

Thanks for the help at the time.
Tolan
0
