Welcome to ISAserver.org

FTP Uploads From Perimeter Network [not working]

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> FTP Uploads From Perimeter Network [not working]

Page: [1] 2 3 next > >>

Message

<< Older Topic Newer Topic >>

FTP Uploads From Perimeter Network [not working] - 24.Aug.2006 12:29:47 AM

mhowells

Posts: 32
Joined: 18.Mar.2003
Status: offline

I've researched a number of posts on this and related forums, ran Ethereal traces, changed every single option in IE and the ISA Server and still cannot get Internet Explorer to get an outbound FTP connection to work as either a SecureNAT Client or as a Web Proxy Client. With all of the other issues people are having I'm seriously beginning to wonder if this is a bug inherent to ISA Server 2004?

Here is what I have:

Windows 2003 R2 and ISA Server 2004 (fully patched w/SP2).
3 NIC's: Internal, Campus and External.
Network Rule: Campus to External is NAT.
Firewall policy: Campus to External (All Outbound Traffic allowed).
FTP (Read-Only) is unchecked.

Clients are in the campus network, running the x64 Edition of XP and using the 32-bit version of IE.

The FTP site I am attempting to go to is running IIS 5.0 so the FTP server is not configured for Passive FTP.

=====

Client Test #1:

IE Folder View is enabled.
IE Passive FTP is disabled.
IE configured as a SecureNAT client.

Error from Test #1:

"An error occurred opening that folder on the FTP Server. Make sure you have permission to access that folder.
Details:
200 Type set to A.
500 Invalid PORT command.
500 'LPRT 6,16,0,0,0,0,0,0,0,149,163,77,125,24,24,98,125,2,17,28': command not understood.

=====

Client Test #2:

IE Folder View is disabled.
IE Passive FTP is disabled.
IE configured as a SecureNAT client.

Error from Test #2:

The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

=====

Client Test #3:

IE Folder View is enabled.
IE Passive FTP is disabled.
IE configured as a Web Proxy client via port 80.

Error from Test #3:

"An error occurred opening that folder on the FTP Server. Make sure you have permission to access that folder.
Details:
200 Type set to A.
500 Invalid PORT command.
500 'LPRT 6,16,0,0,0,0,0,0,0,149,163,77,125,24,24,98,125,2,17,147': command not understood.

=====

Client Test #4:

IE Folder View is disabled.
IE Passive FTP is disabled.
IE configured as a Web Proxy client via port 80.

Error from Test #4:

Error Code: 502 Proxy Error. The login request was denied. The logon account might have been disabled or logon information might have changed. Log on again to verify that the information was typed correctly. If the problem continues, report the problem to the administrator of the Internet server you are requesting. (12015)

=====

Client Test #5:

IE Folder View is enabled.
IE Passive FTP is disabled.
IE configured as a Firewall Client.

It works without any issues.

=====

When I look at the logging of the ISA Server when I attempt to make an outbound FTP connection (using tests 1-4) I can see that my source port is listed as 0 instead of coming from a dynamically assigned port above 1023 and the action is listed as Failed Connection Attempt. This is very strange.

When I look at the logging of the ISA Server when I attempt to make an outbound FTP connection as a Firewall Client I can clearly see my request. The source port is correctly dynamically assigned above port 1023 and the request correctly comes back from the FTP server on port 20.

All of the Ethereal traces basically show the connection happening but when it gets to the DIR portion of the FTP connection it comes back with a COMMAND NOT UNDERSTOOD error.

I know the simple solution would be to install the Firewall Client on all of the desktops and be done with it. It's not that simple as there are other political issues at hand here. FTP uploading should be working with clients configured as SecureNAT clients but obviously this is not working!

Any and all help would be incredibly appreciated as I am simply out of ideas at this point.

Note: For those of you wondering how I was able to get the Firewall Client working on XP x64 Edition I had to download ISA 2006 RC1 and extract the Firewall Client from the executable using WinRar. The Firewall Client that comes with ISA 2004 will not work on XP x64 Edition.

Post #: 1

Featured Links*

RE: FTP Uploads From Perimeter Network [not working] - 24.Aug.2006 11:09:27 AM

samir7399

Posts: 18
Joined: 21.Jun.2006
Status: offline

Just a question:

Scenario Client Test 4

The web proxy port should be 8080 instead of 80 ?

Or have you changed it to 80 from the default?

(in reply to mhowells)

Post #: 2

RE: FTP Uploads From Perimeter Network [not working] - 24.Aug.2006 4:49:08 PM

mhowells

Posts: 32
Joined: 18.Mar.2003
Status: offline

We changed it from the default of 8080 to port 80 so that WPAD and DHCP Option 252 will work properly.

(in reply to samir7399)

Post #: 3

RE: FTP Uploads From Perimeter Network [not working] - 24.Aug.2006 9:23:57 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi mhowells,

which FTP client are you using?

The point is that "500 'LPRT 6,16,0,0,0,0,0,0,0,149,163,77,125,24,24,98,125,2,17,28': command not understood" is the "Long Data port" FTP command defined in the experimental RFC1639. I doubt that the ISA FTP protocol filter supports that command.

I strongly suggest that you test first your full FTP access with the standard Microsoft FTP command line client. If you can login and do a dir command, you have tested the FTP control and data connection. Take note that the Microsoft FTP command line client does not support passive mode. If you need to test passive mode too, use the free FTP command line client MoveIt Freely from Standard Networks.

HTH,
Stefaan

(in reply to mhowells)

Post #: 4

RE: FTP Uploads From Perimeter Network [not working] - 25.Aug.2006 12:02:05 AM

mhowells

Posts: 32
Joined: 18.Mar.2003
Status: offline

spouseele thanks for the quick reply.

When I open a command prompt and use the firewall client it works.

However, when I open a command prompt with the firewall client disabled I receive this error:

ftp> dir
500 Invalid PORT Command.
150 Opening ASCII mode data connection for /bin/ls.

When I run an Ethereal trace I see that the communication is all taking place as it should until my client issue the PORT request. I sent the following command: PORT 172,16,0,169,19,138\r\n.

The command prompt window then says, "Invalid PORT command" and then just sits there doing nothing. Ethereal shows the following:

500 Invalid PORT command.\r\n
Response code: Syntax error, command unrecognized (500)
Response arg: Invalid PORT command

(in reply to spouseele)

Post #: 5

RE: FTP Uploads From Perimeter Network [not working] - 25.Aug.2006 12:03:30 AM

mhowells

Posts: 32
Joined: 18.Mar.2003
Status: offline

I forgot to reply to your original question in that what FTP client am I using.

I was testing it with the 32-bit version of Internet Explorer 6.0.3790.1830.

Hope this helps.

(in reply to spouseele)

Post #: 6

RE: FTP Uploads From Perimeter Network [not working] - 25.Aug.2006 11:46:22 AM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi mhowells,

I've just tested a simular setup in my lab, however without X64 editions. It is an trihomed ISA configuration as shown in my article http://www.isaserver.org/articles/VPC2004_ISAlab.html with a NAT relation between Internal & External and Perimeter & External, and a ROUTE relation between Internal & Perimeter.

With ISA 2004 SP2 the FTP is working perfectly as well as a Firewall as a SecureNAT client. So, I would love to see your Ethereal trace of the failing FTP session as a SecureNAT client.

Also, what happens if you use a regular WinXP workstation from the same network and test with the standard Microsoft FTP command line client? Does it work then?

HTH,
Stefaan

(in reply to mhowells)

Post #: 7

RE: FTP Uploads From Perimeter Network [not working] - 25.Aug.2006 10:19:46 PM

mhowells

Posts: 32
Joined: 18.Mar.2003
Status: offline

>Also, what happens if you use a regular WinXP workstation from the same network
>and test with the standard Microsoft FTP command line client? Does it work then?

I just tested both the x32 and x64 editions of XP SP2 and had similar results.

I plan on performing Ethereal traces and I'll forward them to you once I'm done.

(in reply to spouseele)

Post #: 8

RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 5:28:16 AM

semendua

Posts: 9
Joined: 19.Jan.2005
Status: offline

I have seen similar problems, are you using a private or public address on your Perimeter network?

(in reply to mhowells)

Post #: 9

RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 5:38:46 AM

mhowells

Posts: 32
Joined: 18.Mar.2003
Status: offline

We're using private IP addresses. We do have a NAT relationship between us and external.

What kind of problems have you seen?

What have you done to alleviate/fix the problem (if anything)?

(in reply to semendua)

Post #: 10

RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 5:43:19 AM

mhowells

Posts: 32
Joined: 18.Mar.2003
Status: offline

>with a NAT relation between Internal & External and Perimeter & External
>and a ROUTE relation between Internal & Perimeter.

This is exactly how I have our environment architected. I can honestly see nothing wrong with it. We are also having problems with a Cisco VPN Client not working either, which I suspect is due to the problems were seeing with FTP. We have an incredibly simple network that is not complex. 2003 R2 and ISA 2004 SP2 were also recently re-built from scratch so I do not suspect a corrupt install. At this point, I'm open to any and all suggestions.

(in reply to spouseele)

Post #: 11

RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 12:20:03 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Mike,

quote:

We are also having problems with a Cisco VPN Client not working either, which I suspect is due to the problems were seeing with FTP.

Which kind of problems?

HTH,
Stefaan

(in reply to mhowells)

Post #: 12

RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 4:28:57 PM

mhowells

Posts: 32
Joined: 18.Mar.2003
Status: offline

The Cisco VPN client will actually connect and I will receive an IP address in the remote range. However, when I attempt to ping a pingable IP address on the remote network or access a web site in the remote network the request will fail.

(in reply to spouseele)

Post #: 13

RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 5:21:04 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Mike,

please take a network monitor trace at the same time on the ISA internal *and* external interface of a command line FTP session. You can send them to my email address.

All I can say so far is that the port command (PORT) doesn't succeed in all the captures you sent me. Because of that, your IE version tries also the "Long Data port" (LPRT) command. Because that one is not supported by the current ISA version, you see that failure "command not understood".

Are you sure you are running ISA 2004 SP2 and that the FTP Access Filter is enabled and bound to the FTP protocol?

The reason for this question is that I found an FTP bug in SP1 and that was definitely solved from SP2 onwards. The problem did *only* occure with active mode FTP and SecureNAT clients if you restrict the destination to a domain name set (FQDN). The issue was that the embedded IP address in the PORT command was not correctly translated by the ISA server (NAT relationship). If you used a computer set (IP addresses) or just External then everything worked.

BTW --- I'm running ISA 2004 SP2 Standard Edition with the updates KB916106 & KB920716.

HTH,
Stefaan

< Message edited by spouseele -- 26.Aug.2006 5:30:35 PM >

(in reply to mhowells)

Post #: 14

RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 5:34:41 PM

mhowells

Posts: 32
Joined: 18.Mar.2003
Status: offline

I can confirm that I have SP2 installed and KB916106 installed. However, I do not have KB920716 installed. I'll contact Microsoft PSS for that on Monday and get it installed hopefully later that evening. I'll also be sure to get a network monitor trace on Monday to see what is going on as well. Could you re-confirm what interfaces you'd like a Network Monitor trace of? Our infastructure is as follows:

ISA - Internal = 192.168.1.0/24
ISA - Campus = 172.16.0.0/22
ISA - External = <Internet>

The problem client is in the campus network.

(in reply to spouseele)

Post #: 15

RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 5:35:51 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Mike,

quote:

The Cisco VPN client will actually connect and I will receive an IP address in the remote range. However, when I attempt to ping a pingable IP address on the remote network or access a web site in the remote network the request will fail.

Once the VPN connection is up, the ISA server is not aware what traffic is going through the VPN connection. So, this problem looks more like a client configuration problem. Did you already check out my article http://www.isaserver.org/articles/IPSec_Passthrough.html and related topic http://forums.isaserver.org/m_130146700/tm.htm?

HTH,
Stefaan

(in reply to mhowells)

Post #: 16

RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 5:41:41 PM

mhowells

Posts: 32
Joined: 18.Mar.2003
Status: offline

I recall reading the first article but I'll have to look more closely at the second article. It appears that the problem indicated in the second article you list is exactly the problem that I'm encountering. I'll have to perform some additional network traces and see if ISA is dividing the packet into two TCP segments. It looks like this article thread was created in 2003 before ISA 2004 was released so I wonder if it is still applicable to ISA Server 2004?

(in reply to spouseele)

Post #: 17

RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 5:42:54 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Mike,

quote:

Could you re-confirm what interfaces you'd like a Network Monitor trace of? Our infastructure is as follows:

ISA - Internal = 192.168.1.0/24
ISA - Campus = 172.16.0.0/22
ISA - External = <Internet>

The problem client is in the campus network.

Of course, in that case it's the Campus and External interface I need. I want to see the translation of the embedded IP address and port number in the PORT command!

Does a command line FTP session works from your Internal network to that same FTP server?

HTH,
Stefaan

(in reply to mhowells)

Post #: 18

RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 5:45:38 PM

mhowells

Posts: 32
Joined: 18.Mar.2003
Status: offline

>Are you sure you are running ISA 2004 SP2 and that the
>FTP Access Filter is enabled and bound to the FTP protocol?

A HELP ABOUT in ISA Server shows the following version: 4.0.2165.610.

In the Configuration/Add-Ins section I'm showing the FTP Access Filter is enabled.

In the Protocols listing I'm showing the FTP Protocol (21/TCP/Outbound) as having the FTP Access Filter enabled in the checkbox.

(in reply to spouseele)

Post #: 19

RE: FTP Uploads From Perimeter Network [not working] - 26.Aug.2006 5:49:07 PM

mhowells

Posts: 32
Joined: 18.Mar.2003
Status: offline

>Does a command line FTP session works from your Internal network to that same FTP server?

HOLY FREAKING CRAP. I just tried an FTP command line from a server in the INTERNAL network to the same FTP server and it WORKED.

(in reply to spouseele)

Post #: 20