Understanding how ISA server clients use DNS.






This tutorial outlines how the ISA Server clients achieve DNS resolution. It will give you a better understanding of how each ISA Server client interoperates with ISA Server's DNS or with the DNS servers directly, and will help you choose the correct client for the job. Each client has advantages and disadvantages; I will highlight these and propose a workaround where there are shortcomings.

DNS: Domain Name Service. This is a service running on a computer that answers DNS queries sent to that computer; the DNS server resolves the query and sends the result back to the requesting computer.

There are three types of ISA Server Clients.


1. ISA Server Firewall Clients
2. ISA Server Secure NAT Clients
3. ISA Server Web Proxy Clients


ISA Server Firewall Clients

Firewall clients send all of their DNS queries to the ISA server. The ISA server then acts as a DNS proxy, forwarding the request to the DNS server that has been configured on the external interface of the ISA server.

This means that any internal DNS request will not be serviced. To overcome this issue, it is recommended that you configure the Local Domain Table (LDT) on the ISA server computer so that all of your local domains are reflected in this table. That way, when an internal DNS request is made, it is not sent to the external interface of the ISA server. Instead, the DNS query is sent to whatever DNS server address is configured on the ISA Server Firewall client's computer, which is normally the internal DNS server.



ISA Server Secure NAT Clients

ISA Server Secure network address translation (Secure NAT) clients typically request resources from computers on the local area network (LAN) or from the Internet.

Thus, Secure NAT clients require DNS servers that can resolve names both for external and internal computers.

Typically, ISA Server Secure NAT clients do not use ISA server for DNS queries; the queries are sent directly to a DNS server. If the DNS query is for a computer on the internal network, the query is sent to the internal DNS server. This server should be configured for both external and internal DNS queries. If the only queries requested will be Internet queries, it is recommended that the queries be sent to an external Internet DNS server only.

Please remember that both a protocol rule and an IP packet filter must be created before ISA server will allow DNS queries through onto the Internet.


ISA Server Web Proxy Clients

ISA Server Web Proxy Clients work in pretty much the same way as ISA Server Firewall Clients do.
Web Proxy clients send all of their DNS queries to the ISA server. The ISA server then acts as the DNS proxy, forwarding the request to the DNS server that has been configured on the external interface of the ISA server. This means that any internal DNS request will not be serviced. However, ISA Web Proxy Clients do not use LDTs (Local Domain Tables) and therefore cannot differentiate between internal and external domains. In this scenario it is best to open the Direct Access tab of the ISA Web browser properties and check the box displayed below; you can add local domains there if you like, or you can update your LDT.
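The three resolution paths described above can be modelled to find internal names that would be forwarded to the external DNS server. This is an added example, not code from ISA Server or from the original tutorial; the client labels, the LDT entry format (`corp.example` or `*.corp.example`) and all sample names are assumptions made for illustration.

```python
# Added illustration: models the DNS paths this tutorial describes.
# Client labels, LDT entry format and sample names are assumptions.

def in_domain_list(name, entries):
    """True if name equals, or is a subdomain of, one of the entries."""
    name = name.rstrip(".").lower()
    for entry in entries:
        suffix = entry.lower().lstrip("*").strip(".")
        if not suffix:
            continue
        # Match on a label boundary so 'notcorp.example' != 'corp.example'.
        if name == suffix or name.endswith("." + suffix):
            return True
    return False

def dns_path(client, name, ldt=(), direct_access=()):
    """Return which resolver ends up handling the query for `name`."""
    if client == "securenat":
        # SecureNAT clients send queries straight to their own DNS server.
        return "client-configured DNS"
    if client == "firewall":
        # Firewall clients honour the LDT; everything else goes via ISA.
        local = in_domain_list(name, ldt)
    elif client == "webproxy":
        # Web Proxy clients ignore the LDT; only the browser's
        # direct-access list keeps a name away from the ISA DNS proxy.
        local = in_domain_list(name, direct_access)
    else:
        raise ValueError(f"unknown client type: {client}")
    return "client-configured DNS" if local else "ISA external DNS"

def unserviced_internal_names(client, internal_names, ldt=(), direct_access=()):
    """Internal names that would be forwarded to the external DNS server."""
    return [n for n in internal_names
            if dns_path(client, n, ldt, direct_access) == "ISA external DNS"]

if __name__ == "__main__":
    LDT = ["*.corp.example"]                       # constructed sample
    INTERNAL = ["intranet.corp.example", "files.lab.example"]
    for client in ("firewall", "securenat", "webproxy"):
        missed = unserviced_internal_names(client, INTERNAL, ldt=LDT)
        print(f"{client:9} -> forwarded externally: {missed}")
```

Running it with your own list of internal host names shows which local domains are still missing from the LDT or from the direct-access list for each client type.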



Summary: It is important that the DNS servers in your organization function well in order to have ISA and its clients working properly. I have shown above the various ways in which the clients interact with the DNS servers. This information will be valuable when troubleshooting problems that the clients have with DNS, and it will also help in the preparation and design of your DNS infrastructure.
