Welcome to ISAserver.org

I cannot connect to a FTP server on a remote subnet

I cannot connect to a FTP server on a remote subnet - 10.Sep.2006 8:49:03 AM   
kernel32

 

Posts: 19
Joined: 13.Jan.2002
From: Canada
Status: offline
Hello all:

I am having the most frustrating problem trying to connect to an FTP server in a remote subnet. We have a network that has a "main" site, and about ten "remote office" subnets (imagine a "hub and spoke" type layout). These subnets are all accessible directly (no firewalls) via Cisco routers. We also have an ISA 2004 server on the main network that acts as our gateway to the Internet. All of the PCs on the main network have the ISA server set as their default gateway. I have read all of the "network within a network" articles on this site and have got everything working with no problems. I can access resources on both the Internet and the remote subnets without issue (except for the cursed FTP server). The event log on the ISA 2004 server is clean with no configuration errors. When I try to access a resource on one of the remote subnets, the request is first sent to the ISA server, since it is the default gateway, and then the ISA immediately redirects the traffic to the correct router. I have an access policy that allows ALL protocols from ALL addresses on the "Internal" network destined to the "Internal" network for ALL USERS (we don't feel there is a need to firewall internal traffic). I can use RDP on remote servers, as well as access web servers and other services on these remote subnets. However, when I try to log into an FTP server on one of the remote subnets, I get blocked by ISA. The ISA logs show "Denied Connection." The weird thing is I can ping this FTP server no problem, as well as connect to a web server that is running on the same box. If I put a static route on my PC, pointing to the correct router for that subnet, I can log in no sweat. I don't see why I should have to put static routes on all 300 of our PCs, just so we can reach remote subnets without being filtered by the firewall. The access rule I have created should allow the traffic to flow, but it doesn't.
We had an ISA 2000 server before this, also set as the default gateway, and there was no problem getting to any remote subnet servers.

As for the config on the PC, I have tried connecting as SecureNAT, Web Proxy, and Firewall Client, all with the same result - Denied Connection.
I have also put the IP address of the FTP server in the "bypass proxy server" field in the IE 6 proxy setup dialog. I have also tried it with the FQDN instead of the IP and the result is always the same - Denied Connection

Denied Connection
Denied Connection
Denied Connection
Denied Connection

This is driving me CRAZY!!!!

I have also tried setting the "Enable folder view for FTP sites" (IE6 Internet Options Advanced tab) both on and off, still with Denied Connection. Ditto for the "Use passive FTP" setting.

Please help me avoid a trip to the funny farm and give me some good advice! What on earth could possibly be causing this "Denied Connection" when the access rule is set to ALL protocols for ALL USERS???

Thanks in advance
Post #: 1
RE: I cannot connect to a FTP server on a remote subnet - 10.Sep.2006 10:33:38 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi kernel32,

the cause of the problem is:
quote:

When I try to access a resource on one of the remote subnets, the request is first sent to the ISA server, since it is the default gateway, and then the ISA immediately redirects the traffic to the correct router.


The solution to the problem is that internal traffic should *never* loop through the ISA server internal interface. You can accomplish that in two ways:  

1. use a design as suggested in my article http://www.isaserver.org/articles/How_to_Implement_VPN_OffSubnet_IP_Addresses.html section 'Network Design'. This is my preferred design because it is simple and very stable. Because you already have a central layer-3 device for the remote sites, it should be easy to implement in your case.

2. make all hosts on the main network aware of all the routes to the remote sites. That means that no traffic destined for any remote network should ever touch the ISA server again.

HTH,
Stefaan

(in reply to kernel32)
Post #: 2
RE: I cannot connect to a FTP server on a remote subnet - 11.Sep.2006 1:55:50 AM   
kernel32

 

Posts: 19
Joined: 13.Jan.2002
From: Canada
Status: offline
Hello Stefaan:

Thanks for the quick reply. Your second suggestion is one that I was thinking about doing already. I just don't see why it should be necessary. Practically all of the documentation I have read, including articles on this site and from Microsoft, says you should use the ISA server as your default gateway. If you follow this advice though, and you have routes to other subnets on your Internal network, trouble arises, because with ISA 2004, it filters on all interfaces, unlike ISA 2000, which "trusted" the internal interface. I don't mind this, as it just means you need to set some more access rules to allow this "Internal to Internal" traffic. I have done all of that, and I can do anything I want on any of our remote subnets, with the exception of this one FTP server. I just don't understand why the firewall would block this traffic, but allow all other types. I can connect to FTP sites on the Internet no problem.
I don't really like the idea of adding static routes to hundreds of PCs just so they can bypass the ISA server, but if that is what it takes to solve my problem, I will do it.
I have taken a closer look at the logs to see if I can see why it is being blocked, and the error code it records is:

0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED

According to MS, this means:

A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.


I think maybe this has something to do with how the FTP protocol works.

(in reply to spouseele)
Post #: 3
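The error code quoted above is the classic symptom of a stateful firewall that sees only one direction of a TCP connection: when the client's traffic to a spoke subnet loops through the ISA internal interface but the reply comes back from the router directly, ISA never sees the SYN-ACK and treats the client's next packet as a non-SYN packet with no established connection. The following is an added illustration, not code from this thread or from ISA: a simplified generic connection tracker (assumed model, not ISA's implementation) run over a constructed symmetric and asymmetric packet path.

```python
"""Simplified stateful TCP tracker (generic model, not ISA's own logic)."""
from dataclasses import dataclass

FWX_E_TCP_NOT_SYN_PACKET_DROPPED = 0xC0040017  # error code quoted in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


class StatefulFirewall:
    """A flow becomes ESTABLISHED only after the firewall has seen both
    the client's SYN and the server's matching SYN-ACK."""

    def __init__(self):
        self.flows = {}  # (client, cport, server, sport) -> state

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rkey(p):
        return (p.dst, p.dport, p.src, p.sport)

    def inspect(self, p):
        """Return ("ALLOW", None) or ("DENY", error_code) for one packet."""
        if p.flags == "S":
            self.flows[self._key(p)] = "SYN_SENT"
            return ("ALLOW", None)
        if p.flags == "SA" and self.flows.get(self._rkey(p)) == "SYN_SENT":
            self.flows[self._rkey(p)] = "ESTABLISHED"
            return ("ALLOW", None)
        state = self.flows.get(self._key(p)) or self.flows.get(self._rkey(p))
        if state == "ESTABLISHED":
            return ("ALLOW", None)
        # No established connection for this source: drop the non-SYN packet.
        return ("DENY", FWX_E_TCP_NOT_SYN_PACKET_DROPPED)


def run(packets_seen_by_firewall):
    """Feed the packets that actually traverse the firewall, in order."""
    fw = StatefulFirewall()
    return [fw.inspect(p) for p in packets_seen_by_firewall]


# Constructed sample addresses: a client on the main subnet and an FTP server on a spoke.
CLIENT, SERVER = "192.0.2.10", "198.51.100.21"
SYN = Packet(CLIENT, SERVER, 40000, 21, "S")
SYNACK = Packet(SERVER, CLIENT, 21, 40000, "SA")
ACK = Packet(CLIENT, SERVER, 40000, 21, "A")


def symmetric_path():
    return run([SYN, SYNACK, ACK])  # both directions cross the firewall


def asymmetric_path():
    return run([SYN, ACK])  # the SYN-ACK came back via the router, bypassing the firewall
```

In the asymmetric case the handshake-completing ACK is denied with 0xC0040017, which is why routing the client's traffic directly to the spoke router (either design Stefaan describes) removes the error.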
RE: I cannot connect to a FTP server on a remote subnet - 11.Sep.2006 7:35:32 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi kernel32,

I strongly suggest you implement my suggestion 1. The good thing is that you implement it once and you will never have such routing problems again. My suggestion 2 is only a solution of last resort and is in my opinion too cumbersome on the client part.

Also, check out http://blogs.isaserver.org/pouseele/2006/05/21/a-different-look-at-the-isa-clients/.

HTH,
Stefaan


(in reply to kernel32)
Post #: 4
