I am having the most frustrating problem trying to connect to an FTP server in a remote subnet. We have a network that has a "main" site, and about ten "remote office" subnets (imagine a "hub and spoke" type layout). These subnets are all accessible directly (no firewalls) via Cisco routers. We also have an ISA 2004 server on the main network that acts as our gateway to the Internet. All of the PCs on the main network have the ISA server set as their default gateway. I have read all of the "network within a network" articles on this site and have got everything working with no problems. I can access resources on both the Internet and the remote subnets without issue (except for the cursed FTP server). The event log on the ISA 2004 server is clean with no configuration errors. When I try to access a resource on one of the remote subnets, the request is first sent to the ISA server, since it is the default gateway, and then the ISA immediately redirects the traffic to the correct router. I have an access policy that allows ALL protocols from ALL addresses on the "Internal" network destined to the "Internal" network for ALL USERS (we don't feel there is a need to firewall internal traffic). I can use RDP on remote servers, as well as access web servers and other services on these remote subnets. However, when I try to log into an FTP server on one of the remote subnets, I get blocked by ISA. The ISA logs show "Denied Connection." The weird thing is I can ping this FTP server no problem, as well as connect to a web server that is running on the same box. If I put a static route on my PC, pointing to the correct router for that subnet, I can log in no sweat. I don't see why I should have to put static routes on all 300 of our PCs, just so we can reach remote subnets without being filtered by the firewall. The access rule I have created should allow the traffic to flow, but it doesn't.
We had an ISA 2000 server before this, also set as the default gateway, and there was no problem getting to any remote subnet servers.
As for the config on the PC, I have tried connecting as SecureNAT, Web Proxy, and Firewall Client, all with the same result - Denied Connection. I have also put the IP address of the FTP server in the "bypass proxy server" field in the IE 6 proxy setup dialog. I have also tried it with the FQDN instead of the IP and the result is always the same - Denied Connection.
I have also tried setting the "Enable folder view for FTP sites" (IE6 Internet Options Advanced tab) both on and off, still with Denied Connection. Ditto for the "Use passive FTP" setting.
Please help me avoid a trip to the funny farm and give me some good advice! What on earth could possibly be causing this "Denied Connection" when the access rule is set to ALL protocols for ALL USERS???
When I try to access a resource on one of the remote subnets, the request is first sent to the ISA server, since it is the default gateway, and then the ISA immediately redirects the traffic to the correct router.
The solution to the problem is that internal traffic should *never* loop through the ISA server internal interface. You can accomplish that in two ways:
Thanks for the quick reply. Your second suggestion is one that I was thinking about doing already. I just don't see why it should be necessary. Practically all of the documentation I have read, including articles on this site and from Microsoft, says you should use the ISA server as your default gateway. If you follow this advice though, and you have routes to other subnets on your Internal network, trouble arises, because ISA 2004 filters on all interfaces, unlike ISA 2000, which "trusted" the internal interface. I don't mind this, as it just means you need to set some more access rules to allow this "Internal to Internal" traffic. I have done all of that, and I can do anything I want on any of our remote subnets, with the exception of this one FTP server. I just don't understand why the firewall would block this traffic, but allow all other types. I can connect to FTP sites on the Internet no problem. I don't really like the idea of adding static routes to hundreds of PCs just so they can bypass the ISA server, but if that is what it takes to solve my problem, I will do it. I have taken a closer look at the logs to see if I can see why it is being blocked, and the error code it records is:
According to MS, this means:
A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
I think maybe this has something to do with how the FTP protocol works.
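An added example, not from this thread, that models in Python why a stateful filter reports the drop reason quoted above when the packets of one flow take different paths: the filter only learns a connection from its SYN, so a SYN-ACK or ACK that reaches it without that SYN is denied, and the client-side static route avoids the drop only because the firewall then sees none of the flow. The addresses and the choice of which packets cross the firewall are constructed; the thread does not establish which FTP packets actually take which path on the poster's network.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str           # "SYN", "SYN-ACK", "ACK", ...
    via_firewall: bool   # constructed: does this packet actually cross the firewall?


class StatefulFilter:
    """Toy stateful filter: a flow is known only once the firewall has seen its
    opening SYN. Any non-SYN packet for an unknown flow is dropped, which is the
    drop reason Microsoft gives for the ISA log entry quoted in the thread."""

    def __init__(self):
        self.known = set()   # (src, sport, dst, dport) of flows whose SYN was seen

    def inspect(self, p):
        if not p.via_firewall:
            return "bypassed"   # took a direct route; the firewall never sees it
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "SYN":
            self.known.add(fwd)
            return "allowed (new connection)"
        if fwd in self.known or rev in self.known:
            return "allowed (established)"
        return "denied: non-SYN packet, no established connection"


CLIENT, FTP = "10.1.0.50", "10.9.0.20"   # constructed addresses for the example


def ftp_control_handshake(syn_via_fw, rest_via_fw):
    """Run a TCP handshake to FTP port 21 through the filter; return one verdict per packet."""
    pkts = [Packet(CLIENT, 40001, FTP, 21, "SYN", syn_via_fw),
            Packet(FTP, 21, CLIENT, 40001, "SYN-ACK", rest_via_fw),
            Packet(CLIENT, 40001, FTP, 21, "ACK", rest_via_fw)]
    fw = StatefulFilter()
    return [fw.inspect(p) for p in pkts]


if __name__ == "__main__":
    print(ftp_control_handshake(True, True))     # symmetric path: every packet allowed
    print(ftp_control_handshake(False, True))    # SYN went elsewhere: later packets denied
    print(ftp_control_handshake(False, False))   # client static route: firewall sees nothing
```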
I strongly suggest you implement my suggestion 1. The good thing is that you implement it once and you will never have such routing problems again. My suggestion 2 is only a solution of last resort and is in my opinion too cumbersome on the client part.