Welcome to ISAserver.org
FTP Uploads
FTP Uploads - 25.Jul.2006 10:08:38 PM
kharris_trc
Posts: 5
Joined: 25.Jul.2006
Status: offline

I am attempting to allow my internal clients the ability to upload files to an external FTP site, preferably via Internet Explorer. I have recently moved up to ISA 2004 from ISA 2000 (running on another machine) and it was easy in ISA 2000, but it is very difficult in ISA 2004.

I just found the following link at Microsoft: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/unsupportedconfigs.mspx

It basically says that you cannot use FTP to upload from a Web Proxy Client in ISA 2004 and there is no workaround. Therefore I installed the Firewall Client and I still cannot get it to work. Users can log on to the remote site and download, but they cannot upload.

After researching this, I have found several suggestions but none work. Among the suggestions tried:

* Verify the read-only option is not checked in the FTP filter - I have verified that the filter is enabled, and the read-only option is NOT checked.
* Check out the following link: http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html - I have read it at least four times and followed it to the best of my ability, but it still doesn't work.
* Try it from the command line or another application - I have, and I get the same results . . . Read-only.

I have come across several other posts here and there that tell me others have had similar difficulties with ISA 2004. I feel like it has to do with the access rules, but I don't know how to solve the issue. Has anyone done this that can give me some guidance?

Thank you in advance.

RE: FTP Uploads - 25.Jul.2006 10:37:40 PM
kharris_trc
Posts: 5
Joined: 25.Jul.2006
Status: offline

Honestly, I can, but I don't have anything special. Therefore, I guess my question is how have others done this? Does anyone have instructions for the access rules they have in place to make this work? If I could see the access rules that make this work, I (as well as others) could probably recreate them. There are obviously some special rules that must be in place to make this work, and the ISA 2000 articles are just different enough for ISA 2004 that it is difficult to follow.

RE: FTP Uploads - 25.Jul.2006 10:55:33 PM
kharris_trc
Posts: 5
Joined: 25.Jul.2006
Status: offline

I do have two NICs, one internal and one external. All updates have been applied to both 2003 R2 and ISA 2004. And, as originally posted, I have checked it with the command line. It is the same -- read-only.

Again, what I am really hoping for is to hear from someone that has made this work that can give me details of what access rules are necessary to make this work. It is obviously not straightforward or so many people would not be having similar problems. If you have it working, perhaps you can give me your access rules that make it work for you on ISA 2004? That is the only way I can see to solve this.

RE: FTP Uploads - 25.Jul.2006 11:12:39 PM
kharris_trc
Posts: 5
Joined: 25.Jul.2006
Status: offline

Thanks much. I have actually been through that page. But again, I can't make it work. Are you (or anyone else) able to upload to an external FTP site (passive)? If so, what rules do you have in place to make it work? There must be more than the standard FTP protocol outbound with the filter enabled (and no read-only check) from internal to external hosts. Oh, add the fact that the Firewall client is installed and appears to be working correctly. There must be something missing. I have scoured the Internet looking for instructions on how to make this work, and so far, nothing. All I can find is other people that have had similar problems.

RE: FTP Uploads - 9.Aug.2006 12:07:43 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi ernest_emj,

check out if the 'read only' flag is unchecked on the FTP protocol rule. If that's not the case it would disable any FTP write operation for SecureNAT and Firewall clients. Another reason that you can't perform FTP write operations might be that the client is configured as Web Proxy client only.

BTW --- I assume you are running ISA SP2 with all latest updates.

HTH,
Stefaan

RE: FTP Uploads - 19.Aug.2006 7:05:15 PM
arouet99
Posts: 6
Joined: 18.Aug.2006
Status: offline

I had a lot of problems with this. I was unable to upload via IE or other browsers. However, when I installed a dedicated FTP Program like Cute FTP or FTP Explorer, I was able to get it to work for both downloads and uploads to external FTP sites.

RE: FTP Uploads - 20.Aug.2006 3:03:14 PM
arouet99
Posts: 6
Joined: 18.Aug.2006
Status: offline

Thanks Stefaan, I will look at that tomorrow at work. Arouet99

RE: FTP Uploads - 20.Aug.2006 3:14:55 PM
arouet99
Posts: 6
Joined: 18.Aug.2006
Status: offline

Stefaan,

You might help me on another issue. I am a High School IT teacher and by default the IT manager. We host our own Web Site on one of the servers. I am trying to set up remote FTP access so I can update the Web Site from home. Access to the Web Site is fine and we even have a link on the Home page to OWA for the staff and Student Exchange Email Accounts. I thought I had set up the rules correctly for FTP access, but I can't get it to work. This is the text from an attempt to access via FTP Explorer. We are running ISA Server 2004 on Win 2003 server.

Arouet99

Connecting to: Oxley FTP
Connection Established
220-Microsoft FTP Service
220 Oxley College FTP Site
Connected to: Oxley FTP
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS
230 Anonymous user logged in.
SYST
215 Windows_NT
PWD
257 "/" is current directory.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (192,168,1,253,77,11)
LIST
425 Can't open data connection.

RE: FTP Uploads - 20.Aug.2006 11:01:13 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi arouet99,

according to the posted info, the FTP control connection succeeds but there is something seriously wrong with the negotiation of the FTP data connection.

quote:
227 Entering Passive Mode (192,168,1,253,77,11)

That's a private IP address! So, if you are testing from an external location (e.g. from home) that will never work. In other words, a NAT device along the path doesn't translate the FTP control data correctly.

Are you running ISA 2004 SP2 with the following post-SP2 updates:

You should because SP2 solves a number of FTP problems.

HTH,
Stefaan

RE: FTP Uploads - 21.Aug.2006 2:43:56 PM
arouet99
Posts: 6
Joined: 18.Aug.2006
Status: offline

Stefaan,

As I indicated in an earlier post I am not an IT expert. We outsource the technical stuff. The IT "expert" attempted to set up the remote FTP access to our Web Site. I examined the ISA Server today to get the details of the rule. Here are the details of the Server Publishing Rule.

General Tab: Name = FTP Web Update, Enable = true
Action Tab: Allow = True, Log Requests = True
Traffic Tab: Allow network traffic using the following protocol: FTP Server. Properties Port Range = 21, Protocol Type = TCP, Direction = Inbound, Application Filters: FTP Access Filter = True
From Tab: Anywhere
To Tab: Network address of the Server to Publish = 192.168.0.252, (This is the address of the Server on which the Web Site Files are stored), Requests appear to come from the original client = True
Networks Tab: Selected networks for this listener: External = True, Selected IPs = 192.168.1.253 (This is the External Network card on the ISA Server) All other boxes on the Networks Tab are unchecked.
Schedule Tab: Always (24*7)

On the Configures FTP protocol policy - Protocol Tab Read Only is Checked.

Appreciate your response on this

Arouet99

RE: FTP Uploads - 21.Aug.2006 10:00:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi arouet99,

the FTP server publishing rule looks good. However, the flag 'read only' should be cleared on the 'Configures FTP protocol policy - Protocol Tab' for full FTP access (read and write).

From where are you testing, from the internal or from the external network? Because the ISA external IP address is the private IP address 192.168.1.253 there must be another NAT device along the path. What is the public IP address that maps to the ISA external IP address?

HTH,
Stefaan

RE: FTP Uploads - 21.Aug.2006 11:30:06 PM
arouet99
Posts: 6
Joined: 18.Aug.2006
Status: offline

We have a static IP Address: 202.168.39.12 Is this what you mean? This is hinet.net.au, our ISP. Arouet99

RE: FTP Uploads - 22.Aug.2006 9:38:08 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Arouet99,

I've tested the FTP connection and this is the result:

quote:
MOVEit Freely version 3.2.0.1, compiled Apr 14 2005 17:15:42
FTPS is a command-line FTP client similar to the FTP.EXE that comes with Windows 2000, but it also implements secure FTP (with SSL), and passive mode. When used with MOVEit DMZ FTP server, also does on-the-fly compression and integrity checking.
Written by Standard Networks, Inc. See http://www.stdnet.com
ftp> open 202.168.39.12
220-Microsoft FTP Service
220 Oxley College FTP Site
Connected to 202.168.39.12.
User: anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: **
230 Anonymous user logged in.
ftp> ls
500 Invalid PORT command.
ftp> passive
Passive mode On .
ftp> ls
227 Entering Passive Mode (192,168,1,253,94,104)
Unable to connect to server: The connection timed-out. timeout=5
425 Can't open data connection.
ftp>

Clearly the FTP publishing isn't working, neither in active nor passive FTP mode. Because the FTP service is published on the ISA external interface IP address '192.168.1.253' it looks like the NAT device translating the public IP address '202.168.39.12' to the private IP address '192.168.1.253' isn't FTP aware. That NAT device should translate the IP addresses within the FTP control channel to the proper public IP addresses. In other words, it doesn't look like an ISA problem!

HTH,
Stefaan
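
An added example, not part of the original thread or written by any of its posters: a short Python check that decodes the 227 replies quoted above and compares the advertised data address with the address the client dialled on the control channel. It assumes both sessions were opened to the public address 202.168.39.12 given in the thread; the function names and verdict labels are made up for this illustration.

```python
import ipaddress
import re

# 227 reply format from RFC 959: "(h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(line):
    """Return (IPv4Address, port) from a 227 reply, or None for any other line."""
    m = PASV_RE.match(line.strip())
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError(f"field out of range in PASV reply: {line!r}")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]  # data port = p1 * 256 + p2


def classify(advertised, control_peer):
    """Compare the PASV address with the address the client dialled."""
    peer = ipaddress.IPv4Address(control_peer)
    if advertised == peer:
        return "ok"
    if advertised.is_private and not peer.is_private:
        return "private-address-leak"  # a NAT in the path did not rewrite the reply
    return "address-mismatch"


def audit_transcript(lines, control_peer):
    """Return [(ip, port, verdict)] for every 227 reply in a client transcript."""
    findings = []
    for line in lines:
        parsed = parse_pasv(line)
        if parsed:
            host, port = parsed
            findings.append((str(host), port, classify(host, control_peer)))
    return findings


# Reply lines quoted from the two transcripts in this thread; the rest is omitted.
SAMPLE = [
    "230 Anonymous user logged in.",
    "227 Entering Passive Mode (192,168,1,253,77,11)",
    "227 Entering Passive Mode (192,168,1,253,94,104)",
    "425 Can't open data connection.",
]

if __name__ == "__main__":
    for ip, port, verdict in audit_transcript(SAMPLE, "202.168.39.12"):
        print(f"{ip}:{port} -> {verdict}")
```

Both replies come back as private-address-leak, which matches Stefaan's reading that the device in front of the ISA server passes the control channel through without rewriting it.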