Re: Unable to block domains using domain name set




Phillip is right when he says that the SNAT client resolves the FQDN to an IP
address *before* the request even reaches an ISA server.
Though I haven't seen explicit references to any docs that could confirm my
idea, I suspect that to process SNAT client requests according to firewall
policy containing domain name sets, ISA server performs a reverse DNS lookup
against the particular IP address. That is the only way ISA server can find
out if the particular SNAT request is subject to restrictions from
domain name sets.
In your case, I believe the main issue was improper DNS settings on your
previous ISA installation. That is the reason why ISA was unable to properly
handle SNAT client requests.

Regards,
Andrew

"Alex Chunikhin" <alexc@xxxxxxxxxxxx> wrote in message
news:dfW6g.15258$_e3.2742@xxxxxxxxxxxxxxxxxxxxxxxx
Having a hard time finding this on Microsoft, but this is another article:

http://www.isaserver.org/articles/2004domainnamesets.html
There are a number of ways this can be accomplished using ISA 2004
firewalls. In this article, we'll focus on how to use the ISA 2004
firewall's Domain Name Sets feature to control access to Internet servers.
Domain Name Sets can be used by all ISA client types, including SecureNAT,
Web Proxy and Firewall clients. However, if you want to control access by
user or group, you need to configure the clients as Web Proxy or Firewall
clients (or both).

I just installed a second ISA server in my network and it works there.
I can't figure out what's wrong with the first one.




"Phillip Windell" <@.> wrote in message
news:er4dSjGcGHA.4896@xxxxxxxxxxxxxxxxxxxxxxx
"AlexC" <alexc@xxxxxxxxxxxx> wrote in message
news:QSu6g.43936$g%5.25907@xxxxxxxxxxxxxxxxxxxxxxxx
According to Microsoft this should work for both firewall clients and
secured nat clients.
In my case it works only for firewall clients.

Where did you read that? I thought it would work only for Web Proxy and
Firewall Clients, but not SecureNAT.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
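
A small model of the mechanism Andrew suspects in the thread above, added here as an illustration (it is not code from the thread or from ISA Server): a firewall that sees only a destination IP for SecureNAT traffic can match a domain name set only through the PTR record it gets back. The PTR table, domain set and function names are constructed for the example, and Web Proxy/Firewall clients are assumed to pass the host name to the firewall.

```python
# Constructed reverse-DNS data standing in for the resolver the firewall uses.
# Addresses are from the documentation range; all names are made up.
CONSTRUCTED_PTR = {
    "203.0.113.10": "www.blocked.example.",      # PTR agrees with the site name
    "203.0.113.20": "edge-7.cdn-host.example.",  # PTR names the hosting box
    # 203.0.113.30 deliberately has no PTR record
}

# Hypothetical domain name set used by a deny rule.
BLOCKED_SET = ["blocked.example", "*.blocked.example"]


def in_domain_set(name, domain_set=BLOCKED_SET):
    """Match a host name against exact and leading-wildcard entries."""
    name = name.rstrip(".").lower()
    for entry in domain_set:
        entry = entry.lower()
        if entry.startswith("*."):
            if name.endswith(entry[1:]):   # "*.x.y" matches any name ending ".x.y"
                return True
        elif name == entry:
            return True
    return False


def evaluate(dest_ip, client_supplied_name=None, ptr=CONSTRUCTED_PTR):
    """Return (action, name_used) for one outbound request.

    client_supplied_name models a Web Proxy or Firewall client, assumed to
    hand the host name to the firewall. None models a SecureNAT client,
    where the firewall sees only the destination IP.
    """
    name = client_supplied_name or ptr.get(dest_ip)
    if name is None:
        return ("allow", None)             # nothing to compare with the set
    action = "deny" if in_domain_set(name) else "allow"
    return (action, name.rstrip("."))


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30"):
        print("SecureNAT ", ip, evaluate(ip))
    print("Web Proxy ", "203.0.113.20",
          evaluate("203.0.113.20", "www.blocked.example"))
```

In this model the deny rule only fires for SecureNAT traffic when the firewall's own resolver returns a PTR name that falls inside the set, which is why the firewall's DNS settings decide whether the rule appears to work.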






