A DMZ challenging question for the Old Masters !

  • Thread starter Thread starter Raed Al-Jarrah
  • Start date Start date
R

Raed Al-Jarrah

Hi ...

Here is my Network Setup :

An Internal DNS Server configured to Forward to my
External DNS Server .

A DNS Query Server Publishing rule (IP of the Internal DNS
Server--to--External IP of the Internal ISA Server)

Internal Interface of the Internal ISA is configured to
use the Internal DNS Server.

External Interface of the Internal ISA Server is
configured to use the External DNS Server ( at its private
IP address ---DMZ Range)

The External DNS Server ( which is supposed to act as my
public DNS Server is located in a B2B DMZ with a Private
IP address ) is published through the External ISA Server
in the same way as the Internal DNS Server.It contains a
single forward lookup zone for my public domain and two
reverse lookup zones , one for the public domain and one
for the DMZ hosts with no corresponding actual domain !

Now :

1 : The External DNS Server can perform name
resolution only using the nslookup utility.
It fails on both Simple & Recursive tests !

2: The External ISA , DMZ hosts & the Internal
ISA are able to perform name resolution . They
are all configured to use the External DNS
server for thet purpose .The Private IP of the
External DNS Server itself.

3: No Internal host is able to perform any real
Internet name resolution including the
Exchange 2000 server itself which is published
on both ISA Servers using the Secure Mail
server Wizard.

4: The Exchange 2000 Server is configured as a secureNAT
client for the iNternal ISA Server which in turn is
configured as a SecureNAT client to the External ISA Server

All servers & clients are able to access the Internet !

Any ideas please !
 
In
Raed Al-Jarrah said:
Hi ...

Here is my Network Setup :

An Internal DNS Server configured to Forward to my
External DNS Server .

A DNS Query Server Publishing rule (IP of the Internal DNS
Server--to--External IP of the Internal ISA Server)

Internal Interface of the Internal ISA is configured to
use the Internal DNS Server.

External Interface of the Internal ISA Server is
configured to use the External DNS Server ( at its private
IP address ---DMZ Range)

The External DNS Server ( which is supposed to act as my
public DNS Server is located in a B2B DMZ with a Private
IP address ) is published through the External ISA Server
in the same way as the Internal DNS Server.It contains a
single forward lookup zone for my public domain and two
reverse lookup zones , one for the public domain and one
for the DMZ hosts with no corresponding actual domain !

Now :

1 : The External DNS Server can perform name
resolution only using the nslookup utility.
It fails on both Simple & Recursive tests !

2: The External ISA , DMZ hosts & the Internal
ISA are able to perform name resolution . They
are all configured to use the External DNS
server for thet purpose .The Private IP of the
External DNS Server itself.

3: No Internal host is able to perform any real
Internet name resolution including the
Exchange 2000 server itself which is published
on both ISA Servers using the Secure Mail
server Wizard.

4: The Exchange 2000 Server is configured as a secureNAT
client for the iNternal ISA Server which in turn is
configured as a SecureNAT client to the External ISA Server

All servers & clients are able to access the Internet !

Any ideas please !

I'm assuming the internal ISA is configured as a SecureNAT client to the
external.

The one thing I would look at with DNS is the emphereal response port, which
is UDP greater than 1023. This has been an issue if you ask me with any
firewall rule. I would also post this to the ISA groups and see what comes
of it.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Back
Top