The #1 unofficial ISA Server resource site

ISAserver.org Newsletter of March 2003

Sponsored by: Rainfinity & GFi Software Ltd.

In this issue: Welcome to the Isaserver.org newsletter! Each month we will bring you interesting and helpful information on ISA Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@isaserver.org

Special Offer for ISA Customers from Rainfinity

You are invited to attend a special web seminar titled "Non-Stop ISA Server Security Protection: NLB vs. RainWall High Availability for ISA Server" Attend this event, and hear author and distinguished Microsoft expert Dr. Thomas Shinder discuss the differences between CARP, NLB, and RainWall, and review the most common ISA Server deployment scenarios.

Register today for this event scheduled for Thursday, April 17th at 9:00 a.m (PDT)!



1. Site Updates


We recently uploaded two chapters from Tom Shinder's second ISA Server book; Chapters One and Four are available for PDF download from ISAserver.org.

To learn more about who you are and what you'd like to see added to ISAserver.org, we've added a mini 'voting booth' to the left sidebar of the site. We'll be updating the question every few weeks, so please check it out and place your vote every 3 weeks or so.

If you're looking for courses on ISA Server, Tom is organising one-day seminars to cover what you need to know about ISA Server; more details are below.

Check out this month's featured newsletter article on 'ISA Server & DNS' below.

Best Regards,
Stephen Chetcuti

2. ISA Server and Beyond and ISA Server Seminars Now Available

By Thomas W Shinder

ISA Server and Beyond is now available! We've included tons of stuff on DMZs, firewall chaining, hierarchical Web caching (Web Proxy chaining), SSL bridging, SSL publishing, OWA, Secure IMAP4/SMTP/POP3 publishing, and publishing services on the ISA Server itself! Most of this stuff isn't described anywhere else. If you're ready to take ISA Server 2000 to the next level, then this is a book you must have.

Click here to order ISA Server and Beyond from Amazon.com today!

Are you wrestling with ISA Server? Need to get your head around what makes ISA Server tick? If so, consider my one-day seminar on ISA Server. I'll bring meaning to inbound and outbound access, ISA Server client types, Web and Server Publishing, and VPN Servers and VPN Gateways. I guarantee you'll learn something new and maybe even have fun along the way. The next seminar is May 9th here in Dallas, Texas. Click HERE for more info and I hope to see you there!

 



3. ISA Server and DNS

By Thomas W Shinder, M.D., MCSE, etc.

Did you know ISA Server has been around for over two years? The ISA Server CD you hold in your hand was released to manufacturing in late December 2000. Since that time there have been over 75,000 posts to the ISAServer.org message boards and over 20,000 posts to the ISAServer.org mailing list. I’m glad to say that I’ve read every one of the Web board posts and email messages. I’ve learned a lot about ISA Server from other participants on the Web boards and mailing list. I’ve also learned about what subjects ISA Server admins grasp quickly, and those that cause never-ending confusion.

When it comes to challenging ISA Server administrators, DNS issues are at the top of the list. It’s not really an issue with ISA Server as much as it is a problem dealing with the complexities of DNS. Most Windows network administrators have a good enough grasp of DNS and how it works to keep their networks running smoothly. They can maintain zone databases, configure simple replication networks, and manage resource records. The problem is that the level of complexity makes a quantum leap when you introduce a firewall.

Common areas of DNS confusion include:

  • How to configure DNS settings on the ISA Server interfaces
  • How to configure DNS settings on the ISA Server client interfaces
  • How to configure DNS for Exchange Servers
  • How to configure a DNS server on the internal network
  • How to deal with the same DNS domain name for public and private resources

Let’s take a closer look at each of these issues.

----------------------------------

How to Configure DNS Settings on the ISA Server Interfaces

----------------------------------

DNS server settings on the ISA Server interfaces should be simple, and they are. The problem is that there are a number of different scenarios and complexity is introduced when you don’t understand these scenarios.

There are two primary setups: when you have a DNS server on your internal network, and when you don’t.

You depend on your ISP’s DNS server when you don’t have a DNS server on your internal network. In that case, you can put the IP address of your ISP’s DNS server in the DNS settings of your primary interface. The primary interface is the one on the top of the list of adapters in the Advanced Settings dialog box. You can access the Advanced Settings dialog box from the Advanced menu in the Network and Dial-up Connections window. The internal interface should be on top of that list.

The vast majority of ISA Server admins have at least one DNS server on the internal network and the DNS server is configured to resolve Internet host names. In this case, you should configure the primary interface (internal interface) to use this DNS server. Leave the DNS settings on the external interface empty.

There are special considerations when the DNS server is on the ISA Server itself. The DNS server should be configured to listen only on the internal interface, and the primary interface is configured to use the IP address that the DNS server is listening on. ISA Server has a pre-built packet filter that allows outbound UDP 53 to support DNS queries. However, you might want to consider creating a packet filter for TCP 53 if you want to support IIS 5.0 (Exchange) MX record lookups. Note that the packet filter is required only because the service is on the ISA Server itself. You never create a packet filter to allow outbound access for internal network clients.

If you must run your DNS server on the ISA Server itself, I highly recommend that you do not use it to publish your public DNS records. If you feel compelled to run a DNS server on the ISA Server itself, use the DNS server on the ISA Server as a caching only server. Of course, if you have a single Windows 2000 Server on your network (a la SBS), then you have no choice but to put a DNS server on the ISA Server. In that case your domain zone file will be on the ISA Server and you definitely should not publish public DNS records on this server.

The “take home” message is that you should have a DNS server on your internal network and the IP address of the DNS server should be in your primary (internal) interface.

----------------------------------

How to Configure DNS Settings on the ISA Server client interfaces

----------------------------------

Here’s where things get interesting. What DNS server address should you use on the ISA Server clients? An external DNS server? An internal one? Both? Are there different settings for the SecureNAT, Firewall and Web Proxy clients?

The SecureNAT client must be configured with a DNS server address. ISA Server isn’t going to resolve any names on behalf of the SecureNAT client. The SecureNAT client has to resolve names on its own. The SecureNAT client can be configured to use an external DNS server or an internal DNS server. If you configure the SecureNAT client to use an external DNS server, it will not be able to resolve names on the internal network. If the SecureNAT client is configured to use an internal DNS server, then the SecureNAT client will be able to resolve internal and external host names if the internal DNS server is configured to resolve Internet host names.

The Firewall client is more flexible. By default, the Firewall client allows the ISA Server to resolve names on its behalf. That allows the ISA Server to build up its DNS cache of Internet addresses. You can control this behavior by manipulating the NameResolution key in the mspclnt.ini file. If you leave the Firewall client with its default settings, you won’t need to configure a DNS server address on the client. However, I recommend you configure the Firewall client machines with an IP address of an internal DNS server and then configure the Local Domain Table (LDT) with your internal network domains. The Firewall client will send queries for hosts in the LDT directly to the DNS server and not allow the ISA Server to resolve the name on its behalf. This is a more efficient use of the ISA Server’s resources.

The Web Proxy client always allows the ISA Server to resolve names on its behalf. There aren’t any configuration options that allow you to bypass this setting. However, the Web Proxy client is almost always configured as a Firewall or SecureNAT client, so you should use the DNS settings that are appropriate for those client types. I recommend you configure the Web Proxy client with the address of an internal DNS server and then configure the LDT with your internal domain names. Then configure the Web Proxy client to use Direct Access to connect to Web resources on the internal network. This allows the Web Proxy client machines to bypass the Web Proxy service when connecting to internal resources and will improve overall Internet access performance for all network hosts because internal clients aren’t “looping back” through the ISA Server to access trusted resources on the internal network.
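The decision logic spelled out for the three client types above, written as an added example (not code from ISAserver.org or Microsoft). The LDT contents, the internal DNS address and the host names are constructed, and the NameResolution values 'R' (remote, the default) and 'L' (local) are assumed to correspond to the mspclnt.ini setting the article mentions:

```python
# Added example, not code from ISAserver.org or Microsoft: a model of where a
# name lookup goes for each ISA Server 2000 client type, as the article
# describes. The LDT contents, DNS address and host names are constructed;
# the NameResolution values 'R' (remote, the default) and 'L' (local) are
# assumed to match the mspclnt.ini setting the article mentions.

INTERNAL_DNS = "192.168.1.2"   # constructed internal DNS server address

# Local Domain Table (LDT): domains whose names the Firewall client resolves
# itself instead of handing the lookup to the ISA Server.
LDT = ("domain.com", "corp.local")


def in_ldt(name, ldt=LDT):
    """True when `name` is one of the LDT domains or a host beneath one."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in ldt)


def resolver_for(name, client_type, client_dns=None,
                 name_resolution="R", direct_access=False):
    """Return (who, dns_server) for a lookup of `name`.

    who is 'client' (the machine's own resolver, via dns_server),
    'isa' (the ISA Server resolves on the client's behalf) or
    'unresolvable' (a SecureNAT client with no DNS server configured).
    """
    ct = client_type.lower()
    if ct == "securenat":
        # ISA Server never resolves names on behalf of a SecureNAT client.
        return ("client", client_dns) if client_dns else ("unresolvable", None)
    if ct == "firewall":
        # LDT names go straight to the client's DNS server (if it has one);
        # everything else goes to the ISA Server unless NameResolution=L.
        if client_dns and (in_ldt(name) or name_resolution.upper() == "L"):
            return ("client", client_dns)
        return ("isa", None)
    if ct == "webproxy":
        # Web Proxy requests are always resolved by the ISA Server, except
        # when Direct Access tells the browser to connect to LDT hosts itself.
        if direct_access and in_ldt(name) and client_dns:
            return ("client", client_dns)
        return ("isa", None)
    raise ValueError("unknown client type: %s" % client_type)


def recommended_setup(names, client_type):
    """Apply the article's recommendation (internal DNS + LDT) to a batch of names."""
    return {n: resolver_for(n, client_type, INTERNAL_DNS, direct_access=True)[0]
            for n in names}


if __name__ == "__main__":
    for n, who in recommended_setup(["www.domain.com", "www.microsoft.com"],
                                    "firewall").items():
        print("%-20s resolved by %s" % (n, who))
```

With the recommended setup, internal names in the LDT never touch the ISA Server, while Internet names still benefit from its DNS cache.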

----------------------------------

How to Configure DNS for Exchange Servers

----------------------------------

I don’t know why, but it seems that DNS settings for Exchange Servers are the biggest DNS bugbear related to ISA Server. Actually, I don’t think ISA Server has anything to do with it, as the DNS requirements for an internal Exchange Server are the same whether you use ISA Server or another firewall.

The Exchange Server should never be configured as a Firewall client. Servers, especially published servers, are always configured as SecureNAT clients (except for special situations when you’re using a wspcfg.ini file). That means the Exchange Server has to resolve names itself; the ISA Server isn’t going to resolve names for the Exchange Server.

The default setting for Exchange 2000 is to use the DNS setting on its interface. This typically is set for an internal DNS server. The internal DNS server can then resolve mail domain name records (MX) and forward the answer to the Exchange Server. You can configure the Exchange Server to use an external DNS server if you don’t have an internal DNS server.

Although I’ve never seen it myself, I’ve heard a few people say they have problems with using an internal DNS server to resolve mail domains for their internal Exchange Server. If the Exchange Server can’t get the MX record information, then it won’t be able to send outbound mail and it’ll get stuck in the queue. The people reporting this issue claim they have Protocol Rules allowing the DNS server outbound access to UDP and TCP port 53. In spite of these reports, I recommend that you first try to use the DNS server on your internal network before trying any alternatives.

Exchange Server does allow you to use an “external” DNS server. This external DNS server configuration allows the IIS 5 SMTP service to bypass the DNS settings on the machine’s interface and use a different DNS server (such as your ISP’s) to resolve mail domain names. If you have problems using your internal DNS server to resolve mail domain names, try configuring the SMTP service on the Exchange Server to use an “external” DNS server.

If you want to sidestep the name resolution issue altogether, configure the Exchange SMTP service to use a “smart host”. All outgoing SMTP traffic is forwarded to the smart host. The Exchange Server doesn’t need to resolve any Internet names because you configure the smart host settings to use the IP address of your ISP’s SMTP server.

Note that these DNS settings have no effect on inbound mail. If you’ve published an Exchange Server and you’re not receiving inbound messages, the problem is most likely your external DNS. Make sure DNS servers that are responsible for your public records have MX records that point to Host (A) records that resolve to the IP address you’re using to publish the Exchange SMTP service.
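The inbound-mail check in the previous paragraph, as an added example (not code from the newsletter or Microsoft): it walks a constructed public zone and reports every MX target that does not end in an A record for the address the Exchange SMTP service is published on. The zone contents, the 222.222.222.222 publishing address and the "backup"/"old" hosts are all constructed:

```python
# Added example, not from the newsletter: a consistency check for inbound mail
# DNS. It reports MX targets in a (constructed) public zone that do not resolve
# to the address the Exchange SMTP service is published on.

PUBLIC_ZONE = {
    "domain.com.":        [("MX", (10, "mail.domain.com.")),
                           ("MX", (20, "backup.domain.com.")),
                           ("MX", (30, "old.domain.com."))],
    "mail.domain.com.":   [("A", "222.222.222.222")],
    "backup.domain.com.": [("CNAME", "mail.domain.com.")],   # constructed misconfiguration
    "old.domain.com.":    [("A", "222.222.222.9")],          # constructed stale address
}


def fqdn(name):
    return name.lower() if name.endswith(".") else name.lower() + "."


def lookup(zone, name, rtype):
    """Records of one type for a name; empty list when there are none."""
    return [v for t, v in zone.get(fqdn(name), []) if t == rtype]


def resolve_a(zone, name, max_chain=8):
    """Follow CNAMEs (bounded, so an alias loop cannot hang the check) to A records."""
    hops = 0
    while hops < max_chain:
        addrs = lookup(zone, name, "A")
        if addrs:
            return addrs
        cnames = lookup(zone, name, "CNAME")
        if not cnames:
            return []
        name = cnames[0]
        hops += 1
    return []


def check_mx_publishing(zone, mail_domain, published_ip):
    """Return problem descriptions; an empty list means the MX/A chain is consistent."""
    problems = []
    mx = lookup(zone, mail_domain, "MX")
    if not mx:
        return ["no MX records for %s" % mail_domain]
    for pref, target in sorted(mx):
        if lookup(zone, target, "CNAME"):
            # RFC 2181 section 10.3: an MX target must be a host name, not an alias.
            problems.append("MX %d %s is a CNAME, not a host (A) record" % (pref, target))
        addrs = resolve_a(zone, target)
        if not addrs:
            problems.append("MX %d %s has no A record" % (pref, target))
        elif published_ip not in addrs:
            problems.append("MX %d %s resolves to %s, not the published address %s"
                            % (pref, target, ", ".join(addrs), published_ip))
    return problems


if __name__ == "__main__":
    for p in check_mx_publishing(PUBLIC_ZONE, "domain.com", "222.222.222.222"):
        print("PROBLEM:", p)
```

Run against a real zone, the same walk would use the answers from the authoritative servers for your public records; the logic (MX, then A, with the published address as the expected result) is what matters.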

----------------------------------

How to Deal with the Same Domain Name for Public and Private Resources

----------------------------------

Here’s one that can cause big problems. You’ve named your internal network domain domain.com, and your public Web site and FTP servers are reachable from the Internet by the same domain name. If your internal network clients use the same DNS servers to resolve public and private names, then your internal network clients are going to “loop back” through the external interface of the ISA Server to access internal resources. Even worse, you might not be able to access your public Web site that’s hosted by your ISP or Web hosting provider, because the name is resolving to a private address on your internal network.

What’s the solution? A “split DNS”. The split DNS infrastructure splits your public records from your private records. This means you must have at least two different DNS server machines to host your records. You can’t have two domain.com zones on the same DNS server. You need a DNS server that internal users use to resolve names on the internal network, and you need a DNS server that resolves your Internet resource names.

For example, you’ve published a Web server on your internal network. External users access that server using the FQDN http://www.domain.com/, which resolves to the public address 222.222.222.222. Internal network clients need to access the same server, and you want them to be able to access it by typing http://www.domain.com/. You do NOT want the internal users to access the published server via 222.222.222.222; you want the internal clients to resolve the name to 192.168.1.10. You accomplish this by having internal clients use a different DNS server than the external clients.
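The split DNS just described, as an added example (not code from the newsletter): two views of domain.com, one answered to internal clients and one to everyone else, plus a check that finds answers which would send an internal client "looping back" through the ISA Server's external interface. The 192.168.1.10 and 222.222.222.222 addresses follow the article's example; the zone contents, the internal network range and the answer log are constructed:

```python
# Added example, not from the newsletter: a split-DNS resolver with two views
# of domain.com and a loop-back finder. Zone data and log lines are constructed.
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed internal range

# Two zones for the same domain name, hosted on two different DNS servers.
INTERNAL_VIEW = {"www.domain.com": "192.168.1.10", "ftp.domain.com": "192.168.1.11"}
PUBLIC_VIEW = {"www.domain.com": "222.222.222.222", "ftp.domain.com": "222.222.222.222"}


def is_internal(client_ip):
    return ipaddress.ip_address(client_ip) in INTERNAL_NET


def resolve(name, client_ip, internal=INTERNAL_VIEW, public=PUBLIC_VIEW):
    """Answer from the internal zone for internal clients, the public zone otherwise."""
    view = internal if is_internal(client_ip) else public
    return view.get(name.lower().rstrip("."))


def find_loopbacks(answers, public=PUBLIC_VIEW):
    """Flag answers that hand an internal client the public address of a
    published server. `answers` is an iterable of (client_ip, name, answer_ip)."""
    flagged = []
    for client_ip, name, answer_ip in answers:
        key = name.lower().rstrip(".")
        if is_internal(client_ip) and public.get(key) == answer_ip:
            flagged.append((client_ip, key, answer_ip))
    return flagged


# Constructed resolver answers: the first two came from a single shared zone
# (no split DNS), the last two from the split configuration above.
ANSWERS = [
    ("192.168.1.50", "www.domain.com", "222.222.222.222"),
    ("192.168.1.51", "ftp.domain.com", "222.222.222.222"),
    ("192.168.1.50", "www.domain.com", resolve("www.domain.com", "192.168.1.50")),
    ("203.0.113.7",  "www.domain.com", resolve("www.domain.com", "203.0.113.7")),
]

if __name__ == "__main__":
    for client, name, addr in find_loopbacks(ANSWERS):
        print("loop-back: %s got %s for %s" % (client, addr, name))
```

Only the two answers from the shared zone are flagged; with the split configuration, internal clients get 192.168.1.10 and never see the published address.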

-----------------------------

Conclusion

-----------------------------

DNS will continue to be an issue for ISA Server administrators. There are just too many possible scenarios to make a DNS “cookbook” for ISA Server. However, if you have a simple network and don’t have any unusual or special requirements, you shouldn’t have too many problems getting your DNS settings correct on your ISA Server, your ISA Server clients and your Exchange Servers. The problem is that most networks, like most people, seem to have special requirements. Your best armor against DNS problems is to learn as much as you can about DNS. If you’re not already a well-heeled DNS pro, you might want to check out DNS on Windows 2000 http://www.amazon.com/exec/obidos/ASIN/0596002300/qid=1048198067/sr=2-3/ref=sr_2_3/104-1948623-5402356  Got questions on what I said here? Head on over to XXXXX and I’ll answer you ASAP.

Downloads content checking & anti-virus for ISA Server with GFI DownloadSecurity!

GFI DownloadSecurity for ISA Server enables you to assert control over what files your users download from HTTP & FTP sites. Downloaded files are content checked for viruses, malicious content and objectionable material, and can be quarantined based on file type and which user downloaded them. GFI DownloadSecurity handles the security risk of file downloads without resorting to blocking all file downloads at firewall level! Blocking of file downloads is an unpopular policy, and results in your having to temporarily open ports/file types for users, resulting in additional administration and potential security holes.

Click here to download your free trial!



4. ISAServer.org Learning Zone articles of Interest


We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

5. KB Articles of the Month


Here are some interesting and useful ISA Server related Q articles posted by Microsoft in the last month:

6. Post of the Month!


A lot of us were disappointed when a security update to the Terminal Services Advanced Client Web Site and ActiveX control broke the ability to use an alternate port to connect to the Terminal Server. However, it turns out that it wasn't broken at all! Things were just changed a bit. Our hats go off to Blaenzo, who shared the secret with us on the ISAServer.org message boards:

Instead of adding to connect.asp:
* MsTsc.AdvancedSettings2.RDPPort
(after the entries starting with MsTsc.AdvancedSettings2.)
you can add to default.htm:
* MsRdpClient.AdvancedSettings2.RDPPort
(after the entries starting with MsRdpClient.AdvancedSettings2.)

Do you have problems with your Outlook Web Access users always forgetting to type /exchange at the end of the URL? Me too. Here's a nice tip from Michael Hemming to help us all out:

Just set up a redirect in the root of your OWA server.  For example:
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=https://webmail.blahblahblah.com/exchange/">
Works perfectly for me and I'm using SSL through ISA.
And if you're running another website on your Exchange server, preventing you from redirecting the root, I'd ask you why you would even think of doing that in the first place. <g>

Great advice Michael, especially regarding publishing general public access Web sites on the OWA server.




7. ISA Server Link of the Month


ISA Server Feature Pack 1 has now been out for a few months. Have you installed it yet? Maybe you're waiting to see if other people have had problems with Feature Pack 1 before you install it. Or maybe you're not sure it has anything you need. From what I've seen in the field, and on the mailing lists, Web boards and newsgroups, there don't appear to be any major, or even minor problems with Feature Pack 1. That means Feature Pack 1 is rock solid! Does Feature Pack 1 have anything you need? Find out by watching these Webcasts! First, listen to Steve Gombotz share the secrets of Feature Pack 1. When you're done listening to Steve, head on over to the second link and listen to Zach Gutt's wit and wisdom on Feature Pack 1. You'll be the Feature Pack 1 PRO by the end of the day:

http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc022003/wcblurb022003.asp
http://www.microsoft.com/usa/webcasts/ondemand/1501.asp

8. Ask Dr. Tom


QUESTION: I have read your article about configuring IE and the ISA server to work harmoniously with regards to FTP, however, I am still having difficulty. I was wondering if I may ask for some advice.
My setup:
My Windows 2000 w/ ISA (SP1) running in integrated mode will not allow Windows 2000 workstations (with web proxy in browser and MS firewall clients) to perform a put on an FTP site. I get the "The folder ftp://samplesite.com is read-only because the proxy server is not set up to allow full access" error message. I am at my wit's end with this as the workstations have both clients. Not to mention that it is holding up deployment of our new production server. Any advice would be greatly appreciated.

ANSWER: This is an interesting question. As you know from reading the article, a machine that's configured as a Web Proxy client only can only perform FTP downloads. However, when the machine is configured as both a Web Proxy and FTP client, the machine should be able to fall back on the Firewall client configuration and perform FTP uploads via the Firewall client. Try enabling "Folder View" in Internet Explorer. This will allow the Internet Explorer FTP client to bypass the Web Proxy service. If you continue to have failures after making this change, check the Firewall service logs to determine if this is a permissions issue. Make sure that you have Rule#1 and Rule#2 enabled in the log file fields so you can determine what Site and Content Rule and/or Protocol Rule denied the request. Note that if these rule fields are empty, it indicates there is no rule to allow the request.

QUESTION: We have a rule to allow HTTP, FTP etc. for authenticated users, but we need to specify certain websites that don't require authentication to access them. They are in the Destination sets and in a Site and Content rule for all requests. The Authentication box still comes up for these sites. Am I missing something, or can this not be done?


ANSWER: In order for a user to gain access to external content, there must be a Protocol Rule and a Site and Content Rule that allows access. From what I can tell, you have a Protocol Rule that allows all authenticated users access to HTTP and FTP. However, what I do not know is what Site and Content Rules you have in place. However, it sounds like you would like to let all authenticated users access to all sites and content, except for a few sites, in which case you would like to allow anonymous access. The problem is that you're requiring authentication in your Protocol Rules and anonymous requests will be stopped by the Protocol Rule before even being evaluated by the Site and Content Rule. You might change your Protocol Rule to allow access to all the IP addresses in your LAT, and then create two Site and Content Rules. The first Site and Content Rule allows access to all sites and content to authenticated users except for those sites contained in a Destination Set that contains your anonymous access sites. Then create a second Site and Content Rule that allows access to the anonymous access sites to a client address set that contains all the addresses in your LAT. While this isn't truly anonymous (because you still have IP address based access control enabled), it does get around authentication issues.
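The rule evaluation order Dr. Tom relies on in that answer, as an added example (not code from the newsletter or Microsoft): a toy model in which an outbound request must pass the Protocol Rule before any Site and Content Rule is consulted, comparing the reader's configuration with the suggested one. The rule classes, the LAT range, the user name and the "anonsite.com" destination set are constructed:

```python
# Added example, not from the newsletter: a toy model of ISA Server 2000
# outbound policy evaluation as described in the answer above. The Protocol
# Rule is checked first; a request it denies never reaches the Site and
# Content Rules. Rule objects, the LAT range and host names are constructed.
import ipaddress

LAT = ipaddress.ip_network("192.168.1.0/24")                # constructed Local Address Table
ANON_SITES = {"www.anonsite.com", "updates.anonsite.com"}   # constructed destination set


def _client_ok(client_set, client_ip):
    return client_set is None or ipaddress.ip_address(client_ip) in client_set


class ProtocolRule:
    def __init__(self, authenticated=False, client_set=None):
        self.authenticated = authenticated   # require an authenticated user
        self.client_set = client_set         # or restrict by client address set

    def permits(self, client_ip, user):
        if self.authenticated:
            return user is not None
        return _client_ok(self.client_set, client_ip)


class SiteRule:
    def __init__(self, destinations="*", exclude=(), authenticated=False, client_set=None):
        self.destinations = destinations     # "*" or a destination set
        self.exclude = set(exclude)          # destination set excluded from "*"
        self.authenticated = authenticated
        self.client_set = client_set

    def matches_dest(self, host):
        if self.destinations == "*":
            return host not in self.exclude
        return host in self.destinations

    def permits(self, client_ip, user, host):
        if not self.matches_dest(host):
            return False
        if self.authenticated:
            return user is not None
        return _client_ok(self.client_set, client_ip)


def evaluate(protocol_rule, site_rules, client_ip, user, host):
    """Return (allowed, reason). user=None models an anonymous request."""
    if not protocol_rule.permits(client_ip, user):
        return (False, "denied by Protocol Rule (Site and Content Rules never evaluated)")
    for i, rule in enumerate(site_rules, 1):
        if rule.permits(client_ip, user, host):
            return (True, "allowed by Site and Content Rule %d" % i)
    return (False, "no Site and Content Rule allows the request")


# The reader's configuration: authentication required in the Protocol Rule,
# so an anonymous request dies there even though a Site and Content Rule
# for the anonymous sites exists.
ORIGINAL = (ProtocolRule(authenticated=True),
            [SiteRule("*", authenticated=True), SiteRule(ANON_SITES)])

# The suggested configuration: Protocol Rule by LAT address, then two
# Site and Content Rules as described in the answer.
SUGGESTED = (ProtocolRule(client_set=LAT),
             [SiteRule("*", exclude=ANON_SITES, authenticated=True),
              SiteRule(ANON_SITES, client_set=LAT)])

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, evaluate(*cfg, "192.168.1.20", None, "www.anonsite.com"))
```

As the answer notes, the result is not truly anonymous: the second Site and Content Rule still keys on the client's LAT address, which is the access control that remains once authentication is dropped from the Protocol Rule.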

 
