Problem with FTP access

Problem with FTP access - 6.Jun.2005 11:35:00 PM   
hensome2004

 

Posts: 6
Joined: 6.Jun.2005
From: Macau
Status: offline
Hello, I am using ISA server 2000 Standard Edition with Windows 2000, all with latest service packs installed.

The problem is that all internal web proxy clients and firewall clients are not able to access external FTP sites.

I have already created a protocol rule that allows FTP access (21 outbound port) to all sites at all times. However, all internal clients are not able to access any of the external FTP sites.

This worked just fine a long time ago. But all of a sudden, without changing any settings, it fails. Could anyone help? Thanks.

B. Regards,
Henry Chang
Post #: 1
RE: Problem with FTP access - 8.Jun.2005 5:32:00 AM   
geoffcox

 

Posts: 7
Joined: 21.Mar.2003
From: London
Status: offline
Hello,

I have read Stefan's "FTP protocol challenges Firewall Security" article but am not sure what to do to allow ftp access to remote sites using SBS 2000 / ISA and the firewall client on the workstations ...

Para 4.3 mentions user having access to the predefined FTP protocol definition and making sure that the FTP Application Filter is enabled ...

I can see under Policy Elements for the ISA Server a Protocol definition which under the "defined by" heading has the entry "application filter" and uses port 21 for outbound.

Under Access Policy the only Protocol Rule is for Backoffice Internet Access and there is nothing re FTP under IP Packet Filters ...

In other words I am lost!

Cheers

Geoff

(in reply to hensome2004)
Post #: 2
RE: Problem with FTP access - 8.Jun.2005 4:27:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Geoff,

just make sure you have a protocol rule in place that allows the FTP protocol for the clients and it should work.

BTW --- I strongly suggest you test it out first with the standard Microsoft command-line FTP client. If that works, then the ISA server is correctly configured.

HTH,
Stefaan

(in reply to hensome2004)
Post #: 3
RE: Problem with FTP access - 9.Jun.2005 12:11:00 AM   
hensome2004

 

Posts: 6
Joined: 6.Jun.2005
From: Macau
Status: offline
Hello,

But in my case, I have already set up a protocol rule that allows FTP outbound access. Additionally, I have also created a rule that enables all IP traffic. The clients all use Internet Explorer to access external FTP sites, but without success. I have also tried both enabling and disabling the "Enable folder view for FTP sites" option in IE.

Could anyone help? Thanks.

(in reply to hensome2004)
Post #: 4
RE: Problem with FTP access - 9.Jun.2005 4:01:00 AM   
geoffcox

 

Posts: 7
Joined: 21.Mar.2003
From: London
Status: offline
Thanks Stefaan,

I have created a new rule under Protocol Rules and will wait to see if that works when colleague is in the office.

In your FTP Protocol Challenges Firewall Security - you have a description and an image for FTP Client control connection + data connection passive settings (page 9) - what situation does that apply to? Presumably not what I want which is workstations able to use ws_ftp to access remote servers?

Cheers

Geoff

(in reply to hensome2004)
Post #: 5
RE: Problem with FTP access - 9.Jun.2005 9:09:00 AM   
geoffcox

 

Posts: 7
Joined: 21.Mar.2003
From: London
Status: offline
Stefaan,

Adding the Protocol Rule has done the trick!

Thanks

Geoff

(in reply to hensome2004)
Post #: 6
RE: Problem with FTP access - 9.Jun.2005 2:22:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi hensome2004,

please, test it out first with the standard Microsoft command-line FTP client. If that works, then the ISA server is correctly configured.

HTH,
Stefaan

(in reply to hensome2004)
Post #: 7
RE: Problem with FTP access - 9.Jun.2005 2:26:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Geoff,

glad to hear you have it working and thanks for the follow up! [Smile]

BTW --- that figure in my article is for a scenario where you have to support the FTP protocol on a non-standard port number.

Stefaan

(in reply to hensome2004)
Post #: 8
RE: Problem with FTP access - 10.Jun.2005 4:10:00 AM   
hensome2004

 

Posts: 6
Joined: 6.Jun.2005
From: Macau
Status: offline
Hi Spouseele,

I have tried in the command prompt:

ftp
open ftp.nero.com

After approximately 20 seconds, it shows
connected to ftp.nero.com

Then after another 20 seconds, it shows
connection closed by remote host.

Any idea on what is happening? And I cannot connect with Internet Explorer. Thanks.

(in reply to hensome2004)
Post #: 9
RE: Problem with FTP access - 11.Jun.2005 10:47:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Henry,

to be able to check out your basic ISA setup, please post the following info *unmodified*:
- ipconfig /all on ISA
- route print on ISA
- content of the LAT on ISA
- ipconfig /all on internal host

HTH,
Stefaan

(in reply to hensome2004)
Post #: 10
RE: Problem with FTP access - 14.Jun.2005 10:57:00 PM   
hensome2004

 

Posts: 6
Joined: 6.Jun.2005
From: Macau
Status: offline
Hi Spouseele,

Following please find my ISA server information:

-ipconfig /all

Ethernet adapter LAN:
DHCP enabled: No
IP addresss: 192.168.2.1
Subnet mask: 255.255.255.0
Default Gateway:
DNS server: 192.168.2.2
202.175.3.3

Ethernet adapter WAN:
DHCP enabled: No
IP address: 172.16.122.179
Subnet mask: 255.255.255.0
Default Gateway: 172.16.122.254
DNS server: 202.175.3.3
202.175.3.8

(in reply to hensome2004)
Post #: 11
RE: Problem with FTP access - 14.Jun.2005 11:08:00 PM   
hensome2004

 

Posts: 6
Joined: 6.Jun.2005
From: Macau
Status: offline
- LAT content of ISA:

From to
10.0.0.0 10.255.255.255
169.254.0.0 169.254.255.255
192.168.0.0 192.168.255.255
192.168.2.0 192.168.2.255

(in reply to hensome2004)
Post #: 12
RE: Problem with FTP access - 14.Jun.2005 11:42:00 PM   
hensome2004

 

Posts: 6
Joined: 6.Jun.2005
From: Macau
Status: offline
- ipconfig /all on internal host

DHCP enabled: Yes
Autoconfiguration enabled: Yes
IP address: 192.168.2.31
Subnet mask: 255.255.255.0
Default Gateway: 192.168.2.1
DNS server: 192.168.2.2

(in reply to hensome2004)
Post #: 13
RE: Problem with FTP access - 16.Jun.2005 10:23:00 AM   
veluvarthi

 

Posts: 1
Joined: 27.May2005
From: hyderabad
Status: offline
Hi,

I am also suffering from the same problem: I am not able to connect to my FTP server through ISA Server.

I have loaded the ISA Server client software on my client system.

Through CuteFTP I am not able to connect to my FTP server. I have configured the firewall tab in CuteFTP.

Anybody, please help me.

regards
pandu

(in reply to hensome2004)
Post #: 14
RE: Problem with FTP access - 16.Jun.2005 4:20:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Henry,

1. LAT on ISA:
--------------

your internal NetworkID seems to be '192.168.2.0/24'. Therefore *only* 192.168.2.0 192.168.2.255 should be in the LAT.

2. DNS configuration:
---------------------

you seem to have an internal DNS server '192.168.2.2'. Therefore, don't specify an ISP DNS server on any adapter of the ISA server. Just the internal DNS server on the internal interface and make sure the internal adapter is listed first in the adapter order as explained in Jim's excellent article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html .

Next, perform the following configuration steps:

1) configure the internal DNS server as a SecureNAT client. That means its default gateway should point to the ISA internal interface.

2) enable forwarders on your internal DNS server and specify there your ISP DNS servers. Also, make sure you check the "Do not use recursion" box.

3) create on ISA a client address set containing your internal DNS server.

4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.

5) create on ISA a *separate* site&content rule allowing access to any destination or better to a destination set containing your ISP DNS servers, and apply it to the above created client address set.

Now, thoroughly test the DNS name resolving with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.

Another very good option is to install on ISA itself a caching-only DNS server. Check out Tom's article http://www.isaserver.org/articles/snatdns.html for more info.

HTH,
Stefaan

(in reply to hensome2004)
Post #: 15
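
[Added example, not part of the thread and not ISA Server code: a Python check that applies the LAT advice in post 15 to the LAT entries and adapter addresses posted above. The function name `audit_lat` and the warning texts are made up for this illustration.]

```python
import ipaddress

# LAT entries and adapter settings as posted in this thread.
LAT = [("10.0.0.0", "10.255.255.255"), ("169.254.0.0", "169.254.255.255"),
       ("192.168.0.0", "192.168.255.255"), ("192.168.2.0", "192.168.2.255")]
INTERNAL_IF = "192.168.2.1/255.255.255.0"   # ISA "LAN" adapter
EXTERNAL_IP = "172.16.122.179"              # ISA "WAN" adapter


def audit_lat(lat, internal_if, external_ip):
    """Return (keep, remove, warnings) for a LAT (hypothetical helper).

    keep:     ranges that lie entirely inside the internal network ID
    remove:   ranges that reach beyond it and would be treated as internal
    warnings: conditions that break traffic through the firewall
    """
    internal = ipaddress.ip_interface(internal_if).network
    ext = ipaddress.ip_address(external_ip)
    keep, remove, warnings, covered = [], [], [], []
    for first, last in lat:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            warnings.append(f"range {first}-{last} is reversed")
            continue
        if lo <= ext <= hi:
            warnings.append(f"external address {ext} is inside LAT range {first}-{last}")
        if internal.network_address <= lo and hi <= internal.broadcast_address:
            keep.append((first, last))
            covered.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            remove.append((first, last))
    # After cleanup the LAT must still cover the whole internal network ID.
    if not any(internal.subnet_of(n) for n in ipaddress.collapse_addresses(covered)):
        warnings.append(f"internal network {internal} is not fully covered by the LAT")
    return keep, remove, warnings


if __name__ == "__main__":
    keep, remove, warnings = audit_lat(LAT, INTERNAL_IF, EXTERNAL_IP)
    for r in remove:
        print("remove from LAT:", "-".join(r))
    for r in keep:
        print("keep in LAT:    ", "-".join(r))
    for w in warnings:
        print("WARNING:", w)
```

Run against the values from posts 11 and 12, it lists the three broad private ranges for removal and keeps only 192.168.2.0-192.168.2.255, matching the advice in post 15.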
RE: Problem with FTP access - 16.Jun.2005 4:23:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Pandu,

do *NOT* configure any firewall setting in the FTP client. ISA server supports the FTP protocol completely transparently.

HTH,
Stefaan

(in reply to hensome2004)
Post #: 16
