Using ISA2006 Standard to publish an internal FTP server. The server works internally, but when I try to connect from the internet, it just times out. The logs on ISA give no errors. I'm totally lost here.
I have not resolved the problem yet. FYI, I have tested the FTP server on the local LAN and it seems to be working via cmd prompt. The environment that I set up here is pretty straightforward: the FTP server is just behind the ISA server and the ISA server is the gateway.
I created the rule by using the wizard, and I have tried "Publishing Non-Web Server Protocol" and the "Create Access Rule" and it doesn't seem to work.
When "Publishing the Non-Web Server Protocol", it asks for the server IP, so I put in my internal FTP server IP. Then it asks to select the protocol; I chose FTP Server and I did not change any setting there.
Basically I have followed the link BrandonOz gave me on how to publish the FTP server and it doesn't seem to work. Does your environment work?
What's the result of an 'ipconfig /all' on ISA? What network relationship is defined between the Internal and External interface? What is the *exact* content of the FTP Server publishing rule? Is the FTP server configured as a SecureNAT client only? Something useful in the event viewer on ISA? What is the ISA log telling you? ....
BTW --- you must test from an external location, not by looping through the ISA server!
Question on SFTP server publishing (SSH protocol): I got FTP server publishing working fine but am not able to make SSH work.
Here's what I have done so far: My SFTP server is on the DMZ. I created a server protocol for SSH [SSH inbound TCP 22]. I published the SFTP server on the DMZ using the protocol I created above. I also created a route relationship between DMZ and External, but I still cannot hit the SFTP server in the DMZ from external. It works from internal to DMZ.
We are having a similar problem and also are fairly new to ISA. We have the FTP server on DMZ2 and have access to it from the internal network. We cannot access it from the external network though. The configuration is as follows:
The relationship between the FTP DMZ (DMZ2) and the External network has been tried as both Route and NAT. The relationship between the Internal and the FTP DMZ is NAT.
The FTP publish rule is:
Allow FTP Server
from: Anywhere
to: 10.0.22.100 (FTP server IP on DMZ)
networks: External (w/ external IP specified), Internal (w/ internal IP specified), Local Host (all IPs), VPN Clients (all IPs), Wireless DMZ (w/ wireless DMZ IP specified)
schedule: always
The FTP server is not a SecureNAT client, I do not believe (it is actually a TeraStation running an FTP server).
When trying to access the FTP from the 'outside', I see nothing in the ISA logs or event viewer that appears to be from that traffic.
I am trying from an external location ... actually halfway across the US.
The physical setup of the ISA is ISA 2006 on a Celestix appliance running SurfControl. It is attached on the external side to a Netopia R5300 router provided by our T1 provider in a route setup.
Hopefully, you can see something here that can be done to resolve our situation.
Thank you in advance to anyone that can help. Jeremy
1. The FTP server must be configured as a SecureNAT client, which means its default gateway must point to the ISA DMZ2 interface, unless you have enabled, in the To tab of the server publishing rule, the setting "Requests appear to come from the ISA Server computer".
2. Because the DMZ2 uses private IPs, the network relationship from the DMZ2 to External must be NAT, otherwise it won't work.
3. Why have you enabled all those networks in the Networks tab of the server publishing rule? Normally you only need to publish to the external world. Therefore select only the External network. For the other networks you can use access rules.
BTW --- keep in mind you have to test from an external host. You can place a workstation on the same segment as the ISA external interface to test from there, at least if you have a spare public IP.
I'm in the exact same situation. My FTP server works internally, but not externally. The only message I get when I try to connect externally (from my ftp client software) is "Connected to FTP Server, Waiting for Welcome Message.", then "Disconnected from server". Other than that, the ISA server logs don't tell me anything. Has anybody had any success in getting this to work? Thanks in advance.
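Added example, not part of the original thread: a small Python probe, meant to be run from an external host as the replies above require, that reports how far the FTP control connection gets. It separates the "just times out" symptom from the "connected, waiting for welcome message" symptom. The function name `probe_ftp`, the stage labels and the placeholder address 192.0.2.10 are assumptions made for this example.

```python
import socket


def probe_ftp(host, port=21, timeout=5.0):
    """Return (stage, detail) describing how far an FTP control connection got."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        # SYN never answered: nothing is listening or forwarding on this address.
        return ("connect_timeout", "no answer to the TCP connection attempt")
    except ConnectionRefusedError:
        return ("connect_refused", "port closed: nothing is listening")
    except OSError as exc:
        return ("connect_error", str(exc))

    with sock:
        sock.settimeout(timeout)
        data = b""
        try:
            # Read until the first line of the server greeting has arrived.
            while b"\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break  # peer closed the connection
                data += chunk
        except socket.timeout:
            return ("no_banner", "connected, but no welcome message before timeout")
        except OSError as exc:
            return ("no_banner", "connection dropped: %s" % exc)

    line = data.split(b"\n", 1)[0].decode("ascii", "replace").strip()
    if not line:
        return ("no_banner", "peer closed the connection without a welcome message")
    if line.startswith("220"):
        # 220 is the FTP "service ready" greeting (also matches multi-line "220-").
        return ("banner_ok", line)
    return ("unexpected_reply", line)


if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a documentation placeholder; pass the published external IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(probe_ftp(target))
```

Comparing the reported stage with what the ISA log shows for the same attempt tells you whether the traffic reached the publishing rule at all.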
Ok. I can't find anything in the configuration that is different than how you describe it should be done. I have verified that our external T1 router is not the problem by moving the FTP server from behind the ISA to a public IP, and I can connect fine. One thing I have found is that when the 'non-web server publishing rule' is created, an error is generated in the Application Event Log. The error is as follows:
Source: Microsoft Firewall
Event ID: 21174
Description: The server publishing rule GLW FTP failed because there was no valid network listener. For requests to reach the published server there must be a network relationship between the selected listener networks and the published server.
Error location: 325.9126.96.36.19920.157.
Data (words): 0000: 8007000d
I searched on MS support and can find no information about this.
Hopefully this helps determine our issue here.
Thanks again, Jeremy
**UPDATE** It Works!!
I changed the network relationship to include 'All Networks (and Local Host)' on one side and my FTP DMZ and a 'computer object' for the exact IP of the server on the DMZ on the other side, and have two network relationship rules specifying a NAT relationship: one with the DMZ as the destination and one with the DMZ as the source. Also I updated the rule mentioned in my previous post to only have the 'External' network and added a new publishing rule for all protected networks. I know the protected could be achieved through access rules but the publishing was much easier to me. Hope this helps anyone else with these issues.
< Message edited by lazyman -- 3.Aug.2007 2:37:37 PM >