Welcome to ISAserver.org

All Forums >> [ISA Server 2000 General] >> General

ftp access require ftp server??
ftp access require ftp server?? - 7.Oct.2003 9:54:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
I am looking for a way to enable users in a LAN to ftp out to a server on the Internet. I have read so many articles in the forums and tried so many different methods but am not producing results unfortunately.

The application filter for FTP is enabled. I have created packet filters to allow connections. I have installed the firewall client software on the one client who NEEDS to have FTP access. However, every time I use ws_ftp to access an FTP server on the Internet (for instance ftp.adobe.com), it only allows read access mode.

So my question is, must this LAN have an FTP server created in order for any client to use the File Transfer Protocol? Does the firewall client allow it to use any TCP-based application, such as FTP, without having to authenticate with the ISA server every time? I'm so confused and need help!
Post #: 1
RE: ftp access require ftp server?? - 7.Oct.2003 11:38:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

check out my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html .

HTH,
Stefaan

(in reply to asuh)
Post #: 2
RE: ftp access require ftp server?? - 8.Oct.2003 6:18:00 AM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
Thanks for replying, Stefaan. I have read your article and it has a lot of great information. However, I can't find an answer to if we must have an FTP server in order to let clients use FTP. I have followed your article with the SecureNAT and the Firewall Clients until you mention something about an alternative port to get out.

How can I get my clients to work with the normal ports 20 and 21 based on the information I have already provided?

(in reply to asuh)
Post #: 3
RE: ftp access require ftp server?? - 8.Oct.2003 10:18:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

no, you don't need an internal FTP server to get outbound FTP access! [Big Grin]

Reading this topic again, I see you have created IP packet filters to give internal users outbound access. That will not work! So, delete those ugly IP packet filters you created for FTP.

ISA's outbound access control is based on protocol and site&content rules. Basically a client is granted/denied access to a service with a protocol rule and to a destination with a site&content rule. So, in your case allow the FTP protocol in a protocol rule and make sure the FTP server you want to connect to is allowed in a site&content rule.

Keep in mind that ISA will handle the FTP protocol transparently. That means that the FTP client must NOT be configured for any firewall settings. Also, remember that the Web Proxy service on ISA only supports FTP download. So, for full FTP access the internal client must be configured as Firewall and/or SecureNAT client and do NOT use FTP through HTTP.

As explained in my article, if something isn't working as expected you should consult the ISA logfiles. They are your primary resource for debugging. Just make sure that you enable the logging of all fields and that log file format is set to ISA format.

HTH,
Stefaan

(in reply to asuh)
Post #: 4
RE: ftp access require ftp server?? - 9.Oct.2003 12:09:00 AM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
I deleted those ftp packet filters. No more ftp packet filters!

I guess my next question would be about the protocol rule for ftp. There are two ftp protocols for outbound traffic on port 21. I added another for ftp inbound traffic on port 21. Is there anything else in this protocol rule that I need to add to make ftp work?

We have added ftp.adobe.com to the site and content rule for ftp. I once again used ws_ftp to try and log onto adobe's ftp. We are still getting read-access only.

I also checked the log file for port 21 and it doesn't even show the computer from which we were trying to use ws_ftp for FTP logon. It shows other computers which supposedly were successful using port 21 to get to an FTP server. I have yet to have full FTP logon rights to any remote server on the Internet! help!

[ October 09, 2003, 12:15 AM: Message edited by: asuh ]

(in reply to asuh)
Post #: 5
RE: ftp access require ftp server?? - 9.Oct.2003 7:51:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

to get full FTP access you need to allow the FTP protocol, not the FTP server or FTP download only protocol.

Which log file did you check? I suppose it was the Firewall log. Right?

Let us first check if it works with the standard Microsoft command line. So, open a command window and try to access ftp.adobe.com with the command FTP. That should work without any problem. If not, check out the Firewall log.

HTH,
Stefaan

(in reply to asuh)
Post #: 6
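The access-control model Stefaan describes in posts #4 and #6 (a protocol rule AND a site&content rule must both allow the request, deny wins, the Web Proxy service can only download, and "FTP Download only" is not enough for write access) is easier to reason about as a small evaluator. The following is an added example, not ISA Server code or anything from the original posts: the protocol definition names mirror the console, but the Request type, the rule classes and the evaluator are this example's own simplification, and the rule sets are constructed to reproduce the situations in the thread.

```python
"""Simplified model of the ISA Server 2000 outbound access check described in
posts #4 and #6: a request is allowed only if a protocol rule AND a
site&content rule allow it, deny rules win over allow rules, and the Web Proxy
service can only do FTP downloads.  Added example, not ISA's rule engine; the
Request type, rule classes and evaluator are this example's own simplification."""
from dataclasses import dataclass

# Protocol definition names as shown in the ISA console.
FULL_FTP = "FTP"                       # port 21 outbound, FTP application filter
FTP_DOWNLOAD_ONLY = "FTP Download only"
FTP_SERVER = "FTP Server"              # inbound definition; no use for outbound access
ALL_IP = "All IP traffic"

@dataclass(frozen=True)
class ProtocolRule:
    name: str
    action: str            # "allow" or "deny"
    protocols: frozenset   # protocol definition names, or {ALL_IP}

@dataclass(frozen=True)
class SiteRule:
    name: str
    action: str
    destinations: frozenset  # host names, or {"*"} for any destination

@dataclass(frozen=True)
class Request:
    client: str        # "firewall", "securenat" or "webproxy"
    destination: str
    upload: bool       # True for STOR/PUT, False for RETR/LIST

def protocols_satisfying(req):
    """Protocol definitions whose allow would cover this request."""
    if req.upload:
        return frozenset({FULL_FTP})                   # writing needs full FTP
    return frozenset({FULL_FTP, FTP_DOWNLOAD_ONLY})    # reading: either one

def rule_verdict(rules, matches):
    """Deny beats allow; a request matched by no rule is denied."""
    hits = {r.action for r in rules if matches(r)}
    if "deny" in hits:
        return "deny"
    return "allow" if "allow" in hits else "deny"

def evaluate(req, protocol_rules, site_rules):
    """'allow' only when both rule sets allow the request."""
    if req.client == "webproxy" and req.upload:
        return "deny"          # Web Proxy service only supports FTP download (post #4)
    needed = protocols_satisfying(req)
    proto = rule_verdict(
        protocol_rules,
        lambda r: ALL_IP in r.protocols or bool(needed & r.protocols))
    site = rule_verdict(
        site_rules,
        lambda r: "*" in r.destinations or req.destination in r.destinations)
    return "allow" if (proto, site) == ("allow", "allow") else "deny"

# Constructed rule sets that reproduce the situations in the thread.
DOWNLOAD_ONLY_RULES = [ProtocolRule("ftp out", "allow", frozenset({FTP_DOWNLOAD_ONLY}))]
FULL_FTP_RULES = [ProtocolRule("ftp out", "allow", frozenset({FULL_FTP}))]
OPEN_PROTOCOL_RULES = [ProtocolRule("open", "allow", frozenset({ALL_IP}))]
ADOBE_ONLY_SITES = [SiteRule("adobe", "allow", frozenset({"ftp.adobe.com"}))]
OPEN_SITES = [SiteRule("any", "allow", frozenset({"*"}))]

if __name__ == "__main__":
    up = Request("securenat", "ftp.adobe.com", upload=True)
    down = Request("securenat", "ftp.adobe.com", upload=False)
    print("download-only rule, upload:  ", evaluate(up, DOWNLOAD_ONLY_RULES, ADOBE_ONLY_SITES))
    print("download-only rule, download:", evaluate(down, DOWNLOAD_ONLY_RULES, ADOBE_ONLY_SITES))
    print("full FTP rule, upload:       ", evaluate(up, FULL_FTP_RULES, ADOBE_ONLY_SITES))
```

Run as a script it prints the three cases from the thread: with only "FTP Download only" allowed the upload is denied while the download is allowed ("read access only" as seen in ws_ftp), and switching the protocol rule to the full "FTP" definition allows the upload, provided the site&content rule also allows ftp.adobe.com.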
RE: ftp access require ftp server?? - 9.Oct.2003 9:04:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
I checked with all three logs to see if I could find anything. I did not find anything helpful.

With the ISA server, I can easily log onto ftp.adobe.com with command prompt and command ftp. With SecureNAT clients, I cannot.

In the firewall log, it shows the secureNAT client I was using to ftp, but it does not list a port number or action referring to ftp.

And in the protocol rules, ftp is allowed. I have unchecked ftp download and don't have ftp server checked. When I go to ftp properties in the protocol rules, I click on the 3rd tab protocol. Where it says "This rule applies to:" I have "Selected Protocols" which includes ftp instead of "all IP traffic". However, I have another protocol rule which allows all.

(in reply to asuh)
Post #: 7
RE: ftp access require ftp server?? - 9.Oct.2003 9:32:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

as said in another topic, you should first check out your basic ISA server configuration. It makes no sense at all to hop from one problem to another before the above is fully tested out.

You said "With the ISA server, I can easily logon to ftp.adobe.com with command prompt and command ftp. With SecureNAT clients, I cannot". Unless I understood you incorrectly, if you can FTP from ISA itself that means to me you have created IP packet filters for FTP or have disabled IP packet filters completely. [Confused]

So, I'm a little bit confused about your *exact* configuration. Please post the result of the commands 'ipconfig /all' and 'route print' on ISA server.

HTH,
Stefaan

(in reply to asuh)
Post #: 8
RE: ftp access require ftp server?? - 9.Oct.2003 10:10:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
this is a copy of my route print.

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 48 54 61 1a 7b ...... NDIS 5.0 driver
0x3000003 ...00 e0 29 68 86 7d ...... NDIS 5.0 driver
===========================================================================
===========================================================================
Active Routes:
Network Destination    Netmask          Gateway          Interface        Metric
0.0.0.0                0.0.0.0          192.168.100.1    192.168.100.225  1
127.0.0.0              255.0.0.0        127.0.0.1        127.0.0.1        1
192.168.3.1            255.255.255.255  0.0.0.0          ffffffff         1
192.168.3.2            255.255.255.254  0.0.0.0          ffffffff         1
192.168.3.4            255.255.255.252  0.0.0.0          ffffffff         1
192.168.3.8            255.255.255.248  0.0.0.0          ffffffff         1
192.168.3.16           255.255.255.240  0.0.0.0          ffffffff         1
192.168.3.32           255.255.255.224  0.0.0.0          ffffffff         1
192.168.3.64           255.255.255.192  0.0.0.0          ffffffff         1
192.168.3.128          255.255.255.192  0.0.0.0          ffffffff         1
192.168.3.192          255.255.255.224  0.0.0.0          ffffffff         1
192.168.3.224          255.255.255.240  0.0.0.0          ffffffff         1
192.168.3.240          255.255.255.248  0.0.0.0          ffffffff         1
192.168.3.248          255.255.255.252  0.0.0.0          ffffffff         1
192.168.3.252          255.255.255.254  0.0.0.0          ffffffff         1
192.168.3.254          255.255.255.255  0.0.0.0          ffffffff         1
192.168.100.0          255.255.255.0    192.168.100.9    192.168.100.9    1
192.168.100.0          255.255.255.0    192.168.100.225  192.168.100.225  1
192.168.100.9          255.255.255.255  127.0.0.1        127.0.0.1        1
192.168.100.70         255.255.255.254  0.0.0.0          ffffffff         1
192.168.100.72         255.255.255.248  0.0.0.0          ffffffff         1
192.168.100.225        255.255.255.255  127.0.0.1        127.0.0.1        1
192.168.100.255        255.255.255.255  192.168.100.9    192.168.100.9    1
192.168.100.255        255.255.255.255  192.168.100.225  192.168.100.225  1
224.0.0.0              224.0.0.0        192.168.100.9    192.168.100.9    1
224.0.0.0              224.0.0.0        192.168.100.225  192.168.100.225  1
255.255.255.255        255.255.255.255  192.168.100.9    192.168.100.9    1
Default Gateway: 192.168.100.1
===========================================================================
Persistent Routes:
None

*and here is the ipconfig /all*

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : dsl1
        Primary DNS Suffix  . . . . . . . : carole.kim
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : carole.kim

Ethernet adapter South:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139(A) PCI Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-48-54-61-1A-7B
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.100.9
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.100.10
                                            192.168.100.100

Ethernet adapter North:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : SMC EZ Card 10/100 (SMC1211TX)
        Physical Address. . . . . . . . . : 00-E0-29-68-86-7D
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.100.225
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.100.1
        DNS Servers . . . . . . . . . . . : 151.164.1.8
                                            151.164.1.7
                                            151.164.11.201
        NetBIOS over Tcpip. . . . . . . . : Disabled

(in reply to asuh)
Post #: 9
RE: ftp access require ftp server?? - 9.Oct.2003 10:34:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

BINGO... your internal and external interface MUST be on different network IDs (or subnets)! [Eek!]

Some more remarks:
- why are you using private IPs for your external interface?
- why have you configured DNS servers on your external interface if you have an internal DNS server?
- how is the adapter order set?

Check out again http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html ! [Wink]

HTH,
Stefaan

(in reply to asuh)
Post #: 10
RE: ftp access require ftp server?? - 9.Oct.2003 10:58:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
*Well, I have been caught*

Truthfully, we weren't thinking about it. What we're doing, as you might have seen in my other post, is trying to reinforce our network with more firewalls. So we have a router in front of the ISA server and behind the DSL modem. There are other reasons it sits there as well but that's the gist.

So, to answer your questions:

1. Private IPs are there because of the fact that we have a router in front of the ISA server. Again, it's there for many reasons including firewall protection.

2. The DNS servers on the external interface are there to get onto the Internet. Otherwise, we couldn't find the Internet through the router. This will probably change when we change the subnet.

3. The adapter order is set correctly.

Because we have already had prior problems, I RE-read the article on setting up the ISA interface settings. Not once did I ever read about it being different subnets, but I did see how they were completely different IP ranges. It never dawned on me that the similar IP subnets RIGHT next to each other would cause such a problem. That article has all the answers, however I was blind to the problem. So, in summary, I need to change the subnet between the router and the external NIC on the ISA server.

I will update our progress as we won't get to this until the weekend because of so many users on the network. Thanks SOOOO much for your help!

(in reply to asuh)
Post #: 11
RE: ftp access require ftp server?? - 9.Oct.2003 11:19:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

some more comments...

1) If you *have* to use private IPs for the ISA external interface, watch out for the LAT configuration. The LAT should *only* contain your internal IP range. Nothing more, nothing less!

2) The internal and external interface of ISA should not only be on different network IDs or subnets but also on different physical segments. In other words, security is all about isolating different zones from each other, also physically. Therefore, I'm not an advocate of using VLANs for that purpose. VLANs are a handy feature but not a security solution.

Good luck!
Stefaan

(in reply to asuh)
Post #: 12
RE: ftp access require ftp server?? - 10.Oct.2003 7:11:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
I have double checked our LAT config and it's setup correctly.

As for VLAN, well, no comment. But we are still having the same trouble.

Here is the new route print:

Active Routes:
Network Destination    Netmask          Gateway          Interface        Metric
0.0.0.0                0.0.0.0          192.168.101.1    192.168.101.225  1
127.0.0.0              255.0.0.0        127.0.0.1        127.0.0.1        1
192.168.3.1            255.255.255.255  0.0.0.0          ffffffff         1
192.168.3.2            255.255.255.254  0.0.0.0          ffffffff         1
192.168.3.4            255.255.255.252  0.0.0.0          ffffffff         1
192.168.3.8            255.255.255.248  0.0.0.0          ffffffff         1
192.168.3.16           255.255.255.240  0.0.0.0          ffffffff         1
192.168.3.32           255.255.255.224  0.0.0.0          ffffffff         1
192.168.3.64           255.255.255.192  0.0.0.0          ffffffff         1
192.168.3.128          255.255.255.192  0.0.0.0          ffffffff         1
192.168.3.192          255.255.255.224  0.0.0.0          ffffffff         1
192.168.3.224          255.255.255.240  0.0.0.0          ffffffff         1
192.168.3.240          255.255.255.248  0.0.0.0          ffffffff         1
192.168.3.248          255.255.255.252  0.0.0.0          ffffffff         1
192.168.3.252          255.255.255.254  0.0.0.0          ffffffff         1
192.168.3.254          255.255.255.255  0.0.0.0          ffffffff         1
192.168.100.0          255.255.255.0    192.168.100.9    192.168.100.9    1
192.168.100.9          255.255.255.255  127.0.0.1        127.0.0.1        1
192.168.100.70         255.255.255.254  0.0.0.0          ffffffff         1
192.168.100.72         255.255.255.248  0.0.0.0          ffffffff         1
192.168.100.255        255.255.255.255  192.168.100.9    192.168.100.9    1
192.168.101.0          255.255.255.0    192.168.101.225  192.168.101.225  1
192.168.101.225        255.255.255.255  127.0.0.1        127.0.0.1        1
192.168.101.255        255.255.255.255  192.168.101.225  192.168.101.225  1
224.0.0.0              224.0.0.0        192.168.100.9    192.168.100.9    1
224.0.0.0              224.0.0.0        192.168.101.225  192.168.101.225  1
255.255.255.255        255.255.255.255  192.168.100.9    192.168.100.9    1
Default Gateway: 192.168.101.1

(in reply to asuh)
Post #: 13
RE: ftp access require ftp server?? - 10.Oct.2003 11:04:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

where is the result of the 'ipconfig /all' command? Also, don't forget to post the LAT too.

HTH,
Stefaan

(in reply to asuh)
Post #: 14
RE: ftp access require ftp server?? - 10.Oct.2003 11:22:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : dsl1
        Primary DNS Suffix  . . . . . . . : carole.kim
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : carole.kim

Ethernet adapter South:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139(A) PCI Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-48-54-61-1A-7B
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.100.9
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.100.10
                                            192.168.100.100

Ethernet adapter North:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : SMC EZ Card 10/100 (SMC1211TX)
        Physical Address. . . . . . . . . : 00-E0-29-68-86-7D
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.101.225
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.101.1
        DNS Servers . . . . . . . . . . . : 151.164.1.8
                                            151.164.1.7
                                            151.164.11.201
        NetBIOS over Tcpip. . . . . . . . : Disabled

LAT: 192.168.100.2 - 192.168.100.224

(in reply to asuh)
Post #: 15
RE: ftp access require ftp server?? - 10.Oct.2003 11:29:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
If you decide to comment on how the External and Internal should be different IPs and subnets (which I think they are), please educate me why having 192.168.100.X right next to 192.168.101.X is a problem. Thanks and sorry for not knowing more.

(in reply to asuh)
Post #: 16
RE: ftp access require ftp server?? - 11.Oct.2003 12:09:00 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

OK, the ISA internal interface has as network ID '192.168.100.0/24' and the external interface has as network ID '192.168.101.0/24'. So they are different. That's good!

Because the ISA internal interface has as network ID '192.168.100.0/24', the LAT should contain '192.168.100.0 - 192.168.100.255'.

Now, take a look at the new routing table. There are a lot of entries 192.168.3.X which shouldn't be there. Also, the entries '192.168.100.70 255.255.255.254 0.0.0.0 ffffffff 1' and '192.168.100.72 255.255.255.248 0.0.0.0 ffffffff 1' sound rather strange to me.

So, is there something else installed on the box?

HTH,
Stefaan

(in reply to asuh)
Post #: 17
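The three checks Stefaan walks through in posts #10, #12 and #17 (internal and external interfaces on different network IDs, a LAT that covers exactly the internal network ID, and routing-table entries that none of ISA's own adapters can account for) can be scripted from the 'ipconfig /all' and 'route print' output. The following is an added example, not part of the original posts and not an ISA Server tool: the adapter data and the route excerpt are constructed from the output posted in this thread, and the function names are this example's own. Note that "interface ffffffff with gateway 0.0.0.0" is simply what the posted table shows; the script flags any route whose interface is not a configured adapter or loopback and leaves the explanation to the admin.

```python
"""Dual-homed firewall sanity checks from posts #10, #12 and #17 of this
thread.  Added example, not ISA Server code.  Adapter tuples and the route
excerpt are constructed from the 'ipconfig /all' and 'route print' output
posted in the thread; the helper names are this example's own."""
import ipaddress

# (name, address, mask, is_internal) per adapter, as in the ipconfig output.
ORIGINAL_ADAPTERS = [
    ("South", "192.168.100.9", "255.255.255.0", True),     # internal
    ("North", "192.168.100.225", "255.255.255.0", False),  # external, post #9
]
FIXED_ADAPTERS = [
    ("South", "192.168.100.9", "255.255.255.0", True),
    ("North", "192.168.101.225", "255.255.255.0", False),  # external, post #15
]

# Constructed excerpt of the second 'route print' (post #13), one route per line:
# destination, netmask, gateway, interface, metric.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.101.1 192.168.101.225 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.3.1 255.255.255.255 0.0.0.0 ffffffff 1
192.168.3.2 255.255.255.254 0.0.0.0 ffffffff 1
192.168.100.0 255.255.255.0 192.168.100.9 192.168.100.9 1
192.168.100.9 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.100.70 255.255.255.254 0.0.0.0 ffffffff 1
192.168.100.72 255.255.255.248 0.0.0.0 ffffffff 1
192.168.100.255 255.255.255.255 192.168.100.9 192.168.100.9 1
192.168.101.0 255.255.255.0 192.168.101.225 192.168.101.225 1
192.168.101.225 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.101.255 255.255.255.255 192.168.101.225 192.168.101.225 1
224.0.0.0 224.0.0.0 192.168.100.9 192.168.100.9 1
224.0.0.0 224.0.0.0 192.168.101.225 192.168.101.225 1
255.255.255.255 255.255.255.255 192.168.100.9 192.168.100.9 1
"""

def network_ids(adapters):
    """Map adapter name -> the network ID (e.g. 192.168.100.0/24) it sits on."""
    return {name: ipaddress.ip_interface(f"{addr}/{mask}").network
            for name, addr, mask, _ in adapters}

def interfaces_overlap(adapters):
    """True if any two adapters share or overlap a network ID; ISA needs the
    internal and external interfaces on different network IDs (post #10)."""
    nets = list(network_ids(adapters).values())
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def lat_from_internal(adapters):
    """LAT range (first, last) derived from the internal adapter's network ID:
    the whole internal range, nothing more, nothing less (posts #12 and #17)."""
    for name, addr, mask, internal in adapters:
        if internal:
            net = ipaddress.ip_interface(f"{addr}/{mask}").network
            return (str(net[0]), str(net[-1]))
    raise ValueError("no internal adapter configured")

def lat_matches(adapters, lat_first, lat_last):
    """Compare a configured LAT entry with the derived one."""
    return (lat_first, lat_last) == lat_from_internal(adapters)

def suspicious_routes(route_print, adapters):
    """Routes whose interface is neither a configured adapter nor loopback:
    the entries the box's own adapters cannot account for (post #17)."""
    known = {addr for _, addr, _, _ in adapters} | {"127.0.0.1"}
    flagged = []
    for line in route_print.splitlines():
        dest, mask, gateway, iface, _metric = line.split()
        if iface not in known:
            flagged.append((dest, mask, gateway, iface))
    return flagged

if __name__ == "__main__":
    print("original config overlaps:", interfaces_overlap(ORIGINAL_ADAPTERS))
    print("fixed config overlaps:   ", interfaces_overlap(FIXED_ADAPTERS))
    print("LAT should be:           ", lat_from_internal(FIXED_ADAPTERS))
    print("posted LAT correct:      ",
          lat_matches(FIXED_ADAPTERS, "192.168.100.2", "192.168.100.224"))
    for route in suspicious_routes(ROUTE_PRINT, FIXED_ADAPTERS):
        print("check this route:        ", *route)
```

Run as a script it reports the overlap in the post #9 configuration, confirms the post #15 configuration is clean, derives the LAT as 192.168.100.0 - 192.168.100.255 (so the posted 192.168.100.2 - 192.168.100.224 is wrong), and lists the 192.168.3.x and 192.168.100.70/72 routes for follow-up.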
RE: ftp access require ftp server?? - 11.Oct.2003 12:26:00 AM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
I have changed the LAT so that it is now 100.0-100.255.

To tell you the truth about the routing table, we have no idea what the 192.168.3.X and 192.168.100.72 or 192.168.100.70 refer to. Here's what we just did.

We disabled the South. Ran route print again. *3*, *72*, and *70* showed up. So we thought maybe it was from the North side.

We disabled the North. Once again, all those foreign IPs were still in the route table.

My guess with the 192.168.3.X's is that they are attached to the VPN setup in the router that's in front of the ISA. But I don't know how they are getting into the route table.

As for the 192.168.100.70 and 72, we have no idea where that is coming from. It's like it's appearing out of nowhere.

The network setup from the Internet to the client goes like this

Internet--DSLmodem--4portSwitch--Router--Switch--ISAserver--switch--clients

That's it. Hope we can solve this SOON.

And thanks for your QUICK replies!

[ October 11, 2003, 12:30 AM: Message edited by: asuh ]

(in reply to asuh)
Post #: 18
RE: ftp access require ftp server?? - 11.Oct.2003 11:04:00 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

without sitting in front of the ISA server, it's rather hard to tell what might cause these strange route entries and whether they are part of the problem.

You said that the router is used for the VPN. Is this a gateway-to-gateway VPN setup to a remote location or for remote users VPNing in? Can you elaborate on this setup?

Let's now assume for a moment that the strange route entries and the VPN setup have nothing to do with the actual problem. Create an open protocol rule (any request, all IP traffic) and an open site&content rule (any request, any destination, any content). What is working then and what is not working?

HTH,
Stefaan

(in reply to asuh)
Post #: 19
RE: ftp access require ftp server?? - 11.Oct.2003 10:07:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline


I hope this better explains what we're doing. The reason the Linksys router is in front of the North is for security and scalability reasons. And I left out all the switches as they don't make an impact on the signal flow.

The allow all rules as defined in here are still created and applied in the LAN. Basically, everything should be opened except for those sites and protocols which have been manually denied access, which aren't many.

Initially, the VPN will be used to let remote users login and use the LAN but we might eventually utilize gateway to gateway VPN. It'll be a BEFVP41 to BEFVP41 VPN. Then we'll have to figure out how to setup the ISA server to use the BEFVP41 for the VPN into the network.

What works at the moment is the Internet. We are able to go to websites and see all the information. What we cannot do is ftp, use terminal services, use PC-Anywhere, etc. All the rules to use these services were created via the guides on isaserver.org, but nothing has been successful yet inside the LAN. To make sure that it wasn't the router causing problems, we plugged a PC directly into one of the BEFVP41 ports and successfully ftp'ed out and used PC-Anywhere.

We are able to remotely use Terminal Services to get into one of the servers but cannot make a connection to the remote site from the LAN. I hope this helps! If we don't figure this out soon, we might have to reload ISA from scratch and set everything back up, which I hope it doesn't come down to.

(in reply to asuh)
Post #: 20

Page: [1] 2   next >