Welcome to ISAserver.org


FTP not working with Firewall client installed

FTP not working with Firewall client installed - 7.May2005 12:05:00 AM   
pupo888

 

Posts: 11
Joined: 6.May2005
Status: offline
Hi,

I've searched around but did not find anything on this issue. None of our users that have the ISA 2004 Firewall client installed are able to access FTP sites. Non-firewall clients with Proxy settings configured in IE accessing the same sites have no problem. Disabling the Firewall client (not a good idea anyway) doesn't make a difference.

The proxy logs show that the outbound ftp connections are allowed, but the firewall logs show unidentified IP traffic on random high ports going through ISA on port 8080 (as configured) but the connection is just opened then closed.

Has anyone else seen this by chance? Can you please direct me towards a solution? Our firewall policy allows outbound FTP on port 21, and we've tried configuring secondary connections (which can only be done by disabling the FTP Access Filter; I don't know if that's good or not). We've also tried the various combinations of browser settings (such as enable/disable ftp folder view, passive/port connections). We are running ISA 2004 SP1 on Windows 2003 Std.

Any help is greatly appreciated.

Thanks.

[ May 07, 2005, 12:05 AM: Message edited by: Pupo ]
Post #: 1
RE: FTP not working with Firewall client installed - 7.May2005 1:31:00 AM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
How many NICs? Route or NAT?

(in reply to pupo888)
Post #: 2
RE: FTP not working with Firewall client installed - 7.May2005 1:58:00 AM   
pupo888

 

Posts: 11
Joined: 6.May2005
Status: offline
2 NICs and doing NAT. All internal clients go out through the IP address of the external interface.

Thanks.

(in reply to pupo888)
Post #: 3
RE: FTP not working with Firewall client installed - 7.May2005 11:57:00 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Pupo,

first of all, you should use the default FTP protocol with the FTP Access filter bound to it. Don't create secondary connections yourself. That's not needed at all.

Is the Firewall client working? Check it out with the Firewall Client Tool for ISA Server 2004 at http://www.microsoft.com/downloads/details.aspx?FamilyId=F20F6267-273D-4870-B1E8-799B261B4786&displaylang=en .

Also, did you already try the standard Microsoft command line FTP client?

HTH,
Stefaan

(in reply to pupo888)
Post #: 4
RE: FTP not working with Firewall client installed - 7.May2005 7:58:00 PM   
pupo888

 

Posts: 11
Joined: 6.May2005
Status: offline
I tried it both ways. I figured that the FTP Access Filter should be all I need but firewall clients still cannot access anything via ftp. The firewall client appears to be working as we have no issues with anything else. Now whether it is working properly might be another story.
The ftp command-line client initiates a connection if we add an exception for it in the Firewall client configuration. But it then just hangs never asking for a user name. This is the case with any ftp site we try, with anonymous access or not.
Looking through the firewall logs we see entries for the firewall client and web proxy client when trying to do ftp. The web proxy entry says the connection is allowed. The firewall client says that the connection is initiated, then immediately closed. I would also note that there is no username or executable listed in the firewall log entries. We do see them with other programs, but we also have a lot of these "blank" firewall log entries that show source and destination, clientIP, but not the user or application which caused the firewall client to be used.

(in reply to pupo888)
Post #: 5
RE: FTP not working with Firewall client installed - 7.May2005 10:27:00 PM   
pupo888

 

Posts: 11
Joined: 6.May2005
Status: offline
More notes after reading other people's posts in the other forums:

The clients are already all configured to use passive ftp. I also saw the kb article regarding the active ftp issue, but all of our IE browsers are configured to use passive ftp.

Right now I'm thinking that something else must be wrong as we have FTP outbound enabled with the FTP Access Filter and Read-only disabled. Yet when users go to an ftp site - such as ftp.redhat.com (or any other) - for example a window within IE says something along the lines of uploads, moves etc can't be done because of the proxy settings. There are no restrictions on the ISA 2004 box. Even disabling all rules and going back to allow all outbound traffic doesn't do it.

It works fine with the firewall client disabled.

(in reply to pupo888)
Post #: 6
RE: FTP not working with Firewall client installed - 7.May2005 10:50:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Pupo,

what do you mean with "The ftp command-line client initiates a connection if we add an exception for it in the Firewall client configuration"? You shouldn't change the Firewall client config to use any FTP client! [Confused]

If there is no exec listed in the Firewall log then that means that those requests are not handled by the Firewall client. So, I suggest you grab the Firewall Client Tool for ISA Server 2004 to find out what's going on.

HTH,
Stefaan

(in reply to pupo888)
Post #: 7
RE: FTP not working with Firewall client installed - 7.May2005 10:57:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Sounds like you have web proxy (WP) configured for FTP. If you want to use FWC for FTP from IE, you need to disable WP. IE only warns about Read-Only if WP is set.

(in reply to pupo888)
Post #: 8
RE: FTP not working with Firewall client installed - 9.May2005 5:43:00 PM   
pupo888

 

Posts: 11
Joined: 6.May2005
Status: offline
What would I need to do to force all FTP to use the firewall client and not use web proxy at all? I don't see any settings in firewall policy nor in Networks/[my network]/firewall client tab that would allow me to do so.

Thank you in advance for your help. I'm digging through MS articles, KB, and the T.S. ISA 2004 book but I still have not found the pertinent information.

(in reply to pupo888)
Post #: 9
RE: FTP not working with Firewall client installed - 9.May2005 5:54:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I use GPOs to configure WP.

(in reply to pupo888)
Post #: 10
RE: FTP not working with Firewall client installed - 9.May2005 6:34:00 PM   
pupo888

 

Posts: 11
Joined: 6.May2005
Status: offline
Hi LLigetfa,

At the risk of sounding ignorant, could you please clarify? We currently have the Firewall Client deployed on virtually all of our Windows 2000/XP clients. We also configure the browsers through GP to Automatically Detect Settings in combination with DHCP Option 252 by DHCP Scope (as we use port 8080), and the Firewall Client also configures browsers with a routing script in the Use automatic configuration script field in IE (http://[ISA 2004 Server]:8080/array.dll?Get.Routing.Script).

So through GP we configure "Automatically detect settings", and leave the Enable Automatic Configuration box unchecked. When the Firewall Client loads on the client it automatically configures the browsers with the routing script.

I am guessing that this might not be the correct way to do it based on your reply?

Thank you all in the meantime for sharing some of your expertise.

(in reply to pupo888)
Post #: 11
RE: FTP not working with Firewall client installed - 9.May2005 8:12:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I don't use Automatic Configuration so cannot be certain, but I could not see where it would be able to give you the granularity to specify that WP not be used for FTP.

Back before AD and GPOs, I was using the IEAK to create custom IE settings. I now use preference mode GPOs to set all sorts of IE properties. Then, by applying a variety of GPOs on specific OUs and through the use of ACLs to specific groups, I can have different settings based on user's need.

I think the ISA integrated settings are too limited to be of much use.

(in reply to pupo888)
Post #: 12
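
An added example, not posted by anyone in the thread and not ISA Server's generated routing script: a hand-written proxy auto-config (PAC) function that returns DIRECT for ftp:// URLs, so the browser opens an ordinary socket that the Firewall client can handle instead of sending FTP to the Web Proxy listener. The proxy name isa.example.internal is a placeholder, port 8080 is the one mentioned above, and pointing IE at a custom file like this instead of the generated script is an assumption.

```javascript
// Added example: custom PAC logic in ES3-style JavaScript, so the same
// function body also loads in a browser's PAC engine.
// The host name is a placeholder; 8080 is the Web Proxy port named in the thread.
var PROXY = "PROXY isa.example.internal:8080";

// Lower-cased scheme of a URL ("http", "ftp", ...), or "" if there is none.
function schemeOf(url) {
  var i = url.indexOf(":");
  return i > 0 ? url.substring(0, i).toLowerCase() : "";
}

// True for single-label names such as "intranet" (no dots, not an IPv6 literal).
function isSingleLabel(host) {
  return host.indexOf(".") === -1 && host.indexOf(":") === -1;
}

// Entry point a PAC engine calls for every request.
function FindProxyForURL(url, host) {
  var scheme = schemeOf(url);
  // FTP never goes to the Web Proxy listener: DIRECT makes the browser open
  // a normal socket, which the Firewall client (or SecureNAT) then carries.
  if (scheme === "ftp") return "DIRECT";
  // Internal single-label hosts do not need the proxy either.
  if (isSingleLabel(host)) return "DIRECT";
  // Only web schemes are proxied; anything unknown stays direct.
  if (scheme === "http" || scheme === "https") return PROXY;
  return "DIRECT";
}

// Review helper: evaluate a list of URLs and return "url -> decision" lines,
// so the routing can be checked before the file is rolled out by GPO or DHCP.
function explainRoutes(urls) {
  var out = [];
  for (var i = 0; i < urls.length; i++) {
    // Host part, skipping optional userinfo ("user@") and stopping at port/path.
    var m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^\/@]*@)?([^\/:?#]+)/i.exec(urls[i]);
    out.push(urls[i] + " -> " + FindProxyForURL(urls[i], m ? m[1] : ""));
  }
  return out;
}
```

With FTP routed this way it is governed only by the firewall policy rule and its FTP Access Filter, and FTP requests stop appearing in the Web Proxy log. Machines without the Firewall client need a SecureNAT path through ISA for FTP to work at all.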
RE: FTP not working with Firewall client installed - 9.May2005 8:33:00 PM   
pupo888

 

Posts: 11
Joined: 6.May2005
Status: offline
I'm still not certain what I would change then. Ideally I would like all of our clients to use the Firewall Client for all FTP (uploads and downloads) - and not Web Proxy, and for vendors and consultants who come in to be able to have FTP download capability through web proxy. Right now I am unsure how to do this. The key problem is still that with the Firewall Client enabled no one can do FTP at all. The log shows connections from the computers for both Web Proxy and Firewall Client. The Web Proxy says that the connection is allowed, and the firewall client simply initiates and closes the connection right away. There are no "denied" messages. The interim solution right now has been to turn off ISA accepting firewall clients which basically turns everyone into Web Proxy and SecureNAT clients. This at least allows FTP downloads, although uploads do not work. This is not the solution we want though.

Any other input is greatly appreciated.

Thanks.

(in reply to pupo888)
Post #: 13
RE: FTP not working with Firewall client installed - 9.May2005 9:02:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Pupo,

to enable FTP upload, right click the FTP access rule and uncheck the read-only flag in the FTP access filter.

Did you already download the Firewall Client Tool for ISA Server 2004 and use it to verify the configuration?

HTH,
Stefaan

(in reply to pupo888)
Post #: 14
RE: FTP not working with Firewall client installed - 9.May2005 9:16:00 PM   
pupo888

 

Posts: 11
Joined: 6.May2005
Status: offline
We already have the Read-only flag unchecked in the FTP Access filter. It's not making a difference.

I also downloaded and ran the Firewall Client Tools for ISA 2004 with all the various options, but do not see anything out of the ordinary. The configs match the settings we configured on the server, and the connectivity is good. There are also no failures.

(in reply to pupo888)
Post #: 15
RE: FTP not working with Firewall client installed - 9.May2005 9:43:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Pupo,

it sounds like we are going round and round in circles! [Frown]

Let's take another approach and verify things from scratch. First of all, post the result of the command ipconfig /all on ISA *unmodified*.

HTH,
Stefaan

(in reply to pupo888)
Post #: 16
RE: FTP not working with Firewall client installed - 9.May2005 10:45:00 PM   
pupo888

 

Posts: 11
Joined: 6.May2005
Status: offline
I don't think there is anything secret here:

Ethernet adapter Outside:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC3163 Fast Ethernet NIC #2
Physical Address. . . . . . . . . : 00-08-02-B2-BE-9B
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.204.254
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.204.10
DNS Servers . . . . . . . . . . . : 10.9.2.2
10.95.2.2
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Inside:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC3163 Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-08-02-B2-BE-9C
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.95.2.254
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.95.2.2
10.9.2.2
Primary WINS Server . . . . . . . : 10.9.2.2
Secondary WINS Server . . . . . . : 10.95.2.2

(in reply to pupo888)
Post #: 17
RE: FTP not working with Firewall client installed - 9.May2005 11:42:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Pupo,

ok, your external interface is on a private network ID. So, what's upstream to your ISA server?

The next step could be to place an FTP server on your external segment and test an FTP upload and download. Is this feasible?

HTH,
Stefaan

[ May 09, 2005, 11:42 PM: Message edited by: spouseele ]

(in reply to pupo888)
Post #: 18
RE: FTP not working with Firewall client installed - 10.May2005 12:36:00 AM   
pupo888

 

Posts: 11
Joined: 6.May2005
Status: offline
There's a hardware firewall which allows all connections from the ISA Server.

(in reply to pupo888)
Post #: 19
RE: FTP not working with Firewall client installed - 13.May2005 10:47:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Pupo,

what's the outcome of my suggestion
quote:
The next step could be to place an FTP server on your external segment and test an FTP upload and download.
HTH,
Stefaan

(in reply to pupo888)
Post #: 20
