Solved

Problem with Microsoft Server ISA 2006 and our internal/external domain

Posted on 2014-12-11
Last Modified: 2015-03-02
Dear EE

First, I appreciate ISA 2006 is far from current and there are plans to replace in the new year.

Second, the challenge I face has only occurred in the past 3 to 4 weeks; it had worked fine for years.

Hardware/software
ISA Server 2006 ver 5.02.5723.493
Running Proxy / Firewall etc.
Windows Server 2003 Standard Edition Service Pack 2 Build 3790
Windows last patch - 19 June 2012
Proliant DL360 G5


The Problem
Our internal DNS domain is configured as (not real domain):

internal.example.com
our ISA server is:
isa01.internal.example.com


our external web site is hosted outside of our network, e.g.
www.example.com


Now, for some reason it is not possible to gain access to www.example.com.


Here's what I know:

All other web sites and services are fully operational

When pinging the domain example.com it resolves the correct IP address

Example.com is unavailable from both the ISA server itself and from hosts

When I connect a PC to our DMZ, www.example.com is fully accessible (ruling out any ISP routing issues)

I have created rules within the Firewall policy to allow all traffic as the number one rule but this has no effect

Within "Configuration", "Networks" and "Internal" I have added the domain and IP address to the "Web Browser" tab to allow direct access but still the problem remains.



So, the ISA box resolves the correct IP address, it's not an issue from the DMZ, I've tried adding exceptions etc.

Is this a routing issue in that the ISA box doesn't know what to do with requests for www.example.com?

I'm really not sure where to look now, any help would be gratefully received.

Cheers
Tolan
Question by:tolanc
13 Comments
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 40493568
You are using split brain DNS. This is the correct configuration because you don't want your internal systems, like desktops, appearing on the internet with fully qualified domain names.
In all likelihood (check your own network) the ISA server uses the domain controller running DNS for the internal network, but has a second NIC configured with the ISP or public DNS server's addresses too. Confirm this. This should allow a browser on the ISA server access to www.example.com. If not, first check your access rules within ISA, then use a laptop or other host in the DMZ to confirm where the problem is. If it works in the DMZ and there's not a blocking rule (check precedence), experiment with the hosts on the ISA server.
The internal machines should be set to use the Internal DNS server when using direct access. On the internal DNS servers confirm there's an A record for www.example.com in your internal DNS that resolves the address clients need to connect to.
 
LVL 5

Expert Comment

by:jkeegan123
ID: 40493569
This seems to be an issue of needing a split DNS setup. I believe what you need to do is, in the domain DNS zone example.com, create an A record named www pointing to the correct IP address. If I were to look at your DNS zone setup, I would imagine that there are two zones the way you are describing them, example.com and internal.example.com. I believe that if you create an A record of "www" in the zone example.com, not in internal.example.com, everything should resolve correctly.
 

Author Comment

by:tolanc
ID: 40493614
Hi Joseph/JKeegan

You are quite right, we have two NICs, one to the internal and one to the external network. I have double checked and they are both using our internal DNS servers for DNS. I did try changing the external NIC to use Google's DNS but this had no effect.

When a PC is put in the DMZ it works fine.


Interestingly, on the firewall when I put a rule in to allow all traffic I get "Error Code 10060: Connection timeout" within Internet Explorer. If I put a rule in to block example.com it's blocked straight away and there's no time out (this may not be interesting).


With regard to the DNS, we have two Zone Files

example.com
internal.example.com

Within example.com there is a Host (A) record for "www" (www.example.com) with the external IP address.


Any help?

Tolan
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 40493647
That confirms it's a DNS problem.
See Side Effects of Incorrect DNS configuration
See point 3.
The problem here was that ISA Server was using DNS on both adapters, internal and external. According to the ISA Server DNS Best Practices this shouldn't be done because it can cause behaviours like that.
 
LVL 6

Expert Comment

by:Rob G
ID: 40493814
If this is DNS related, and the firewall rules are open, why don't you attempt to access www.example.com by IP address from the internal network and see if you can get there?
I haven't done anything with ISA since 2000, so I am sorry if my suggestion won't work... it's been a while.
 
LVL 5

Expert Comment

by:jkeegan123
ID: 40493831
@Tolan:

OK, sorry, I may have misled you about the WWW record... in your Exchange Management Console, under Server -- Client Access -- ActiveSync -- what are the INTERNAL and EXTERNAL settings? If you have split DNS set up, they should both be the SAME for internal and external.

NOW... if the internal / external is MAIL.EXAMPLE.COM/Microsoft-Active-Sync, then the important "A" record is "MAIL", not "WWW". So please check what is configured in your CAS setting. Then make sure that the "A" record exists for that host, and that it resolves to the INTERNAL PRIVATE IP address of your Exchange server.

From the public internet, the opposite must be true. Your ISP must have an "A" record for MAIL.EXAMPLE.COM, and that IP address must be configured in your ISA firewall to forward HTTPS / HTTP to the OWA / ActiveSync application on the Exchange server. (I'm doing this from memory of having used the TMG firewall, a newer iteration of ISA, so I may be slightly wrong in how that works with the rule.)

Let me know if this helps.
 

Author Comment

by:tolanc
ID: 40493911
Thanks for the replies.  


Rob G, I have tried the IP address but still the same issue.

JKeegan, the DNS for both the internal AND external NICs on the ISA box are the internal DNS servers. Our mail servers for Exchange and OWA etc. are all fully operational and on different servers.


Joseph, I have followed the article and the DNS servers are the same, not different (internal/external) servers. I do agree that it's likely to be a DNS issue.

I have installed NetMon and am now looking at the packets between the destination IP address of example.com and the interface of the internal NIC. This is displaying Ack=0 as shown here:


Tcp: [SynReTransmit #11869]Flags=......S., SrcPort=38378, DstPort=HTTP(80), PayloadLen=0, Seq=1269920864, Ack=0, Win=65535 (  ) = 65535


I'm not quite sure where to go next with resolving this issue.   What's my next step?

Thanks

Tolan
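The NetMon line above already carries the decisive fact: the frame is a client SYN (Flags=......S., Ack=0) that has been retransmitted thousands of times, and no SYN-ACK or RST from the destination appears in the capture. That means the name had resolved, a destination IP had been chosen, the packet left the ISA box, and nothing came back, which is what a far-side block or an in-path filter looks like rather than a DNS fault. The script below is an added example, not part of this thread or of any Microsoft tool: it parses NetMon-style TCP frame descriptions and gives each client-to-server conversation a verdict. The first sample line is the one Tolan pasted; the source/destination columns and the other five frames are constructed for the example (a real NetMon frame summary has more columns than the three assumed here).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample capture: "src_ip<TAB>dst_ip<TAB>NetMon TCP description".
# Frame 1 is the SynReTransmit line from the thread; the IP columns and the
# remaining frames are assumptions made up for this example.
SAMPLE = """\
192.168.1.10\t203.0.113.80\tTcp: [SynReTransmit #11869]Flags=......S., SrcPort=38378, DstPort=HTTP(80), PayloadLen=0, Seq=1269920864, Ack=0, Win=65535 (  ) = 65535
192.168.1.10\t203.0.113.80\tTcp: [SynReTransmit #11870]Flags=......S., SrcPort=38378, DstPort=HTTP(80), PayloadLen=0, Seq=1269920864, Ack=0, Win=65535 (  ) = 65535
192.168.1.10\t198.51.100.5\tTcp: Flags=......S., SrcPort=38379, DstPort=HTTP(80), PayloadLen=0, Seq=55001, Ack=0, Win=65535 (  ) = 65535
198.51.100.5\t192.168.1.10\tTcp: Flags=...A..S., SrcPort=HTTP(80), DstPort=38379, PayloadLen=0, Seq=90001, Ack=55002, Win=8192 (  ) = 8192
192.168.1.10\t198.51.100.6\tTcp: Flags=......S., SrcPort=38380, DstPort=HTTPS(443), PayloadLen=0, Seq=70001, Ack=0, Win=65535 (  ) = 65535
198.51.100.6\t192.168.1.10\tTcp: Flags=...A.R.., SrcPort=HTTPS(443), DstPort=38380, PayloadLen=0, Seq=0, Ack=70002, Win=0 (  ) = 0
"""

# NetMon prints the TCP flags as an 8-character string in the order C E U A P R S F.
FIELD_RE = re.compile(
    r"Flags=(?P<flags>[.A-Z]{8}),\s*SrcPort=(?P<sport>[^,]+),\s*DstPort=(?P<dport>[^,]+)"
)
PORT_RE = re.compile(r"\((\d+)\)$")


def port_number(token):
    """Reduce either '38378' or NetMon's 'HTTP(80)' form to an integer port."""
    token = token.strip()
    m = PORT_RE.search(token)
    return int(m.group(1)) if m else int(token)


@dataclass
class Conversation:
    syn: int = 0      # client SYNs sent (retransmits included)
    synack: int = 0   # server SYN-ACKs seen
    rst: int = 0      # server resets seen


def parse_frames(text):
    """Yield (src_ip, dst_ip, flags, sport, dport) for every parsable TCP frame."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, desc = line.split("\t", 2)
        m = FIELD_RE.search(desc)
        if m is None:
            continue
        yield src, dst, m.group("flags"), port_number(m.group("sport")), port_number(m.group("dport"))


def summarise(text):
    """Group frames by (client_ip, server_ip, server_port) and count handshake events."""
    convs = defaultdict(Conversation)
    for src, dst, flags, sport, dport in parse_frames(text):
        is_ack = flags[3] == "A"
        is_rst = flags[5] == "R"
        is_syn = flags[6] == "S"
        if is_syn and not is_ack:
            convs[(src, dst, dport)].syn += 1          # client -> server
        elif is_syn and is_ack:
            convs[(dst, src, sport)].synack += 1       # server -> client
        elif is_rst:
            convs[(dst, src, sport)].rst += 1          # server -> client
    return convs


def verdict(conv):
    """Turn the counters into the triage conclusion a capture like Tolan's supports."""
    if conv.synack:
        return "handshake completed"
    if conv.rst:
        return "actively refused (RST): port closed or a firewall that rejects"
    if conv.syn:
        return ("no reply to SYN: silently dropped by the far host or an in-path filter "
                "(not DNS: the destination IP was already chosen)")
    return "no handshake attempt seen"


if __name__ == "__main__":
    for (client, server, port), conv in summarise(SAMPLE).items():
        print(f"{client} -> {server}:{port}  syn={conv.syn} synack={conv.synack} rst={conv.rst}  => {verdict(conv)}")
```

Run against the sample, the 203.0.113.80 conversation shows SYNs and nothing back, the 198.51.100.5 one completes, and the 198.51.100.6 one is reset. The first outcome is the one to recognise: once a SYN has gone out to the right address and only retransmits follow, the remaining suspects are the path and the far end, which is where this thread's answer eventually turned out to be.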
 
LVL 11

Expert Comment

by:Joseph O'Loughlin
ID: 40494990
Leave the DNS settings blank on the NIC that's not on the network that provides your DNS.
 

Author Comment

by:tolanc
ID: 40523372
A quick update on this.   This isn't working yet.  I will update again in the new year.

Thanks
 
LVL 70

Expert Comment

by:Qlemo
ID: 40639714
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
 

Accepted Solution

by:tolanc (earned 0 total points)
ID: 40639656
After many months we finally got to the bottom of this and it was due to our external web site host.  They had blocked the IP address of our network!

All that time had been spent looking at the firewalls and network settings etc., and it was the web site host!

Never rule anything out!

Thanks for the help at the time.
Tolan
