Using DNS resolution to redirect the Firewall Client

Source: Internet
Author: User

Many companies now use Microsoft's Active Directory to manage their networks, and the internal DNS server is an integral part of it. When an ISA Firewall Client accesses network resources through ISA, its DNS resolution is performed by the ISA Server. With a little thought, combining the internal DNS server with the Firewall Client can neatly solve many practical problems.

In this article, I use two cases to show how combining the two solves two practical problems.

Statement: These two cases are problems I ran into recently. The first case was solved by one of my colleagues, who gave me a new idea; the second case is a new problem that I solved using this idea.

CASE1:

Problem Description: The network environment of Contoso company is shown in the following illustration:

The company uses ISA 2004 as a proxy server.

The company's internal network uses a single-forest, single-domain model. The internal DNS name is contoso.com, and the domain name registered on the Internet is also contoso.com. The company has more than 50 servers, including mail servers, database servers, OA servers, FTP servers and Web servers. The mail servers and OA servers have two network cards, the FTP servers and Web servers have only an external network card, and the database servers have only an internal network card. Servers with external network adapters are connected directly to the outside-line switch and have legitimate DNS names registered on the Internet.

In the TCP/IP configuration of the company's internal clients, DNS points to an internal DNS server, and clients that are permitted to access the Internet do so through the Firewall Client (FWC). To improve the speed of access to the OA servers and mail servers, the company now requires clients to reach the mail servers and OA servers through those servers' internal network cards.

Analysis of the problem: there are about 30 OA servers and mail servers in total. Setting "Access through Proxy Server" for them one by one on the ISA console is a lot of work, and every new server added in the future would need a corresponding record on the ISA. If you instead set up a bypass for *.contoso.com directly on the ISA, users with the Firewall Client installed will be unable to access ftp.contoso.com and www.contoso.com (because these servers do not have an internal network card).
