• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

FTP access issue with ISA 2004 proxy

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> FTP access issue with ISA 2004 proxy Page: [1]
Login
Message << Older Topic   Newer Topic >>
FTP access issue with ISA 2004 proxy - 22.Feb.2007 7:18:08 AM   
lavionline

 

Posts: 5
Joined: 10.Oct.2006
Status: offline
Hello ,
We are dealing with a typical problem at our end with FTP website access through ISA 2004 server. here are the details:-
We have an ISA 2004 server installed on a win2k3/SP1 server with single NIC. Single NIC template applied on it and it is running with SP2 with patch 916106. the LAT is configured properly by using the "ADD ADAPTER" option so that it automatically selects the LAT using the routing table of the NIC card. we have XP machines configured as proxy clients manually in their IE settings. All the HTTP/HTTPS websites are accessible fine without any issues. 
However, when it comes to FTP access, we do have a problem. When we try to open ftp.microsoft.com from command prompt(which uses active mode), it works fine. We can login anonymously and LS command also shows the files. when we try to access the same website through IE, it gives the following error:-

Error Code: 502 Proxy Error. The File Transfer Protocol (FTP) session was terminated. The connection was closed because of either a possible attempted security violation or a time out on the remote server. Reconnect to the server or check for server availability. No further action is required. (12111)

Then we go ahead and uncheck the option "Use folder view" in IE advanced options and thus force it to use active mode rather than passive mode but with same error as result.

In ISA logging, we see that client tried to use the rule and is denied connection. We are not using any surf control or websesnse or any other 3rd party product. If we bypass ISA, it works.
the rule we are using allows clients from "Internal network" to "Internal network" for all protocols, for all users.

We would really appreciate if anyone throws some more light in it or if someone has some fix for it.
Thank you.


 
Post #: 1
FTP access issue with ISA 2004 proxy - 23.Feb.2007 6:27:49 AM   
lavionline

 

Posts: 5
Joined: 10.Oct.2006
Status: offline
I would really appreciate if anyone gives a clue about it.
BTW, network trace shows ISA throws 407: authentication required in response to client's reqest for FTP website. it happens twice and then ISA throws error : Error Code: 502 Proxy Error. The File Transfer Protocol (FTP) session was terminated. The connection was closed because of either a possible attempted security violation or a time out on the remote server. Reconnect to the server or check for server availability. No further action is required. (12111)

on internal network, "Ask all users to authenticate " option is checked.

to me it looks like an authentication issue.
I would welcome if anyone has any thoughts to share.

(in reply to lavionline)
Post #: 2
RE: FTP access issue with ISA 2006 proxy - 20.Apr.2007 4:50:34 AM   
abdulaziz

 

Posts: 21
Joined: 15.Mar.2007
Status: offline
Hi everyone,
I am facing critical problem with downloading some ftp sites such as:
http://download.fedora.redhat.com/pub/fedora/linux/core/6/x86_64/iso/

My ISA Server version is 2006, SP1 Enterprise Edition

I am using Proxy for browsing setting. Attempts tried to solve this problem including from IE - Enable Folder view for FTP sites.

ISA Server firewall policy defined to allow FTP from Internal to External with NO luck.

Please i need your support guys.

Thanks,
Abdulaziz

(in reply to lavionline)
Post #: 3
RE: FTP access issue with ISA 2006 proxy - 20.Apr.2007 3:10:58 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,

check out:
- How the FTP protocol Challenges Firewall Security
- About the FTP Protocol Support in ISA Server
- http://www.microsoft.com/technet/isa/2006/ts_outbound_ftp.mspx

HTH,
Stefaan

(in reply to abdulaziz)
Post #: 4
RE: Microsoft ISA Server 2006 doesn't work with FTP sites - 21.Apr.2007 5:05:55 PM   
abdulaziz

 

Posts: 21
Joined: 15.Mar.2007
Status: offline
Dear all,
I finally conclude that with Proxy firewall ISA Server 2006 not possible to get through with FTP downloads or upload.

With all suggestions you have provided FTP is not working to my Internal Network.

I have been playing with registry changing like experts here you have suggested but still no luck.

My error is still persis " ISA Server Extended Error" this means ISA Server doesnt know to resolve the FTP protocols while all have been defined from Internal to External.

FTP is a big problem especially with Proxy Firewall.

Thanks,
Abdulaziz

(in reply to lavionline)
Post #: 5
RE: Microsoft ISA Server 2006 doesn't work with FTP sites - 22.Apr.2007 1:36:11 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Abdulaziz,

quote:

I finally conclude that with Proxy firewall ISA Server 2006 not possible to get through with FTP downloads or upload. 

That's definitely a wrong conclusion! ISA server does support fully the FTP protocol.

I strongly suggest you re-read the posted links. Also, if you want us to help further, you'll have to give us *exact* information about your specific network and ISA configuration.

HTH,
Stefaan

(in reply to abdulaziz)
Post #: 6
RE: Microsoft ISA Server 2006 doesn't work with FTP sites - 22.Apr.2007 3:54:56 PM   
abdulaziz

 

Posts: 21
Joined: 15.Mar.2007
Status: offline
hi,
My network is very simple. I have two NIC inside ISA Server 2006, with one pointing to Outside with Public IP Address provided by ISP.
The other card pointing to Internal Network where all my machine stay behind it.

ISA Server Management configured to allow FTP protocol from External to Internal and From Internal to Local host and External as well.

DNS protocols has been allowed as well together with HTTP, HTTPS, SMTP, POP3.

Behind ISA Server I can browse fine but not ftp any sites. It gives me ISA Server Extended error. Permission etc.

My browser is using Proxy which is an IP Address of ISA Internal IP Address.
I thought by just allowing FTP protocol is enough to allow me performing FTP downloading but not the case.

I have done all possibility including changing DWORD from registry, Enable Folder view FTP sites no luck yet.

Funny enough even inside ISA Server trying accessing ftp sites not allowing.

What else can be done!!!



(in reply to spouseele)
Post #: 7
RE: Microsoft ISA Server 2006 doesn't work with FTP sites - 22.Apr.2007 4:24:11 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Abdulaziz,

could you post some *exact* info about your specific configuration (ipconfig /all, route print)? Also, what network definitions and network rules do you have in place?

Did you ever try an FTP session from a command prompt with he standard Microsoft FTP command line client?

Thanks,
Stefaan

(in reply to abdulaziz)
Post #: 8
RE: Microsoft ISA Server 2006 doesn't work with FTP sites - 23.Apr.2007 3:20:34 AM   
abdulaziz

 

Posts: 21
Joined: 15.Mar.2007
Status: offline
hi,

Network Rules:
Localhost   Access - Route
Internet Access - NAT
VPN - Route

ftp from command line is working fine.

External NIC -
IP = 213.128.126.18
Subnet Mask = 255.255.255.248
Gateway = 213.128.126.17
DNS Server 82.206.47.2

Internal NIC
IP = 192.168.10.1
Subnet Mask = 255.255.255.0
No gateway
No DNS

route print captured couldn't posted because i dont how to add attachment over here. But it looks very ok

Anything else

(in reply to spouseele)
Post #: 9
RE: Microsoft ISA Server 2006 doesn't work with FTP sites - 23.Apr.2007 3:44:40 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Abdulaziz,

quote:

ftp from command line is working fine.

OK, that means that the ISA Server is correctly configured!

The standard Microsoft FTP command line client supports only FTP active mode. If you want to test FTP passive mode, I suggest you download and install MoveIt Freely as indicated in my blog http://blogs.isaserver.org/pouseele/2006/05/15/about-the-ftp-protocol-support-in-isa-server/.

Now, regarding the IE support for FTP, which version of IE are you talking about? For IE version up to an including 6, my blog gives you the details how IE should be configured. Take note that when IE act as a Web Proxy client for the FTP protocol (the IE setting Enable folder view for FTP sites is not checked)  only FTP download is possible by design.

HTH,
Stefaan 

(in reply to abdulaziz)
Post #: 10
RE: Microsoft ISA Server 2006 doesn't work with FTP sites - 24.Apr.2007 2:08:19 AM   
abdulaziz

 

Posts: 21
Joined: 15.Mar.2007
Status: offline
Hi stefaan,
I am glad now to say problem solved. Thank you very much for your untired effort in supporting me.

What i did was to add a rule that allowing FTP Server protocol. Earlier the firewall policy was allowing only FTP Protocol.

After doing that, FTP is working fine.

Abdulaziz

(in reply to spouseele)
Post #: 11
RE: Microsoft ISA Server 2006 doesn't work with FTP sites - 24.Apr.2007 2:24:57 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Abdulaziz,

that make no sense! The FTP Server protocol is for inbound access; in other words when you server publish an internal FTP server!

HTH,
Stefaan

(in reply to abdulaziz)
Post #: 12
RE: Microsoft ISA Server 2006 doesn't work with FTP sites - 25.Apr.2007 2:12:44 AM   
abdulaziz

 

Posts: 21
Joined: 15.Mar.2007
Status: offline
True,
The problem resume again I can't open ftp sites. For unknown reason last time after adding FTP Server Protocol it works right now stop.

One thing I have notice, may be could be the problem. ISA Server that I have in my network is not connected with DNS Server.

In fact I dont have DNS Server. I have been provided by ISP the IP Address, Subnet Mask and Default Gateway.

It seems the problem is DNS because when I am trying to ping www.google.com
its not resolving - I was expecting ISA to resolve the DNS from External NIC which has public IP's and DNS IP provided by ISP.

Is it possible for ISA Server to resolve DNS from ISP DNS IP Address??

My ISA Server has two NIC : One connected External - pointing to ISP settings
One connected to Internal behind my Network.

With this Architecture do you think ISA Server can resolve Internal Network DNS queries??
If possible how because i have allowed DNS protocols from Internal - to - External and opposite way. But with NO success.

Help me please

(in reply to abdulaziz)
Post #: 13
RE: Microsoft ISA Server 2006 doesn't work with FTP sites - 25.Apr.2007 4:45:36 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Abdulaziz,

quote:

Is it possible for ISA Server to resolve DNS from ISP DNS IP Address?
Yes, this should work and is controlled by a system policy rule.

quote:

With this Architecture do you think ISA Server can resolve Internal Network DNS queries?
Yes, this should work also, assuming the internal clients has the ISP DNS server configured on their NIC, and they are configured as a SecureNAT client, and there is a rule allowing the DNS protocol from Internal to External (or the ISP DNS server) forall users.

HTH,
Stefaan

(in reply to abdulaziz)
Post #: 14

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Cache] >> Web Proxy client >> FTP access issue with ISA 2004 proxy Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts