I am trying to set up FTP rules that allow specific users to go to only specific sites. For instance, my Virus Administrator needs to ftp download DAT files from McAfee, he does not need to FTP anywhere else. So, I create the FTP rule for - his user account - from internal - to ftp.nai.com.
I have defined the "to" as a network, an address set, a domain set...you name it. The only thing that works in the "To" tab is "External".
I was forced to create 2 FTP rules until I can get this resolved. My first FTP rule is to - Allow - FTP Protocol - From Internal - To **** - Condition Virus DAT Administrators (a list of Windows User names). The second rule is - Allow - FTP Protocol - From Internal - To External - Condition All Users.
Currently, the To of the first rule is a Domain Name Set. While watching the logging monitor, I see that my user is being allowed out by the second rule, NOT the first, even though the User name and destination IP match the first rule properties. I have tried all manner of definitions in the To of the first rule. The only thing that will allow that specific user to be processed by the first rule is if the To of the first rule is External. Unfortunately, this gives that user FTP rights to anywhere.
I am fighting with the precise same problem as you! And it is driving me utterly insane!
In monitoring, when rule two is applied, do you see the IP address of the site you are trying to access in the "destination IP" column? Is it always the same IP?
Is this the same IP address you have defined in rule one? Or have you used some other means of identifying the site you are accessing, e.g. "Domain Name Sets"?
One of my problems (amongst others) is that ftp.symantec.com uses different IP addresses all the time. It's not just ONE IP address. On top of this, when trying to define what site to connect "To" using Domain Name Sets, the rule specifying this Domain Name Set is ignored, because the name is resolved to an IP address immediately.
To make it all worse, I don't have a human administrator assigned the task of updating virus files. Because of this I am unable to put a condition on the rule requiring a specific user account to be used. I rely on scripts to do the job. When these scripts run, they do so under some sort of account that is anonymous. I have been unable to find out what account or whatever its called the scripts run under, as I have no information in the monitoring indicating anything.
Hope you get a useful answer from somebody. I'll monitor this post anyway.
I was running ISA 2000 and this FTP issue was my biggest gripe. I was told that it would be fixed in ISA 2004, so I jumped on it immediately. Still fighting the issue. I have used every method of defining the "To" that I can. No matter what I do, rule one does not process the attempt. The log shows the correct source and destination IP addresses, etc. The destination network is "External". But the rule that is being shown is my rule 2 - Any Any.
I may be able to help with your other issue though. We created a user account - Virus Admin - and assigned permissions and run scripts using that account.
Rule = FTP Access to Virus DAT files
Action = Allow
Protocol = FTP
From = Internal
To = URL Set - ftp://ftp.nai.speedera.net
Users = User Set - Virus Admins (my domain account)
My FTP Rule number 2
Rule = FTP ANY ANY
Action = Allow
Protocol = FTP
From = Internal
To = External
Users = All Users
While watching the monitor, I see that if I use my browser and ftp://ftp.nai.speedera.net, I am being processed through by FTP ANY ANY. As soon as I click on a text file to view, or any other type file to download, I am being processed by the FTP Access to Virus DAT Files rule.
From a Command Prompt, if I ftp ftp.nai.speedera.net I am processed by the FTP ANY ANY rule, whether I am doing an ls or a get.
This is confusing. Is anyone creating FTP access rules to allow SPECIFIC users access to SPECIFIC sites? How?
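The fall-through the posters above keep seeing (rule 1 defined by name, user lands on rule 2) is what a first-match policy engine does when the name-based destination no longer matches what it is given. The following is an added illustration, not code from this thread or from ISA Server: a deliberately simplified model of first-match rule evaluation in which a request either still carries the host name (proxy client) or only a destination IP (name resolved before the firewall saw it, the SecureNAT / command-line case). Rule and user names mirror the posts; the Request/Rule classes, the `evaluate` function and the 203.0.113.10 address are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed request: what a first-match policy engine sees for one FTP attempt.
# dst_name is None when the client already resolved the host name itself, so the
# engine only has the destination IP address to work with.
@dataclass
class Request:
    user: str
    dst_ip: str
    dst_name: Optional[str] = None

# Hypothetical rule model: a rule may restrict users, and may restrict the
# destination by IP ranges ("computer set"), by host names ("domain name set"),
# or by allowing every external address.
@dataclass
class Rule:
    name: str
    users: Optional[Set[str]] = None          # None = all users
    to_ips: List[ipaddress.IPv4Network] = field(default_factory=list)
    to_names: Set[str] = field(default_factory=set)
    to_external: bool = False

    def matches(self, req: Request) -> bool:
        if self.users is not None and req.user not in self.users:
            return False
        if self.to_external:
            return True
        ip = ipaddress.ip_address(req.dst_ip)
        if any(ip in net for net in self.to_ips):
            return True
        # A name-based destination can only match while the engine still has the name.
        return req.dst_name is not None and req.dst_name.lower() in self.to_names

def evaluate(rules: List[Rule], req: Request) -> str:
    """First-match evaluation: the first rule whose conditions all hold wins."""
    for rule in rules:
        if rule.matches(req):
            return rule.name
    return "DENY (default)"

VIRUS_ADMINS = {"virusadmin"}
# Constructed placeholder address for the update server (documentation range).
UPDATE_SERVER_IP = "203.0.113.10"
ANY_ANY = Rule("FTP ANY ANY", users=None, to_external=True)

# Policy A: rule 1 restricts the destination with a domain name set.
POLICY_BY_NAME = [
    Rule("FTP Access to Virus DAT files", users=VIRUS_ADMINS,
         to_names={"ftp.nai.speedera.net"}),
    ANY_ANY,
]

# Policy B: rule 1 restricts the destination with a computer set (IP address).
POLICY_BY_IP = [
    Rule("FTP Access to Virus DAT files", users=VIRUS_ADMINS,
         to_ips=[ipaddress.ip_network(UPDATE_SERVER_IP + "/32")]),
    ANY_ANY,
]

# Web proxy client: the proxy still knows the host name being requested.
proxy_request = Request("virusadmin", UPDATE_SERVER_IP, dst_name="ftp.nai.speedera.net")
# Command-line ftp (SecureNAT): the name was resolved before the packet reached the firewall.
nat_request = Request("virusadmin", UPDATE_SERVER_IP)

if __name__ == "__main__":
    for label, req in (("proxy", proxy_request), ("secure-nat", nat_request)):
        print(f"{label:10s} by-name policy -> {evaluate(POLICY_BY_NAME, req)}")
        print(f"{label:10s} by-IP policy   -> {evaluate(POLICY_BY_IP, req)}")
```

The thing to take from the model is the ordering risk, not the ISA internals: when rule 1 silently fails to match, the permissive "ANY ANY" rule below it becomes the effective policy for the restricted user, which is why the log shows rule 2 and why a computer set (or a deny rule placed above the catch-all) changes the outcome.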
In August 2005 I sent a bug report to Microsoft PSS regarding a problem with active mode FTP and SecureNAT clients. The problem *only* occurs if you restrict the destination to a domain name set (FQDN). If you use a computer set (IP addresses) or just External then everything works.
I've tested two scenarios and these were the results:
1. NAT relationship between source and destination network: the embedded IP address and Port number in the FTP Port command is *not* translated to external values. They are exactly the same as those used by the FTP client. Therefore the FTP server can't establish the FTP Data connection.
2. Route relationship between source and destination network: no NAT must be done but when the FTP server tries to establish the FTP Data connection, the ISA server refuses the FTP data connection with the Result Code 0xc004000d FWX_E_POLICY_RULES_DENIED.
The problem has been reproduced by Microsoft PSS and a bug has been submitted to the ISA Dev team for this issue. A couple of weeks ago I received an unsupported private fix for testing purposes only and it did solve the problem. They assured me that this FTP issue will be fixed in ISA 2004 SP2 (SE + EE). For your information, SP2 should be available by the end of January 2006.
In the meantime, the only workarounds I know of are:
- allow all External destinations
- use a computer set (IP addresses) for the allowed destinations
- use passive mode FTP
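Scenario 1 above hinges on the address and port that an active-mode FTP client embeds in its PORT command, which a NAT device has to rewrite on the way out. The following is an added example, not code from this thread or from ISA Server: it parses a PORT command, shows the translation a NAT device must apply, and includes a check for the symptom described in scenario 1 (a private address still embedded in a command leaving a NATed network). The function names and the 192.168.1.10 / 203.0.113.5 addresses are constructed placeholders.

```python
import ipaddress
import re
from typing import Tuple

# Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" and the server
# opens the data connection back to h1.h2.h3.h4 on port p1*256 + p2.
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)

# RFC 1918 ranges; an address from these can never be reached by an external server.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_port(command: str) -> Tuple[str, int]:
    """Return the (ip, port) embedded in a PORT command; raise ValueError if malformed."""
    m = _PORT_RE.match(command)
    if not m:
        raise ValueError(f"not a PORT command: {command!r}")
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError(f"octet or port byte out of range: {command!r}")
    ip = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    if port == 0:
        raise ValueError("data port 0 is invalid")
    return ip, port

def build_port(ip: str, port: int) -> str:
    """Encode (ip, port) as a PORT command."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])

def rewrite_port(command: str, public_ip: str, public_port: int) -> str:
    """The translation a NAT device must apply to an outbound PORT command:
    replace the client's private address/port with the mapped public ones."""
    parse_port(command)  # validate before rewriting
    return build_port(public_ip, public_port)

def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in _RFC1918)

def data_connection_will_fail(command: str, client_behind_nat: bool) -> bool:
    """Check for the scenario 1 symptom: the command is leaving a NATed network
    but still carries a private address, so the external server's data
    connection can never reach the client."""
    ip, _ = parse_port(command)
    return client_behind_nat and is_rfc1918(ip)

if __name__ == "__main__":
    # Constructed sample: an internal client announces its private address.
    original = "PORT 192,168,1,10,4,1"
    print("client sent      :", original, "->", parse_port(original))
    print("untranslated fail:", data_connection_will_fail(original, client_behind_nat=True))
    translated = rewrite_port(original, "203.0.113.5", 50000)
    print("NAT should send  :", translated, "->", parse_port(translated))
    print("translated fail  :", data_connection_will_fail(translated, client_behind_nat=True))
```

Running the check against the PORT commands captured on the external side of a NAT gives a quick confirmation of scenario 1: if the embedded address is still private, the problem is the missing translation rather than the server, and the listed workarounds (computer set, or passive mode so that the server never has to connect back) are the right direction.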
I'm facing the same problem. Hopefully you would have solved this issue. Following is the issue.
sub: users can't access external FTP sites for downloading?
A customer is running 2 different ISA servers. Each ISA is dedicated to a different ISP.
1. ISA 2000 that allows some specific users to access everything. Doesn't filter anything. Traffic passes through a Cisco PIX firewall. Users can access external FTP sites. That verifies that FTP traffic (ports 20 and 21) is allowed through the PIX firewall.
2. MS ISA 2004 Standard Edition with SP3. From here users can access HTTP and HTTPS but can't access external FTP sites. Some ISA clients are web proxy and firewall clients. Initially users could access FTP sites, i.e. ftp://ftp.symentic.com; now if a user tries this, IE returns the following error.
Windows cannot access this folder. Make sure you typed the file name correctly and that you have permission to access the folder. Details The server name or address could not be resolved
On ISA 2004 a rule is made that allows external FTP traffic.