Welcome to ISAserver.org

FTP access that need Authentication

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> FTP access that need Authentication

Page: [1]

Message

<< Older Topic Newer Topic >>

FTP access that need Authentication - 1.Sep.2003 2:43:00 PM

stain

Posts: 3
Joined: 1.Sep.2003
From: LONDON
Status: offline

Hi There,

I have a small problem. ISA 2000 and firewall clients installed on the workstations. I can not access any FTP sites at all.

After adding a few filters I can now get FTP access from the workstations, BUT "[Frown]"

Any ftp site that requires a logon and password does not come up. Times out. All other FTP sites work ok like ftp.compaq.com

Any help would be great. Even perhaps to set the FTP filters up from scratch.

Thanks
Stain

Post #: 1

Featured Links*

RE: FTP access that need Authentication - 1.Sep.2003 9:23:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Stain,

what do you mean with "After adding a few filters I can now get FTP access from the workstations"? What have you done so far? What ISA client types are you using: Web Proxy, Firewall or SecureNAT client? What FTP client are you using? ...

Also, check out my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html .

HTH,
Stefaan

(in reply to stain)

Post #: 2

RE: FTP access that need Authentication - 2.Sep.2003 4:02:00 AM

jdurand

Posts: 20
Joined: 16.Jul.2003
From: Australia
Status: offline

I have always had the same problem. I have read both yours and Toms articles and have never been able to get it working. What perplexes me the most is if I open all the protocols just to test, It works on the ISAserver but not on the workstations. I am using firewall client with autoconfig script. I still can't get direct access with firewall client. I have ordered Tom's book but finally got sick of not knowing so I got a supposed professional to come out(from the yellow pages).He spent a few hours but didn't know any more than I do.
I don't think there aren't many of us using it here in Australia.
Jim Durand

(in reply to stain)

Post #: 3

RE: FTP access that need Authentication - 2.Sep.2003 10:46:00 AM

stain

Posts: 3
Joined: 1.Sep.2003
From: LONDON
Status: offline

Hi Guys,

The client machines are running the Firewall Client. Also tried with "Enable folder view for FTP sites" tick etc to no avail.

On the ISA have the following filters in place

TCP
Inbound
Dynamic
Fixed Port (Tried All Ports)
Port Number 20

TCP
Outbound
Dynamic
Fixed Port (Tried All Ports)
Port Number 21

TCP
Outbound
Dynamic
All Ports

Please help me out guys as I need to get this sorted. Thanks in advance

Stain

(in reply to stain)

Post #: 4

RE: FTP access that need Authentication - 2.Sep.2003 8:07:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Stain,

that seems to be IP packet filters! [Frown]

Never, NEVER create IP packet filters for internal clients, it will NOT work! You need to create protocol and site&content rules. Those rules will create *dynamically* the necessary IP packet filters when needed. So, get rid of those ugly IP packet filters asap! [Big Grin]

Make sure that:
1) you have a protocol rule allowing the FTP protocol.
2) you have a site&content rule allowing access to the destination.
3) the FTP application filter is enabled.
4) you test with the Microsoft command line FTP client. Once that is working, you can experiment with IE as an FTP client.

HTH,
Stefaan

[ September 02, 2003, 08:08 PM: Message edited by: spouseele ]

(in reply to stain)

Post #: 5

RE: FTP access that need Authentication - 2.Sep.2003 11:20:00 PM

jdurand

Posts: 20
Joined: 16.Jul.2003
From: Australia
Status: offline

Sorry to jump in on Stefaan but as I am having the same problem maybe we can work together. I have tried everything you said above and I still can't get ftp working on the command line(from isaserver as admin) unless I enable a filter allowing everything.
I have made sure ftp application is enabled.
I got rid of the ftp filters that previous articles suggested creating.
I have s&c rule allowing permission to destination.
I have protocol rule allowing all ftp.
Any other suggestions?
I too would give my kingdom to get this sorted out.
Jim Durand

(in reply to stain)

Post #: 6

RE: FTP access that need Authentication - 2.Sep.2003 11:37:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Jim,

aha... Stain is using the Firewall client. So his problem is with internal clients (or I'm missing something?). You are talking about using FTP from the ISA itself. That's something quite different!

Protocol and site&content rules are for internal hosts. When you want to give an FTP client on ISA itself outbound access then you have to use IP packet filters, a configuration I strongly advice against. Is there any particular reason why you want to FTP from ISA itself?

BTW --- is IIS running on ISA too?

HTH,
Stefaan

[ September 02, 2003, 11:40 PM: Message edited by: spouseele ]

(in reply to stain)

Post #: 7

RE: FTP access that need Authentication - 3.Sep.2003 5:57:00 AM

jdurand

Posts: 20
Joined: 16.Jul.2003
From: Australia
Status: offline

Sorry to mislead. I do not want to ftp from ISA, that is just the only place I could get it working for testing. I am using firewall client as well. Even when I had it working by opening everything up it didn't work on the client. I see now that, that is irrelevant. I went back and tested on the client and I am the most excited I have been for two years, I can actually ftp through command! BRB
Hang on, I can use Ws-ftp now!
I owe you my kingdom, unfortunately it isn't worth much.
Thanks so much, I can't believe it was so easy in the end. I think your article led me to believe I needed those filters.
Oh yeah, I am running IIS as I use SMTP to forward mail to my support server running NAV for Gateways. I also redirect POP3 to my Exchange Server. Is this bad?
Jim

(in reply to stain)

Post #: 8

RE: FTP access that need Authentication - 3.Sep.2003 8:56:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Jim,

glad to hear you got it working! [Smile]

I you carefully reread my article you will see I only discuss the IP packet filters in section '4.1. Trihomed DMZ' scenario. [Cool]

In my opinion ISA server is supposed to be a firewall, not a general purpose server. So, you should never include ISA server in your server consolidation plan. If possible, never run extra services on ISA itself. You can't do it either on a Checkpoint, Cisco PIX, Netscreen, etc... [Big Grin]

HTH,
Stefaan

(in reply to stain)

Post #: 9

RE: FTP access that need Authentication - 4.Sep.2003 5:08:00 AM

jdurand

Posts: 20
Joined: 16.Jul.2003
From: Australia
Status: offline

Hang on. Our ISA is our gateway to our Satellite connection. How do I relay mail through it without using the SMTP virtual server, and make sure no one else relays through it?

(in reply to stain)

Post #: 10

RE: FTP access that need Authentication - 4.Sep.2003 10:41:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Jim,

I'm not a mail guy, just a networking guy! [Big Grin]

So, I suggest you start a new topic for this problem.

Thanks,
Stefaan

[ September 04, 2003, 10:42 PM: Message edited by: spouseele ]

(in reply to stain)

Post #: 11

RE: FTP access that need Authentication - 5.Sep.2003 12:41:00 AM

jdurand

Posts: 20
Joined: 16.Jul.2003
From: Australia
Status: offline

Ok, thanks for all your help!
Jim

(in reply to stain)

Post #: 12

RE: FTP access that need Authentication - 5.Sep.2003 10:32:00 AM

stain

Posts: 3
Joined: 1.Sep.2003
From: LONDON
Status: offline

Hi Guys,

I have been reading the posts and will try what was suggested later today... Just thought i would drop you a quick line to let you know I have not gone of the face of the earth. will let you know how I get on.

Regards

Stain

(in reply to stain)

Post #: 13

RE: FTP access that need Authentication - 5.Sep.2003 10:37:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Stain,

OK, let us know how it works for you!

Thanks,
Stefaan

(in reply to stain)

Post #: 14

RE: FTP access that need Authentication - 10.Sep.2003 6:03:00 PM

jamesorl

Posts: 25
Joined: 20.Nov.2002
Status: offline

What are you reffering to when you mention application filters. I am having a similair problem that "happened out of the blue" where early one day my ftp ( through client and command line ) was working and then all of the sudden no longer works. HTTP still works and I see in the log that the ftp sites I try to get to are being blocked on UDP ports 137 & 138

quote:
Originally posted by spouseele:
Hi Stain,

that seems to be IP packet filters!

Never, NEVER create IP packet filters for internal clients, it will NOT work! You need to create protocol and site&content rules. Those rules will create *dynamically* the necessary IP packet filters when needed. So, get rid of those ugly IP packet filters asap!

Make sure that:
1) you have a protocol rule allowing the FTP protocol.
2) you have a site&content rule allowing access to the destination.
3) the FTP application filter is enabled.
4) you test with the Microsoft command line FTP client. Once that is working, you can experiment with IE as an FTP client.

HTH,
Stefaan

(in reply to stain)

Post #: 15

RE: FTP access that need Authentication - 10.Sep.2003 9:47:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi jamesorl,

you will find the FTP application filter in the MMC, node extension -> Application filters.

The FTP protocol uses TCP port 21 as primary connection. So, the UDP ports 137 & 138 have nothing todo with the FTP protocol. For full details about how ISA handles the FTP protocol, check out my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html .

HTH,
Stefaan

(in reply to stain)

Post #: 16