Welcome to ISAserver.org

FTP access

FTP access - 22.Nov.2005 6:54:57 PM   
bhavin78

 

Posts: 433
Joined: 18.Jul.2005
From: USA
Status: offline
Can anyone please help me figure out the FTP connection?
I have configured the client to use Web Proxy.
I only have 3 access policies:
default access policy
DNS lookup policy (allows everyone)
Internet access policy (allows the ftp, http, https... protocols to all users)
When a user tries to connect to FTP it does not work...
Do I have to configure something on the ISA server? Am I doing something wrong here?


This is the log error I get on the ISA server when I try to connect to FTP using an FTP client.
On the FTP client:
cant connect to FTP
host unreachable.
On the ISA server:
unidentified IP traffic
action denied
rule enterprise default rule
Post #: 1
RE: FTP access - 22.Nov.2005 8:12:31 PM   
mrupright

 

Posts: 68
Joined: 18.Oct.2004
Status: offline
Bhavin,

Have you installed the firewall client?

(in reply to bhavin78)
Post #: 2
RE: FTP access - 22.Nov.2005 8:41:19 PM   
bhavin78

 

Posts: 433
Joined: 18.Jul.2005
From: USA
Status: offline
I have not installed the Firewall client.
What difference is it going to make if I use the Firewall client?
I want to avoid installing the Firewall Client on all PCs.

(in reply to mrupright)
Post #: 3
RE: FTP access - 23.Nov.2005 4:50:11 PM   
mrupright

 

Posts: 68
Joined: 18.Oct.2004
Status: offline
Bhavin,

The rules you have defined should allow you to connect via ftp. Can anyone connect to any ftp site?  I don't mean to sound flippant, but are you sure that the ftp site you are trying to connect to is available?  From what your ftp client reports, it appears to be the case.  Can you connect to the site below?

ftp://ftp.loc.gov/pub



(in reply to bhavin78)
Post #: 4
RE: FTP access - 23.Nov.2005 4:58:11 PM   
bhavin78

 

Posts: 433
Joined: 18.Jul.2005
From: USA
Status: offline
I cannot connect to FTP using the FTP client.

I can use the IE browser to connect to any FTP site and it works fine, but not with the FTP client.

A SecureNAT client can connect to any FTP site using the FTP client, but not with Web Proxy.


(in reply to mrupright)
Post #: 5
RE: FTP access - 23.Nov.2005 8:37:02 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,

maybe http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html could be of any help.

HTH,
Stefaan

(in reply to bhavin78)
Post #: 6
RE: FTP access - 23.Nov.2005 9:04:19 PM   
bhavin78

 

Posts: 433
Joined: 18.Jul.2005
From: USA
Status: offline
Good article, but I still cannot figure out my issue with FTP using the FTP client.

(in reply to spouseele)
Post #: 7
RE: FTP access - 23.Nov.2005 9:12:03 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi bhavin78,

is the client configured as a SecureNAT client?
If that's the case, can the client resolve the FQDN of the external FTP server?
If that works too, try the standard Microsoft FTP command line client to connect to an external FTP server. What's the result and what is the ISA log telling you?

HTH,
Stefaan 

(in reply to bhavin78)
Post #: 8
RE: FTP access - 23.Nov.2005 9:54:54 PM   
bhavin78

 

Posts: 433
Joined: 18.Jul.2005
From: USA
Status: offline
is the client configured as a SecureNAT client?
CLIENT IS CONFIGURED AS WEBPROXY BUT WHEN IT'S CONFIGURED AS SECURE NAT IT WORKS

If that's the case, can the client resolve the FQDN of the external FTP server?

If that works too, try the standard Microsoft FTP command line client to connect to an external FTP server. What's the result and what is the ISA log telling you?
I TRIED FTP.MICROSOFT.COM AND IT GAVE ME AN ERROR  (UNKNOWN ERROR NUMBER)


HTH,
Stefaan 

(in reply to spouseele)
Post #: 9
RE: FTP access - 23.Nov.2005 10:10:06 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi bhavin78,

you'll have to learn to be more precise in your answers...

On one hand you said 'WHEN IT'S CONFIGURED AS SECURE NAT IT WORKS' and on the other hand you said 'I TRIED FTP.MICROSOFT.COM AND IT GAVE ME AN ERROR  (UNKNOWN ERROR NUMBER)'.

Now, the standard Microsoft FTP command line client can only send requests as SecureNAT or Firewall client, not as Web Proxy client. So, let me rephrase the question: can you access ftp.microsoft.com with the Microsoft FTP command line client? If not, what are the client and the ISA log telling you? Please post the relevant ISA log entries.

HTH,
Stefaan

(in reply to bhavin78)
Post #: 10
RE: FTP access - 25.Nov.2005 4:02:11 PM   
bhavin78

 

Posts: 433
Joined: 18.Jul.2005
From: USA
Status: offline
When I configure the client as SecureNAT, FTP works using the browser and the FTP client.

When I configure the client as Web Proxy, FTP works using the browser BUT FTP does not work using the FTP client.
I tried this with the client configured as Web Proxy:
ftp> open
To ftp.microsoft.com
> ftp: connect :Unknown error number
To ftp.microsoft.com
> ftp: connect :Unknown error number
ftp>

On the ISA server I don't see any logs when I run the above commands.

I tried my best to explain.

(in reply to spouseele)
Post #: 11
RE: FTP access - 25.Nov.2005 4:20:01 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
OK, so where is the problem?  What you describe is expected behavior and exactly as Stefaan explained.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to bhavin78)
Post #: 12
RE: FTP access - 25.Nov.2005 4:23:53 PM   
bhavin78

 

Posts: 433
Joined: 18.Jul.2005
From: USA
Status: offline
I didn't understand what you mean to say. Please explain.

(in reply to LLigetfa)
Post #: 13
RE: FTP access - 25.Nov.2005 5:12:53 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
What part of Stefaan's and my answer do you not understand?

Command line FTP does not use WP, plain and simple.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to bhavin78)
Post #: 14
RE: FTP access - 25.Nov.2005 6:03:52 PM   
bhavin78

 

Posts: 433
Joined: 18.Jul.2005
From: USA
Status: offline
This is what I tried with the SecureNAT client.
C:\Documents and Settings\bpatel>ftp
ftp> open
To ftp.microsoft.com
Connected to ftp.microsoft.com.
220 Microsoft FTP Service
User (ftp.microsoft.com:(none)): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230-Welcome to ftp.microsoft.com.  Please also visit http://www.micros
wnloads.
230 Anonymous user logged in.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
dr-xr-xr-x   1 owner    group               0 Nov 25  2002 bussys
dr-xr-xr-x   1 owner    group               0 May 21  2001 deskapps
dr-xr-xr-x   1 owner    group               0 Apr 20  2001 developr
dr-xr-xr-x   1 owner    group               0 Nov 18  2002 KBHelp
dr-xr-xr-x   1 owner    group               0 Jul  2  2002 MISC
dr-xr-xr-x   1 owner    group               0 Dec 16  2002 MISC1
dr-xr-xr-x   1 owner    group               0 Feb 25  2000 peropsys
dr-xr-xr-x   1 owner    group               0 Jan  2  2001 Products
dr-xr-xr-x   1 owner    group               0 Apr  4  2003 PSS
dr-xr-xr-x   1 owner    group               0 Sep 21  2000 ResKit
dr-xr-xr-x   1 owner    group               0 Feb 25  2000 Services
dr-xr-xr-x   1 owner    group               0 Feb 25  2000 Softlib
226 Transfer complete.
ftp: 809 bytes received in 0.00Seconds 809000.00Kbytes/sec.
ftp>

So what about Web Proxy? I just want to know why I cannot connect to the FTP server using the FTP client when configured as a WP client.
What are the other options to make this work? I don't want to configure the client to use SecureNAT, as Windows groups authentication is not supported.

(in reply to LLigetfa)
Post #: 15
RE: FTP access - 25.Nov.2005 6:06:44 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi bhavin78,

I suggest you re-read my article again! As explained in there, IE can act as a Web Proxy, a Firewall or a SecureNAT client for FTP access. Everything depends on how IE is configured; in particular, the setting "Enable folder view for FTP sites" is very important. However, the Microsoft commandline FTP client can only act as a Firewall or SecureNAT client.
 
Also, take note that a Web Proxy client can only do FTP downloads by design. Therefore, if you need full FTP support then the clients must be Firewall and/or SecureNAT clients. To better understand how the different ISA clients interact with each other and the ISA server, check out my article http://www.isaserver.org/articles/IPSec_Passthrough.html section 4. Configuring ISA Clients. Maybe I should put that information in a separate article because it is so fundamental to really understand how things really work.

Another important thing to keep always in mind is that only Web Proxy and Firewall clients can authenticate against the ISA server. Therefore, if you want to use user authentication with full FTP support then the clients must be Firewall clients and you should not use IE as FTP client.


HTH,
Stefaan


< Message edited by spouseele -- 25.Nov.2005 6:12:35 PM >

(in reply to LLigetfa)
Post #: 16
RE: FTP access - 25.Nov.2005 6:11:49 PM   
bhavin78

 

Posts: 433
Joined: 18.Jul.2005
From: USA
Status: offline
Please help me to clear up the following....

I don't have too much knowledge of this. I read your article twice but am still confused. I just need to know the following; if you can please tell me straight I will understand better.

I just want to know why I cannot connect to the FTP server using the FTP client when configured as a WP client.
Is it possible to connect to an FTP server using the FTP client when configured as WP? Why?

What are the other options to make this work?
I don't want to configure the client to use SecureNAT, as Windows groups authentication is not supported.
I want to avoid installing the Firewall client on users' PCs.

(in reply to bhavin78)
Post #: 17
RE: FTP access - 25.Nov.2005 6:20:36 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi bhavin78,

by design a Web Proxy client can only use the protocols HTTP, HTTPS and FTP through HTTP. Therefore the normal FTP protocol is *not* supported. Nothing you can do about that because it is by design.

So, you have no other option than using the Firewall client for non-HTTP protocols if you want to support user authentication.

HTH,
Stefaan

< Message edited by spouseele -- 25.Nov.2005 6:23:21 PM >

(in reply to bhavin78)
Post #: 18
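
The "FTP through HTTP" behaviour described in the reply above, as an added illustration that is not part of the thread or of any poster's message. Python's urllib stands in for a proxy-aware client such as a browser, a loopback listener stands in for the Web Proxy listener, and ftp.example.invalid is a constructed placeholder that is never contacted.

```python
import socket
import threading
import urllib.request

# Constructed placeholder target; it is never resolved or contacted.
FTP_URL = "ftp://ftp.example.invalid/pub/"


def capture_proxy_request(url=FTP_URL):
    """Fetch an ftp:// URL via a loopback stand-in proxy; return what it received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {}

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while b"\r\n\r\n" not in data:      # read the full request head
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            lines = data.decode("latin-1").split("\r\n")
            seen["request_line"] = lines[0]
            seen["headers"] = {
                k.strip().lower(): v.strip()
                for k, _, v in (ln.partition(":") for ln in lines[1:] if ln)
            }
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n"
                         b"Connection: close\r\n\r\n")

    worker = threading.Thread(target=serve_once, daemon=True)
    worker.start()
    # Map the ftp scheme to an HTTP proxy, as a Web Proxy client does.
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"ftp": f"http://127.0.0.1:{port}"}))
    with opener.open(url, timeout=5) as resp:
        seen["status"] = resp.status
    worker.join(timeout=5)
    srv.close()
    return seen


if __name__ == "__main__":
    # ftplib.FTP, like a command-line FTP client, has no proxy setting: it opens
    # its control connection straight to port 21 of the FTP server instead.
    print(capture_proxy_request())
```

The proxy receives an HTTP GET whose target is the full ftp:// URL, so the client itself never speaks the FTP protocol; a client with no proxy support has no equivalent path and must reach the server as a SecureNAT or Firewall client.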
RE: FTP access - 25.Nov.2005 6:33:03 PM   
bhavin78

 

Posts: 433
Joined: 18.Jul.2005
From: USA
Status: offline
Now my understanding is that the FTP client is not supported by WP (WP only supports HTTP and HTTPS; even though you can add FTP to the list of protocols, it's not supported) but I can use IE to browse an FTP server.

What about Yahoo Messenger with WP? It's not working for me.

(in reply to spouseele)
Post #: 19
RE: FTP access - 25.Nov.2005 6:48:46 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:

What part of Stefaan's and my answer do you not understand?

Command line FTP does not use WP, plain and simple.

Now, it is very clear by your example that you use commandline FTP and it is also clear by your response that you want the Microsoft commandline FTP to behave differently than what Microsoft intended.

As I already said, the commandline FTP does NOT use web proxy.  You need to accept that and move on.

Web Proxy is an application layer proxy and while there are applications such as IE that support it, the OS at the commandline does not.  The Firewall client, being a Winsock replacement, will support commandline FTP.

Stefaan wrote a good article that explains the three client types and how they work within the network OSI model.  You only need to accept that the commandline FTP does not support WP.  If you want that changed, you will have to ask Microsoft to change it but I'm pretty sure they cannot and will not.

< Message edited by LLigetfa -- 25.Nov.2005 6:51:45 PM >


_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to spouseele)
Post #: 20
