FTP server on the ISA machine
FTP server on the ISA machine - 23.Sep.2003 11:49:00 PM
andre@freaking.info
Posts: 68
Joined: 23.Sep.2003
From: New York
Status: offline
Hello,
I'm having trouble configuring an FTP server on the same computer as the ISA server.
I tried both methods suggested in MS article Q294679, setting up the application filters for TCP ports 21 and 20, and configuring a server publishing rule (disabled socket pooling and set EnablePortAttack to 1) -- and I'm still getting the error message "425 Can't open data connection" when trying to connect on port 21 to the ISA external interface.
Any suggestions?
Thanks, Andre. [ September 23, 2003, 11:54 PM: Message edited by: andre ]
RE: FTP server on the ISA machine - 24.Sep.2003 2:21:00 AM
Larsbe
Posts: 68
Joined: 23.May2001
Status: offline
The article said "either", not both.
You have to choose between either opening up packet filters or server publishing the FTP server.
If your client fails to connect on the FTP control channel (TCP/21), then check the direction of your packet filter (that is, if you chose this option). Otherwise check that the FTP Access Filter is enabled and the Server Publishing rule is active.
The packet filters are the simplest option, but they only allow PORT mode (active mode).
If you need passive mode (PASV), then follow the Server Publishing steps.
FTP.EXE is an active-mode-only client; does this work, or are you using another client to test?
Can you see your FTP data or control channel being blocked in the packet filter log?
Try starting a CMD prompt and run NETSTAT -anp TCP.
This will dump all TCP ports that Windows is listening on.
Look for either 0.0.0.0:21 LISTENING or on a specific IP address.
0.0.0.0 means any interface.
Regards, Lars
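As an added illustration of the NETSTAT check Lars describes (example code written for this page, not anything posted in the thread or shipped with ISA Server), the following Python parses `netstat -anp TCP` output and reports, for a given port, whether each listener is bound to 0.0.0.0 (every interface, which is what socket pooling produces) or to a specific address. The netstat text is a constructed sample, not a capture from Andre's machine, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Windows "netstat -anp TCP" output (made up for this
# example; the addresses only mirror the layout used in the thread).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.111:21       0.0.0.0:0              LISTENING
  TCP    192.168.2.111:21       0.0.0.0:0              LISTENING
  TCP    192.168.0.111:139      0.0.0.0:0              LISTENING
  TCP    192.168.2.111:3389     192.168.2.30:1055      ESTABLISHED
"""

# One netstat row: proto, local ip:port, foreign ip:port, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+:\d+\s+(\S+)\s*$")


def parse_listeners(netstat_output: str) -> List[Tuple[str, int]]:
    """Return (local_ip, port) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3).upper() == "LISTENING":
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def listeners_on_port(netstat_output: str, port: int) -> Dict[str, str]:
    """Map each local address listening on `port` to its bind scope.

    0.0.0.0 is a wildcard bind (the service is reachable on every interface,
    including the external one); anything else is bound to one interface.
    """
    scope = {}
    for ip, p in parse_listeners(netstat_output):
        if p == port:
            scope[ip] = "all interfaces" if ip == "0.0.0.0" else "specific interface"
    return scope


def bound_to_all_interfaces(netstat_output: str, port: int) -> bool:
    """True when a wildcard listener exists for `port`."""
    return "0.0.0.0" in listeners_on_port(netstat_output, port)


if __name__ == "__main__":
    for ip, scope in listeners_on_port(SAMPLE_NETSTAT, 21).items():
        print(f"{ip}:21  ({scope})")
```

Run it against a real capture by reading `netstat -anp TCP` output into a string; a wildcard listener on 21 means the FTP service would answer on the external interface on its own, outside any publishing rule.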
RE: FTP server on the ISA machine - 24.Sep.2003 3:29:00 AM
andre@freaking.info
Posts: 68
Joined: 23.Sep.2003
From: New York
Status: offline
After I disabled socket pooling, Windows is listening on port 21 on the internal and external interfaces separately (192.168.0.111:21 as internal and 192.168.2.111:21 as external).
If I disable the FTP publishing rule, Windows stops listening on the external interface, and I cannot connect on port 21 at all.
When I enable the publishing rule, with the IP packet filters for 21/inbound and 20/both either disabled or enabled, the following happens:
I tried telnet/ftp.exe/cuteftp using PORT and PASV modes. I can connect and issue some commands like USER and PASS, but when I try to LIST a directory - 425 error.
ftp.exe, after a DIR command, returns this: 500 Invalid PORT Command. 150 Opening ASCII mode data connection for /bin/ls.
and gets stuck...
In telnet I can see the 425 error. No packets are logged as blocked.
Thanks, Andre. [ September 24, 2003, 03:43 AM: Message edited by: andre ]
RE: FTP server on the ISA machine - 26.Sep.2003 11:18:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Andre,
if you use the server publishing method, which I prefer, do NOT create IP packet filters!
Check the LAT first. Keep in mind that the LAT should only contain your internal network IDs, nothing more, nothing less. Also check the ISA server interface settings. Use Jim's excellent article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html as a baseline.
HTH, Stefaan
RE: FTP server on the ISA machine - 26.Sep.2003 11:48:00 PM
andre@freaking.info
Posts: 68
Joined: 23.Sep.2003
From: New York
Status: offline
Hi, thank you for your response.
The LAT is OK; it contains 192.168.0.0-192.168.0.255 and nothing more.
I read this article a year ago, when I installed ISA server for the first time.
I have disabled the IP packet filters for FTP and am using only the publishing rule now, which is configured as follows:
Internal interface: 192.168.0.111 External IP: 192.168.2.111 Mapped protocol: FTP Server
IIS 6.0 FTP Server is configured on 192.168.0.111:21
I installed a network monitor, and now I can see the following after issuing the LIST command:
192.168.2.30 192.168.2.111 FTP Request: PASV
192.168.2.111 192.168.2.30 FTP Response: 227 Entering Passive Mode (192,168,2,111,47,217)
192.168.2.30 192.168.2.111 FTP Request: LIST
192.168.2.30 192.168.2.111 TCP 1064 > 12249 [SYN]
192.168.2.111 192.168.2.30 TCP 12249 > 1064 [SYN, ACK]
192.168.2.30 192.168.2.111 TCP 1064 > 12249 [ACK]
192.168.2.111 192.168.2.30 TCP 12249 > 1064 [FIN, ACK]
192.168.2.30 192.168.2.111 TCP 1064 > 12249 [ACK]
192.168.2.111 192.168.2.30 FTP Response: 426 Connection closed; transfer aborted.
192.168.2.30 192.168.2.111 1063 > FTP [ACK]
And that's it.
Maybe you have the slightest notion why this is happening?
Many thanks, Andre.
RE: FTP server on the ISA machine - 27.Sep.2003 11:42:00 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Andre,
looking at the trace file the FTP server (ISA external interface) tells the client to connect to TCP port 47*256 + 217 = 12249. The client makes the data connection and the data connection is accepted by the FTP server. So far so good. Then the FTP server closes the data connection.
So the question is, why does this happen? I must admit I've never tried it myself, because in my opinion ISA is supposed to be a firewall only, not a general purpose server. Therefore, can you test with an FTP server behind ISA?
HTH, Stefaan
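To make the port arithmetic and the trace reading in Stefaan's reply concrete, here is an added Python example (not code from the thread, from ISA Server or from IIS). It decodes an RFC 959 227 reply into host and port, checks that the advertised host is the same peer that sent the reply (a client should refuse a mismatch, since a NAT device that fails to rewrite the reply, or a hostile server, can advertise some other address), and then walks the TCP events on that port to answer two questions: did the three-way handshake complete, and which side sent the FIN. The trace lines are copied from Andre's post; the function names and the return keys are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 959 passive-mode reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# Network Monitor style line: "<src> <dst> <description>"
EVENT_RE = re.compile(r"^(\S+) (\S+) (.*)$")
# TCP description: "TCP <sport> > <dport> [<flags>]"
TCP_RE = re.compile(r"^TCP (\d+) > (\d+) \[([^\]]+)\]$")

# Trace lines copied from Andre's post above.
TRACE = [
    "192.168.2.30 192.168.2.111 FTP Request: PASV",
    "192.168.2.111 192.168.2.30 FTP Response: 227 Entering Passive Mode (192,168,2,111,47,217)",
    "192.168.2.30 192.168.2.111 FTP Request: LIST",
    "192.168.2.30 192.168.2.111 TCP 1064 > 12249 [SYN]",
    "192.168.2.111 192.168.2.30 TCP 12249 > 1064 [SYN, ACK]",
    "192.168.2.30 192.168.2.111 TCP 1064 > 12249 [ACK]",
    "192.168.2.111 192.168.2.30 TCP 12249 > 1064 [FIN, ACK]",
    "192.168.2.30 192.168.2.111 TCP 1064 > 12249 [ACK]",
    "192.168.2.111 192.168.2.30 FTP Response: 426 Connection closed; transfer aborted.",
]


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).

    The data port is p1*256 + p2, the arithmetic used in the reply above.
    """
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"not a 227 reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range")
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def analyse_passive_transfer(lines: List[str]) -> Dict[str, object]:
    """Find the 227 reply in a trace, then follow the TCP events on its data port."""
    server: Optional[str] = None   # peer that sent the 227 (control connection)
    host: Optional[str] = None     # host advertised inside the 227
    port: Optional[int] = None
    events: List[Tuple[str, str]] = []  # (sender, flags) seen on the data port
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        src, _dst, desc = m.groups()
        if "FTP Response: 227" in desc and host is None:
            server = src
            host, port = parse_pasv_reply(desc)
            continue
        t = TCP_RE.match(desc)
        if t and port is not None and port in (int(t.group(1)), int(t.group(2))):
            events.append((src, t.group(3)))
    handshake = [f for _, f in events[:3]] == ["SYN", "SYN, ACK", "ACK"]
    closed_by = None
    for sender, flags in events:
        if "FIN" in flags:
            closed_by = "server" if sender == server else "client"
            break
    return {
        "host": host,
        "port": port,
        # An advertised host that differs from the control peer is a red flag.
        "advertised_host_matches_peer": host == server,
        "handshake_completed": handshake,
        "closed_by": closed_by,
    }


if __name__ == "__main__":
    print(analyse_passive_transfer(TRACE))
```

On Andre's trace this reports port 12249, a completed handshake and a close initiated by the server side, which is exactly the reading Stefaan gives.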
RE: FTP server on the ISA machine - 27.Sep.2003 4:09:00 PM
andre@freaking.info
Posts: 68
Joined: 23.Sep.2003
From: New York
Status: offline
Just checked the configuration with the FTP server installed on a different computer - works, no problem, PORT and PASV modes. It looks like there's something on the ISA which prevents the data connection from being established.
Well, I will try to investigate it, but if you come across the solution one day, I'd appreciate it if you posted it here or somewhere.
Thanks! Andre.
RE: FTP server on the ISA machine - 28.Sep.2003 5:15:00 PM
andre@freaking.info
Posts: 68
Joined: 23.Sep.2003
From: New York
Status: offline
Hi Stefaan,
I got it to work with PORT mode. In this case the FTP server should be configured to listen on ALL interfaces (or only external, if you don't need FTP for the LAN side), as opposed to the Publishing Rule method, where it is supposed to listen only on the internal interface.
I read all of the mentioned articles and followed all the steps; it looks like even Microsoft didn't test this configuration properly, because it's not working : ) Maybe I'm missing something, but it doesn't seem like it... I will continue trying and will post the results here.
Andre.
RE: FTP server on the ISA machine - 28.Sep.2003 10:24:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Andre,
if you configure the FTP server on ISA to listen on all interfaces, then you can *not* use the publishing method.
Also, when testing with the publishing method, make sure there is a site & content rule in place allowing outbound access for any destination and any request.
HTH, Stefaan
RE: FTP server on the ISA machine - 28.Sep.2003 10:45:00 PM
smokeskull
Posts: 25
Joined: 28.Sep.2003
Status: offline
You should try connecting from an external network location. I have run into errors like the "no listing" error trying to FTP to the external interface from inside the network. Try it from web2ftp.com to see if it works.
RE: FTP server on the ISA machine - 28.Sep.2003 11:26:00 PM
andre@freaking.info
Posts: 68
Joined: 23.Sep.2003
From: New York
Status: offline
Stefaan: PORT mode works when the FTP Publishing Rule is disabled. Also I tested the configuration where a Web Publishing Rule is used to redirect HTTP as FTP requests to the internal server - worked OK. But this is not what I need...
Concerning site & content rules - I have it enabled only for LAT requests (set up a special client set for that) - might this have caused the problem? Hmmm... Tried to allow any request - still not working, same on the network monitor...
smokeskull: I'm testing the configuration from a computer which is external to ISA... I know about the problems with loopback.
Andre.
RE: FTP server on the ISA machine - 29.Sep.2003 9:38:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Andre,
when you use the IP packet filter method, getting Active mode FTP working is no big deal. However, for Passive mode FTP you need to allow inbound TCP connections to all high numbered ports. Needless to say, that is a very insecure configuration.
Now, when you test with the Server Publishing method, make sure that:
- the FTP server is *only* bound to the internal interface.
- you disabled the FTP Port Attack setting on IIS.
- you have disabled all the IP packet filters you created for the IP packet filter method.
Also, you have said multiple times that the data connection doesn't succeed. I don't agree with you on that point. According to the posted Network Monitor trace the data connection succeeds (TCP SYN ACK) but is closed, probably shortly after (TCP FIN). So it sounds like ISA is doing its job correctly and maybe there is a problem with the FTP server. Can you post an unmodified excerpt of the Firewall and IP packet filter logs? Just make sure you have enabled the logging of all fields on ISA and have set the logging to ISA format.
HTH, Stefaan
RE: FTP server on the ISA machine - 30.Sep.2003 1:47:00 AM
andre@freaking.info
Posts: 68
Joined: 23.Sep.2003
From: New York
Status: offline
Stefaan: Here is what I got.
I'm sure that the FTP server is listening only on the internal interface. When the Publishing Rule is disabled, netstat -na returns the following:
netstat -na |find ":21"
TCP 192.168.0.111:21 0.0.0.0:0 LISTENING
When I enable the Publishing Rule, the external interface starts to listen:
netstat -na |find ":21"
TCP 192.168.0.111:21 0.0.0.0:0 LISTENING
TCP 192.168.2.111:21 0.0.0.0:0 LISTENING
The EnablePortAttack flag is set to 1 for msftpsvc in the registry. The FTP Access application filter is enabled. All of the active mode packet filters are disabled.
When I try to connect to the FTP from the external machine (and the network monitor shows exactly the same as mentioned above), the FTP server logs the following:
| clienthst | user | date-time | service | machine | srvip | p-time | b-rcvd | b-sent | status | w32stat | operation |
| 127.0.0.1 | ftpuser | 9/29/2003 7:20:34 PM | MSFTPSVC1 | AK2003 | 192.168.0.111 | 0 | 0 | 0 | 331 | 0 | [3]USER |
| 127.0.0.1 | ftpuser | 9/29/2003 7:20:34 PM | MSFTPSVC1 | AK2003 | 192.168.0.111 | 219 | 0 | 0 | 230 | 0 | [3]PASS |
| 127.0.0.1 | ftpuser | 9/29/2003 7:20:48 PM | MSFTPSVC1 | AK2003 | 192.168.0.111 | 0 | 0 | 0 | 331 | 0 | [4]USER |
| 127.0.0.1 | ftpuser | 9/29/2003 7:20:48 PM | MSFTPSVC1 | AK2003 | 192.168.0.111 | 0 | 0 | 0 | 230 | 0 | [4]PASS |
And the packet filter logs only the usual NetBIOS packets:
| date | time | s-address | d-address | prot | s-port | d-port | tcpflgs | filter | interface | ip-header | payload |
| 9/29/2003 | 7:21:23 PM | 192.168.2.30 | 192.168.2.255 | Udp | 137 | 137 | - | BLOCKED | 192.168.2.111 | 45 00 00 4e 80 13 00 00 80 11 34 1e c0 a8 02 1e c0 a8 02 ff | 00 89 00 89 00 3a 7e 91 81 ef 01 10 00 01 00 00 00 00 00 00 20 45 42 45 4c 44 41 44 41 44 42 43 4e 45 48 46 43 45 50 46 46 46 41 43 41 43 41 43 41 43 41 42 4c 00 00 20 00 01 | |
| 9/29/2003 | 7:21:23 PM | 192.168.2.30 | 192.168.2.255 | Udp | 137 | 137 | - | BLOCKED | 192.168.2.111 | 45 00 00 4e 80 14 00 00 80 11 34 1d c0 a8 02 1e c0 a8 02 ff | 00 89 00 89 00 3a 7e 91 81 ef 01 10 00 01 00 00 00 00 00 00 20 45 42 45 4c 44 41 44 41 44 42 43 4e 45 48 46 43 45 50 46 46 46 41 43 41 43 41 43 41 43 41 42 4c 00 00 20 00 01 | |
| 9/29/2003 | 7:21:24 PM | 192.168.2.30 | 192.168.2.255 | Udp | 137 | 137 | - | BLOCKED | 192.168.2.111 | 45 00 00 4e 80 15 00 00 80 11 34 1c c0 a8 02 1e c0 a8 02 ff | 00 89 00 89 00 3a 7e 91 81 ef 01 10 00 01 00 00 00 00 00 00 20 45 42 45 4c 44 41 44 41 44 42 43 4e 45 48 46 43 45 50 46 46 46 41 43 41 43 41 43 41 43 41 42 4c 00 00 20 00 01 | - |
There is nothing in the Firewall log.
This is pretty much it...
I appreciate your help, Stefaan!
Andre.
RE: FTP server on the ISA machine - 30.Sep.2003 8:06:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Andre,
hmm... no blocked packets in the IP Packet log related to the FTP protocol, BUT *no* entries at all in the Firewall log too !?! Are you sure about that?
When you use a server publishing rule, you *must* find entries in the Firewall log!
Do you see errors/warnings in the Event log?
HTH, Stefaan
RE: FTP server on the ISA machine - 30.Sep.2003 9:08:00 PM
andre@freaking.info
Posts: 68
Joined: 23.Sep.2003
From: New York
Status: offline
Stefaan, you're right. Here is what firewall logs:
| client-ip | usrname | agent | auth | date | time | service | srvname | rfrsrv | d-host | d-host-ip | d-host-port | p-time | b-sent | b-rcvd | prot | transport | operation | uri | mimetype | objsrc | rsltcode | cacheinfo | rule 1 | rule 2 | sesid | connid
| 192.168.0.111 | - | - | N | 9/30/2003 | 2:56:25 PM | fwsrv | AK2003 | - | - | 192.168.2.30 | 2191 | 0 | 0 | 0 | 21 | TCP | Accept | - | - | - | 0 | 0 | FTP server | - | 2 | 2
| 192.168.0.111 | - | - | N | 9/30/2003 | 2:56:26 PM | fwsrv | AK2003 | - | - | - | 0 | 0 | 0 | 0 | 0 | TCP | Bind | - | - | - | 0 | 0 | FTP server | - | 2 | 138
| 192.168.0.111 | - | - | N | 9/30/2003 | 2:56:26 PM | fwsrv | AK2003 | - | - | - | 11428 | 0 | 0 | 0 | 0 | TCP | Listen | - | - | - | 0 | 0 | - | - | 2 | 138
| 192.168.0.111 | - | - | N | 9/30/2003 | 2:56:26 PM | fwsrv | AK2003 | - | - | 192.168.2.30 | 2192 | 156 | 0 | 0 | 0 | TCP | Accept | - | - | - | 0 | 0 | FTP server | - | 2 | 138
| 192.168.0.111 | - | - | N | 9/30/2003 | 2:56:26 PM | fwsrv | AK2003 | - | - | - | 0 | 188 | 0 | 0 | 0 | TCP | Bind | - | - | - | 20000 | 0 | FTP server | - | 2 | 138
| 192.168.0.111 | - | - | N | 9/30/2003 | 2:56:29 PM | fwsrv | AK2003 | - | - | 192.168.2.30 | 2191 | 3703 | 0 | 0 | 21 | TCP | Accept | - | - | - | 20000 | 0 | FTP server | - | 2 | 2
These records represent 1 connection attempt. The firewall logs 6 packets.
Accept (21) - Bind (21) - Listen (11428) ... Looks like a normal sequence. Nothing special in it... Why the connection is dropped afterwards - that's the question...
Andre. [ September 30, 2003, 09:18 PM: Message edited by: andre ]
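An added Python helper (example code for this page, not something from the thread or from ISA Server) that parses the ISA-format firewall log Andre posted, groups operations by connection id, and lists the Listen ports and any rows with a non-zero rsltcode, so the per-connection sequence Andre reads off by hand can be produced mechanically from a longer log. The log rows are copied verbatim from the post above; the thread does not establish what a given rsltcode value means, so the code only surfaces those rows for a human to look at.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Firewall log lines copied from Andre's post (ISA format, pipe-separated).
FW_LOG = """| client-ip | usrname | agent | auth | date | time | service | srvname | rfrsrv | d-host | d-host-ip | d-host-port | p-time | b-sent | b-rcvd | prot | transport | operation | uri | mimetype | objsrc | rsltcode | cacheinfo | rule 1 | rule 2 | sesid | connid
| 192.168.0.111 | - | - | N | 9/30/2003 | 2:56:25 PM | fwsrv | AK2003 | - | - | 192.168.2.30 | 2191 | 0 | 0 | 0 | 21 | TCP | Accept | - | - | - | 0 | 0 | FTP server | - | 2 | 2
| 192.168.0.111 | - | - | N | 9/30/2003 | 2:56:26 PM | fwsrv | AK2003 | - | - | - | 0 | 0 | 0 | 0 | 0 | TCP | Bind | - | - | - | 0 | 0 | FTP server | - | 2 | 138
| 192.168.0.111 | - | - | N | 9/30/2003 | 2:56:26 PM | fwsrv | AK2003 | - | - | - | 11428 | 0 | 0 | 0 | 0 | TCP | Listen | - | - | - | 0 | 0 | - | - | 2 | 138
| 192.168.0.111 | - | - | N | 9/30/2003 | 2:56:26 PM | fwsrv | AK2003 | - | - | 192.168.2.30 | 2192 | 156 | 0 | 0 | 0 | TCP | Accept | - | - | - | 0 | 0 | FTP server | - | 2 | 138
| 192.168.0.111 | - | - | N | 9/30/2003 | 2:56:26 PM | fwsrv | AK2003 | - | - | - | 0 | 188 | 0 | 0 | 0 | TCP | Bind | - | - | - | 20000 | 0 | FTP server | - | 2 | 138
| 192.168.0.111 | - | - | N | 9/30/2003 | 2:56:29 PM | fwsrv | AK2003 | - | - | 192.168.2.30 | 2191 | 3703 | 0 | 0 | 21 | TCP | Accept | - | - | - | 20000 | 0 | FTP server | - | 2 | 2"""


def parse_isa_log(text: str) -> List[Dict[str, str]]:
    """Parse pipe-separated ISA log text; the first line is the header.

    Each row becomes a dict keyed by the header names. A row whose field
    count differs from the header is rejected rather than silently misaligned.
    """
    rows: List[Dict[str, str]] = []
    header: List[str] = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split("|")]
        if fields and fields[0] == "":          # drop the empty field before the leading "|"
            fields = fields[1:]
        if fields and fields[-1] == "" and header and len(fields) == len(header) + 1:
            fields = fields[:-1]                # tolerate a trailing "|"
        if not header:
            header = fields
            continue
        if len(fields) != len(header):
            raise ValueError(f"expected {len(header)} fields, got {len(fields)}: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def operations_by_connection(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Ordered list of operations per connid (e.g. Bind -> Listen -> Accept)."""
    seq: Dict[str, List[str]] = defaultdict(list)
    for r in rows:
        seq[r["connid"]].append(r["operation"])
    return dict(seq)


def listen_ports(rows: List[Dict[str, str]]) -> List[int]:
    """Ports on which the firewall service reported a Listen (ISA's data port)."""
    return [int(r["d-host-port"]) for r in rows if r["operation"] == "Listen"]


def nonzero_result_codes(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(connid, operation, rsltcode) for every row whose rsltcode is not 0."""
    return [(r["connid"], r["operation"], r["rsltcode"]) for r in rows if r["rsltcode"] != "0"]


if __name__ == "__main__":
    rows = parse_isa_log(FW_LOG)
    for connid, ops in operations_by_connection(rows).items():
        print(f"connid {connid}: {' - '.join(ops)}")
    print("listen ports:", listen_ports(rows))
    print("non-zero result codes:", nonzero_result_codes(rows))
```

The same parser works on a full day's log exported in ISA format, which is the quickest way to see whether the Listen port the firewall allocated is the one the client actually connected to and which step in each connection first carries a non-zero result code.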
RE: FTP server on the ISA machine - 13.Oct.2003 12:36:00 PM
stants
Posts: 40
Joined: 16.Feb.2003
From: Corroios, Lisboa, Portugal
Status: offline
I have an FTP server on ISA with publishing rules and I get no problem! The only thing that you must change is in your FTP client. In passive connection it works for me!
Sorry if you tried that!