Update
From: A Klimkin (aklimkin)
Date: 06/10/04
- Next message: create_share: "protocol rules"
- Previous message: Tony Su: "Re: HOW MORE FRUSTRATING CAN THIS GET!!!"
- In reply to: A Klimkin: "DNS filter question"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 10 Jun 2004 11:20:43 +0400
I rebooted my ISA server and DNS lookups started to pass via ISA even
without DNS packet filter.
It seems that there was some unrelated problem, maybe temporary problems on
the external DNS resolvers or something else...
Anyway, today I re-tested this and have got absolutely positive results.
Happy to make sure the things take their normal course. I mean Packet
filters / Protocol rules effect on the snat clients.
Thanks everybody who responded to this.
Regards,
Andrew
"A Klimkin" <aklimkin at mail dot ru> wrote in message
news:%23C7Ta5gTEHA.204@TK2MSFTNGP10.phx.gbl...
> Can anybody shed light on the following question?
> Do I need to have enabled the DNS filter that comes with default ISA server
> installation (don't mix it up with DNS intrusion detection filter, I'm
> talking about the IP packet filter, not the application filter) if:
> 1. I have installed and configured internal DNS server (not on the same box
> as ISA server) for the LAN names resolution.
> 2. Internal DNS server configured with forwarders so it does effective
> external names resolution.
> 3. Internal ISA interface, alongside with any other internal computer,
> configured with the above DNS server address as the only DNS server.
> External ISA interface is not configured with DNS server address at all.
> 4. I have configured the allow rule for DNS queries (actually, for all IP
> traffic) from internal DNS server to the outside world.
>
> Using nslookup utility I tested the name resolution process and discovered
> that if I disable the DNS filter, the name resolution process fails with
> "DNS request timed out" error. After enabling the DNS filter name resolution
> process immediately gets working smoothly. This happens both on ISA server
> itself and on any snat client (I didn't test this on firewall clients
> though - I don't have any of them).
> As far as I know, static IP packet filter is unable to grant the internet
> access to the internal client, this is the protocol rule's point. So why am
> I facing the above behavior if I already have appropriate protocol rule in
> place, but in addition have to enable the packet filter?
>
> Regards,
> Andrew
>
>