mwi@isa -> Custom Protocols and Application Filters (30.Dec.2004 1:23:00 PM)

Hi all

I encountered an interesting behaviour on one of our customers' ISA2004 boxes today.

The customer needs a custom application which transfers encrypted and signed XML data files over FTP. The point is that the application doesn't use the standard FTP command set but its own command codes.
Of course, ISA's FTP application filter doesn't like those commands and blocks the connection.

So what can we do to allow this special FTP?

I tried to create a custom protocol definition, which also uses port 21 but doesn't use the FTP application filter. Then I created a special policy using this protocol and placed the policy above the common LAN to External web access rule (in which FTP is included).
But this doesn't work. As long as the FTP application filter is activated in whatever protocol definition, the custom FTP communication is blocked by ISA, no matter what order the policies are in. Does that mean that the only solution for this is to completely disable the FTP application filter...? [Confused]

Any thoughts or hints on this would be greatly appreciated!


tshinder -> RE: Custom Protocols and Application Filters (31.Dec.2004 5:18:00 AM)

Hi Martin,

If secondary connections must be negotiated, how will the ISA firewall determine what ports to open on behalf of the client if the session is encrypted?


mwi@isa -> RE: Custom Protocols and Application Filters (31.Dec.2004 11:46:00 AM)

Thanks Tom

I think it's not the session that is encrypted, it's only the XML file that is hashed/scrambled. But I have to verify that with Network Monitor.

But you mentioned a good point. If it IS the session that is encrypted, how could *any* firewall open the necessary secondary connections? How can I solve that?
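
To make Tom's point concrete (and to answer Martin's question about how any firewall could handle this), here is an added example that is not part of the thread and not ISA Server's own code: a small Python model of what an FTP application filter has to do on the control channel. It reads the PORT/EPRT commands and 227/229 replies to learn the endpoint of the secondary (data) connection, opens a pinhole for it, and refuses anything it cannot recognise as FTP. The verb list, the transcripts, and the addresses are all constructed for the example. A vendor-specific verb like `XSND` is an assumption standing in for the customer's private command codes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed model of a strict FTP application filter (not ISA's code).
# Verbs from RFC 959 plus common extensions; anything else is "not FTP".
KNOWN_COMMANDS = {
    "USER", "PASS", "ACCT", "CWD", "CDUP", "QUIT", "PORT", "PASV", "TYPE",
    "STRU", "MODE", "RETR", "STOR", "APPE", "LIST", "NLST", "SYST", "STAT",
    "HELP", "NOOP", "PWD", "MKD", "RMD", "DELE", "RNFR", "RNTO", "SIZE",
    "MDTM", "FEAT", "OPTS", "EPRT", "EPSV", "REST", "ABOR",
}

Endpoint = Tuple[str, int]
_OCT = r"(\d{1,3})"
_PORT_RE = re.compile(r"^PORT\s+" + ",".join([_OCT] * 6) + r"\s*$", re.I)
_PASV_RE = re.compile(r"^227\b[^(]*\(" + ",".join([_OCT] * 6) + r"\)")
_EPRT_RE = re.compile(r"^EPRT\s+\|1\|(\d{1,3}(?:\.\d{1,3}){3})\|(\d{1,5})\|\s*$", re.I)
_EPSV_RE = re.compile(r"^229\b[^(]*\(\|\|\|(\d{1,5})\|\)")


def _hp_to_endpoint(fields) -> Endpoint:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227 replies."""
    vals = [int(x) for x in fields]
    if any(v > 255 for v in vals):
        raise ValueError("h1-h4,p1,p2 must each be 0..255")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_endpoint(line: str, from_client: bool, client_ip: str, server_ip: str) -> Optional[Endpoint]:
    """Return the (ip, port) a secondary connection will use, or None if the
    line negotiates nothing. Raises ValueError when the negotiation is
    malformed or points at a third host (the classic FTP bounce abuse)."""
    if from_client:
        m = _PORT_RE.match(line)
        if m:
            ip, port = _hp_to_endpoint(m.groups())
            if ip != client_ip:
                raise ValueError(f"PORT to {ip} does not match client {client_ip}")
            return ip, port
        m = _EPRT_RE.match(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            if ip != client_ip or not 0 < port < 65536:
                raise ValueError(f"EPRT to {ip}:{port} rejected")
            return ip, port
        return None
    m = _PASV_RE.match(line)
    if m:
        ip, port = _hp_to_endpoint(m.groups())
        if ip != server_ip:
            raise ValueError(f"227 advertises {ip}, expected server {server_ip}")
        return ip, port
    m = _EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 0 < port < 65536:
            raise ValueError("EPSV port out of range")
        return server_ip, port
    return None


def filter_session(transcript: List[Tuple[str, str]], client_ip: str, server_ip: str) -> Dict:
    """Walk a control-channel transcript of ("C", line) / ("S", line) items the
    way a strict filter would. Returns the pinholes the firewall would open
    and the verdict at the point it stops understanding the stream."""
    pinholes: List[Endpoint] = []
    for who, raw in transcript:
        line = raw.rstrip("\r\n")
        # An encrypted or otherwise opaque control channel fails right here:
        # there is no text to parse, so no data endpoint can ever be learned.
        if not line.isascii() or not line.isprintable():
            return {"verdict": "blocked", "reason": "non-text bytes on control channel", "pinholes": pinholes}
        from_client = who == "C"
        if from_client:
            verb = line.split(" ", 1)[0].upper()
            if verb not in KNOWN_COMMANDS:
                return {"verdict": "blocked", "reason": f"unknown command {verb!r}", "pinholes": pinholes}
        elif not re.match(r"^\d{3}[ -]", line):
            return {"verdict": "blocked", "reason": "server reply without 3-digit code", "pinholes": pinholes}
        try:
            ep = data_endpoint(line, from_client, client_ip, server_ip)
        except ValueError as exc:
            return {"verdict": "blocked", "reason": str(exc), "pinholes": pinholes}
        if ep:
            pinholes.append(ep)
    return {"verdict": "allowed", "reason": "", "pinholes": pinholes}


# Constructed transcripts (documentation addresses, not real hosts).
CLIENT_IP, SERVER_IP = "192.0.2.20", "203.0.113.10"
STANDARD = [
    ("S", "220 ftp.example.test ready"), ("C", "USER alice"), ("S", "331 Password required"),
    ("C", "PASS secret"), ("S", "230 Logged in"), ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,10,195,89)"),
    ("C", "RETR report.xml"), ("S", "150 Opening data connection"),
    ("S", "226 Transfer complete"), ("C", "QUIT"), ("S", "221 Bye"),
]
CUSTOM = STANDARD[:5] + [("C", "XSND report.xml.sig"), ("S", "200 ok")]   # vendor verb (assumed)
BOUNCE = STANDARD[:5] + [("C", "PORT 198,51,100,7,4,1")]                   # data port on a third host
OPAQUE = [("C", "\x16\x03\x01\x00\xa5\x01\x00")]                            # e.g. a TLS ClientHello

if __name__ == "__main__":
    for name, t in [("standard", STANDARD), ("custom", CUSTOM), ("bounce", BOUNCE), ("opaque", OPAQUE)]:
        print(name, filter_session(t, CLIENT_IP, SERVER_IP))
```

The standard session yields one pinhole (the server's passive port, 195*256+89 = 50009) and is allowed; the custom-verb session is blocked at `XSND`, which is the behaviour Martin saw; the PORT-to-a-third-host session is blocked as a bounce attempt; and the opaque stream is blocked before any command is even parsed. That last case is the answer to "how could *any* firewall open the secondary connections": it cannot, because the endpoint is only ever announced inside the control channel. If Network Monitor shows readable FTP verbs on port 21, the filter merely needs to tolerate the extra verbs (or the custom protocol must run without the filter); if the control channel itself is encrypted, the only options are a fixed data-port range opened statically or a proxy that terminates the encryption.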


