• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Force isa-server to use passiv mode ftp for forwarded WebProxy requests

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Misc.] >> ISA Server Wish List >> Force isa-server to use passiv mode ftp for forwarded WebProxy requests Page: [1]
Login
Message << Older Topic   Newer Topic >>
Force isa-server to use passiv mode ftp for forwarded W... - 3.Jul.2002 1:24:00 PM   
AndiSHFR

 

Posts: 3
Joined: 27.Jun.2002
From: Germany
Status: offline
The Problem:
If isa-server is behind a fw or router that does not allow incoming data connections for ftp there is no way to access ftp-sites thru WebProxy.

(See thread: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=10;t=000268 )

If the clients use the firewall client and they do ftp in passiv mode it will be ok.

If the clients use WebProxy to access ftp-sites they still use passiv mode ftp for their request to isa-server.
But - isa-server will forward the request as a 'real' active mode ftp session and will get an "Can't open data connection" error.

Solution:
a configuration option to force isa-server to use passiv mode ftp when forwarding ftp requests for WebProxy.

Thanx
Andreas
Post #: 1
RE: Force isa-server to use passiv mode ftp for forward... - 9.May2003 10:58:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Andreas,

the Web Proxy service will use active mode FTP by default. You can alter this behaviour by editing the registry on the ISA server to allow FTP requests made through the Web Proxy service to use passive mode. Check out the Microsoft Knowledge Base Article http://support.microsoft.com/default.aspx?scid=kb;en-us;300641 for more info.

Check out my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html for full details.

HTH,
Stefaan

(in reply to AndiSHFR)
Post #: 2
RE: Force isa-server to use passiv mode ftp for forward... - 28.Jul.2003 5:08:00 AM   
svend

 

Posts: 2
Joined: 28.Jul.2003
Status: offline
I think that for such a commonly used protocol, ISAs handling of FTP is appaulingly dificult to get working.

You should not need to know the intricacies of ftp protocol handshaking to configure a connection (at least I never did up to now).

Svend.

(in reply to AndiSHFR)
Post #: 3
RE: Force isa-server to use passiv mode ftp for forward... - 28.Jul.2003 8:51:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Svend,

I do *not* agree! Using the FTP protocol through the Firewall service is very easy. However, if you want to use FTP through the Web Proxy service, the client is *not* talking FTP but HTTP to the ISA server, and the ISA server is talking FTP to the destination. So, the FTP client is the ISA Web Proxy service, not the internal host. That's true for every Web Proxy server with FTP support.

BTW --- knowing how the protocol works is the key to succesfully implement any firewall.

HTH,
Stefaan

[ July 28, 2003, 08:53 PM: Message edited by: spouseele ]

(in reply to AndiSHFR)
Post #: 4

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Misc.] >> ISA Server Wish List >> Force isa-server to use passiv mode ftp for forwarded WebProxy requests Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts