
Welcome to ISAserver.org


SecureNAT can't connect to FTP site

SecureNAT can't connect to FTP site - 24.Mar.2006 5:59:00 PM   
kritt

 

Posts: 29
Joined: 19.Apr.2001
Status: offline
My network configuration is Edge Firewall.
I have created access rules to allow FW clients and SecureNAT clients to access the Internet, as follows:
1. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Internal -- To External -- Condition All Users
2. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Internal -- To External -- Condition All Authenticated Users

All FW clients can browse the Internet, upload files to the FTP site and receive/send mail.
All SecureNAT clients can browse the Internet and receive/send mail, but can't connect to the FTP site.

I have tested both the FW client and the SecureNAT client with CuteFTP.
The SecureNAT client displays these status messages:

STATUS:> Getting listing "/pub"...
STATUS:> Resolving host name ftp.globalscape.com...
STATUS:> Host name ftp.globalscape.com resolved: ip = 64.243.64.21.
STATUS:> Connecting to FTP server ftp.globalscape.com:21 (ip = 64.243.64.21)...
STATUS:> Socket connected. Waiting for welcome message...

ERROR:> Timeout (60000 ms) occurred on receiving server response.

STATUS:> Waiting 30 seconds...


While FW clients display these status messages:

STATUS:> Getting listing "/pub"...
STATUS:> Resolving host name ftp.globalscape.com...
STATUS:> Host name ftp.globalscape.com resolved: ip = 64.243.64.21.
STATUS:> Connecting to FTP server ftp.globalscape.com:21 (ip = 64.243.64.21)...
STATUS:> Socket connected. Waiting for welcome message...

220 GlobalSCAPE Secure FTP Server (v. 3.0)

STATUS:> Connected. Authenticating...

COMMAND:> USER anonymous

331 Password required for anonymous.

COMMAND:> PASS *****

230 Login OK. Proceed.

STATUS:> Login successful.


Please help me configure the SecureNAT client to connect to the FTP site.
Post #: 1
RE: SecureNAT can't connect to FTP site - 24.Mar.2006 7:59:35 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
hi,

check this article to understand it:
http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html

and this thread:
http://forums.isaserver.org/Error_in_FTP%3f/m_2002009690/tm.htm



_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to kritt)
Post #: 2
RE: SecureNAT can't connect to FTP site - 25.Mar.2006 3:47:20 PM   
kritt

 

Posts: 29
Joined: 19.Apr.2001
Status: offline
As explained in the articles:
  • The client opens a primary connection (control connection) to the FTP server.
  • The ISA Server computer notifies the filter about the connection.
  • The filter examines the data that is flowing through the primary connection and determines which secondary connection (data connection) the client is going to use.
  • The filter informs the ISA Server computer to allow that particular secondary connection.
  • The ISA Server computer opens the specific port, as indicated by the application filter.

Because a SecureNAT client doesn't support secondary connections without the help of an application filter, you are not able to access or publish FTP servers on alternate port ...

Hi elmajdal,

Do you know how to configure an application filter to help a SecureNAT client access an external FTP server?

Thanks

(in reply to elmajdal)
Post #: 3
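
The filter behaviour quoted in Post #3 (inspect the control connection, work out which data connection will follow), as an added example that is not part of the thread and not ISA Server's own code. The function names, the `addr_matches_peer` field and the sample addresses are assumptions made for illustration; the control-channel lines are constructed.

```python
import re

# h1,h2,h3,h4,p1,p2 as used by PORT and the 227 reply (RFC 959).
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")  # 229 reply (RFC 2428)

def _hostport(text):
    m = HOSTPORT.search(text)
    if not m:
        return None
    f = [int(x) for x in m.groups()]
    if max(f) > 255:
        return None
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]

def secondary_connection(sender, line, client_ip, server_ip):
    """Data connection announced by one control-channel line, or None."""
    line = line.strip()
    if sender == "client" and line.upper().startswith("PORT "):
        # Active mode: the server will connect back to the client.
        hp, mode, src, peer = _hostport(line[5:]), "active", server_ip, client_ip
    elif sender == "server" and line.startswith("227"):
        # Passive mode: the client will connect to the announced server port.
        hp, mode, src, peer = _hostport(line[3:]), "passive", client_ip, server_ip
    elif sender == "server" and line.startswith("229"):
        m = EPSV.search(line)
        port = int(m.group(1)) if m else 0
        hp = (server_ip, port) if 0 < port < 65536 else None
        mode, src, peer = "passive", client_ip, server_ip
    else:
        return None
    if hp is None:
        return None
    return {"mode": mode, "src": src, "dst": hp[0], "dport": hp[1],
            # False: the announced address is not the control-channel peer,
            # so a filter should refuse to open a port toward it.
            "addr_matches_peer": hp[0] == peer}

# Constructed control-channel lines (documentation addresses, not from the thread).
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
SAMPLE = [
    ("client", "USER anonymous"),
    ("client", "PORT 10,0,0,5,19,137"),
    ("server", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("server", "229 Entering Extended Passive Mode (|||50001|)"),
    ("client", "PORT 192,0,2,99,0,22"),   # address is not the client's own
    ("client", "PORT 10,0,0,5,19"),       # malformed: only five fields
]

def analyse(sample=SAMPLE):
    return [secondary_connection(s, l, CLIENT, SERVER) for s, l in sample]
```

Without something performing this inspection on the firewall, only the control connection on port 21 is covered by the access rule and the data connection has no matching allowance.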
RE: SecureNAT can't connect to FTP site - 25.Mar.2006 4:21:39 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Why not use FWC?  Since Secure-NAT cannot authenticate, it is an oxymoron.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to kritt)
Post #: 4
RE: SecureNAT can't connect to FTP site - 26.Mar.2006 3:38:06 AM   
moTaro

 

Posts: 13
Joined: 25.Mar.2006
Status: offline
kritt explained well.

FTP is pretty complicated to set up. Well, for me it was.

21 is the initial connector for FTP and this port needs to be mapped; after that, FTP communicates on the second connection, which is 20. This is for active mode.

(in reply to LLigetfa)
Post #: 5
RE: SecureNAT can't connect to FTP site - 26.Mar.2006 11:37:01 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,

Out of the box, ISA Server fully supports the FTP protocol for SecureNAT and Firewall clients, including active and passive FTP mode. For Web Proxy clients, that means FTP over HTTP; ISA is CERN Proxy compatible, which means only FTP downloads, with active or passive FTP mode determined by a global configuration setting on the ISA itself.

For more info, check out my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html. Most of the stuff is still valid for ISA 2004.

HTH,
Stefaan

(in reply to moTaro)
Post #: 6
RE: SecureNAT can't connect to FTP site - 26.Mar.2006 4:19:50 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:

1. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Internal -- To External -- Condition All Users
2. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Internal -- To External -- Condition All Authenticated Users

What is the point of rule #2?  Where is the security if rule #1 lets everyone out without authentication?

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to spouseele)
Post #: 7
RE: SecureNAT can't connect to FTP site - 26.Mar.2006 5:19:27 PM   
kritt

 

Posts: 29
Joined: 19.Apr.2001
Status: offline
I'm sorry for the mistake. The actual configuration is:
1. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Authenticated Computer Set -- To External -- Condition All Users
2. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Internal -- To External -- Condition All Authenticated Users

I need the SecureNAT client for non-Windows-based clients such as Mac or Linux servers.
I created an Authenticated Computer Set for Mac or Linux (IP ranges) and allow them to access the Internet in Rule #1.
Rule #2 allows Windows-based clients to access the Internet.
So I would like to solve the FTP problem for SecureNAT clients as described above.
Can anyone help?

(in reply to LLigetfa)
Post #: 8
RE: SecureNAT can't connect to FTP site - 26.Mar.2006 5:22:14 PM   
kritt

 

Posts: 29
Joined: 19.Apr.2001
Status: offline
I'm sorry again for the mistake. The actual configuration is:
1. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Authenticated Computer Set -- To External -- Condition All Users
2. Allow -- Protocol FTP,HTTP,HTTPS,POP3,SMTP -- From Internal -- To External -- Condition All Authenticated Users

I need the SecureNAT client for non-Windows-based clients such as Mac or Linux.
I created an Authenticated Computer Set for Mac or Linux (IP ranges) and allow them to access the Internet in Rule #1.
Rule #2 allows Windows-based clients to access the Internet.
So I would like to solve the FTP problem for SecureNAT clients as described above.
Can anyone help?

(in reply to kritt)
Post #: 9
RE: SecureNAT can't connect to FTP site - 31.Mar.2006 2:44:43 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
 
Try this to solve the issue: you have to use the "Do not use proxy server for addresses beginning with:" setting, configured to bypass the FTP server's IP address or FQDN/domain name.

This can be found in:

Tools > Internet Options > Connections > LAN Settings > Advanced >

HTH

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to kritt)
Post #: 10
RE: SecureNAT can't connect to FTP site - 31.Mar.2006 11:19:45 AM   
kritt

 

Posts: 29
Joined: 19.Apr.2001
Status: offline
Hi elmajdal,

I'm not using IE to connect to the FTP server. I'm using CuteFTP; please see the log detail (blue text) in my first post.
Do you have another solution?

(in reply to elmajdal)
Post #: 11
RE: SecureNAT can't connect to FTP site - 31.Mar.2006 1:09:05 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
I am aware of that, but have you tried it?

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to kritt)
Post #: 12
RE: SecureNAT can't connect to FTP site - 20.Oct.2010 6:07:38 AM   
Lukeh

 

Posts: 1
Joined: 20.Oct.2010
Status: offline
I appreciate that this thread was originally posted over 4 years ago, but did you ever get to the bottom of the issue? We have a very similar problem at present.

Firewall clients can access external FTP without issue.

However, if we try to connect to an external FTP from a SecureNAT client (Windows Server for example) then the connection to FTP connects, but when you try to authenticate (after you enter the username) to the external FTP server the connection drops with a 'Connection closed by remote host.' error.

Example below:-

C:\Documents and Settings\SomeUser>ftp ftp.someftp.net
Connected to ftp.someftp.net.
220-Microsoft FTP Service
220 Welcome to SomeFTP
User (ftp.someftp.net:(none)):
Connection closed by remote host.

If we install the firewall client on the server then it works fine. However, best practice is to only have your workstations (users) set up as 'Firewall Clients' and have servers as SecureNAT.

Any ideas?

Thanks in advance.

Lukeh

(in reply to elmajdal)
Post #: 13
