pop3 and firewall client
pop3 and firewall client - 12.Apr.2006 5:55:43 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
I have installed the firewall client to enable FTP access, upload and download, to/from external sites.  What should the access policy look like to allow FTP?  Also my POP3 won't work anymore with the firewall client running.  I have created access rules to allow in and out POP3 but that doesn't seem to help.
Post #: 1
RE: pop3 and firewall client - 19.Apr.2006 3:41:23 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The Firewall client is NOT required for FTP upload and download.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to plna)
Post #: 2
RE: pop3 and firewall client - 19.Apr.2006 11:49:24 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

ORIGINAL: plna
Also my POP3 won't work anymore with the firewall client running.  I have created access rules to allow in and out POP3 but that doesn't seem to help.



Check this: Using Outlook 2003 with the Firewall Client


HTH

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to plna)
Post #: 3
RE: pop3 and firewall client - 19.Apr.2006 3:31:43 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
Thank you.
I guess I am doing something wrong, since the only way we can use FTP with the SecureNAT client is to route the FTP traffic around the ISA server.  I have tried creating access rules for FTP traffic; however, they do not seem to affect the FTP access.

(in reply to elmajdal)
Post #: 4
RE: pop3 and firewall client - 19.Apr.2006 3:55:20 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Let's work on this step by step.

Did you finish with the POP3 issue?

And what's wrong with the FTP? Can you access the site, or are you not able to access it at all?

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to plna)
Post #: 5
RE: pop3 and firewall client - 19.Apr.2006 4:22:27 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
OK.  If I can use FTP without the FWC then POP3 is fine.  So let's address the FTP issue.
When attempting to access FTP sites using a SecureNAT client I receive the following error:


FTP Folder error.
Windows cannot access this folder. Make sure you typed the file name correctly and have permissions to access this folder.

Details:
The operation timed out.

When I route the connection around the ISA server it connects fine.

(in reply to elmajdal)
Post #: 6
RE: pop3 and firewall client - 19.Apr.2006 5:39:17 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:

When I route the connection around the ISA server it connects fine.

Sounds like ISA is not truly a firewall if you can route around it.  How then can you be certain the return packets would traverse the firewall and not go around it?

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to plna)
Post #: 7
RE: pop3 and firewall client - 19.Apr.2006 5:56:52 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
I am sure that when I route ftp traffic around the isa server the inbound is routed around the isa server as well.

I have all the users default route to a 3Com CoreBuilder, and the default route for the CoreBuilder is the ISA server, which then routes out a 3Com NetBuilder on port 2.  Port 1 on the 3Com NetBuilder is accessible as well, and I can route traffic via the PC routing table to that port and thus get FTP traffic around the ISA server.

< Message edited by plna -- 19.Apr.2006 5:59:56 PM >

(in reply to LLigetfa)
Post #: 8
RE: pop3 and firewall client - 19.Apr.2006 6:32:57 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Ahem... but... you missed my point entirely.  I am not talking about deliberately routing around the ISA but rather the inverse, to get ISA S-NAT clients inbound traffic to NOT route around it.  Take a network sniff to see what truly is happening.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to plna)
Post #: 9
RE: pop3 and firewall client - 19.Apr.2006 7:23:11 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
I have done that in the past, and traffic that routes out the ISA server comes back through the ISA server.  It has to because of the packet information.
When we were using ISA 2000 we had no problem with FTP.  Now that we are using ISA 2004 we are.  I am trying to figure that out.

(in reply to plna)
Post #: 10
RE: pop3 and firewall client - 19.Apr.2006 7:58:48 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi again,

Is there a specific website? Can you give us an example?

Or is it an issue with all FTP sites?


_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to plna)
Post #: 11
RE: pop3 and firewall client - 19.Apr.2006 8:11:18 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
It is with all sites.  I have been able to get connected using ftp://username:password@ftpsite.name; however, I have to disable folder view in Internet Options under the Advanced tab.  This is OK for you and I, but the end user may get confused seeing this.  But with this setup I can download files but I cannot upload files.  So I am getting closer but not quite there yet.

(in reply to elmajdal)
Post #: 12
RE: pop3 and firewall client - 19.Apr.2006 8:17:09 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

ORIGINAL: plna
But with this setup I can download files but I cannot upload files.  So I am getting closer but not quite there yet.


Right-click your rule, choose Configure FTP, and then remove the tick inside Read Only. This way you will be able to upload.

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to plna)
Post #: 13
RE: pop3 and firewall client - 19.Apr.2006 8:21:28 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
I have done that.  That is what is so confusing.  I think I have everything in place but still no joy.  I have a rule to allow FTP from internal to external and unchecked the Read Only. Very confusing.

(in reply to elmajdal)
Post #: 14
RE: pop3 and firewall client - 19.Apr.2006 8:30:49 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
You better check spouseele's article:

How the FTP protocol Challenges Firewall Security


Also I am quoting these from him:

quote:


there are two ISA related configuration settings that might enforce the FTP read only mode, that is not having the ability to upload files:

1. on the rule, check the FTP configuration setting 'read only' in the rule properties. By clearing this flag you will be able to upload files.

2. if the FTP client is acting as a Web Proxy client, that means that FTP through HTTP is used instead of plain FTP, then the Web Proxy component is handling the FTP request and by design, a CERN compatible Web Proxy does only support FTP download. So, to overcome that limitation you should make sure that the FTP client is *not* acting as a Web Proxy client.




quote:


Assuming that IE is configured as a Web Proxy client *and* that the Firewall client is installed too:

1. If the IE setting Enable folder view for FTP sites is not checked, then the FTP request is sent by IE as a Web Proxy client request, in other words as FTP over HTTP.

2. If the IE setting Enable folder view for FTP sites is checked, then the FTP request is sent by IE as a Firewall client request.


HTH

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to plna)
Post #: 15
RE: pop3 and firewall client - 19.Apr.2006 8:49:19 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
I have read his article and will read it again shortly.  When attempting to access FTP sites I am using Internet Explorer; is this what you mean by Web Proxy?  When I attempt via command line that doesn't work either, and I am also trying to use FTP Explorer but it doesn't work.

(in reply to elmajdal)
Post #: 16
RE: pop3 and firewall client - 19.Apr.2006 8:52:47 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi plna,

is this related to the topic http://forums.isaserver.org/m_2002014007/mpage_1/key_/tm.htm#2002014163?

Thanks,
Stefaan

(in reply to elmajdal)
Post #: 17
RE: pop3 and firewall client - 19.Apr.2006 9:14:27 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
I have been trying several things.  I was under the impression that you needed the FWC to FTP, so I was attempting that.  When I have the FWC running I can't receive POP3.  However, I have since been made aware that the FWC client is not needed for FTP, so the POP3 issue is gone.  However, I cannot get the FTP inbound and outbound working smoothly.

(in reply to spouseele)
Post #: 18
RE: pop3 and firewall client - 19.Apr.2006 10:12:26 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Because your ISA is not set up as a *real* firewall (can route around it) and your other thread reports FWX_E_TCP_NOT_SYN_PACKET_DROPPED, I suspect that return traffic is circumnavigating the ISA.
quote:

when we were using isa 2000 we had no problem with ftp

My guess is that in 2K4, you have a route rule while 2000 only did NAT.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to plna)
Post #: 19
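
The asymmetric-routing failure suspected in the post above can be reproduced with a small model. This is an added example, not part of the thread and not ISA Server's own code: a simplified stateful TCP check that drops any non-SYN packet whose handshake it did not see, run over constructed packet lists (the addresses, ports and names such as `inspect` are assumptions).

```python
from collections import namedtuple

# Constructed packet record: only the fields a stateful filter needs here.
Pkt = namedtuple("Pkt", "src sport dst dport flags")  # flags: "S", "SA", "A"

def flow_key(p):
    # Same key for both directions of one TCP connection.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def inspect(packets):
    """Simplified stateful TCP check; returns a verdict per packet seen."""
    state = {}  # flow_key -> (stage, initiator endpoint)
    verdicts = []
    for p in packets:
        k = flow_key(p)
        stage, initiator = state.get(k, (None, None))
        if p.flags == "S":
            state[k] = ("SYN_SEEN", (p.src, p.sport))
            verdicts.append("allow")
        elif p.flags == "SA" and stage == "SYN_SEEN" and (p.dst, p.dport) == initiator:
            state[k] = ("SYNACK_SEEN", initiator)
            verdicts.append("allow")
        elif p.flags == "A" and stage in ("SYNACK_SEEN", "ESTABLISHED"):
            state[k] = ("ESTABLISHED", initiator)
            verdicts.append("allow")
        else:
            # Non-SYN packet with no matching handshake in the state table.
            verdicts.append("drop")
    return verdicts

# Constructed sample traffic (documentation addresses, not from the thread).
C, S = ("10.0.0.25", 49152), ("203.0.113.10", 21)
def pkt(a, b, flags):
    return Pkt(a[0], a[1], b[0], b[1], flags)

# Both directions cross the firewall: the handshake completes.
SYMMETRIC = [pkt(C, S, "S"), pkt(S, C, "SA"), pkt(C, S, "A")]
# Server replies take another path: firewall never sees the SYN-ACK.
RETURN_BYPASSES = [pkt(C, S, "S"), pkt(C, S, "A"), pkt(C, S, "A")]
# Client SYN takes another path: firewall first sees the SYN-ACK.
OUTBOUND_BYPASSES = [pkt(S, C, "SA"), pkt(C, S, "A")]

if __name__ == "__main__":
    for name in ("SYMMETRIC", "RETURN_BYPASSES", "OUTBOUND_BYPASSES"):
        print(name, inspect(globals()[name]))
```

In a capture taken on the firewall itself, the same pattern shows up as a SYN with no matching SYN-ACK, or a SYN-ACK with no preceding SYN.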
RE: pop3 and firewall client - 19.Apr.2006 10:54:50 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
The ISA 2000 was set up the same way and it worked.  All we did was a rebuild of the server and installed ISA 2004.  No different rules. Still just doing NATting.  I will keep plugging away at it.

(in reply to LLigetfa)
Post #: 20