Welcome to ISAserver.org


SFTP with tunnelier client

SFTP with tunnelier client - 3.Aug.2009 7:34:52 AM   
frank_hoof

 

Posts: 52
Joined: 27.Mar.2008
Status: offline
I am rebuilding an ISA server on a new location. Everything seems to work fine, except one thing.
One client is using the Tunnelier SSH-SFTP client and wants to connect to an external SFTP site. The port that is used is port 22.
All rules are imported from the old working ISA server. Also, a port check with isa_tpr.js gives no differences.
Only when a user tries to connect, he receives:
Connection failed. HTTP CONNECT request failed: status 403, reason: Forbidden ( The ISA Server denied the specified Uniform Resource Locator (URL).  ).
In the ISA log I receive:
12202 The ISA Server denied the specified Uniform Resource Locator (URL).
 
Any suggestions what I am not seeing?
Post #: 1
RE: SFTP with tunnelier client - 5.Aug.2009 11:47:21 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

What do the ISA logs tell you?

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to frank_hoof)
Post #: 2
RE: SFTP with tunnelier client - 6.Aug.2009 2:28:05 AM   
frank_hoof

 

Posts: 52
Joined: 27.Mar.2008
Status: offline
The ISA log states that the access is denied by the default rule. It only happens when users are trying to set up an FTP connection (regardless of whether it is FTP or SFTP).
Browsing to the domain works.
Also, it mentions that it is SSL traffic (even for FTP).

(in reply to paulo.oliveira)
Post #: 3
RE: SFTP with tunnelier client - 6.Aug.2009 6:59:19 AM   
frank_hoof

 

Posts: 52
Joined: 27.Mar.2008
Status: offline
Here are the ISA logs from the old and new proxy:
Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Authentication Server Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL
0.0.0.0  Yes Proxy newproxy  ftp.cexp.nl TCP  Internet - -  - "Req ID: 0bc015f8; Compression: client=No, server=No, compress rate=0% decompress rate=0%" - - - ######## 0 0 4314 0  12202 The ISA Server denied the specified Uniform Resource Locator (URL).  0x0 0x0 Web Proxy Filter  ######## ######## 22 SSL-tunnel Denied Connection Default rule ######## anonymous Internal Local Host  ftp.cexp.nl:22
0.0.0.0  Yes Proxy oldproxy  128.244.246.206 TCP  Upstream - -  - Req ID: 0f55ae0e  - - - ######## 0 0 3496 2106  0 The operation completed successfully.  0x0 0x100 Web Proxy Filter  ######## ######## 80 SSL-tunnel Allowed Connection SFTP SSL ######## anonymous Internal External  ftp.cexp.nl:22

(in reply to frank_hoof)
Post #: 4
RE: SFTP with tunnelier client - 6.Aug.2009 12:52:57 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

When ISA blocks traffic using the Default Rule, it means that ISA could not find any matching access rule. Do you have an access rule in place allowing port 22?

Regards,
Paulo Oliveira.


(in reply to frank_hoof)
Post #: 5
RE: SFTP with tunnelier client - 7.Aug.2009 1:44:59 AM   
frank_hoof

 

Posts: 52
Joined: 27.Mar.2008
Status: offline
Yes, it has. Also, making a rule that allows all traffic from that server does not work.
Strangely enough, the current rule set is a copy of the production machine. On this machine all rules work like a charm.
All ISA settings are identical and both machines operate on the LAN.

(in reply to paulo.oliveira)
Post #: 6
RE: SFTP with tunnelier client - 10.Aug.2009 10:57:49 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

What type of client are you using: SecureNAT, Web proxy or FWC?

Regards,
Paulo Oliveira.


(in reply to frank_hoof)
Post #: 7
RE: SFTP with tunnelier client - 10.Aug.2009 11:01:40 AM   
frank_hoof

 

Posts: 52
Joined: 27.Mar.2008
Status: offline
The client is a Windows 2003 server with a scheduled FTP job.
It works fine on the old server, but not on the new server.
If you look closely at the log, you see that the old server proxies the traffic to the upstream server on port 80. The new server gives a deny on port 22 to the same request from the same server.

(in reply to paulo.oliveira)
Post #: 8
RE: SFTP with tunnelier client - 11.Aug.2009 8:59:37 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

It seems your problem is not related to the ISA firewall, but to some misconfiguration on the new server.

Regards,
Paulo Oliveira.


(in reply to frank_hoof)
Post #: 9
RE: SFTP with tunnelier client - 13.Aug.2009 4:43:05 AM   
frank_hoof

 

Posts: 52
Joined: 27.Mar.2008
Status: offline
Any idea what this could be? I have looked in all properties and settings as far as I know.

(in reply to paulo.oliveira)
Post #: 10
RE: SFTP with tunnelier client - 18.Aug.2009 8:36:15 AM   
frank_hoof

 

Posts: 52
Joined: 27.Mar.2008
Status: offline
Problem is solved. The Internal network was missing a part of the network and therefore denied access.
In a few weeks I have to build it up again. I hope I have written down everything so I can make it work in no time.

(in reply to frank_hoof)
Post #: 11
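
The cause reported in the last post, an Internal network definition that does not cover the whole LAN, can be checked before a rebuilt firewall goes live. The following is an added example, not code from the thread or from ISA Server; it makes no ISA API calls, takes the network definition as (first, last) address pairs typed in by hand, and all addresses in it are constructed sample values.

```python
import ipaddress

def to_networks(ranges):
    """Turn (first, last) address pairs into a collapsed list of CIDR blocks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return list(ipaddress.collapse_addresses(nets))

def uncovered(lan_subnets, internal_ranges):
    """Return the parts of lan_subnets that internal_ranges do not cover."""
    covered = to_networks(internal_ranges)
    gaps = []
    for subnet in map(ipaddress.ip_network, lan_subnets):
        remaining = [subnet]
        for cov in covered:
            still_open = []
            for piece in remaining:
                if piece.subnet_of(cov):
                    continue                      # fully covered, drop it
                if cov.subnet_of(piece):
                    # cov sits inside piece: keep everything around it
                    still_open.extend(piece.address_exclude(cov))
                else:
                    still_open.append(piece)      # CIDR blocks are disjoint
            remaining = still_open
        gaps.extend(remaining)
    return sorted(ipaddress.collapse_addresses(gaps))

def is_internal(client_ip, internal_ranges):
    """True if client_ip falls inside the defined Internal network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in to_networks(internal_ranges))

if __name__ == "__main__":
    # Constructed sample: the definition copied to the new firewall skips
    # one /24 that is in use on the LAN.
    internal = [("10.0.0.0", "10.0.0.255"), ("10.0.2.0", "10.0.2.255")]
    lan = ["10.0.0.0/23", "10.0.2.0/24"]
    for gap in uncovered(lan, internal):
        print("not in Internal network:", gap)
    print("10.0.1.25 internal?", is_internal("10.0.1.25", internal))
```
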