Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I've done FTP access rules in the past, but the last few sites I tried to add to existing rules are just not working for me. I read through Stefaan's article on how the FTP protocol affects my sanity but to no avail.
A quick background:
Server is ISA Std. 2004, Version: 4.0.2165.610
Clients have FWC installed
IE has Enable Folder view and Use Passive FTP checked
Testing with both CL FTP and IE
Some CL FTP commands not working for me:
FTP opfa.ca
FTP demo.technolinux.com
If I allow a user all outbound traffic to external, it works
If I allow all users FTP to External, it works
If I allow all users FTP to a domain name set, it fails
If I allow a user FTP to External, it fails
If I allow a user all outbound traffic to a domain name set, it fails
I've been away from ISA for too long and had a few too many birthdays. Please help!!!
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
Hmm... I no longer have an ISA 2004 in my lab, but off the top of my head isn't that ISA 2004 SP2 with KB916106? If so, you should be in good shape!
As you probably know I hate IE as an FTP client. So, let's stay with the Microsoft command-line FTP client or the free FTP command-line client MoveIt Freely from Standard Networks (supports passive and Secure FTP too).
quote:
If I allow all users FTP to a domain name set it fails.
For non-Web Proxy requests the clients send their requests by IP address. Therefore, are you sure that ISA server can reverse lookup those IP addresses and match them to the domain name set?
What does the ISA logging show for all those cases? Also, did you test with a simplified firewall policy and/or by placing the test rules at the top?
Hi Stefaan, Yes, 2004 SP2 with KB916106. I only mentioned IE and settings, but 99% of my testing was with the command-line FTP. I created a test rule at the top but am getting denied by the last rule. I'm not sure what you mean by a reverse lookup. If I ping -a 206.162.164.141, for demo.technolinux.com, I get mtl.demo.qc.ca instead. I have not tried creating a rule using the IP instead of a domain set. I know custom protocols don't support domain sets, and I have had to call site admins to get all the IPs that can possibly respond to a FQDN. Please don't tell me FTP through ISA is that lame? I can run some more tests on Monday when I am back in the office.
Thanks
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
In my article Understanding the ISA 2004 Access Rule Processing I discuss Domain Name Sets and the reverse DNS lookup issue. It's a very common problem, partly because people are too lazy to properly populate their DNS reverse zones. Even Microsoft makes the same mistakes (cfr the Microsoft and Windows Update issue).
Now, for the two FQDN's you listed, these are the results:
For the first FQDN the reverse DNS lookup gives a different FQDN. For the second FQDN, no reverse DNS record (PTR record) exists. How do you think ISA will react to that? Right, if no match can be found with a reverse DNS lookup the request will be denied.
In your first post you also wrote:
quote:
I've done FTP access rules in the past, but the last few sites I tried to add to existing rules are just not working for me.
So, you just added some sites to an existing working rule. Correct? If that's the case then it should be an issue related to those particular sites.
I think the keyword here is user! Did you verify that the request was indeed intercepted by the Firewall client and redirected to the ISA server? The ISA logging should tell you that!
I've tried it on an ISA 2004 SP2 and ISA 2006 server and I've not encountered any problem, as shown below:
quote:
C:\>ftp
ftp> open opfa.ca
Connected to opfa.ca.
220 ProFTPD 1.2.9 Server (ProFTPD) [69.27.97.144]
User (opfa.ca:(none)): anonymous
331 Anonymous login ok, send your complete email address as your password.
Password:
230 Anonymous access granted, restrictions apply.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrws-wx 2 99 site58 4096 Jun 19 01:32 incoming
drwxr-sr-x 7 500 site58 4096 Apr 20 2005 user
drwxr-sr-x 7 500 site58 4096 Apr 20 2005 vsite
226 Transfer complete.
ftp: 188 bytes received in 0,00Seconds 188000,00Kbytes/sec.
ftp> close
221 Goodbye.
ftp> bye
C:\>
The rules I tested were all users or all authenticated users for the FTP protocol or all outbound traffic. So, both SecureNAT clients (all users) and Firewall clients (all authenticated users) are working perfectly.
BTW --- I've seen workstations with the Firewall client installed where the Firewall client didn't intercept the WinSock calls. The reason for it was that some other third-party product was the first LSP in the chain. I have seen it at different times after re-installing/upgrading the Firewall client. Of course this is a 'local' client problem and nothing will be redirected in that case.
HTH, Stefaan
< Message edited by spouseele -- 5.Nov.2006 9:55:35 AM >
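The reverse-lookup behaviour Stefaan describes in his two replies (a Firewall or SecureNAT client sends the destination as an IP, ISA does a PTR lookup and compares the resulting name with the domain name set, and a missing or mismatching PTR means the rule never matches) can be checked before a site is added to a rule. The script below is an added example, not code from the thread or from ISA Server: it models that matching step and adds a pre-flight check that reports whether a FQDN round-trips through forward and reverse DNS. The DNS data is constructed (RFC 5737 test addresses, invented PTR names); the host names opfa.ca and demo.technolinux.com are taken from the thread, but their addresses and PTR records here are not real. The wildcard handling (`*.example.com` matching subdomains only) is an assumption of the model, not a documented ISA rule.

```python
"""Model of how ISA 2004/2006 matches a domain name set for non-Web Proxy
clients (Firewall client / SecureNAT): the request arrives as a destination
IP, ISA does a reverse (PTR) lookup and compares the resulting name with the
set. Added example; the DNS data below is constructed, not real records."""
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample zone data (RFC 5737 test addresses). The host names
# opfa.ca and demo.technolinux.com come from the thread; the addresses and
# PTR names are made up to illustrate the three cases that matter.
FORWARD: Dict[str, str] = {
    "opfa.ca": "192.0.2.10",               # PTR points at a different name
    "demo.technolinux.com": "192.0.2.20",  # no PTR record at all
    "ftp.example.net": "192.0.2.30",       # forward and reverse agree
}
REVERSE: Dict[str, str] = {
    "192.0.2.10": "host10.hosting.example",
    "192.0.2.30": "ftp.example.net",
}


def name_in_domain_set(name: str, domain_set: List[str]) -> bool:
    """Case-insensitive match against an ISA-style domain name set.
    Assumption of this model: an entry '*.example.com' matches any host
    below example.com but not the apex name itself."""
    name = name.rstrip(".").lower()
    for entry in domain_set:
        entry = entry.rstrip(".").lower()
        if entry.startswith("*."):
            if name.endswith(entry[1:]):
                return True
        elif name == entry:
            return True
    return False


def isa_domain_set_decision(dst_ip: str, domain_set: List[str],
                            reverse: Dict[str, str]) -> Tuple[str, str]:
    """Decide ('allow'|'deny', reason) for a Firewall/SecureNAT client
    request, which ISA only sees as a destination IP address."""
    ptr = reverse.get(dst_ip)
    if ptr is None:
        return "deny", f"no PTR record for {dst_ip}; rule cannot match"
    if not name_in_domain_set(ptr, domain_set):
        return "deny", f"PTR {ptr} is not in the domain name set"
    return "allow", f"PTR {ptr} matched the domain name set"


def preflight(fqdn: str, forward: Dict[str, str],
              reverse: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Check, before adding fqdn to a domain name set, whether the rule can
    work for non-Web Proxy clients, and suggest one of the thread's two
    workarounds (add the PTR name to the set, or use the IP address)."""
    ip = forward.get(fqdn)
    ptr = reverse.get(ip) if ip else None
    if ip is None:
        advice = "forward lookup failed; fix DNS first"
    elif ptr is None:
        advice = "no PTR; use a computer/address set with the IP instead"
    elif ptr.lower() != fqdn.lower():
        advice = f"add {ptr} to the domain name set (or use the IP)"
    else:
        advice = "ok: forward and reverse agree"
    return {"fqdn": fqdn, "ip": ip, "ptr": ptr, "advice": advice}


def live_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup, for use with the functions above outside this
    offline demo (returns None when no PTR exists)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    for host in FORWARD:
        print(preflight(host, FORWARD, REVERSE))
        print("  ISA decision:", isa_domain_set_decision(FORWARD[host], [host], REVERSE))
```

Run against real DNS by replacing the `REVERSE` dictionary lookups with `live_reverse`; for the thread's case (ping -a returning mtl.demo.qc.ca instead of demo.technolinux.com) the pre-flight check reports exactly the mismatch that makes the domain name set rule fall through to the default deny rule.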
Testing is with the command-line FTP, and the ISA log indicates denied by the (last) default rule. Since it is command-line FTP, I have to assume there is nothing other than the FWC to intercept the request. WP and WinHTTP should have no bearing, right?
When I add the same user to another rule allowing all outbound, it works... again, testing my sanity.
Thanks
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
Stefaan, I managed to get through this with a couple different approaches. For the opfa.ca site I hard-coded the IP in the rule. For a couple others that were not returning the same FQDN on a reverse lookup, I added the real FQDN to the rule and had the user access by that FQDN instead. I know, cheap and dirty, but it works.
My user is happy, so I am happy. Some day when I have more time, I will dig into this a bit more to understand why some combinations worked and others failed.
Thanks!
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.