FTP access rule has me baffled

All Forums >> [ISA Server 2004 Firewall] >> Access Policies





LLigetfa -> FTP access rule has me baffled (3.Nov.2006 10:43:06 AM)

I've done FTP access rules in the past, but the last few sites I tried to add to existing rules are just not working for me.  I read through Stefaan's article on how the FTP protocol affects my sanity but to no avail.

A quick background:
Server is ISA Std. 2004 Version: 4.0.2165.610
Clients have FWC installed
IE has Enable Folder view and Use Passive FTP checked
Testing with both CL FTP and IE

Some CL FTP commands not working for me:
FTP opfa.ca
FTP demo.technolinux.com

If I allow a user all outbound traffic to external it works
If I allow all users FTP to External it works
If I allow all users FTP to a domain name set it fails
If I allow a user FTP to External it fails
If I allow a user all outbound traffic to a domain name set it fails

I've been away from ISA for too long and had a few too many birthdays.
Please help!!!




spouseele -> RE: FTP access rule has me baffled (3.Nov.2006 3:16:59 PM)

Hi Les,

good to see you are back! [:)]

quote:

Server is ISA Std. 2004 Version: 4.0.2165.610 

Hmm... I no longer have an ISA 2004 in my lab, but off the top of my head isn't that ISA 2004 SP2 with KB916106? If so, you should be in good shape!

As you probably know I hate IE as an FTP client. So, let's stay with the Microsoft command-line FTP client or the free FTP command-line client MoveIt Freely from Standard Networks (supports passive and Secure FTP too).

quote:

If I allow all users FTP to a domain name set it fails.

For non-Web Proxy requests the clients send their requests by IP address. Therefore, are you sure that ISA server can reverse lookup those IP addresses and match them to the domain name set?

What does the ISA logging show for all those cases? Also, did you test with a simplified firewall policy and/or by placing the test rules at the top?

HTH,
Stefaan




LLigetfa -> RE: FTP access rule has me baffled (3.Nov.2006 8:10:24 PM)

Hi Stefaan,
Yes, 2004 SP2 with KB916106.  I only mentioned IE and its settings, but 99% of my testing was with the command-line FTP.  I created a test rule at the top but I'm getting denied by the last rule.  I'm not sure what you mean by a reverse lookup.  If I ping -a 206.162.164.141, for demo.technolinux.com, I get mtl.demo.qc.ca instead.
I have not tried creating a rule using the IP instead of a domain set.  I know custom protocols don't support domain sets, and I have had to call site admins to get all the IPs that can possibly respond to an FQDN.  Please don't tell me FTP through ISA is that lame?
I can run some more tests on Monday when I am back in the office.

Thanks




spouseele -> RE: FTP access rule has me baffled (4.Nov.2006 6:45:59 PM)

Hi Les,

in my article Understanding the ISA 2004 Access Rule Processing I discuss Domain Name Sets and the reverse DNS lookup issue. It's a very common problem, partly because people are too lazy to properly populate their DNS reverse zones. Even Microsoft makes the same mistakes (cfr the Microsoft and Windows Update issue).

Now, for the two FQDNs you listed, these are the results:
quote:


C:\>nslookup
Default Server:  dnspool042.isp.belgacom.be
Address:  195.238.2.22
> demo.technolinux.com
Server:  dnspool042.isp.belgacom.be
Address:  195.238.2.22
Non-authoritative answer:
Name:    demo.technolinux.com
Address:  206.162.164.141
> 206.162.164.141
Server:  dnspool042.isp.belgacom.be
Address:  195.238.2.22
Name:    mtl.demo.qc.ca
Address:  206.162.164.141
> opfa.ca
Server:  dnspool042.isp.belgacom.be
Address:  195.238.2.22
Non-authoritative answer:
Name:    opfa.ca
Address:  69.27.97.144
> 69.27.97.144
Server:  dnspool042.isp.belgacom.be
Address:  195.238.2.22
*** dnspool042.isp.belgacom.be can't find 69.27.97.144: Non-existent domain
> exit
C:\>

For the first FQDN the reverse DNS lookup gives a different FQDN. For the second FQDN, no reverse DNS record (PTR record) exists. How do you think ISA will react to that? Right, if no match can be found with a reverse DNS lookup the request will be denied.

In your first post you also wrote:
quote:


I've done FTP access rules in the past, but the last few sites I tried to add to existing rules are just not working for me.

So, you just added some sites to an existing working rule. Correct? If that's the case then it should be an issue related to those particular sites.

HTH,
Stefaan
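To make the reverse-lookup behaviour Stefaan describes concrete, here is an added example (not ISA's code, nor anything from the thread's authors) that simulates how a non-Web Proxy request is matched against a Domain Name Set. The DNS table is constructed inline from the nslookup session above so it runs offline; the leading-wildcard handling for set entries is an assumption about ISA's matching.

```python
"""Simulate ISA 2004 Domain Name Set matching for a non-Web Proxy request."""
from fnmatch import fnmatch

# Constructed resolver data, copied from the nslookup session in the thread.
FORWARD = {
    "demo.technolinux.com": "206.162.164.141",
    "opfa.ca": "69.27.97.144",
}
REVERSE = {
    "206.162.164.141": "mtl.demo.qc.ca",  # PTR names a different FQDN
    # 69.27.97.144 has no PTR record at all
}


def resolve(fqdn):
    """Forward lookup as the client does before connecting (constructed table)."""
    return FORWARD.get(fqdn.lower().rstrip("."))


def reverse(ip):
    """Reverse (PTR) lookup as ISA does on the destination IP it sees."""
    return REVERSE.get(ip)


def matches_set(name, domain_set):
    """Exact match, or leading-wildcard entry such as '*.example.com' (assumed)."""
    name = name.lower().rstrip(".")
    for entry in domain_set:
        entry = entry.lower().rstrip(".")
        if entry.startswith("*.") and fnmatch(name, entry):
            return True
        if name == entry:
            return True
    return False


def evaluate(fqdn, domain_set):
    """Return (verdict, reason) for a Firewall/SecureNAT client request.

    The client resolves fqdn itself and connects to the IP; ISA only sees
    the IP, so it must reverse-resolve it before comparing with the rule.
    """
    ip = resolve(fqdn)
    if ip is None:
        return ("denied", "client could not resolve %s" % fqdn)
    ptr = reverse(ip)
    if ptr is None:
        return ("denied", "no PTR record for %s, default rule applies" % ip)
    if matches_set(ptr, domain_set):
        return ("allowed", "PTR %s matched the domain name set" % ptr)
    return ("denied", "PTR %s is not in the domain name set" % ptr)
```

Running evaluate() with the two thread FQDNs against a set containing only those names shows both denied; adding the PTR name (mtl.demo.qc.ca) to the set is what turns the first one into an allow, which is the workaround Les later describes.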




LLigetfa -> RE: FTP access rule has me baffled (5.Nov.2006 8:27:39 AM)

OK, that all makes sense but...

Why when I allow a user FTP to External it fails?  That really has me baffled.




spouseele -> RE: FTP access rule has me baffled (5.Nov.2006 8:44:45 AM)

Hi Les,

quote:

Why when I allow a user FTP to External it fails?

I think the keyword here is user! Did you verify that the request was indeed intercepted by the Firewall client and redirected to the ISA server? The ISA logging should tell you that!

I've tried it on an ISA 2004 SP2 and an ISA 2006 server and I've not encountered any problem, as shown below:
quote:

C:\>ftp
ftp> open opfa.ca
Connected to opfa.ca.
220 ProFTPD 1.2.9 Server (ProFTPD) [69.27.97.144]
User (opfa.ca:(none)): anonymous
331 Anonymous login ok, send your complete email address as your password.
Password:
230 Anonymous access granted, restrictions apply.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrws-wx   2 99       site58       4096 Jun 19 01:32 incoming
drwxr-sr-x   7 500      site58       4096 Apr 20  2005 user
drwxr-sr-x   7 500      site58       4096 Apr 20  2005 vsite
226 Transfer complete.
ftp: 188 bytes received in 0,00Seconds 188000,00Kbytes/sec.
ftp> close
221 Goodbye.
ftp> bye
C:\>

The rules I tested were all users or all authenticated users for the FTP protocol or all outbound traffic. So, both SecureNAT clients (all users) and Firewall clients (all authenticated users) are working perfectly.

BTW --- I've seen workstations with the Firewall client installed where the Firewall client didn't intercept the WinSock calls. The reason for it was that some other third-party product was the first LSP in the chain. I have seen it at different times after re-installing/upgrading the Firewall client. Of course this is a 'local' client problem and nothing gets redirected in that case.

HTH,
Stefaan




LLigetfa -> RE: FTP access rule has me baffled (5.Nov.2006 10:01:49 AM)

Testing is with the command-line FTP and the ISA log indicates denied by the (last) default rule.  Since it is command-line FTP, I have to assume there is nothing other than the FWC to intercept the request. WP and WinHTTP should have no bearing, right?

When I add the same user to another rule allowing all outbound, it works... again, testing my sanity.

Thanks




spouseele -> RE: FTP access rule has me baffled (5.Nov.2006 10:14:37 AM)

Hi Les,

quote:

Testing is with the command-line FTP and the ISA log indicates denied by the (last) default rule.

Are the fields 'Client Username' and 'Client Agent' properly filled in?

quote:

When I add the same user to another rule allowing all outbound, it works... again, testing my sanity

That indicates there is something 'wrong' with that rule or with the rule order.

BTW --- don't assume too much! Always verify things...  [;)]

HTH,
Stefaan




LLigetfa -> RE: FTP access rule has me baffled (6.Nov.2006 12:23:15 PM)

Stefaan,
I managed to get through this with a couple different approaches.  For the opfa.ca site I hard-coded the IP in the rule.  For a couple others that were not returning the same FQDN on a reverse lookup, I added the real FQDN to the rule and had the user access by that FQDN instead.  I know, cheap and dirty, but it works.

My user is happy, so I am happy.  Some day when I have more time, I will dig into this a bit more to understand why some combinations worked and others failed.

Thanks!




spouseele -> RE: FTP access rule has me baffled (6.Nov.2006 2:52:13 PM)

Hi Les,

good to hear you have it working and thanks for the follow up! [:)]

Stefaan



