Wednesday, August 29, 2007

DNS and ISA Server

A shout out to my friend Velan Ramalinggam, thanks for your help today :)

We just got back from a customer's site. Their complaint was that after enabling ISA Server's proxy forwarding option (forwarding web requests to an upstream proxy through a routing rule), the ISA server slowed to a crawl, although direct access without the forwarding was perfectly acceptable.

After some initial diagnosis, we found that the ISA server's DNS was not forwarding to external DNS servers correctly. We fixed it by pointing it at a valid external DNS forwarder, and everything seemed to work well after that.

So, in conclusion: the ISA server had rules that referred to websites by name, around 20 of them. When such a rule is enabled, for example one that blocks the website http://www.friendster.com/, the ISA server has to resolve that name to an IP address before it can evaluate whether the rule matches. Since DNS was not resolving the names in those rules, each rule had to wait for a lookup timeout before evaluation moved on to the next rule, and so on down the list. This added a significant delay before reaching the rule that allows people to browse when nothing else matches. One would think: since I am forwarding packets to a proxy "in front" of the ISA server, why would ISA need to do such DNS resolution at all (especially against an external DNS server)? Well, this is by design, and in some versions of ISA Server the lookup can be disabled, provided we have no rules that refer to names (external names in particular) and we forward ISA's web requests to a forward proxy.

Remember though: internal name resolution must still work correctly, especially if you use Active Directory and have internal/intranet websites.

Please note that you need name resolution for internet sites if you do not have a forward proxy configuration. Where you do forward to a forward proxy and have no names in your rules, you may want to disable name resolution for external sites on the ISA server. A Microsoft article covers this, but it is for ISA 2004; I'm not sure whether ISA 2000 (which is what my customer had) has a way to do this or not: http://www.microsoft.com/technet/isa/2004/plan/disablenameresolution.mspx
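As an added illustration (not code from this post or from ISA Server), the following Python model walks a first-match rule list the way described above: every name-based deny rule costs one lookup against the DNS forwarder, an unanswered lookup burns a full timeout before evaluation slides on to the next rule, and the catch-all allow is only reached after all of them. The timeout value, the 20 rule names and the addresses are constructed assumptions. Running it shows the broken forwarder charging 20 timeouts per request while a working forwarder answers in a fraction of a second, and that turning lookups off is only a valid configuration once the name rules are gone.

```python
"""Model of why a firewall whose DNS forwarding is broken crawls through
name-based rules. Added illustration, not ISA Server code; the per-lookup
timeout, the rule count and the addresses are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

LOOKUP_TIMEOUT_S = 2.0    # assumed time a rule waits on an unanswered lookup
LOOKUP_OK_S = 0.01        # assumed cost of a lookup the forwarder answers


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    name: Optional[str] = None   # destination name to match; None matches everything


@dataclass
class Verdict:
    action: str
    matched_rule: int   # index of the rule that decided, -1 for implicit deny
    latency_s: float    # time spent resolving names before the decision
    lookups: int


Resolver = Callable[[str], Optional[List[str]]]

# Constructed answers standing in for a working external forwarder
FAKE_ZONE: Dict[str, List[str]] = {
    "www.friendster.com": ["203.0.113.10"],
    **{f"site{i:02d}.example": [f"203.0.113.{100 + i}"] for i in range(19)},
}


def working_forwarder(name: str) -> Optional[List[str]]:
    return FAKE_ZONE.get(name, [])   # [] = name unknown, but answered quickly


def broken_forwarder(name: str) -> Optional[List[str]]:
    return None                      # no answer at all: the caller times out


def evaluate(rules: List[Rule], dest_ip: str, resolver: Resolver,
             resolve_names: bool = True) -> Verdict:
    """First-match rule walk. Each name rule costs one lookup against the
    forwarder; an unanswered lookup burns LOOKUP_TIMEOUT_S and the rule is
    treated as a non-match, so evaluation slides on to the next rule."""
    latency, lookups = 0.0, 0
    for idx, rule in enumerate(rules):
        if rule.name is None:
            return Verdict(rule.action, idx, latency, lookups)
        if not resolve_names:
            # The post's condition for disabling lookups: no name rules at all.
            raise ValueError(f"rule {idx} needs DNS but name resolution is off")
        lookups += 1
        answer = resolver(rule.name)
        if answer is None:
            latency += LOOKUP_TIMEOUT_S
            continue
        latency += LOOKUP_OK_S
        if dest_ip in answer:
            return Verdict(rule.action, idx, latency, lookups)
    return Verdict("deny", -1, latency, lookups)


def name_block_policy() -> List[Rule]:
    """About 20 deny-by-name rules followed by the catch-all allow, as in the post."""
    names = ["www.friendster.com"] + [f"site{i:02d}.example" for i in range(19)]
    return [Rule("deny", n) for n in names] + [Rule("allow")]


def scenarios() -> Dict[str, Verdict]:
    policy = name_block_policy()
    unlisted = "198.51.100.7"   # constructed address matched by no deny rule
    return {
        "broken_forwarder": evaluate(policy, unlisted, broken_forwarder),
        "working_forwarder": evaluate(policy, unlisted, working_forwarder),
        "blocked_site": evaluate(policy, "203.0.113.10", working_forwarder),
        # Lookups disabled is only valid once the name rules are gone
        "no_name_rules": evaluate([Rule("allow")], unlisted, broken_forwarder,
                                  resolve_names=False),
    }


if __name__ == "__main__":
    for label, v in scenarios().items():
        print(f"{label:18} -> {v.action:5} rule {v.matched_rule:2} "
              f"after {v.lookups:2} lookups, {v.latency_s:.2f}s")
```

The numbers are the point: with the forwarder silent, an ordinary request pays 20 timeouts (40 s here) before it even reaches the allow rule, which is exactly the "crawl" a user sees, while a blocked site is still blocked immediately once the forwarder answers. The `ValueError` encodes the caveat from the text: switching external lookups off is a valid step only after the name-based rules have been removed.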
