Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Unable to publish multiple FTP servers correctly
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
Unable to publish multiple FTP servers correctly - 9.Nov.2005 9:35:00 AM
|
|
|
smaher
Posts: 26
Joined: 9.Nov.2005
Status: offline
|
Server A is the ISA server/ FTP server (i.e. companyA.com). Server B is just a FTP server (i.e. companyB.com). IÆve published the following rules:
FTP Company A Allow FTP Server External 192.168.1.1
FTP Company B Allow FTP Server External 192.168.1.50
My problem is the following: In the office (same network) if I go to ftp.companyA.com works great. If I go to ftp.companyB.com also works great. When I test outside the office and go to ftp.companyA.com or ftp.companyB.com it will only appear that I am in companyA ftp site despite which URL I enter.
If I publish FTP Company B rule before companyA, the opposite applies. I only see companyB ftp site. What am I doing wrong?
|
|
|
|
|
RE: Unable to publish multiple FTP servers correctly - 9.Nov.2005 9:16:00 PM
|
|
|
TitusHoc
Posts: 114
Joined: 17.Nov.2004
From: Canada - Toronto
Status: offline
|
Are the 192.168.1.1 and 192.168.1.50 the external IP addresses of the ISA machine?
|
|
|
|
|
RE: Unable to publish multiple FTP servers correctly - 10.Nov.2005 10:10:16 PM
|
|
|
smaher
Posts: 26
Joined: 9.Nov.2005
Status: offline
|
Nope, 192.168.2.2 is the external address to the ISA Server.
192.168.1.1 and 192.168.1.50 is the internal address "To" the servers hosting the FTP sites.
< Message edited by smaher -- 10.Nov.2005 10:18:45 PM >
|
|
|
|
|
RE: Unable to publish multiple FTP servers correctly - 10.Nov.2005 10:43:38 PM
|
|
|
TitusHoc
Posts: 114
Joined: 17.Nov.2004
From: Canada - Toronto
Status: offline
|
Then the answer is very simple
Since you are trying to publish two internal FTP server and you are having only one IP address on external ISA server – this will not work
The first FTP publishing rule will bind to the TCP 21 – but the second rule will fail binding since the socket is already in use by the first rule
You need two IP address on external interface of ISA – and publish each FTP server to a different IP address
Regards,
Titus
|
|
|
|
|
RE: Unable to publish multiple FTP servers correctly - 15.Nov.2005 2:30:22 PM
|
|
|
smaher
Posts: 26
Joined: 9.Nov.2005
Status: offline
|
Titus, sorry I’m trying to follow you here. I’m thinking that the first FTP publishing rule will bind to the TCP 21 on the server in which I published it to (192.168.1.1). Now if I have a second server with FTP running on it and I published a FTP server rule pointing to its IP address of 192.168.1.50 it should be using that server TCP 21. Please explain if I’m wrong.
Thanks, smaher
|
|
|
|
|
RE: Unable to publish multiple FTP servers correctly - 15.Nov.2005 4:18:07 PM
|
|
|
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Whoa, hold on.
Is the FTP on the ISA firewall?
If so, the first step is to get the FTP off the firewall before your firewall gets owned and bad things happen.
HTH,
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: Unable to publish multiple FTP servers correctly - 15.Nov.2005 5:36:50 PM
|
|
|
smaher
Posts: 26
Joined: 9.Nov.2005
Status: offline
|
Thanks Tom for the quick response.
Yes, I have FTP on the ISA server for one domain, and FTP on a member server for another domain. (both read only access).
So what your telling me is if I only have read only access for my FTP it still should not have FTP installed on the ISA server for security reasons?
Thanks,
smaher
|
|
|
|
|
RE: Unable to publish multiple FTP servers correctly - 15.Nov.2005 9:45:23 PM
|
|
|
TitusHoc
Posts: 114
Joined: 17.Nov.2004
From: Canada - Toronto
Status: offline
|
Let’s review a little bit your configuration
To publish an FTP server you use Server publishing
On the server publishing wizard you need to configure the external IP address of the ISA (in you case it seems that you have only one external IP address 192.168.2.2)
So, when you trying to access the first FTP site from outside the first server publishing rule will bind the TCP 21 port to your ISA external IP address 192.168.2.2 – everything is fine until now
Now, when you are trying to access the second FTP server the second FTP publish rule will try to bind also to TCP 21 on 192.168.2.2 but this will fail since the socket is used by the first rule.
So the solution for you is to use two external IP addresses on ISA and publish each FTP server on different external IP address
Titus
|
|
|
|
|
RE: Unable to publish multiple FTP servers correctly - 15.Nov.2005 10:37:01 PM
|
|
|
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
|
quote:
ORIGINAL: smaher
Thanks Tom for the quick response.
Yes, I have FTP on the ISA server for one domain, and FTP on a member server for another domain. (both read only access).
So what your telling me is if I only have read only access for my FTP it still should not have FTP installed on the ISA server for security reasons?
Thanks,
smaher
Most definitely YES. Do not run FTP servers on firewalls of any kind.
HTH,
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: Unable to publish multiple FTP servers correctly - 16.Nov.2005 7:23:25 PM
|
|
|
smaher
Posts: 26
Joined: 9.Nov.2005
Status: offline
|
quote:
ORIGINAL: tshinder
Most definitely YES. Do not run FTP servers on firewalls of any kind.
Tom, does the same apply for web servers?
quote:
ORIGINAL: TitusHoc
Now, when you are trying to access the second FTP server the second FTP publish rule will try to bind also to TCP 21 on 192.168.2.2 but this will fail since the socket is used by the first rule.
So the solution for you is to use two external IP addresses on ISA and publish each FTP server on different external IP address
Titus, what if I publish the second rule to a different TCP port. Will that work? I have one internal NIC and one external NIC how do I create two external IP address on ISA?
Thanks,
smaher
|
|
|
|
|
RE: Unable to publish multiple FTP servers correctly - 16.Nov.2005 10:14:46 PM
|
|
|
TitusHoc
Posts: 114
Joined: 17.Nov.2004
From: Canada - Toronto
Status: offline
|
You have actually two options here:
1) Like you said you can publish the second FTP to a different port – a little bit difficult since you need to change that on the FTP server itself – on the server publishing you cannot do port redirection
2) Add a second IP address to the external ISA NIC -see below
On the TCP/IP properties of the external NIC- Advanced – Under IP settings tab you can add extra IP address on the same NIC
But like Tom said is not a good idea to run FTP on ISA. If you still want to do that (again bad idea) you need to disable socket pooling on ISA – By default the IIS is binding to all IP address.
Follow this article to disable socket pooling on ISA:
http://support.microsoft.com/kb/813368/EN-US/
Let me know if you have additional questions
Titus
|
|
|
|
|
RE: Unable to publish multiple FTP servers correctly - 13.Feb.2006 11:49:18 PM
|
|
|
smaher
Posts: 26
Joined: 9.Nov.2005
Status: offline
|
Okay, I’m back at it again. I went ahead and moved the FTP site off the ISA server. Now I have a server (192.168.1.91) with 2 FTP sites that look like the following:
Description: abc.com
IP address: (All Unassigned)
TCP port: 20
Description: xyz.com
IP address: (All Unassigned)
TCP port: 21
Now on the ISA Server I have 2 NIC’s (Internal 192.168.1.1) (External 192.168.2.2 and 192.168.2.3). So I created the following publishing rules.
xyz
Action: Allow
Protocols: FTP Server (parameters 20-21)
From: External (192.168.2.3)
To: 192.168.1.91
abc
Action: Allow
Protocols: FTP Server (parameters 20-21)
From: External (192.168.2.2)
To: 192.168.1.91
And I’m still have the same problem.
|
|
|
|
|
RE: Unable to publish multiple FTP servers correctly - 24.Feb.2006 12:11:54 AM
|
|
|
poiuy
Posts: 50
Joined: 20.Oct.2005
Status: offline
|
Now on the ISA Server I have 2 NIC’s (Internal 192.168.1.1) (External 192.168.2.2 and 192.168.2.3). So I created the following publishing rules.
xyz
Action: Allow
Protocols: FTP Server (parameters 20-21)
From: External (192.168.2.3)
To: 192.168.1.91
abc
Action: Allow
Protocols: FTP Server (parameters 20-21)
From: External (192.168.2.2)
To: 192.168.1.92 <---------- Add this IP address to the NIC of your FTP server.
In your scenario you still have the same problem because you are still trying to run two FTP servers off the same IP address. If you have two IP's on your external interface you still need to have two IP's on your Internal Interface where the FTP sites are hosted.
And I’m still have the same problem.
|
|
|
|
|
RE: Unable to publish multiple FTP servers correctly - 25.Feb.2006 3:10:59 AM
|
|
|
smaher
Posts: 26
Joined: 9.Nov.2005
Status: offline
|
First I would like to thank you all, everyone has been a great help. So a recap of what I’ve done. I added an ip address to the external NIC (192.168.2.3) of the ISA server. Suggested last by poiuy I added an additional ip address to the NIC (192.168.1.92) of the FTP server. Bingo it works.
I believe now I have a problem with our LAN DNS. Because now when I test the FTP sites on the office LAN, I get the FTP site xyz.com for both FTP sites. If I test the FTP sites outside the office everything works great like it should.
Anyone with any ideas?
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
