Re: Can't browse Network on VPN - seems to be a rule issue?



"Dave Onex" <dave@xxxxxxxx> wrote in message
news:%23NLrt%23MmHHA.4768@xxxxxxxxxxxxxxxxxxxxxxx
> I then created a hosts file for the laptop mapping the internal machines to
> their internal addressing - now everything works perfectly.

Get rid of the Host file. That is what WINS is for. Run "IPConfig /All" on the
Client to make sure it is getting all the details correct (ignore the Default
Gateway for now). Make sure the ISA has the correct Access Rule (From=VPN
Clients, To=Internal) so that the client can actually query the internal DNS and
WINS like it is supposed to. Watch the Live Log (filter set to Source
Network=VPN Clients) to clean up anything else the Client needs that is being
denied.

> So it seems that when I connect to ISA using a VPN, ISA is still telling the
> connection to use the ISA DNS entries which are all the valid 'external'
> addresses - even though I've forced ISA to use the internal DNS servers in
> the VPN configuration and forced the VPN client to use the internal DNS
> entries.

There isn't supposed to be an "ISA DNS". Get DNS off the ISA. The ISA should
use the Internal DNS just like everything else. The Internal DNS should use the
ISP's DNS as a forwarder and should have it listed in the Forwarders List. The
ISA should have an anonymous outbound access rule for DNS to allow the Internal
DNS to make outbound DNS queries. The Rule should limit it only to the Internal
DNS to eliminate and expose any machines with rogue DNS entries.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
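
The "IPConfig /All" check recommended in the reply above can be scripted. The following is an added example, not part of the original post: it parses saved `ipconfig /all` output and reports DNS or WINS servers on the VPN adapter that are missing or outside the internal range. The sample output, the adapter name and the 10.0.0.0/24 internal range are constructed assumptions, and only IPv4 addresses are handled.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt from a VPN client (not taken from the thread).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       203.0.113.54

PPP adapter Office VPN:

   IP Address. . . . . . . . . . . . : 10.0.0.201
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       203.0.113.53
   Primary WINS Server . . . . . . . : 10.0.0.10
"""

# "   Label . . . . : value" lines; the label is captured without the dot leader.
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*)$")

def parse_adapters(text):
    """Return {adapter: {field: [values]}}; indented continuation lines are kept."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current, field = adapters.setdefault(line.rstrip()[:-1], {}), None
        elif current is not None and (m := FIELD.match(line)):
            field = m.group(1)
            current[field] = [m.group(2).strip()] if m.group(2).strip() else []
        elif current is not None and field and line.strip():
            current[field].append(line.strip())  # e.g. a second DNS server
    return adapters

def check_vpn_adapter(text, internal_net, prefix="PPP adapter"):
    """List DNS/WINS settings on VPN adapters that are missing or outside internal_net."""
    net, findings = ipaddress.ip_network(internal_net), []
    for name, fields in parse_adapters(text).items():
        if not name.startswith(prefix):
            continue
        for key in ("DNS Servers", "Primary WINS Server"):
            values = fields.get(key) or ["missing"]
            findings += [(name, key, v) for v in values
                         if v == "missing" or ipaddress.ip_address(v) not in net]
    return findings

if __name__ == "__main__":
    for finding in check_vpn_adapter(SAMPLE, "10.0.0.0/24"):
        print(finding)
```

On the constructed sample this reports the external DNS server that is still listed on the PPP adapter.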

