• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Publishing FTP Server behind ISA 2006

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Publishing] >> Server Publishing >> Publishing FTP Server behind ISA 2006 Page: [1]
Login
Message << Older Topic   Newer Topic >>
Publishing FTP Server behind ISA 2006 - 16.May2007 5:28:02 AM   
simonz

 

Posts: 5
Joined: 14.May2007
Status: offline
Hi all,

   I facing a problem on publishing FTP server behind ISA 2006, where I can ftp the server ftp server from internal network but from external it doesn't seem to able to pass throught the ISA.

   I have check the ISA monitor log but ain get any "denial connection" error, that's make me wonder what goes wrong. My server connection is pretty straight forward and as below:-

      FTP server -> ISA server -> internet

   Thanks and hope can someone help on this. Very very appreciate it...
Post #: 1
RE: Publishing FTP Server behind ISA 2006 - 16.May2007 9:24:33 AM   
BrandonOz

 

Posts: 25
Joined: 30.Jan.2007
Status: offline
 
I followed the tutorial which I have listed below. I had no issues at all.

http://www.isaserver.org/tutorials/Publishing-Secure-FTP-Servers.html

If that doesn’t help, post back a reply.

B


(in reply to simonz)
Post #: 2
RE: Publishing FTP Server behind ISA 2006 - 22.May2007 3:52:11 AM   
amundb

 

Posts: 1
Joined: 22.May2007
Status: offline
I'm having the same problem.

Using ISA2006 Standard to publish an internal FTP server.
The server works internally, but when I try to connect from the internet. It just times out. The logs on ISA gives no errors. I'm totally lost here.

(in reply to BrandonOz)
Post #: 3
RE: Publishing FTP Server behind ISA 2006 - 23.May2007 1:47:19 AM   
simonz

 

Posts: 5
Joined: 14.May2007
Status: offline
Hi BrandonOz,

      I'm still having the same problem after follow the link you ask me to do. What else did I miss out. It not only happen to me but amundb also get into that.

      btw, thanks for your reply on my post.

Regards,
Simon.

  

(in reply to amundb)
Post #: 4
RE: Publishing FTP Server behind ISA 2006 - 29.May2007 4:30:32 PM   
BrandonOz

 

Posts: 25
Joined: 30.Jan.2007
Status: offline
Do you have this resolved yet? If not, let me know the basic set up you have so I can assist further.

Make sure your IIS is set up correctly by testing the FTP site within IIS. Also try hitting your FTP site via cmd prompt on the appropriate port you used.

B

(in reply to simonz)
Post #: 5
RE: Publishing FTP Server behind ISA 2006 - 29.May2007 9:57:28 PM   
simonz

 

Posts: 5
Joined: 14.May2007
Status: offline
Hi Brandon0z,

    I have not resolved the problem yet. FYI, I have test the ftp server in local lan and it seems to be working via cmd prompt. The enviroment that i setup here is pretty straight forward where the ftp server is just behind the ISA server and the ISA server is the gateway.

Simon.

(in reply to BrandonOz)
Post #: 6
RE: Publishing FTP Server behind ISA 2006 - 30.May2007 2:58:14 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,

any chance of getting some more info on how things are *exactly*configured?

Thanks,
Stefaan

(in reply to simonz)
Post #: 7
RE: Publishing FTP Server behind ISA 2006 - 30.May2007 9:45:49 PM   
simonz

 

Posts: 5
Joined: 14.May2007
Status: offline
Hi guys,

    I create the rule by using the wizard, and i have tried "Publishing Non-Web Server Protocol" and the "Create Access Rule" and it doesn't seem to work.

   When "Publishing the Non-Web Server Protocol" it ask for the server IP then i put my internal FTP Server IP. Then it ask to select the Protocol, I choose FTP Server and I did not change any setting there.

   Basically i have follow what BrandonOz gave me the link on how to publish the FTP and it seem doesn't work. Does your environment works?

Thanks,
Simon.

(in reply to spouseele)
Post #: 8
RE: Publishing FTP Server behind ISA 2006 - 31.May2007 3:27:30 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Simon,

I did ask for *exact* info!

What's the result of an 'ipconfig /all' on ISA?
What network relationship is defined between the Internal and External interface?
What is the *exact* content of the FTP Server publishing rule?
Is de FTP server configured as a SecureNAT client only?
Something useful in the event viewer on ISA?
What is the ISA log telling you?
....

BTW --- you must test from an external location, not by looping through the ISA server!

HTH,
Stefaan


(in reply to simonz)
Post #: 9
RE: Publishing FTP Server behind ISA 2006 - 31.May2007 10:50:58 PM   
simonz

 

Posts: 5
Joined: 14.May2007
Status: offline
Hi Stefaan,

   Sorry, I'm newbie in ISA . How to configure FTP as a SecureNAT Client? And i can't find anything in the ISA log about denied connection on ftp.

Thanks,
Simon.

(in reply to spouseele)
Post #: 10
RE: Publishing FTP Server behind ISA 2006 - 1.Jun.2007 2:10:45 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Simon,

check out A different look at the ISA Clients.

HTH,
Stefaan


(in reply to simonz)
Post #: 11
RE: Publishing FTP Server behind ISA 2006 - 24.Jul.2007 11:00:01 AM   
bhavin78

 

Posts: 433
Joined: 18.Jul.2005
From: USA
Status: offline
Hi Stefaan,

question on SFTP server publishing (SSH protocol), I got FTP server publishing working fine but not abel to make ssh work.

here's what I have done so far>
My SFTP Server is on DMZ?
I created a server protocol for SSH [SSH inbound TCP 22]
I published SFTP server on DMZ using the protocol I created above.
I also create route relationship between DMZ and External but I still cannot hit SFTP server in dmz from external. It works from internal to DMZ

(in reply to spouseele)
Post #: 12
RE: Publishing FTP Server behind ISA 2006 - 24.Jul.2007 3:02:02 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi bhavin78,

check out http://forums.isaserver.org/m_2002049063/mpage_1/key_/tm.htm#2002049699.

HTH,
Stefaan

(in reply to bhavin78)
Post #: 13
RE: Publishing FTP Server behind ISA 2006 - 27.Jul.2007 3:39:28 PM   
lazyman

 

Posts: 6
Joined: 4.Dec.2006
Status: offline
Stefaan (or any other able person),

We are having a similar problem and also are fairly new to ISA.  We have the FTP server on DMZ2 and have access to it from the internal network.  We can not access it from the external network though.  The configuration is as follows:

ipconfig /all :
Windows IP Configuration
  Host Name . . . . . . . . . . . . : STU
  Primary Dns Suffix  . . . . . . . : 'domain'
  Node Type . . . . . . . . . . . . : Broadcast
  IP Routing Enabled. . . . . . . . : Yes
  WINS Proxy Enabled. . . . . . . . : Yes
  DNS Suffix Search List. . . . . . : 'domain'
                                      'domain'
PPP adapter RAS Server (Dial In) Interface:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
  Physical Address. . . . . . . . . : 00-53-45-00-00-00
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 172.22.0.190
  Subnet Mask . . . . . . . . . . . : 255.255.255.255
  Default Gateway . . . . . . . . . :
Ethernet adapter LAN:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection #6
  Physical Address. . . . . . . . . : 00-01-69-00-B6-0C
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 172.22.0.1
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . :
  DNS Servers . . . . . . . . . . . : 172.22.0.150
  NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter WAN:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection #5
  Physical Address. . . . . . . . . : 00-01-69-00-B6-0D
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 'external ip'
  Subnet Mask . . . . . . . . . . . : 255.255.255.192
  Default Gateway . . . . . . . . . : 'gateway ip'
  NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter DMZ1:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection #4
  Physical Address. . . . . . . . . : 00-01-69-00-B6-0E
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 10.22.0.1
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . :
Ethernet adapter DMZ2:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
  Physical Address. . . . . . . . . : 00-01-69-00-B6-0F
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 10.0.22.1
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . :

The relationship between the FTP DMZ (DMZ2) and the External network has been tried as both Route and NAT.  The relationship between the Internal and the FTP DMZ is NAT.

The FTP publish rule is:
Allow
FTP Server
from: Anywhere
to: 10.0.22.100 (FTP server ip on DMZ)
networks: External (w/ external ip specified)
               Internal (w/ internal ip specified)
               Local Host (all ip's)
               VPN Clients (all ip's)
               Wireless DMZ (w/ wireless DMZ ip specified)
schedule: always

The FTP server is not a SecureNAT client I do not believe (It is actually a terastation running an FTP server).

When trying to access the FTP from the 'outside', I see nothing in the ISA logs or event viewer that appears to be from that traffic.

I am trying from an external location ... actually halfway across the US.

The physical setup of the ISA is ISA 2006 on a celestix appliance running SurfControl.  It is attached on the external side to a Netopia R5300 router provided by our T1 provider in a route setup.

Hopefully, you can see something here that can be done to resolve our situation.

Thank you in advance to anyone that can help.
Jeremy

(in reply to spouseele)
Post #: 14
RE: Publishing FTP Server behind ISA 2006 - 27.Jul.2007 4:45:52 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jeremy,

1. the FTP server must be configured as a SecureNAT client, that means his default gateway must point to the ISA DMZ2 interface, unless you have enabled in the To tab of the server publishing rule the setting Requests appear to come from the ISA Server computer.

2. because the DMZ2 uses private IP's, the network relationship from the DMZ2 to External must be NAT, otherwise it won't work.

3. why have you enabled all those networks in the Networks tab of the server publishing rule? Normally you only need to publish to the external world. Therefore select only the External network. For the other networks you can use acces rules.

BTW --- keep in mind you have to test from an external host. You can place a workstation on the same segment as the ISA external interface to test from there, at least if you have a spare public IP.

HTH,
Stefaan

(in reply to lazyman)
Post #: 15
RE: Publishing FTP Server behind ISA 2006 - 31.Jul.2007 1:52:20 PM   
adminX

 

Posts: 1
Joined: 31.Jul.2007
Status: offline
I'm in the exact same situation.  My FTP server works internally, but not externally.  The only message I get when I try to connect externally (from my ftp client software) is "Connected to FTP Server, Waiting for Welcome Message.", then "Disconnected from server".  Other than that, the ISA server logs don't tell me anything.  Has anybody had any success in getting this to work?  Thanks in advance.

(in reply to simonz)
Post #: 16
RE: Publishing FTP Server behind ISA 2006 - 31.Jul.2007 3:24:24 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi adminX,

*exact* info please!

HTH,
Stefaan

(in reply to adminX)
Post #: 17
RE: Publishing FTP Server behind ISA 2006 - 3.Aug.2007 1:40:04 PM   
lazyman

 

Posts: 6
Joined: 4.Dec.2006
Status: offline
Ok.  I can't find anything in the configuration that is different then how you describe it should be done.  I have verified that our external t! router is not the problem by moving the ftp server from behind the isa to a public ip and I can connect fine.  One thing I have found is that when the 'non-web server publishing rule' is created, an error is generated in the Application Event Log.  The error is as follows:

Source: Microsoft Firewall
Event ID: 21174
Description:
The server publishing rule GLW FTP failed because there was no valid network listener. For requests to reach the published server there must be a network relationship between the selected listener networks and the published server. Error location: 325.957.5.0.5720.157.
Data (words):
0000: 8007000d

I searched on MS support and can find no information about this.

Hopefully this helps determine our issue here.

Thanks again,
Jeremy

**UPDATE**
It Works!!

I changed the network relationship to include 'All Networks (and Local Host)' on one side and my FTP DMZ and a 'computer object' for the exact ip of the server on the DMZ on the other side and have two network relationship rules specifying a NAT relationship.  One with the DMZ as the destination and one with the DMZ as the source.  Also I updated the rule mentioned in my previous post to only have the 'External' network and added a new publishing rule for all protected networks.  I know the protected could be achived through access rules but the publishing was much easier to me.  Hope this helps anyone else with these issues.

< Message edited by lazyman -- 3.Aug.2007 2:37:37 PM >

(in reply to spouseele)
Post #: 18
RE: Publishing FTP Server behind ISA 2006 - 3.Aug.2007 3:11:28 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jeremy,

you'll have to cleanup your networking rules!

Again, because the DMZ uses private IP's a simple network rule from DMZ (source) to External (destination) with a NAT relationship should be all what is needed.

HTH,
Stefaan

(in reply to lazyman)
Post #: 19

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Publishing] >> Server Publishing >> Publishing FTP Server behind ISA 2006 Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts