RE: ftp access require ftp server??

RE: ftp access require ftp server?? - 12.Oct.2003 10:08:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

if nothing is working with an open protocol and site&content rule, and you are sure the deny rules are not creating havoc, I suggest you run the FDISK command on ISA and install from scratch. It will be the fastest way to resolve the problem.

Note: in http://www.isaserver.org/articles/Getting_Started_with_ISA_Server300.html it is suggested to create an 'Open All Packet Filters'. I strongly advise NOT to do that. It creates more problems than it solves. Just use an open protocol and site&content rule for testing purposes.

I have one important remark about your design. If you want to let external users in through a host-to-gateway or gateway-to-gateway VPN tunnel, then ISA server must be the VPN gateway. The reason for it is that if you terminate the VPN tunnel outside of ISA, ISA isn't aware of that and the VPN users will have only access to the published services through ISA.

HTH,
Stefaan

(in reply to asuh)
Post #: 21
RE: ftp access require ftp server?? - 14.Oct.2003 5:41:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
Stefaan,

We have decided to try and implement a new ISA server to see if that clears the issue.

quote:
Note: in http://www.isaserver.org/articles/Getting_Started_with_ISA_Server300.html it is suggested to create an 'Open All Packet Filters'. I strongly advise NOT to do that.
I wanted to comment on your note. If I don't create an 'open all packet filters' rule, I can't properly access the Internet. Others might find this to be true as well. I think that what you should have mentioned is the "instead of creating 'Open All Packet Filters', you should...". I think that you have to create a packet filter to open port 80 or allow http requests.

(in reply to asuh)
Post #: 22
RE: ftp access require ftp server?? - 14.Oct.2003 6:59:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
I have a follow-up pertaining to the mystery routes in the routing table!

I opened up Routing and Remote Access in the Administrative tools to see what we had created there. Well, after taking a look at the Static Routes, I saw all of the 192.168.3.x's AND 192.168.100.7x's. So I deleted some interfaces and here is the current routing table.

===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.101.1 192.168.101.225 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.100.0 255.255.255.0 192.168.100.9 192.168.100.9 1
192.168.100.9 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.100.255 255.255.255.255 192.168.100.9 192.168.100.9 1
192.168.101.0 255.255.255.0 192.168.101.225 192.168.101.225 1
192.168.101.225 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.101.255 255.255.255.255 192.168.101.225 192.168.101.225 1
224.0.0.0 224.0.0.0 192.168.100.9 192.168.100.9 1
224.0.0.0 224.0.0.0 192.168.101.225 192.168.101.225 1
255.255.255.255 255.255.255.255 192.168.100.9 192.168.100.9 1
Default Gateway: 192.168.101.1
===========================================================================

and here again is the ipconfig

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : dsl1
Primary DNS Suffix . . . . . . . : carole.kim
Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : Yes

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : carole.kim

Ethernet adapter South:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139(A) PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-48-54-61-1A-7B

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.100.9

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . : 192.168.100.10
192.168.100.100

Ethernet adapter North:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : SMC EZ Card 10/100 (SMC1211TX)
Physical Address. . . . . . . . . : 00-E0-29-68-86-7D

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.101.225

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.101.1

DNS Servers . . . . . . . . . . . : 151.164.1.8
151.164.1.7
151.164.11.201
NetBIOS over Tcpip. . . . . . . . : Disabled

Although this is a step in the right direction, we still cannot use FTP. Something I should mention is when we had previously tried to set up VPN access on the ISA a few months ago, it went a little screwy. Starting the RRAS services caused outages in the Internet access. Finally, after some playing around we were able to have RRAS running and use the Internet. Maybe this FTP problem has something to do with the way RRAS is set up?

(in reply to asuh)
Post #: 23
RE: ftp access require ftp server?? - 14.Oct.2003 8:54:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

good! That already looks much better but doesn't seem to solve the problem yet!

Now, if you *have* to create IP packet filters to give internal hosts outbound access then that means there is something fundamentally wrong with your ISA server installation. Protocol and site&content rules should create *dynamically* the necessary IP packet filters when needed. The only time you must create *static* IP packet filters yourself is for applications running on ISA itself and in a trihomed DMZ scenario.

Did you enable RRAS NAT on ISA? The RRAS NAT driver is *NOT* compatible with the ISA NAT driver!

Have you already looked in the event log for any warnings and errors?

HTH,
Stefaan

[ October 14, 2003, 09:02 PM: Message edited by: spouseele ]

(in reply to asuh)
Post #: 24
RE: ftp access require ftp server?? - 20.Oct.2003 7:05:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
I haven't had a chance to check the NAT for the server and if it was created after using RRAS. I'll post results when I find something.

We have recently begun building a new ISA server. After installation and setting up the server, all rules and filters allow anything and everything. Technically this should allow us to use FTP from the client behind the ISA server. Unfortunately, we're getting the exact same problem as we are in the other LAN. This ISA server has nothing else installed except ISA software.

The application filter is enabled.
I don't have to create protocol rules because it is the "allow all" rule.
I don't have to create site and content rules because it allows all sites and content right now.

When trying to use FTP on the command prompt to connect to ftp.adobe.com, it says:
"Unknown host ftp.adobe.com"

We are running out of ideas!

(in reply to asuh)
Post #: 25
RE: ftp access require ftp server?? - 20.Oct.2003 8:14:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

I hope you are testing from an internal host behind ISA server, not from ISA itself. Right?

If the client gets "Unknown host ftp.adobe.com" then there is a DNS resolving problem. Try 'ftp 207.46.133.140' in a command window. This is the ftp.microsoft.com site.

HTH,
Stefaan

(in reply to asuh)
Post #: 26
RE: ftp access require ftp server?? - 20.Oct.2003 8:28:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
*forgot about the DNS absence* (oops)

Well, after trying 'ftp 207.46.133.140' on the internal client, it says:

'ftp: connect :Connection timed out'

Yes, obviously the ISA server can easily use the ftp protocol but it's the one client we have connected at the moment. We're using this as a test setup to see if we can isolate the problem with just one client and one server.

(in reply to asuh)
Post #: 27
RE: ftp access require ftp server?? - 20.Oct.2003 8:34:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

how is the client configured: Firewall or SecureNAT?

HTH,
Stefaan

(in reply to asuh)
Post #: 28
RE: ftp access require ftp server?? - 20.Oct.2003 8:41:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
It was first just a SecureNAT, but then I decided to install the Firewall client software.

And thank you for the quick replies!

[ October 20, 2003, 08:43 PM: Message edited by: asuh ]

(in reply to asuh)
Post #: 29
RE: ftp access require ftp server?? - 20.Oct.2003 8:54:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

please post the following information:
- ipconfig /all on ISA
- route print on ISA
- ipconfig /all on client
- excerpt of the firewall log

Just make sure you enabled the logging of ALL fields and the log format is set to ISA format, *not* W3C.

HTH,
Stefaan

(in reply to asuh)
Post #: 30
RE: ftp access require ftp server?? - 20.Oct.2003 9:04:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
firewall log
10/20/2003, 14:13:55, 66.135.208.201, 192.168.101.3, Tcp, 80, 3832, -, ALLOWED, 192.168.101.3, -, -
10/20/2003, 14:13:55, 192.168.101.3, 66.135.208.201, Tcp, 3832, 80, -, ALLOWED, 192.168.101.3, -, -
10/20/2003, 14:13:55, 192.168.101.3, 65.65.70.232, Tcp, 3787, 80, -, ALLOWED, 192.168.101.3, -, -
10/20/2003, 14:13:55, 65.65.70.232, 192.168.101.3, Tcp, 80, 3787, -, ALLOWED, 192.168.101.3, -, -
10/20/2003, 14:13:55, 192.168.101.3, 65.65.70.232, Tcp, 3787, 80, -, ALLOWED, 192.168.101.3, -, -

ipconfig /all on ISA

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : dsl100
Primary DNS Suffix . . . . . . . : carole.kim
Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : Yes

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : carole.kim

Ethernet adapter south:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-0A-E6-AC-E0-DC

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.100.90

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

DNS Servers . . . . . . . . . . . :

Ethernet adapter north:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : SMC EZ Card 10/100 (SMC1211TX)
Physical Address. . . . . . . . . : 00-E0-29-6F-29-0B

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.101.3

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.101.1

DNS Servers . . . . . . . . . . . : 151.164.1.7
151.164.1.8
NetBIOS over Tcpip. . . . . . . . : Disabled

route print on ISA

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.101.1 192.168.101.3 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.100.0 255.255.255.0 192.168.100.90 192.168.100.90 1
192.168.100.90 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.100.255 255.255.255.255 192.168.100.90 192.168.100.90 1
192.168.101.0 255.255.255.0 192.168.101.3 192.168.101.3 1
192.168.101.3 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.101.255 255.255.255.255 192.168.101.3 192.168.101.3 1
224.0.0.0 224.0.0.0 192.168.100.90 192.168.100.90 1
224.0.0.0 224.0.0.0 192.168.101.3 192.168.101.3 1
255.255.255.255 255.255.255.255 192.168.101.3 192.168.101.3 1
Default Gateway: 192.168.101.1

ipconfig /all on client

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : joe-1600
Primary DNS Suffix . . . . . . . : kim.com
Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : kim.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : SiS 900 PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-D0-09-E8-4A-2D

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.100.50

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.100.1

DNS Servers . . . . . . . . . . . : 151.164.11.201

[ October 20, 2003, 09:05 PM: Message edited by: asuh ]

(in reply to asuh)
Post #: 31
RE: ftp access require ftp server?? - 20.Oct.2003 9:14:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

first of all, the client has as default gateway '192.168.100.1' but the ISA internal interface is '192.168.100.90'.

Secondly, it seems you have *not* enabled the logging of ALL fields on ISA server. Moreover, I don't see any FTP protocol request in the logging. Are you sure the Firewall client is talking to the right ISA server?

HTH,
Stefaan

(in reply to asuh)
Post #: 32
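The two checks made in post #32 (client default gateway versus the ISA internal interface, and whether the client or any FTP request appears in the posted log), written out as an added Python example that is not code from the thread. Addresses and log lines are copied from post #31; the function names and the column meanings (source, destination, protocol, source port, destination port, action) are assumptions inferred from the sample lines.

```python
import ipaddress

# Copied from the ipconfig /all output and firewall log in post #31.
ISA_INTERFACES = {"south": "192.168.100.90/255.255.255.0",
                  "north": "192.168.101.3/255.255.255.0"}
CLIENT = {"ip": "192.168.100.50", "mask": "255.255.255.0",
          "gateway": "192.168.100.1"}
LOG = """\
10/20/2003, 14:13:55, 66.135.208.201, 192.168.101.3, Tcp, 80, 3832, -, ALLOWED, 192.168.101.3, -, -
10/20/2003, 14:13:55, 192.168.101.3, 66.135.208.201, Tcp, 3832, 80, -, ALLOWED, 192.168.101.3, -, -
10/20/2003, 14:13:55, 192.168.101.3, 65.65.70.232, Tcp, 3787, 80, -, ALLOWED, 192.168.101.3, -, -
"""


def check_client_gateway(client, isa_interfaces):
    """Compare the client's default gateway with the ISA interface on its subnet."""
    net = ipaddress.ip_interface(f"{client['ip']}/{client['mask']}").network
    gateway = ipaddress.ip_address(client["gateway"])
    # ISA addresses that sit on the client's subnet (the internal interface).
    internal = [ipaddress.ip_interface(v).ip for v in isa_interfaces.values()
                if ipaddress.ip_interface(v).ip in net]
    return {
        "gateway_on_subnet": gateway in net,
        "gateway_is_isa": gateway in internal,
        "expected_gateway": str(internal[0]) if internal else None,
    }


def parse_log(text):
    """Split comma-separated log lines; column meanings are assumed, not documented."""
    records = []
    for line in text.splitlines():
        f = [x.strip() for x in line.split(",")]
        if len(f) < 9:
            continue  # blank or truncated line
        ports = [int(p) if p.isdigit() else None for p in f[5:7]]
        records.append({"src": f[2], "dst": f[3], "proto": f[4].lower(),
                        "sport": ports[0], "dport": ports[1], "action": f[8]})
    return records


def summarize_log(records, client_ip, control_port=21):
    """Report whether the client and any FTP control-port traffic appear at all."""
    return {
        "client_seen": any(client_ip in (r["src"], r["dst"]) for r in records),
        "ftp_records": sum(1 for r in records
                           if control_port in (r["sport"], r["dport"])),
    }


if __name__ == "__main__":
    print(check_client_gateway(CLIENT, ISA_INTERFACES))
    print(summarize_log(parse_log(LOG), CLIENT["ip"]))
```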
RE: ftp access require ftp server?? - 20.Oct.2003 9:52:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
Gosh, I am sorry for being such a beginner at this. I'm sure you feel like you're dealing with a two year old and having to hold his hand. But thanks for your patience!

So after I put in the correct gateway, guess what worked? FTP! So now that this is successfully working, it's now time to go back to the other LAN and solve that problem. My first task will be checking the RRAS NAT. And I'll get back to you when that happens.

As for the logging, I went to check the log components and properties of both the Firewall service and Web proxy service to see about all the fields. Lo and behold, there were a few missing. It seems that the default for these logs states not to have all the info checked.

FTP service for the client computer doesn't seem to be showing up in the log. In fact, I've checked the IPPDxxxxxxx log more and more and haven't seen the client IP address in the logs. ... AND now having JUST checked the log, I see that after pointing the computer to the correct gateway the logging started for the firewall.

So thank you VERY MUCH and I'll be back in touch as soon as I look at the other ISA!

(in reply to asuh)
Post #: 33
RE: ftp access require ftp server?? - 20.Oct.2003 10:24:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

very glad to hear you have that working! [Smile]

We are here to help you as much as possible and I'm sure you are learning very fast how ISA server really works! [Cool]

Now for the logging, by default not all fields are logged and I find that a pity. Therefore I strongly recommend to always enable the logging of all fields. Also, ISA has 3 log files: one for the Web Proxy services (WEB*), one for the Firewall service (FW*) and one for the IP packet filter service (IP*). Keep in mind that by default only denied packets will be logged in the IP packet filter log. I suggest you keep it that way for performance reasons unless you are testing out the ISA server in a lab environment.

So, check out the Firewall log again and match it with the examples given in my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html . You should get used to reading the log files. They are your primary resource for debugging the ISA server.

HTH,
Stefaan

(in reply to asuh)
Post #: 34
RE: ftp access require ftp server?? - 22.Oct.2003 7:33:00 PM   
asuh

 

Posts: 69
Joined: 2.Jul.2001
From: Houston, Texas
Status: offline
Just to put closure on the initial FTP problem, we fixed it! The whole time that we were having problems in the first LAN not being able to FTP out, I was clued in when Stefaan said 'If the client gets "Unknown host ftp.adobe.com" then there is a DNS resolving problem.' We had the exact same problem in the real LAN. So, having read a few other articles, I saw that the primary DHCP/DNS server did not have forwarders enabled. I had to delete the "." entry, or what could be known as the root entry to enable forwarders. Once I added the DNS addresses into the forwarders, the FTP service instantly worked in the LAN.

So, even after uninstalling RRAS, installing Firewall software on a few clients, deleting FTP packet filters, and reviewing the initial setup for the ISA server, it turns out the whole problem was contributed by the DNS server and the Forwarding, or lack thereof. Hope that someone else finds this thread of use!

Now onto solving the problem of Terminal Services and PCAnywhere! Remote users can log in using both services but internal clients cannot log onto remote computers! And away we go...

PCAnywhere and Terminal Services thread

(in reply to asuh)
Post #: 35
RE: ftp access require ftp server?? - 22.Oct.2003 9:17:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Asuh,

good to hear you got it working and thanks for the follow up! [Smile]

BTW --- never forget that your internal and external interface MUST be on different network ID's too! [Big Grin]

Thanks,
Stefaan

(in reply to asuh)
Post #: 36
