Welcome to ISAserver.org


How to publish SFTP Server?

How to publish SFTP Server? - 16.Jul.2007 10:33:15 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
Need help to publish an SFTP server. What rule do I create?

I have configured the rule below:
A server publishing rule with the FTP protocol selected, and I changed the firewall port and the published server port to 22.
In the log file I can see that the connection has been initiated, but I cannot connect to the SFTP server.

Is something wrong on the SFTP server or the ISA server? I am using VShell server from VanDyke Software as my SFTP server.

< Message edited by bhavin78 -- 16.Jul.2007 10:38:50 PM >
Post #: 1
RE: How to publish SFTP Server? - 18.Jul.2007 4:17:50 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Won't work.

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to bhavin78)
Post #: 2
RE: How to publish SFTP Server? - 18.Jul.2007 4:32:26 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
Any other suggestions? What should I do to make it work?

(in reply to tshinder)
Post #: 3
RE: How to publish SFTP Server? - 18.Jul.2007 4:46:39 PM   
ferrix

 

Posts: 369
Joined: 16.Mar.2005
Status: offline
Two things.
1)
If you mean FTP over SSL (FTP-S), which I don't think you really do:
My understanding of the problem is that ISA's ftp filter can't work in this scenario, because it can't see inside the SSL connection between the ftp client and server. 

Therefore it has no way to enable the secondary connections needed by the FTP protocol.  To ISA it's not "FTP", it's just encrypted traffic that can't be inspected.

It seems to me it would be possible to have a third party filter solve this by terminating the SFTP connection at the ISA perimeter (similar to how the ISA web proxy does HTTPS publishing).  This is just in theory however.. I'd have to proof-of-concept it if a client ever seriously asked for something like that.

With this scenario you can use regular FTP clients as long as they support SSL encryption (smartftp, etc).

2)
But I think instead you are talking about "SFTP" which is a file transfer sub-protocol that runs over the SSH2 protocol.
It just uses port 22 and doesn't need secondary connections.  If this is what you're doing, you should not publish "FTP Server", you publish the "SSH server" protocol.  And you cannot use an "ftp" client, you have to use an ssh client that knows about file transfer.  And if you don't understand this stuff or the distinction between (1) and (2), I suggest you RTM a little before asking further ISA questions :)

(in reply to bhavin78)
Post #: 4
RE: How to publish SFTP Server? - 18.Jul.2007 4:57:13 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
I am trying to do what you said in option 2. How do I publish SSH? Unlike FTP, I do not see SSH as an option in the list of protocols, or maybe I missed it. If it's not there, then I need to create a protocol named SSH with port number 22, right?

(in reply to ferrix)
Post #: 5
RE: How to publish SFTP Server? - 18.Jul.2007 5:00:12 PM   
ferrix

 

Posts: 369
Joined: 16.Mar.2005
Status: offline
Oh sorry, I thought ssh server was in there.  Yeah it'd just be tcp port 22 inbound

(in reply to bhavin78)
Post #: 6
RE: How to publish SFTP Server? - 19.Jul.2007 10:26:11 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
You are correct regarding the FTP Access Filter. Since the tunnel is encrypted, the ISA Firewall can't enable the dynamic port assignments.

Tom


(in reply to ferrix)
Post #: 7
RE: How to publish SFTP Server? - 19.Jul.2007 10:27:22 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
If you have problems with SSH, check my blog regarding SSH configuration -- it's a very odd config.

HTH,
Tom


(in reply to bhavin78)
Post #: 8
RE: How to publish SFTP Server? - 19.Jul.2007 10:34:28 AM   
ferrix

 

Posts: 369
Joined: 16.Mar.2005
Status: offline
That's just weird.. I've been using SSH for years (albeit not on networks with ISA) and it's one of the easiest protocols to use that I've ever seen.  In fact it can be a network admin's headache, because savvy employees can easily use ssh to tunnel other protocols and defeat network rules.

Now my curiosity is piqued, after reading Tom's blog entry:
http://blogs.isaserver.org/shinder/2006/05/11/possible-ssh-publishing-solution/

Is this an issue that could have been resolved by toggling the "request appears to come from" field? 

(in reply to tshinder)
Post #: 9
RE: How to publish SFTP Server? - 21.Jul.2007 4:22:40 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
My SFTP Server is on DMZ?
I created a server protocol for SSH [SSH inbound TCP 22]
I published SFTP server on DMZ using the protocol I created above.
I also created a route relationship between DMZ and External, but I still cannot hit the SFTP server in the DMZ from external. It works from internal to DMZ.

(in reply to ferrix)
Post #: 10
RE: How to publish SFTP Server? - 23.Jul.2007 9:04:03 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: ferrix

That's just weird.. I've been using SSH for years (albeit not on networks with ISA) and it's one of the easiest protocols to use that I've ever seen.  In fact it can be a network admin's headache, because savvy employees can easily use ssh to tunnel other protocols and defeat network rules.

Now my curiosity is piqued, after reading Tom's blog entry:
http://blogs.isaserver.org/shinder/2006/05/11/possible-ssh-publishing-solution/

Is this an issue that could have been resolved by toggling the "request appears to come from" field? 


Hi Ferrix,

That's a good question. The entire solution never made much sense to me, so I can't really say.

Tom


(in reply to ferrix)
Post #: 11
RE: How to publish SFTP Server? - 24.Jul.2007 10:28:47 AM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
Hi Tom,
  Need your help!

My SFTP Server is on DMZ?
I created a server protocol for SSH [SSH inbound TCP 22]
I published SFTP server on DMZ using the protocol I created above.
I also created a route relationship between DMZ and External, but I still cannot hit the SFTP server in the DMZ from external. It works from internal to DMZ.

(in reply to tshinder)
Post #: 12
RE: How to publish SFTP Server? - 24.Jul.2007 10:47:28 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
SSH is a different protocol than SFTP.

ISA doesn't support SFTP AFAIK.

Tom


(in reply to bhavin78)
Post #: 13
RE: How to publish SFTP Server? - 24.Jul.2007 11:30:08 AM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
Maybe the way I said it was wrong.
I want to publish a secure FTP server which uses the SSH protocol.

SSH is supported, right?

(in reply to tshinder)
Post #: 14
RE: How to publish SFTP Server? - 24.Jul.2007 3:00:50 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi bhavin78,

SFTP does indeed use SSH as the outer protocol. So a simple SSH Server (TCP port 22 inbound) publishing rule should do the trick, unless the SSH implementation doesn't like NAT.

So, I suggest you create the server publishing rule and test it out first with Jim's excellent Winsock Tool. You can not only test the connection setup but also transfer some data!

HTH,
Stefaan

(in reply to bhavin78)
Post #: 15
RE: How to publish SFTP Server? - 25.Jul.2007 2:40:34 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

Thanks! I didn't know that SFTP used SSH to tunnel FTP connections.

Thanks!
Tom


(in reply to spouseele)
Post #: 16
RE: How to publish SFTP Server? - 25.Jul.2007 3:18:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

Well, that's the way I understand how it should work...!

Kindly,
Stefaan

(in reply to tshinder)
Post #: 17
RE: How to publish SFTP Server? - 25.Jul.2007 3:36:59 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
I downloaded the Winsock Tool; now I am trying to figure out how to use it.

Thanks

(in reply to tshinder)
Post #: 18
RE: How to publish SFTP Server? - 9.Aug.2007 6:49:34 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
I am not able to capture anything using the Winsock client. This is what I am doing; please check and let me know if I am doing something wrong.

When I try to connect to the SSH server from Ext:
Mode: Server
Port: 22
IP: ext IP of ISA ( I get this error: Address in use
** Error 0x2740: Winsock.Closed in frmMain.OpenIt; Address in use)
Protocol : TCP

When I try to connect to the SSH server from INT:
Mode: Server
Port: 22
IP: Tried both int address and dmz address but no result or error
Protocol : TCP

How do I use this tool?

(in reply to spouseele)
Post #: 19
RE: How to publish SFTP Server? - 10.Aug.2007 3:31:49 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi bhavin78,

the Winsock Tool can act as a server or a client:

1. to emulate a server you choose server mode, select the protocol TCP or UDP, and configure the Local IP address and port you want the listener to bind to. Of course, make sure you don't have a listener conflict with an already running service.

2. to emulate a client you choose client mode, select the protocol TCP or UDP, and configure the Remote IP address and port you want to connect to.

In your case you would run the Winsock Tool in client mode on a workstation on the outside. You then connect to the published FQDN or IP address. On the inside you would run the Winsock Tool in server mode on a workstation or server. Again, watch out for listener conflicts (i.e. ** Error 0x2740: Winsock.Closed in frmMain.OpenIt; Address in use). When both the client and server are the Winsock Tool you can use the Auto Ping feature.

HTH,
Stefaan

(in reply to bhavin78)
Post #: 20
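
An added example, not part of any post in this thread: a client-mode check of a published port that also reads the server's first line, which separates the two cases ferrix describes (an SSH/SFTP server announces itself with an `SSH-` identification string, an FTP server with a `220` reply). The host name `sftp.example.test` and the function names are assumptions made for this sketch.

```python
import socket

def classify_greeting(data: bytes) -> str:
    """Classify what a server sent right after the TCP handshake."""
    lines = data.decode("ascii", errors="replace").splitlines()
    for line in lines:
        # SSH identification string (RFC 4253): SSH-protoversion-softwareversion.
        # SFTP runs inside this one connection, so TCP 22 inbound is enough.
        if line.startswith("SSH-"):
            return "ssh"
    # FTP (and explicit FTPS) greets with a 220 reply and later needs
    # secondary data connections that a firewall cannot see once encrypted.
    if lines and lines[0].startswith("220"):
        return "ftp"
    # "silent": connected but nothing received, e.g. a service that waits
    # for the client to speak first, or a listener that is not SSH at all.
    return "other" if lines else "silent"

def probe(host: str, port: int = 22, timeout: float = 5.0):
    """Connect as a client would from outside; return (kind, greeting)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Refused or timed out: the publishing rule or routing is not
        # passing the connection through to a listener.
        return "unreachable", str(exc)
    with sock:
        data = b""
        try:
            # Read until the first complete line (or a 1 KiB cap).
            while b"\n" not in data and len(data) < 1024:
                chunk = sock.recv(256)
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass  # recv timed out or was reset; classify what arrived
    return classify_greeting(data), data.decode("ascii", errors="replace").strip()

if __name__ == "__main__":
    import sys
    # Placeholder host (assumption); pass the published FQDN or IP instead.
    host = sys.argv[1] if len(sys.argv) > 1 else "sftp.example.test"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    kind, greeting = probe(host, port)
    print(f"{host}:{port} -> {kind}: {greeting!r}")
```

Run it from a workstation on the external side against the published address; a result of `ssh` means the publishing rule is passing traffic to the SSH server, while `unreachable` or `silent` points back at the rule, the route relationship or the listener.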
