
FTP Access

FTP Access - 17.Jun.2006 1:50:47 AM   
nickw1969

 

Posts: 28
Joined: 30.Dec.2005
Status: offline
I had my ISA server set up with the internal interface on the LAN and the external interface going into a DMZ on a PIX firewall - the external interface in this config had a 192.168 address and was NATed at the PIX.

The PIX had an allow any IP outbound rule and from the ISA server I could connect to FTP sites.

However, all ISA firewall clients were unable to connect to FTP sites.

After weeks of head scratching I took the external interface out of the PIX DMZ and changed the IP address to one of our external IPs and located it on the outside, and at this point FTP started to work without issue.

I had the Internet access network rule set to NAT in both configs - should I have had it set to route while connected to the PIX DMZ?

Or does anyone know what the problem is? The only thing I changed was the IP and the location of the external interface to directly connect to the outside world - all other ISA configs are the same.

This is how I currently have the ISA server configured, but I'm not happy in not having a hardware firewall as first line of defence.

Thanks
Nick
Post #: 1
RE: FTP Access - 17.Jun.2006 12:12:18 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Nick,

First of all, make sure you are running ISA 2004 SP2 with the KB916106 update. Some FTP issues are resolved in ISA 2004 SP2.

quote:

The PIX had an allow any IP outbound rule and from the ISA server I could connect to FTP sites.

As you probably know, FTP uses a primary (the control connection) and a secondary (the data connection) connection. The Control connection is outbound but the Data connection can be inbound (Active mode FTP) or outbound (Passive mode FTP). Moreover, ISA supports plain FTP as well as tunneled FTP (FTP over HTTP). So, a lot of possible variations.

I suggest you first check out my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html and blog http://blogs.isaserver.org/pouseele/2006/05/15/about-the-ftp-protocol-support-in-isa-server/ to determine and understand fully how you want to use FTP (plain or tunneled, active versus passive, etc.). With that knowledge it should be possible to better diagnose the problem.

HTH,
Stefaan

(in reply to nickw1969)
Post #: 2
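
An added illustration of the control/data connection split described in the reply above (not code from either poster, and not part of ISA Server or PIX): a small Python parser for the RFC 959 `PORT` command and `227` passive-mode reply that reports which side opens the data connection and whether the address advertised on the control channel is an RFC 1918 private address. The function names and the sample control-channel lines are constructed for this example.

```python
import ipaddress
import re

# RFC 959 host-port sequence: h1,h2,h3,h4,p1,p2 (six decimal bytes).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(text):
    """Return (IPv4Address, port) from a host-port sequence, or None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # not a valid byte, reject the whole sequence
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def classify(line):
    """Describe the data connection a control-channel line sets up, or None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode, opener = "active", "server"    # data connection is inbound to the client
    elif line.startswith("227 "):
        mode, opener = "passive", "client"   # data connection is outbound from the client
    else:
        return None
    hp = parse_hostport(line)
    if hp is None:
        return None
    ip, port = hp
    return {"mode": mode, "data_opened_by": opener, "ip": str(ip),
            "port": port, "private": any(ip in net for net in RFC1918)}


# Constructed control-channel lines (not captured from the poster's network).
SAMPLE = [
    "USER anonymous",
    "PORT 192,168,1,10,19,137",
    "PASV",
    "227 Entering Passive Mode (203,0,113,5,195,80)",
]


def analyse(lines):
    """Keep only the lines that negotiate a data connection."""
    return [r for r in (classify(l) for l in lines) if r is not None]
```
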
