ISA Server DNS Lookups

Status
Not open for further replies.

Magico

MIS
Oct 25, 2002
3
EU
Hi all

Simple question with, I hope, a simple answer.

We have a Firewall 1, v 4.1, guarding a DMZ and it is in dual homed configuration. Our ISA servers, which are configured in firewall mode, and whose external NICs "touchdown" in the DMZ, cannot forward browsing requests through the firewall.

The firewall receives the requests OK, but drops them using the stealth rules at the end of the rule set.

The firewall has a rule to allow it to make DNS lookups and one assumes that when browsing requests are sent out the firewall does the lookups on behalf of the ISA servers.

We have no requirement for inbound traffic to be processed and we rely on our ISP's DNS servers for resolution.

So - the simple question - what is the right way to allow ISA servers to send browsing requests via the firewall?

Thanks

Magico
 
What makes you think that the firewall will do DNS lookups on behalf of the ISA server? Firewall-1 is not a DNS cache and as such will not process port 53 requests.

You need a rule that allows the ISA server to be able to do any services that it requires through the firewall, i.e. UDP 53, TCP 80, 443, etc. Without these rules this traffic will be dropped by the stealth rule.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
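
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Firewall-1 code: a small first-match rule-base model showing the ISA server's traffic hitting the final drop rule until explicit rules for it are placed above that rule. The addresses, rule names and the choice to limit DNS to a single ISP resolver are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (documentation ranges), not taken from the thread.
FW, ISA = "192.0.2.1", "192.0.2.10"
ISP_DNS, WEB = "198.51.100.53", "203.0.113.80"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    proto: str          # "tcp", "udp" or "any"
    ports: frozenset    # empty set means any port
    action: str         # "accept" or "drop"

def _in(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def evaluate(rules, src, dst, proto, port):
    """First-match evaluation, top to bottom; returns (action, rule name)."""
    for r in rules:
        if (_in(r.src, src) and _in(r.dst, dst) and r.proto in ("any", proto)
                and (not r.ports or port in r.ports)):
            return r.action, r.name
    return "drop", "implicit"

# The final drop-everything rule (what the thread calls the stealth rule).
DROP_ALL = Rule("stealth", "any", "any", "any", frozenset(), "drop")

# Rule base as described in the question: only the firewall itself may do DNS.
BEFORE = [Rule("fw-dns", FW + "/32", "any", "udp", frozenset({53}), "accept"),
          DROP_ALL]

# Rule base after the reply's advice: explicit rules for the ISA server.
AFTER = BEFORE[:-1] + [
    Rule("isa-dns", ISA + "/32", ISP_DNS + "/32", "udp", frozenset({53}), "accept"),
    Rule("isa-web", ISA + "/32", "any", "tcp", frozenset({80, 443}), "accept"),
    DROP_ALL]

# Constructed sample flows: (source, destination, protocol, destination port).
FLOWS = [(ISA, ISP_DNS, "udp", 53), (ISA, WEB, "tcp", 80),
         (ISA, WEB, "tcp", 443), (ISA, WEB, "tcp", 25), (WEB, ISA, "tcp", 80)]

def report(rules):
    """Map each sample flow to the (action, rule) that decides it."""
    return {f: evaluate(rules, *f) for f in FLOWS}

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        for flow, verdict in report(rules).items():
            print(label, flow, verdict)
```

Only the listed services open up: ISA traffic on other ports (TCP 25 in the sample) and anything inbound to the ISA server still fall through to the drop rule.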
 