• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

ftp client issue

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> ftp client issue Page: [1]
Login
Message << Older Topic   Newer Topic >>
ftp client issue - 14.May2004 11:27:00 PM   
Justintkw

 

Posts: 6
Joined: 14.May2004
Status: offline
Hi List:

When I try to ftp to an external site using Windows Explorer on a computer behind the ISA firewall, I cannot establish a connection. I get the error: "HTTP 502 Proxy Error - The login request was denied"

However, if I try to do the same on the ISA firewall machine itself (which is the SBS2000 server machine - and it IS set to use proxy sever in the internet connection tab), I can connect without a problem (the site will show up with a user ID and password box which, upon my entering the correct information, will let me access files).

Why is that the case? What do I need to do with the Firewall configuration so that I can access external ftp sites from computers behind the firewall?

Thanks for your help!
Post #: 1
RE: ftp client issue - 15.May2004 9:56:00 AM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Hi Justintkw,

You have to create a protocol rule allowing ftp access to your internal hosts.

If you are using user level authentication, you also need to configure your http redirector to send requests directly to the requested server instead of forwarding 'em to the webproxy. I hope this helps.

(in reply to Justintkw)
Post #: 2
RE: ftp client issue - 15.May2004 5:16:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Justintkw,

check out my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html .

HTH,
Stefaan

(in reply to Justintkw)
Post #: 3
RE: ftp client issue - 16.May2004 9:23:00 AM   
Justintkw

 

Posts: 6
Joined: 14.May2004
Status: offline
Hi Stefaan and RedBull:

Thanks for your help. I read the article and I have all the protocol rules set up, but in the mean time, I've discovered something else:

My ISA server is connected to other computers in two ways: (1) traditional Cat5 cables with a hub, and (2) a wireless sharepoint.

As it turns out, all the computers that are connected to the ISA server via Cat5 cable CAN ftp with no problems (so I know that the protocol rules are set up correctly). However, all the computers that connects to the ISA server via wireless sharepoint receive the HTTP 502 Proxy error while trying to ftp out!

Now this is very strange, and I have no idea where to even begin to resolve this problem. Can you please point me to the right direction?

Thanks!

(in reply to Justintkw)
Post #: 4
RE: ftp client issue - 16.May2004 2:35:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Justintkw,

I strongly suggest you debug your FTP issues first with the standard Microsoft commandline FTP client instead of IE. Once that is working you can experiment with IE. [Wink]

The reason for it is that in my opinion IE is not designed as a full blown FTP client. Moreover, there are so many settings determining how IE behaves as an FTP client that it is sometimes hard to determine where the problem lies.

HTH,
Stefaan

(in reply to Justintkw)
Post #: 5
RE: ftp client issue - 16.May2004 5:13:00 PM   
Justintkw

 

Posts: 6
Joined: 14.May2004
Status: offline
Hi Stefaan:

The commandline ftp client actually worked! So does that mean that the problem is with IE and not with ISA firewall settings? I've tried also using other Widows-based product such as ws-ftp and that, too, does NOT work. So it's really more like an issue with windows vs. dos?

Thanks for your help, pal!

(in reply to Justintkw)
Post #: 6
RE: ftp client issue - 16.May2004 7:22:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Justintkw,

NO! If it works with the commandline ftp client it should equally works well for any real FTP client such as WS-FTP and SmartFTP. Just remember you should *not* configure those FTP clients for any firewall type.

For IE, I suggest you read again my article, particular section '4.4. Web Proxy client'.

HTH,
Stefaan

(in reply to Justintkw)
Post #: 7
RE: ftp client issue - 16.May2004 7:34:00 PM   
mohsindabomb

 

Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
Hi Justintkw,

Good to know we're getting somewhere. Stefaan's advice worked well for you.

HTTP 502 is an authentication erorr. Seeing this error message means that accessing the requested resource violates a security permission/policy. Why an authentication policy would stop only the wireless clients is weird... but interesting.

At your network, you can happily access ftp servers from the wired nodes and can't only from the wireless nodes. This clearly means something is happening where the data is being bridged to the wired network. Logically it shouldnt but... we all know computer technologies.. nothing to say! What stumps me is why it doesn't hurt the MS ftp client and prevents all others like Ws-ftp or so to connect to ftp servers. W.E.I.R.D!

Are you using user level authentication? I suggest you try and disable user level authentication and give open access to any request or a set of IPs for testing purposes. See if that solves the problem. I'll tell you later what i'm thinking. Just try it for a while and see if that solves the problem.

I searched on the net and found some related information about this issue. You might want to check this forum thread at Gaia technologies' site.

http://broadband.gaia-tech.com/modules.php?name=Forums&file=viewtopic&p=537

In the first post, the writer is clearly saying that he doesn't have any problem if he uses the regular modem connection instead of the wireless connection by GAIA. This confirms my hunch that it is an issue with the wireless thingie especially in the wireless to wired bridging.

You can try plugging a wi-fi card into the ISA box so that the wireless nodes can talk to it directly without involving wireless-to-wired bridging. That may solve the problem and that may not. But at least you'll get a better picture of what's really happening on your network. And that might help.

And you can also try changing the authentication policy as I described earlier. I hope it helps. Keep us posted on your situation. We are interested in the problem.. err.. the solution to the problem [Big Grin] .. and will be happy to find a solution together. Good luck. [Smile]

(in reply to Justintkw)
Post #: 8
RE: ftp client issue - 16.May2004 8:15:00 PM   
Justintkw

 

Posts: 6
Joined: 14.May2004
Status: offline
Thanks again, Stefaan and Redbull!

Stefaan is correct - I had the ws-ftp set to use proxy that that's what caused the problem. I removed that, and ws-ftp works as well. So now, it seems that IE ftp is the only culprit. . . and only under a wireless connection!

I'll read the articles posted by Redbull and try the method suggested.

Thanks again for the help!

(in reply to Justintkw)
Post #: 9
RE: ftp client issue - 16.May2004 9:16:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Justintkw,

now that any real FTP client is working, it is time to take a closer look at the IE settings. As stated in my article, you will find two important settings that influence how IE handles the FTP protocol:
- Enable folder view for FTP sites.
- Use Passive FTP (for firewall and DSL modem compatibility).

If you want to use IE as an FTP client, then you should make sure that the setting 'Enable folder view for FTP sites' is checked. Only then the FTP request is sent by IE to the Firewall service on ISA. In other words as a real FTP session. Which FTP mode active or passive IE will use is determined by the setting Use Passive FTP (for firewall and DSL modem compatibility).

HTH,
Stefaan

(in reply to Justintkw)
Post #: 10
RE: ftp client issue - 17.May2004 5:52:00 AM   
Justintkw

 

Posts: 6
Joined: 14.May2004
Status: offline
Alright, Stefaan! You're the man! I made those adjustments in IE and now it's working like a charm. Thanks so much!

Justin

(in reply to Justintkw)
Post #: 11
RE: ftp client issue - 17.May2004 9:04:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Justintkw,

glad to hear you got it working and thanks for the follow up! [Smile]

Stefaan

(in reply to Justintkw)
Post #: 12

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> ftp client issue Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts