nickw1969 -> FTP Access (17.Jun.2006 1:50:47 AM)

I had my ISA server setup with the internal interface on the lan and the external interface going into a DMZ on a pix firewall - the external interface in this config had a 192.168 address and was natted at the PIX.

The PIX had an allow any IP outbound rule and from the ISA server I could connect to FTP sites.

However, all ISA firewall clients were unable to connect to FTP sites.

After weeks of head scratching I took the external interface out of the PIX DMZ and changed the IP address to one of our external IPs and located it on the outside, and at this point FTP started to work without issue.

I had the Internet access network rule set to NAT in both configs - should I have had it set to route while connected to the PIX DMZ?

Or does anyone know what the problem is? The only thing I changed was the IP and the location of the external interface to directly connect to the outside world - all other ISA configs are the same.

This is how I currently have the ISA server configured, but I'm not happy in not having a hardware firewall as first line of defence.


spouseele -> RE: FTP Access (17.Jun.2006 12:12:18 PM)

Hi Nick,

First of all, make sure you are running ISA 2004 SP2 with the KB916106 update. Some FTP issues are resolved in ISA 2004 SP2.


As you probably know, FTP uses a primary (the control connection) and a secondary (the data connection) connection. The control connection is outbound but the data connection can be inbound (Active mode FTP) or outbound (Passive mode FTP). Moreover, ISA supports plain FTP as well as tunneled FTP (FTP over HTTP). So, a lot of possible variations.

I suggest you first check out my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html and blog http://blogs.isaserver.org/pouseele/2006/05/15/about-the-ftp-protocol-support-in-isa-server/ to determine and understand fully how you want to use FTP (plain or tunneled, active versus passive, etc.). With that knowledge it should be possible to better diagnose the problem.
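An added example, not part of this thread and not ISA or PIX code, illustrating the control/data connection point made above: a small Python parser walks a constructed FTP control-channel exchange, reports whether each data connection is active (server connects in to the client) or passive (client connects out), and flags an RFC 1918 address in the negotiated endpoint, which is exactly the field an application-layer filter on a NAT device has to rewrite for the data connection to succeed.

```python
import ipaddress
import re

# Constructed FTP control-channel exchange (not a real capture).
# "C:" lines are sent by the client, "S:" lines by the server.
SAMPLE_SESSION = """\
C: PORT 192,168,10,5,4,1
S: 200 PORT command successful.
C: LIST
C: PASV
S: 227 Entering Passive Mode (203,0,113,7,195,80)
C: RETR file.txt
"""

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply to PASV
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode_hostport(text):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256+p2), or None if absent/invalid."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_connections(session):
    """Active mode (client PORT): server connects to the client -> inbound for the client.
    Passive mode (server 227): client connects out -> outbound. 'private_addr' flags an
    RFC 1918 address that a NAT device must rewrite inside the control channel."""
    found = []
    for line in session.splitlines():
        side, _, text = line.partition(": ")
        if side == "C" and text.upper().startswith("PORT "):
            mode, direction = "active", "inbound"
        elif side == "S" and text.startswith("227"):
            mode, direction = "passive", "outbound"
        else:
            continue
        endpoint = decode_hostport(text)
        if endpoint is None:
            continue  # malformed or absent host/port field
        host, port = endpoint
        private = any(ipaddress.ip_address(host) in net for net in _RFC1918)
        found.append({"mode": mode, "direction": direction, "host": host,
                      "port": port, "private_addr": private})
    return found
```

Run over the sample, the PORT line yields an inbound active connection to 192.168.10.5:1025 flagged as private, and the 227 reply yields an outbound passive connection to 203.0.113.7:50000.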


