Chat Transcript for May 8 2003

May 8, 2003



DrTom : Hi Spsl!

DrTom : Sorry I’m late, I was here early and then got lost doing something else

spsl has returned.

spsl : Hi Tom, I’m back! Stefaan

DrTom : Hi Stefaan!

DrTom : I was late

DrTom : How are you today? Did you have a good holiday?

DrTom : That was last week, IIRC

spsl : Not really, too much work with the Belgium elections on 18 May.

DrTom : Do you have any idea why these people have VPN gateway links drop for no reason? I’ve never seen it in any of my deployments

DrTom : Ah, yes — that is the large product you are working on. Did you decide to go with Aspelle or Aventail?

spsl : I never installed a VPN site-to-site, just client VPN access and they are rock solid.

DrTom : That VPN server and VPN gateways have been very solid for me too, so it’s very strange. I still wonder if it’s an ISP issue or maybe a hardware/driver issue

spsl : Well, there is a great difference in price between both products. I think we will do some tests next month with the Aventail product first.

DrTom : Is the Aspelle product much more expensive?

jasonb54 has joined the conversation.

DrTom : Hi Jason! Welcome to the Open chat

jasonb54 : Hey Tom!

spsl is away.

DrTom : Hi Jason, can you ask that question again?

jasonb54 : Hey Tom – how’s it going?

DrTom : Hi Jason, the text of your questions is showing up as all “0”s

jasonb54 : Hey Dr. Tom!

jasonb54 : My font was set to Tunga???

DrTom : Hi Jason, that is much better!

DrTom : That was probably the problem

jasonb54 : This is a great idea! Thanks for putting it together!

DrTom : Thanks!

DrTom : Got an ISA Server problem or question?

jasonb54 : I have an ISA Server that is not displaying session activity and when you look inside the Computers container, the server has a red X. Any way to fix without a reinstall?

jasonb54 : The services are running fine.

DrTom : Interesting.

DrTom : You mean the Computers node in the ISA Management console?

jasonb54 : I am not sure what changed on the server either. The only thing different is we installed Surfcontrol.

DrTom : Or in the Active Directory?

jasonb54 : We are running AD. Do you think it is in relation to the computer account?

DrTom : Is there anything in the Event View Logs that suggest what the problem might be?

jasonb54 : Unfortunately, no. Nothing out of the norm.

DrTom : I don’t think the computer account would be affected by SurfControl. Did you run the “Secure Your Server” Wizard on the ISA Server?

DrTom : Did the problem appear immediately after installing SurfControl?

jasonb54 : No, I didn’t.

DrTom : I would check to see if things go back to normal by installing SurfControl

DrTom : If they get back to normal, then you know that SurfControl was the problem

jasonb54 : That’s the problem, not sure if the console was doing this before or after Surfcontrol. I am planning to uninstall/reinstall to correct since I can’t see anything in the logs.

DrTom : And then you can take the problem to their Tech Support line with confidence

jasonb54 : Good point!

DrTom : Otherwise, they’ll bounce you back to Microsoft

jasonb54 : See when is the next book coming out! Thanks for the assistance!

DrTom : Are you running in Web Caching mode or Integrated Mode?

jasonb54 : Integrated.

DrTom : You bet! Next book will be in about four-five months

DrTom : Integrated mode, and two NICs, right?

Nicholas has joined the conversation.

DrTom : Hi Nicholas!

Nicholas : Hi Tom

DrTom : How is your ISA Server?

Nicholas : Just thought I would check this out ..

Nicholas : It’s fine.

DrTom : You bet, glad you could make it today

Nicholas : Thank you for asking

croush has joined the conversation.

DrTom : Hi Croush!

jasonb54 : Only 1 NIC now. MS Support had me disable the second NIC and disable IP packet filtering, since we have a firewall on the perimeter.

Nicholas : Only thing I haven’t been able to figure out is a strange problem with my Exchange server and DNS

DrTom : Hi Jason, running integrated mode with 1 NIC might cause problems


DrTom : Hi Croush, nice to chat with you!

jasonb54 : I’ll investigate further. Thanks.

DrTom : Jason — I would ask MS if maybe the integrated mode config with a single NIC could cause this kind of problem, esp. with SurfControl! Interesting setup

croush : Tom, are you still using Mail Essentials to filter spam on your server?

DrTom : Nicholas, what kind of DNS problems are you having with Exchange?

jasonb54 : You bet

Nicholas : Well, at random times, near as I can tell, DNS on my Exchange server will stop working.

Nicholas : If I go to the properties on the network connection and swap the

DrTom : How do you have the Exchange Server configured to resolve MX domain names?

Nicholas : order of the DNS servers the problem goes away.

Nicholas : I’m using DNS

DrTom : Are you using a Smart Host? Or is the Exchange Server resolving the MX domain names?

Nicholas : Exchange server is I believe.

DrTom : Nicholas, are you using an internal DNS server, or an external DNS server to perform name resolution?

Nicholas : I have both an Internal DNS server for my domain, and then I use my ISP’s server for external DNS

Nicholas : my exchange server is a SecureNAT client as it should be.

Nicholas : On the Exchange server, I have my ISP’s DNS servers listed first, and then my internal one last.

DrTom : Nicholas, OK, but have you made any changes to the SMTP service properties on the Exchange Server to customize how domain names are resolved?

croush : Is your internal DNS server set to forward unresolved requests to your ISP’s DNS server?

DrTom : Nicholas, when you say you have your ISP’s DNS server listed first, is that on the Network Interface configuration or in the SMTP service properties?

Nicholas : Tom, I’m using 5.5 so I don’t have the SMTP service, just the Internet Mail connector.

Nicholas : Croush, no, it’s not.

DrTom : Nicholas, OK. That makes a big difference

Nicholas : Hopefully not a bad difference?

croush : running 5.5 on NT4 or 2000?

Nicholas : on 2000.

DrTom : So, the ISP DNS server and the internal DNS server addresses are bound to the Exchange Server’s NIC?

Nicholas : Tom, yes.

DrTom : Nicholas, not good. Use one or the other, but not both. I would start with using ONLY the internal DNS server and remove the entry for the ISP DNS server

BigAl has joined the conversation.

DrTom : Make sure that there is a Protocol and Site and Content Rule that allows your internal DNS server to make outbound DNS Query and DNS Zone Transfer connections

DrTom : The DNS Zone Transfer is required for the MX queries (in some cases)

DrTom : Hi BigAl!!!

BigAl : hello

DrTom : How is your ISA Server?

NFerreira has joined the conversation.

Nicholas : OK, I’ll check those on the ISA server. I’m sure they have to be right now, otherwise things wouldn’t work at all, right?

DrTom : Hi NFerreira!

NFerreira : Hi people!

croush : HI

BigAl : not so good. I’m trying to set up OWA on small business server. I keep getting error 403 access denied.

DrTom : Nicholas, yes, but the DNS server that is used changes based on what queries are answered successfully. If you remove one of the entries, you’ll find out which one is causing the trouble

DrTom : BigAl — OWA on SBS is a very complex affair!

Nicholas : ok. Strange thing this all worked fine when I was running 5.5 on my NT 4.0 Server

NFerreira is away.

NFerreira has left the conversation.

DrTom : Lots of issues — socket pooling, log on locally rights, binding sites to the internal address only, logging lists only the internal IP address of the ISA Server, SSL bridging..

DrTom : Nicholas, Win2k handles DNS a bit differently than NT 4.0

BigAl : I’m finding out. I read your article about using a different port other than 80 which I did.

DrTom : BigAl — the 403 indicates maybe an authentication issue. Are you using Web Publishing or Server Publishing Rules?

BigAl : web publishing

Nicholas : Tom, if I have my DNS Server forward unknown requests, do I have to make that system a SecureNAT client?

DrTom : BigAl — I’ve not tried it, but I don’t think OWA supports publishing on an alternate port very well. However, I could be wrong because I’ve not tried it and I seem to recall other people saying they got it to work OK

DrTom : Nicholas, servers should always be SecureNAT clients, they almost never should be Firewall clients

DrTom : BigAl – Web Publishing Rules should work. But you should add IP addresses to the internal interface of the ISA Server and bind the site to one of the new addresses

BigAl : Ye, I found it didn’t work well. So I tried disabling socket spooling and still get the 403 error

DrTom : That way you don’t get any conflicts with autodiscovery publishing

DrTom : BigAl- are you using SSL for the connection yet?

BigAl : no

DrTom : BigAl- another important thing is that you use ONLY Basic Authentication. That means removing the Digest and Integrated options from the OWA folders

BigAl : I’ll give that a try.

DrTom : BigAl- I have all the details on how to set up OWA and Exchange on the ISA Server in my ISA Server and Beyond book

Nicholas : ok. So I’ll try changing the DNS settings on my Exchange server and also have my internal DNS server forward requests to my ISP’s DNS

DrTom : However, they might also have some information on this in the FP1 docs

BigAl : Ye, I have your first book and it was great. I just recently saw where you published a second book.

DrTom : Nicholas, yes. Try your internal DNS first. If that works, leave it that way and it should continue to work fine.

DrTom : BigAl – thanks for the compliments on the first book! I didn’t spend much time on supporting services on the ISA Server itself in that book, because it’s not a recommended config

BigAl : FP1 docs?

DrTom : However, so many wanted to do it that I did the second book and dedicated a lot of time and pages to the subject!

croush : Anyone here using Mail Essentials 8 on a W2K SMTP server set up to forward to Exchange? I am noticing a huge delay, 30-60 minutes, in processing mail since I have installed it.

DrTom : Nicholas, Great!

DrTom : BigAl – FP1 is Feature Pack 1

BigAl : Gotcha!

DrTom : Check it out over at

Nicholas has left the conversation.

DrTom : BigAl – if you do use the Basic Authentication only option, make sure you secure the credentials with SSL

DrTom : It’s pretty easy to create your own certificate server and create your own certificates. You can even do it on the SBS server machine.

BigAl : I see.

croush : Dr. Tom, did you ever find out what the deal was with Amazon preselling your book ISA Server 2003?

DrTom : Croush, yes — our publisher was expecting the next version of ISA Server to be out much earlier than it will be

DrTom : They thought it would be available in January of this year

DrTom : Maybe January of next year

DrTom : But we’ll definitely have a book on it when it does come out!

BigAl : One more question. I use InoculateIT 6.0 on the same server and I can’t do automatic virus signature updates using ftp. Any ideas?

croush : ah…have any new books in the works?

DrTom : BigAl — Most of these apps use FTP to download the updates. Go to and type FTP in the Search box, you should see FTP packet filters show up

DrTom : Croush — a couple of cool books in the works, but I can’t tell you about them yet

DrTom : If I told you, well, you know

DrTom : LOL!

BigAl : Will do. It’s funny because workstations behind the ISA server can update just fine, just not the server itself.

croush : nothing like getting on a hitlist via a chat room

croush : are the workstations running the firewall client?

DrTom : BigAl- the reason for that is that Protocol and Site/Content Rules don’t apply to the ISA Server machine

BigAl : no

DrTom : You have to create packet filters for apps on the ISA Server itself

DrTom : Croush- LOL! No hit list yet

BigAl : gotcha. I tell you small business server can be a bear.

croush : yep they sure can

DrTom : BigAl- I agree! There are a lot of special things you need to do to get ISA Server to work correctly, most of it is socket pooling related, but multihomed DCs and RRAS on multihomed DCs is a REAL challenge!

DrTom : The good news is that almost all of the problems can be fixed

BigAl : Looks like I need to pick up your second book

DrTom : Hey guys, it’s 12 noon here, which means I need to turn into a pumpkin

DrTom : Thanks for coming to the chat, and I hope to see ya’ll next week!

Rickrk has joined the conversation.

DrTom : BigAl- thanks for getting the book!!!

croush : Thanks

BigAl : Keep up the good work Doc.

DrTom : Thanks! I’ll post the transcript on later today

DrTom : Thanks!

DrTom : Bye….

croush : bye



Got questions on anything you read here in the chat? If so, head on over to;f=2;t=008963 and let’s talk about it. Thanks! –Tom.

