Welcome to ISAserver.org

WS_FTP Woes

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> General >> WS_FTP Woes

Page: [1]

Message

<< Older Topic Newer Topic >>

WS_FTP Woes - 10.Dec.2004 11:50:00 PM

rpitney

Posts: 9
Joined: 10.Dec.2004
Status: offline

Hi,

I recently installed ISA 2004 on a network of about 30 users that previously had no proxy. Since then, I have been unsuccessful in getting WS_FTP (even the latest version) to be able upload anything. Downloads works fine, but uploads or anything else that requires disk access to a ftp site fails with a 550 error. This is in spite of having the admin-level username and password for the FTP site.

I searched through the KB at IpSwitch and found only a suggestion to disable passive mode (which then breaks everything--I cannot even connect at all) and to enter my ISA server's address along with port 8080 in the firewall config of WS_FTP. Other than the passive mode suggestion, nothing seemed to make a difference.

Thus, I did a google search as well as poured through some articles and posts on this site. From this information, I added the following entries into the firewall, but it didn't make any difference:

Allow Ports1024-1224 From:internal To:external AllUsers
Allow Ports20-21 From:internal To:external AllUsers
Allow Ports20-21 From:external To:internal AllUsers
Allow Ports1024-1224 From:external To:internal All Users

I should mention that this ISA Server is actually behind a NAT router provided by ISP which cannot be eliminated from the loop. ISA Server takes the incoming Internet connection (on a NAT address) on its "WAN" NIC and all users connect to the "LAN" NIC (which is a different subnet). All clients are Windows 2000/XP machines with the ISA client installed. I don't really care about username tracking at the moment, so that is why I have chosen AllUsers option above.

Although being behind a NAT router helps, I don't like opening up these wide ranges (1024-1224, whose numbers I got from a posting at the IpSwitch web site) from external to internal. Do I have to have all of these ports open as suggested by both the IpSwitch site and by an article here at ISAServer.org?

What am I doing wrong? I have worked a little with ISA2000 in the past and do not recall any issues like this, but maybe my memory is fuzzy. I am sure it is something simple, and I am greatly looking forward to Dr. Shinder's new ISA2004 book! Thanks in advance for any advice.

Post #: 1

Featured Links*

RE: WS_FTP Woes - 10.Dec.2004 11:52:00 PM

Ara.A

Posts: 259
Joined: 21.Oct.2004
Status: offline

Hello
Don't mess with ports at all
Go to firewall policy, right click on your ftp access rule and choose configure ftp. Then remove the read only
[Big Grin]

[ December 10, 2004, 11:53 PM: Message edited by: Ara ]

(in reply to rpitney)

Post #: 2

RE: WS_FTP Woes - 14.Dec.2004 4:31:00 PM

rpitney

Posts: 9
Joined: 10.Dec.2004
Status: offline

Thanks! I was confused when I didn't see FTP as a protocol in the common protocols, I didn't think to check in "web" area. Thus, I had neglected to look far enough and had tried to make my own FTP protocol, which obviously did not have this checkbox.

Anyway, long story short is that you pointed me in the right direction, and now all the users (and myself) are happy. [Smile]