ISAserver.org Forums >> ISA Server 2004 Firewall >> Access Policies

Cannot destination limit Outbound FTP
Cannot destination limit Outbound FTP - 13.Jan.2005 11:58:00 PM   
Kerry.Kriegel
Posts: 30
Joined: 17.Sep.2004
From: Racine, Wisconsin
I am running ISA 2004 on Server 2003.

I am trying to set up FTP rules that allow specific users to go to only specific sites. For instance, my Virus Administrator needs to ftp download DAT files from McAfee, he does not need to FTP anywhere else. So, I create the FTP rule for - his user account - from internal - to ftp.nai.com.

I have defined the "to" as a network, an address set, a domain set...you name it. The only thing that works in the "To" tab is "External".

Anybody have any ideas here?
Post #: 1
RE: Cannot destination limit Outbound FTP - 16.Jan.2005 12:25:00 PM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Wanman,

It should work. What error do you see in the ISA firewall's log files?

Thanks!
Tom

(in reply to Kerry.Kriegel)
Post #: 2
RE: Cannot destination limit Outbound FTP - 17.Jan.2005 5:21:00 PM   
Kerry.Kriegel
Posts: 30
Joined: 17.Sep.2004
From: Racine, Wisconsin
I was forced to create 2 FTP rules until I can get this resolved. My first FTP rule is to - Allow - FTP Protocol - From Internal - To **** - Condition Virus DAT Administrators (a list of Windows User names). The second rule is - Allow - FTP Protocol - From Internal - To External - Condition All Users.

Currently, the To of the first rule is a Domain Name Set. While watching the logging monitor, I see that my user is being allowed out by the second rule, NOT the first, even though the User name and destination IP match the first rule properties. I have tried all manner of definitions in the To of the first rule. The only thing that will allow that specific user to be processed by the first rule is if the To of the first rule is External. Unfortunately, this gives that user FTP rights to anywhere.

(in reply to Kerry.Kriegel)
Post #: 3
RE: Cannot destination limit Outbound FTP - 19.Jan.2005 3:30:00 PM   
jgbruun
Posts: 5
Joined: 4.Nov.2002
From: Luxembourg
Hi,

I am fighting with the precise same problem as you! And it is driving me utterly insane! [Mad]

In monitoring, when rule two is applied, do you see the IP address of the site you are trying to access in the "destination IP" column? Is it always the same IP?

Is this the same IP address you have defined in rule one? Or have you used some other means of identifying the site you are accessing, eg. "Domain Name Sets".

One of my problems (amongst others) is that ftp.symantec.com uses different IP addresses all the time. It's not just ONE IP address. On top of this, when trying to define what site to connect "To" using Domain Name Sets, the rule specifying this Domain Name Set is ignored, because the name is resolved to an IP address immediately.

To make it all worse, I don't have a human administrator assigned the task of updating virus files. Because of this I am unable to put a condition on the rule requiring a specific user account to be used.
I rely on scripts to do the job. When these scripts run, they do so under some sort of account that is anonymous. I have been unable to find out what account or whatever its called the scripts run under, as I have no information in the monitoring indicating anything.

Hope you get a useful answer from somebody. I'll monitor this post anyway.

Cheers,
JGB

(in reply to Kerry.Kriegel)
Post #: 4
RE: Cannot destination limit Outbound FTP - 19.Jan.2005 6:34:00 PM   
Kerry.Kriegel
Posts: 30
Joined: 17.Sep.2004
From: Racine, Wisconsin
Hi jgbruun -

I was running ISA 2000 and this FTP issue was my biggest gripe. I was told that it would be fixed in ISA 2004, so I jumped on it immediately. Still fighting the issue. I have used every method of defining the "To" that I can. No matter what I do, rule one does not process the attempt. The log shows the correct source and destination IP addresses, etc. The destination network is "External". But the rule that is being shown is my rule 2 - Any Any.

I may be able to help with your other issue though. We created a user account - Virus Admin - and assign permissions and run scripts using that account.

(in reply to Kerry.Kriegel)
Post #: 5
RE: Cannot destination limit Outbound FTP - 19.Jan.2005 9:10:00 PM   
Kerry.Kriegel
Posts: 30
Joined: 17.Sep.2004
From: Racine, Wisconsin
Clarification.

My FTP Rule number 1

Rule = FTP Access to Virus DAT files.
Action = Allow
Protocol = FTP
From = Internal
To = URL Set - ftp://ftp.nai.speedera.net
Users = User Set - Virus Admins (my domain account)

My FTP Rule number 2

Rule = FTP ANY ANY
Action = Allow
Protocol = FTP
From = Internal
To = External
Users = All Users

While watching the monitor, I see that if I use my browser and ftp://ftp.nai.speedera.net, I am being processed through by FTP ANY ANY. As soon as I click on a text file to view, or any other type file to download, I am being processed by the FTP Access to Virus DAT Files rule.

From a Command Prompt, if I ftp ftp.nai.speedera.net I am processed by the FTP ANY ANY rule, whether I am doing an ls or a get.

This is confusing. Is anyone creating FTP access rules to allow SPECIFIC users access to SPECIFIC sites? How?

(in reply to Kerry.Kriegel)
Post #: 6
RE: Cannot destination limit Outbound FTP - 25.Nov.2005 10:27:18 AM   
Money Penney
Posts: 132
Joined: 18.Sep.2002
From: Melbourne
11 months later and I am facing the same problem, and wondering if anyone resolved this or if there was a fix or statement to say that it was not supported for FTP?

(in reply to Kerry.Kriegel)
Post #: 7
RE: Cannot destination limit Outbound FTP - 25.Nov.2005 10:48:01 AM   
spouseele
Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Hi Money,

In August 2005 I sent a bug report to Microsoft PSS regarding a problem with active mode FTP and SecureNAT clients. The problem *only* occurs if you restrict the destination to a domain name set (FQDN). If you use a computer set (IP addresses) or just External then everything works.

I've tested two scenarios and these were the results:

1. NAT relationship between source and destination network: the embedded IP address and Port number in the FTP Port command is *not* translated to external values. They are exactly the same as those used by the FTP client. Therefore the FTP server can't establish the FTP Data connection.

2. Route relationship between source and destination network: no NAT must be done but when the FTP server tries to establish the FTP Data connection, the ISA server refuses the FTP data connection with the Result Code 0xc004000d FWX_E_POLICY_RULES_DENIED.

The problem has been reproduced by Microsoft PSS and a bug has been submitted to the ISA Dev team for this issue. A couple of weeks ago I received an unsupported private fix for testing purposes only and it did solve the problem. They assured me that this FTP issue will be fixed in ISA 2004 SP2 (SE + EE). For your information, SP2 should be available by the end of January 2006.

In the mean time, the only workarounds I know of are:
- allow all External destinations
- use a computer set (IP addresses) for the allowed destinations
- use passive mode FTP

HTH,
Stefaan

(in reply to Money Penney)
Post #: 8
RE: Cannot destination limit Outbound FTP - 2.Jan.2006 11:18:48 AM   
Money Penney
Posts: 132
Joined: 18.Sep.2002
From: Melbourne
Hi Stefaan,

thanks heaps for the info and heads up on the coming fix.  I might contact MS about this myself so I can test it before SP2 is released.

Regards
Mark

(in reply to spouseele)
Post #: 9
RE: Cannot destination limit Outbound FTP - 24.Jul.2007 11:10:29 AM   
shahry baba
Posts: 1
Joined: 24.Jul.2007
Hi dear,

I'm facing the same problem. Hopefully you have solved this issue. Following is the issue.

sub: users can't access external FTP sites for downloading?

A customer is running 2 different ISA servers. Each ISA is dedicated to a different ISP.

1. ISA 2000 that allows some specific users to access everything. Doesn't filter anything. Traffic passes through a Cisco PIX firewall. Users can access external FTP sites; that verifies that FTP traffic (ports 20 and 21) is allowed through the PIX firewall.

2. MS ISA 2004 Standard Edition with SP3. From here users can access HTTP and HTTPS but can't access external FTP sites. Some ISA clients are Web Proxy and Firewall clients. Initially users could access FTP sites, i.e. ftp://ftp.symentic.com; now if a user tries this, IE returns the following error.

Windows cannot access this folder. Make sure you typed the file name correctly and that you have permission to access the folder.
Details
The server name or address could not be resolved

On ISA 2004 a rule is made that allows external FTP traffic.

what could be the problem?

any suggestion would highly be appreciated!



_____________________________

Regards,

Baba

(in reply to Money Penney)
Post #: 10
