Get IT Done: Solve tricky DNS issues with ISA Server 2000's Firewall client

Learn how DNS can conflict with ISA Server

ISA Server can provide a reliable solution for Microsoft shops that are looking for a firewall that can tightly integrate with their existing Microsoft network infrastructure. However, ISA Server is not without its faults. For example, name resolution problems are extremely common when using ISA Server as a firewall. In fact, this issue is at the root of a large number of the e-mails I receive from ISA Server administrators. In this Daily Drill Down, I’ll focus on how to troubleshoot common DNS host-name resolution issues with the Firewall client. Learning how to troubleshoot this issue in terms of DNS should allow you to resolve most of the host name resolution problems you will encounter with the Firewall client.

Three clients for the price of one
Internal network clients that use the ISA Server to access the Internet are classified by how they communicate with the ISA Server. ISA Server can provide different levels of service depending on the client type they use. ISA Server client types include the SecureNAT client, the Firewall client, and the Web Proxy client. For the purposes of this Daily Drill Down, I’ll focus on the Firewall client.

DNS host-name resolution issues
Host-name resolution problems are probably the most common issues you’ll encounter with the Firewall client. You’ll know your users are having name resolution problems when they complain about receiving errors when they access Web pages from their Favorites menu or enter URLs into Internet Explorer’s Address field.

You should be able to resolve any host-name resolution issues by carefully reviewing matters in each of these areas:
  • ISA Server internal interface configuration
  • ISA Server external interface configuration
  • Firewall client computer interface configuration
  • Local domain table (LDT) configuration

ISA Server internal interface configuration (primary interface)
By default, ISA Server resolves Internet host names on behalf of Firewall clients. This ability can save you lots of time, because it keeps you from having to individually configure the network clients with the IP address of a DNS server, or even maintain a DNS server on your internal network.

When the Firewall client sends a request to a particular host, the ISA server will resolve the request and return the answer to the Firewall client. After receiving the IP address of the destination host, the Firewall client will send the request to the ISA server for retrieval.

In order for the ISA server to successfully resolve Internet host names on the behalf of the Firewall client, you need to configure the internal interface of the ISA server appropriately. The appropriate configuration of the internal interface of the ISA server includes the IP addresses of DNS servers that can resolve Internet host names (and internal network host names as well). If the ISA server cannot resolve host names, name resolution will fail, and the Firewall clients will not be able to access Internet (or intranet) resources.

An optimal configuration is to use DNS servers on your internal network that are configured to resolve Internet host names as well as internal network host names. As long as the internal network DNS server is not configured as a root server for the internal domain, and is configured with a Forwarder or Root Hints file, the DNS server will be able to resolve Internet host names. You should configure multiple DNS servers on the internal interface of the ISA server for fault tolerance reasons.

A common error is when ISA administrators configure just an external DNS server on the internal interface of the ISA server, or configure the internal DNS server on top of the DNS server search list, and put an external DNS server as an alternate DNS server. This can cause problems if the internal DNS servers should become unavailable for some reason.

If the top-listed DNS server in the search list becomes unavailable, the DNS client service will move the alternate DNS server to the top of the list. If an alternate DNS server is moved to the top of the list, and that DNS server is an external DNS server, then the ISA server will lose contact with the Active Directory. If ISA Server can’t contact Active Directory, user/group-based access controls will no longer work, and reports configured to run on domain accounts will no longer be created on the ISA server.

While the DNS server order should return to normal after the primary DNS server comes back up, I’ve discovered that it does not always work that way. If the DNS search order doesn’t return to normal, you can restart the ISA server. But the best solution is prevention: Don’t include an external DNS server on the internal interface of the ISA server.
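The following script is an added illustration, not part of the original article or any ISA Server tool. It audits the DNS server list on the ISA server’s internal interface against the two rules above (no external DNS servers on the internal interface; at least two internal servers for fault tolerance) and models the failover reorder the article describes, so you can see which lists would leave the ISA server pointed at an external DNS server and cut off from Active Directory. The internal address ranges and the sample server lists are constructed, and the reorder model (failed primary drops to the bottom of the list) is a simplification of the DNS client service behaviour.

```python
import ipaddress

# Constructed: address ranges that count as "internal" for this example.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(addr, nets=INTERNAL_NETS):
    """True if the DNS server address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def audit_internal_interface(dns_servers, nets=INTERNAL_NETS):
    """Return a list of findings for the internal interface's DNS server list.

    Rule 1 (from the article): no external DNS server belongs on the internal
    interface, because a failover would hand AD queries to a server that
    cannot answer them.
    Rule 2 (from the article): configure more than one internal DNS server
    for fault tolerance.
    """
    findings = []
    external = [s for s in dns_servers if not is_internal(s, nets)]
    internal = [s for s in dns_servers if is_internal(s, nets)]
    if external:
        findings.append(
            "external DNS server(s) on internal interface: " + ", ".join(external)
        )
    if len(internal) < 2:
        findings.append("fewer than two internal DNS servers: no fault tolerance")
    return findings


def after_primary_failure(dns_servers):
    """Simplified model of the reorder: the failed primary drops to the bottom."""
    if len(dns_servers) < 2:
        return list(dns_servers)
    return list(dns_servers[1:]) + list(dns_servers[:1])


def loses_active_directory(dns_servers, nets=INTERNAL_NETS):
    """True if, once the primary fails, the new top-listed server is external,
    which is the situation where the ISA server loses contact with AD."""
    reordered = after_primary_failure(dns_servers)
    return not is_internal(reordered[0], nets)


if __name__ == "__main__":
    # Constructed sample lists: a correct one and the common mistake.
    for servers in (["10.0.0.5", "10.0.0.6"], ["10.0.0.5", "203.0.113.53"]):
        print(servers, audit_internal_interface(servers),
              "AD lost after failover:", loses_active_directory(servers))
```

Run it with your own server lists and internal ranges; any non-empty finding on the internal interface is worth fixing before the primary DNS server goes down rather than after.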

The internal interface, the one connected to your LAN, needs to be configured as the ISA server’s primary interface. You can control interface configuration by right-clicking My Network Places and clicking Properties. When the Network And Dial-up Connections window appears, select Advanced Settings from the Advanced menu.

You’ll then see the Advanced Settings dialog box shown in Figure A. Click on the Internal interface and use the arrow buttons to ensure that the internal interface is on the top of the interface list. This makes the internal interface the primary interface for DNS queries. Click OK to save the change, and restart your server for the change to take effect.

Figure A
Make the internal interface the first interface on your list.

ISA Server external interface configuration
You don’t have to configure a DNS server address on the external interface of ISA Server. Of course, if you use a dial-up connection, you will have no choice, because the dial-up connections use IPCP to assign IP addresses and DNS server addresses to your adapter. There is nothing wrong with having a DNS server assigned to the external interface, and this configuration will not cause untoward problems with the ISA Server name resolution scheme.

In fact, there may be some advantages to including a DNS server setting on the external interface of the ISA server. This has to do with how DNS name resolution requests are handled by multihomed machines.

An internal network DNS server may send a negative response to the ISA server and shut down all DNS queries for DNS servers configured on that adapter. While this should be a rare situation, it can and does occur. By configuring an external network DNS server on the external interface, you will be able to access Internet resources, even though the DNS server list on the internal network interface will not be available for the query.

This situation also explains why you might not want to put the internal and external DNS servers on the internal interface and leave the external interface settings empty. If you receive a negative response to a query issued from the internal interface, all queries to servers configured on that interface will stop. If the external interface settings are empty, then all DNS queries for that request will stop.

Firewall client computer interface settings
Another issue with ISA Server's resolving names for Firewall client computers is related to how ISA Server caches the results of DNS queries. ISA Server does not use the client-side resolver cache that is part of the Windows 2000 operating system. Instead, ISA Server maintains its own separate DNS cache and sets the TTL (Time To Live) on the ISA Server cache to six hours. Under some circumstances, a long TTL on DNS entries can create problems for the Firewall client (and also the Web Proxy client, which uses the same caching mechanism).

You can solve all problems related to the ISA Server performing proxy DNS services for Firewall clients by configuring the Firewall clients to resolve requests based on their local DNS server settings. To do this, you must edit the Mspclnt.ini file, which is the master configuration file for all Firewall clients. This master configuration file is pulled by Firewall clients from the ISA server every six hours (by default), although you can change the frequency by making a change in the Mspclnt.ini file itself.

Start the ISA Management Console by clicking Start | Programs | Microsoft ISA Server | ISA Management. When the ISA Management console appears, expand your server name or array and then click on the Client Configuration node.

Double-click on the Firewall client entry in the right pane of the console. When the Firewall Client properties sheet appears, click on Application Settings, as shown in Figure B.

Figure B
The Firewall Client properties sheet helps you control proxy DNS requests.

Click New. In the Application Entry Setting dialog box, enter Common Configuration in the Application text box. Select NameResolution from the Key dropdown list box. You’ll then notice that the Value field changes to a drop-down list box. Select the L option from the Value drop-down list box, as shown in Figure C.

Figure C
You can reconfigure Firewall clients to use local DNS settings.

The Common Configuration application instructs the Firewall client to use the key values for all applications unless noted otherwise for a specific application. The Key value NameResolution indicates how the Firewall client should handle name resolution. When the value is set to L, the local computer resolves all names. If the value were set to R, all names would be redirected to the ISA server for resolution. The default setting allows the ISA server to resolve dotted decimal or FQDNs on behalf of the Firewall client. Single-label names are resolved locally by the client. Click OK to close the Application Entry Setting dialog box.

The configuration settings can take up to six hours to propagate to the Firewall client computers. You cannot push the settings to the Firewall clients because Firewall clients obtain their configuration themselves using a Pull operation. However, you can go to the Firewall client computers and force a Pull operation. At the user’s workstation, double-click on the Firewall client icon on the System Tray. Then, the Firewall Client Options dialog box will appear, as shown in Figure D. Click the Update Now button. Changes will then download to the Firewall client.

Figure D
You can force the client to pull new configuration information.

Make sure that the Firewall client computer is configured with a DNS server to query before making this change. If you don’t do this, the Firewall client will not be able to resolve any host names!

Configuring the local domain table
If you choose to use the default host name configuration for Firewall clients, you can prevent problems with host name resolution by taking advantage of the local domain table (LDT). The LDT allows you to configure domain names that bypass the ISA Server DNS proxy mechanism. The ISA server can resolve external domain names on behalf of the Firewall client, and the client can resolve names for local domains based on its own DNS server configuration.

The LDT is downloaded to the Firewall client with the Mspclnt.ini file. The Firewall client checks the Mspclnt.ini file to determine if the request is for an entry in the LDT. If the domain name in the request is for an LDT entry, the local machine takes the responsibility of resolving the name. If the domain name in the request is not on the LDT, the Firewall client will send the request to the ISA server for host name resolution.

To view the LDT, launch the ISA Management console. Navigate the left pane to server | Network Configuration | Local Domain Table. The right pane will display a blank information screen.

To add an entry in the LDT, right-click Local Domain Table in the left pane and select New | LDT Entry. You’ll then see the New LDT Entry screen appear. Enter the domain information for your local domain in the Name field. You can also enter any general information you want to store about the domain in the Description text box.
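As an added example (not code from the article or from ISA Server), the script below implements the decision the Firewall client makes for a host name, combining the NameResolution rules from the Application Settings section with the LDT lookup described here: an explicit L or R value decides everything, otherwise LDT domains and single-label names stay local while FQDNs and dotted-decimal addresses go to the ISA server, and a per-application section may override the Common Configuration value. The Mspclnt.ini fragment is constructed; the section name Common Configuration and the NameResolution key with values L and R are from the article, while the LocalDomains key used to carry LDT entries and the [outlook] application section are assumptions made for the example.

```python
import configparser
import ipaddress

# Constructed Mspclnt.ini fragment. Only "Common Configuration" and
# "NameResolution" are taken from the article; "LocalDomains" (assumed name
# for the LDT list) and the "[outlook]" application override are assumptions.
SAMPLE_INI = """\
[Common Configuration]
LocalDomains=corp.example.local,lab.example.local

[outlook]
NameResolution=L
"""


def parse_mspclnt(text):
    """Parse an Mspclnt.ini-style text, keeping key case as written."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def ldt_entries(cfg):
    """LDT domains, normalised to lower case without a leading dot."""
    raw = cfg.get("Common Configuration", "LocalDomains", fallback="")
    return [d.strip().lower().lstrip(".") for d in raw.split(",") if d.strip()]


def name_resolution_mode(cfg, application=None):
    """Per-application NameResolution overrides Common Configuration;
    an absent key means the default behaviour."""
    if application and cfg.has_option(application, "NameResolution"):
        return cfg.get(application, "NameResolution").strip().upper()
    return cfg.get("Common Configuration", "NameResolution", fallback="").strip().upper()


def is_dotted_decimal(name):
    try:
        ipaddress.IPv4Address(name)
        return True
    except ValueError:
        return False


def in_ldt(name, ldt):
    """True if the name is a local domain or lies under one (suffix match on a label boundary)."""
    host = name.lower().rstrip(".")
    return any(host == dom or host.endswith("." + dom) for dom in ldt)


def resolver_for(name, cfg, application=None):
    """Return 'local' or 'isa': who resolves this name for the Firewall client."""
    mode = name_resolution_mode(cfg, application)
    if mode == "L":
        return "local"          # all names resolved on the client
    if mode == "R":
        return "isa"            # all names redirected to the ISA server
    # Default: LDT domains and single-label names stay local,
    # FQDNs and dotted-decimal addresses go to the ISA server.
    if in_ldt(name, ldt_entries(cfg)):
        return "local"
    if is_dotted_decimal(name) or "." in name:
        return "isa"
    return "local"


if __name__ == "__main__":
    cfg = parse_mspclnt(SAMPLE_INI)
    for n in ("www.microsoft.com", "fileserver", "mail.corp.example.local", "192.168.1.1"):
        print(f"{n:28} -> {resolver_for(n, cfg)}")
    print("www.microsoft.com (outlook) ->", resolver_for("www.microsoft.com", cfg, "outlook"))
```

Note the suffix match in `in_ldt` is done on a label boundary, so an LDT entry for corp.example.local covers mail.corp.example.local but not notcorp.example.local; a plain string suffix check would get that wrong.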

DNS host-name resolution is one of the most common problems you’ll run into when working with the Firewall client. Once you understand how the Firewall client resolves host names, you can troubleshoot and correct problems with host name resolution. In this Daily Drill Down, I covered different methods you can use to correct and optimize your Firewall client host name resolution configuration.