One of the more common troubleshooting issues with the ISA firewall has to do with the DNS settings on the firewall’s interfaces. The same issues apply to the new TMG’s interfaces.
In order to avoid common DNS and name resolution issues, here’s what you need to know about configuring DNS settings on the TMG:
- Never put an an external DNS server address on any of the TMG firewall’s interfaces if you need to resolve internal host names
- You also always need to have the TMG resolve internal host names, so don’t put any external DNS server addresses on any of the TMG’s interfaces
- Configure a DNS server on only one interface on the TMG. There is no fault tolerance value to adding DNS server settings on multiple interfaces
- Configure the internal interface of the TMG firewall with the DNS server settings. If you have multiple internal DNS servers, you can put them all on the same internal interface
- Move the internal interface to the top of the interface list so that the internal interface is queried first for DNS settings
- Configure the internal DNS server that the TMG will use to resolve host names so that it can resolve both internal and external names
- You can have the internal DNS server perform recursion on its own, or you can configure the internal DNS server to use a forwarder (such as your ISP, or even another DNS server on your network that is configured as a caching only forwarder)
- Remember that the Forefront TMG Firewall will resolve names for Web Proxy and Firewall clients. It will not resolve names for SecureNAT clients, so make sure you configure your SecureNAT clients with a DNS server that can resolve both internal and external hosts names. It can be the same DNS server that the Forefront TMG Firewall is using, if you want
- If you have a Forefront TMG scenario where you don’t want the machine to resolve names (such as a Web hosting environment), you can leave out all DNS settings and use a HOSTS file on the TMG firewall
DNS misconfiguration on the TMG can lead to performance problems and failures to reach requested sites.
Also, remember that if the TMG firewall is in an environment where you have enabled DDNS (such as when the TMG is a member of the domain), when make sure that only the internal interface of the TMG firewall is registered in DNS. Double check your DNS server’s Host (A) records after installing the TMG firewall to make sure that the external interface is not registered.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP — Microsoft Firewalls (ISA)