Welcome to ISAserver.org
SecureNAT can't connect to FTP site
SecureNAT can't connect to FTP site - 24.Mar.2006 5:59:00 PM
kritt
Posts: 27
Joined: 19.Apr.2001
Status: offline
My network configuration is Edge Firewall. I have created access rules to allow FW clients and SecureNAT clients to access the internet, as follows:

1. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Internal -- To External -- Condition All Users
2. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Internal -- To External -- Condition All Authenticated Users

All FW clients can browse the internet, upload files to an FTP site and receive/send mail. All SecureNAT clients can browse the internet and receive/send mail, but can't connect to an FTP site.

I have tested both the FW client and the SecureNAT client with CuteFTP. The SecureNAT client displays these status messages:

STATUS:> Getting listing "/pub"...
STATUS:> Resolving host name ftp.globalscape.com...
STATUS:> Host name ftp.globalscape.com resolved: ip = 64.243.64.21.
STATUS:> Connecting to FTP server ftp.globalscape.com:21 (ip = 64.243.64.21)...
STATUS:> Socket connected. Waiting for welcome message...
ERROR:> Timeout (60000 ms) occurred on receiving server response.
STATUS:> Waiting 30 seconds...

While FW clients display these status messages:

STATUS:> Getting listing "/pub"...
STATUS:> Resolving host name ftp.globalscape.com...
STATUS:> Host name ftp.globalscape.com resolved: ip = 64.243.64.21.
STATUS:> Connecting to FTP server ftp.globalscape.com:21 (ip = 64.243.64.21)...
STATUS:> Socket connected. Waiting for welcome message...
220 GlobalSCAPE Secure FTP Server (v. 3.0)
STATUS:> Connected. Authenticating...
COMMAND:> USER anonymous
331 Password required for anonymous.
COMMAND:> PASS *****
230 Login OK. Proceed.
STATUS:> Login successful.

Please help me configure the SecureNAT client to connect to the FTP site.

RE: SecureNAT can't connect to FTP site - 25.Mar.2006 3:47:20 PM
kritt
Posts: 27
Joined: 19.Apr.2001
Status: offline
As explained in the articles:

- The client opens a primary connection (control connection) to the FTP server.
- The ISA Server computer notifies the filter about the connection.
- The filter examines the data that is flowing through the primary connection and determines which secondary connection (data connection) the client is going to use.
- The filter informs the ISA Server computer to allow that particular secondary connection.
- The ISA Server computer opens the specific port, as indicated by the application filter.

Because a SecureNAT client doesn't support secondary connections without the help of an application filter, you are not able to access or publish FTP servers on alternate port ...

Hi elmajdal,

Do you know how to configure the application filter to help a SecureNAT client access an external FTP server? Thanks.
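
The control-channel inspection described in the post above, as an added example (not from the original thread and not ISA Server's own filter code): it reads PORT commands and 227 replies as defined in RFC 959 and returns the data connection a filter would need to allow. The function names, the host_matches_sender field and the sample addresses are assumptions of this example.

```python
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(fields):
    """Turn the six PORT/227 fields into (ip, port); None if a field > 255."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def secondary_connection(line, sender_ip):
    """Return the data connection announced by one control-channel line,
    or None when the line does not announce one (hypothetical helper)."""
    line = line.strip()
    if line.upper().startswith("PORT "):    # active mode: server dials the client
        mode, m = "active", _HOSTPORT.fullmatch(line[5:].strip())
    elif line.startswith("227 "):           # passive mode: client dials the server
        mode, m = "passive", _HOSTPORT.search(line[4:])
    else:
        return None
    endpoint = _decode(m.groups()) if m else None
    if endpoint is None:
        return None
    host, port = endpoint
    # Assumption of this example: a strict filter opens the port only when the
    # announced address is the peer that sent the line, so a mismatch is flagged.
    return {"mode": mode, "host": host, "port": port,
            "host_matches_sender": host == sender_ip}


# Constructed control-channel lines (sender address, text); not from the thread's log.
SAMPLE = [
    ("10.0.0.5", "USER anonymous"),
    ("10.0.0.5", "PORT 10,0,0,5,19,137"),
    ("192.0.2.10", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("10.0.0.5", "PORT 198,51,100,7,0,22"),
]

if __name__ == "__main__":
    for sender, text in SAMPLE:
        print(sender, repr(text), "->", secondary_connection(text, sender))
```
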
RE: SecureNAT can't connect to FTP site - 25.Mar.2006 4:21:39 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Why not use FWC? Since Secure-NAT cannot authenticate, it is an oxymoron.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
RE: SecureNAT can't connect to FTP site - 26.Mar.2006 3:38:06 AM
moTaro
Posts: 13
Joined: 25.Mar.2006
Status: offline
kritt explained well. FTP is pretty complicated to set up. Well, for me it was. 21 is the initial connector for FTP and this port needs to be mapped; after that, FTP communicates on the second connection, which is 20. This is for active mode.

RE: SecureNAT can't connect to FTP site - 26.Mar.2006 11:37:01 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,

Out of the box, ISA Server fully supports the FTP protocol for SecureNAT and Firewall clients, including active and passive FTP mode. For Web Proxy clients, that means FTP over HTTP; ISA is CERN Proxy compatible, which means only FTP downloads, and active or passive FTP mode determined by a global configuration setting on the ISA itself.

For more info, check out my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html. Most of the stuff is still valid for ISA 2004.

HTH,
Stefaan

RE: SecureNAT can't connect to FTP site - 26.Mar.2006 4:19:50 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:
1. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Internal -- To External -- Condition All Users
2. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Internal -- To External -- Condition All Authenticated Users

What is the point of rule #2? Where is the security if rule #1 lets everyone out without authentication?
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
RE: SecureNAT can't connect to FTP site - 26.Mar.2006 5:19:27 PM
kritt
Posts: 27
Joined: 19.Apr.2001
Status: offline
I'm sorry for the mistake. The actual configuration is:

1. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Authenticated Computer Set -- To External -- Condition All Users
2. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Internal -- To External -- Condition All Authenticated Users

I need the SecureNAT client for non-Windows-based clients such as MAC or Linux Server. I created an Authenticated Computer Set for MAC or Linux (IP ranges) and allow them to access the internet in Rule #1. Rule #2 allows Windows-based clients to access the internet. So I would like to solve the FTP problem for the SecureNAT client as described above. Can anyone help?

RE: SecureNAT can't connect to FTP site - 26.Mar.2006 5:22:14 PM
kritt
Posts: 27
Joined: 19.Apr.2001
Status: offline
I'm sorry again for the mistake. The actual configuration is:

1. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Authenticated Computer Set -- To External -- Condition All Users
2. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Internal -- To External -- Condition All Authenticated Users

I need the SecureNAT client for non-Windows-based clients such as MAC or Linux Client. I created an Authenticated Computer Set for MAC or Linux (IP ranges) and allow them to access the internet in Rule #1. Rule #2 allows Windows-based clients to access the internet. So I would like to solve the FTP problem for the SecureNAT client as described above. Can anyone help?

RE: SecureNAT can't connect to FTP site - 31.Mar.2006 2:44:43 AM
elmajdal
Posts: 5071
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Try this to solve the issue: you have to use the "Do not use proxy server for addresses beginning with:" setting, configured to bypass the FTP server's IP address or FQDN name/domain name. This can be found in: Tools > Internet Options > Connections > LAN Settings > Advanced.

HTH
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
RE: SecureNAT can't connect to FTP site - 31.Mar.2006 11:19:45 AM
kritt
Posts: 27
Joined: 19.Apr.2001
Status: offline
Hi elmajdal,

I'm not using IE to connect to the FTP server. I'm using CuteFTP; please see the log detail (blue text) in my first post. Do you have another solution?