Welcome to ISAserver.org

FTP problems with Firewall Client ISA2K4SP1

FTP problems with Firewall Client ISA2K4SP1 - 6.Apr.2005 5:38:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I have an MS Proxy2 server, an ISA 2000 server and an ISA 2004 server. All of them are behind a PIX firewall.

The MSP2 server has a single NIC with a rule through the PIX.

Both ISA servers have dual NICs connected to different subnets in our 10.0.0.0 scope. Their External NICs have a rule through the PIX.
Web proxy is not used and neither is sNAT.

If I use the Firewall Client for ISA 2000, pointed at either my MSP2 or ISA2K, I can FTP in/out no problem. When I installed ISA2K4, I did not allow downlevel client support, so I cannot test the 2K4 Firewall Client against the ISA2K4 server.

If I use the Firewall Client for ISA 2004 SP1, I cannot FTP no matter which ISA or MSP2 server I point it at. This would indicate that it is a Firewall Client issue and not a server or rule issue.

I presumed that when I applied the SP1 to the ISA server, that the \\ISAserver\mspclnt\ files would also have SP1 applied. I did a sanity check of the version on the files in \\ISAserver\mspclnt\Program Files\Microsoft Firewall Client 2004\ which report as 4.0.3440.81 and when I check on the client PC, they are the same.

What am I missing?
Post #: 1
RE: FTP problems with Firewall Client ISA2K4SP1 - 7.Apr.2005 4:44:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi L,

Have you refreshed the configuration of the Firewall client so that it's connecting to the correct ISA firewall? Make sure to check the ISA firewall log files to troubleshoot this issue.

HTH,
Tom

(in reply to LLigetfa)
Post #: 2
RE: FTP problems with Firewall Client ISA2K4SP1 - 7.Apr.2005 5:05:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Tom,
Thanks for the reply. Yes, I always make sure that I refresh the client whenever I switch servers but it is fruitless. Using the FWC2K4SP1, I cannot get FTP or HTTPS to work on any of the three servers. If I use FWC2K it works. I have verified this on several computers and using several rules on my ISA2K4SP1.

The ISA2K server is a good test because it is wide open. Before you flame me for having a wide open firewall, it is not my (DivIT) but rather CorpIT's server and I do not have admin rights to it. Since it is wide open, it makes for good testing of the FWC but I cannot look at the logs.

The MSP2 server is in my control and the ISA server is slated to replace it. I routinely switch between the ISA and MSP2 servers to verify that everything works on ISA as it does on MSP2. Is the FWC2K4SP1 not downlevel compatible with ISA 2K and MSP2? I really did not want to enable downlevel support on my ISA2K4 server, nor do I want to test all my rules on FWC2K and then change out the client after the go-live {{shudder}}!

I have only made it half way through your book, and have not read anything about changing any of the FWC2K4 settings. They are out-of-the-box settings now. If you do cover the settings, let me know what pages to read and I will skip ahead. I do plan to finish the book this weekend but want to get past this hurdle now. It works much better when you can put into practice right away, what you read rather than having to read the last chapter before trying any hands-on.

(in reply to LLigetfa)
Post #: 3
RE: FTP problems with Firewall Client ISA2K4SP1 - 7.Apr.2005 8:15:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Has anybody tested FWC2K4SP1 against ISA2K or MSP2? I have an incident open with MS Premier and so far they have not been able to confirm whether the client is downlevel compatible.

Tom,
Would you be able to take a look at an Ethereal capture if I emailed it to you? BTW, you've got mail... I sent you some screenshots and the only two lines that make it into the firewall log.

(in reply to LLigetfa)
Post #: 4
RE: FTP problems with Firewall Client ISA2K4SP1 - 7.Apr.2005 9:37:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Hmmm... no takers huh? I do try to give back what I can to this board. [Frown]

Here is the summary of packets from Ethereal:
code:
No.     Time        Source                Destination           Protocol Info
47 3.356467 10.198.40.20 10.198.10.5 TCP 1413 > 1745 [PSH, ACK] Seq=0 Ack=0 Win=63832 Len=340
48 3.357133 10.198.10.5 10.198.40.20 TCP 1745 > 1413 [PSH, ACK] Seq=0 Ack=340 Win=64515 Len=340
49 3.358165 10.198.40.20 10.198.10.5 TCP 1413 > 1745 [PSH, ACK] Seq=340 Ack=340 Win=63492 Len=340
50 3.525188 10.198.10.5 10.198.40.20 TCP 1745 > 1413 [ACK] Seq=340 Ack=680 Win=64175 Len=0
53 3.552583 209.217.87.120 10.198.40.20 TCP ftp > 1709 [RST, ACK] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
81 6.559930 209.217.87.120 10.198.40.20 TCP ftp > 1709 [RST, ACK] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
137 12.574447 209.217.87.120 10.198.40.20 TCP ftp > 1709 [RST, ACK] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
242 24.417867 10.198.10.5 10.198.40.20 TCP 1745 > 1413 [PSH, ACK] Seq=340 Ack=680 Win=64175 Len=340
243 24.595587 10.198.40.20 10.198.10.5 TCP 1413 > 1745 [ACK] Seq=680 Ack=680 Win=63152 Len=0

The client is 10.198.40.20, the ISA server is 10.198.10.5, and the FTP site is 209.217.87.120. The network rule on the ISA server is defined as route, not NAT. The NAT is done on the PIX.

(in reply to LLigetfa)
Post #: 5
RE: FTP problems with Firewall Client ISA2K4SP1 - 7.Apr.2005 10:24:00 PM   
WyldWolf

 

Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline
LLigetfa,

Which ISA server is 10.198.10.5? It seems from the trace that the FTP server is receiving traffic and sending a reset.

Have you tried to FTP directly from the ISA server?

[ April 07, 2005, 10:27 PM: Message edited by: WyldWolf ]

(in reply to LLigetfa)
Post #: 6
RE: FTP problems with Firewall Client ISA2K4SP1 - 7.Apr.2005 11:44:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
10.198.10.5 is my ISA2K4SP1 server. FTP works fine from it directly since no FWC is involved. FTP works fine through it too from the client if I downgrade it to the FWC2K.

I will have to do a trace with the old FWC2K and compare. Maybe by the time MS calls me, I will be able to tell them where the problem is. This feels so much like it is still a beta product. I guess the strategy is to RTM beta and then fix it later and call it a Feature Release. {sigh}

(in reply to LLigetfa)
Post #: 7
RE: FTP problems with Firewall Client ISA2K4SP1 - 7.Apr.2005 11:47:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi LLigetfa,

check out http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/faq-clients.mspx , in particular "Why can't my Firewall clients connect to a Proxy 2.0 server?".

HTH,
Stefaan

(in reply to LLigetfa)
Post #: 8
RE: FTP problems with Firewall Client ISA2K4SP1 - 8.Apr.2005 12:56:00 AM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Stefaan,
Thanks for the link. While it does make mention of backward compatibility, it does not enlighten me as to the issue I am having with 2K4.

(in reply to LLigetfa)
Post #: 9
RE: FTP problems with Firewall Client ISA2K4SP1 - 8.Apr.2005 9:21:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi LLigetfa,

but if you look at your Ethereal trace there are some packets belonging to a connection on TCP port 1745. That's the firewall client control channel for ISA 2004. However, for ISA 2000 the firewall client control channel should be UDP port 1745. Did you apply the registry change?

HTH,
Stefaan

(in reply to LLigetfa)
Post #: 10
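
The check described in post #10 (which transport carries the Firewall Client control channel on port 1745) can be run mechanically over a capture summary like the one in post #5. The Python below is an added example, not code from any poster or from Microsoft; it assumes Ethereal's one-line summary format, and the UDP sample line with its addresses is constructed for contrast.

```python
import re
from collections import Counter

# First three lines are from the trace in post #5; the UDP line is constructed.
SAMPLE = """\
47 3.356467 10.198.40.20 10.198.10.5 TCP 1413 > 1745 [PSH, ACK] Seq=0 Ack=0 Win=63832 Len=340
48 3.357133 10.198.10.5 10.198.40.20 TCP 1745 > 1413 [PSH, ACK] Seq=0 Ack=340 Win=64515 Len=340
53 3.552583 209.217.87.120 10.198.40.20 TCP ftp > 1709 [RST, ACK] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
900 9.000000 10.198.40.21 10.198.10.9 UDP Source port: 1050  Destination port: 1745
"""

CONTROL_PORT = "1745"  # Firewall Client control channel port named in the thread
LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(TCP|UDP)\s+(.*)$")
TCP_INFO = re.compile(r"^(\S+) > (\S+)(?: \[([^\]]*)\])?")
UDP_INFO = re.compile(r"Source port: (\S+)\s+Destination port: (\S+)")

def parse(text):
    """Yield (src, dst, proto, sport, dport, flags) per recognised summary line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # column header, blank line, or another protocol
        _, _, src, dst, proto, info = m.groups()
        pm = (TCP_INFO if proto == "TCP" else UDP_INFO).search(info)
        if not pm:
            continue
        flags = set()
        if proto == "TCP" and pm.group(3):
            flags = {f.strip() for f in pm.group(3).split(",")}
        yield src, dst, proto, pm.group(1), pm.group(2), flags

def control_channel_transports(text):
    """Map (client, server) pairs using port 1745 to the transports seen."""
    seen = {}
    for src, dst, proto, sport, dport, _ in parse(text):
        if dport == CONTROL_PORT:
            key = (src, dst)      # client -> server
        elif sport == CONTROL_PORT:
            key = (dst, src)      # server -> client reply, same pair
        else:
            continue
        seen.setdefault(key, set()).add(proto)
    return seen

def resets_by_source(text):
    """Count TCP segments carrying RST, grouped by sending address."""
    return Counter(src for src, *_, flags in parse(text) if "RST" in flags)
```

A pair that shows only TCP on 1745 is a client speaking the ISA 2004 style control channel; per the reply above, an ISA 2000 server expects that channel on UDP 1745.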
RE: FTP problems with Firewall Client ISA2K4SP1 - 8.Apr.2005 6:26:00 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Stefaan,
OK, I added the reg value, and the FWC2K4SP1 now works with ISA2K. Thanks for that.

Now the really embarrassing part... I know I said that I tested the FWC2K Client against the ISA2K4 server and said that it works... DARN! Somewhere between flipping between computers and client versions, the web proxy got turned on in the browser AND the "Folder View" thingy was off as well on one of my test boxes... DAMN! So unprofessional. That's what happens when you put in the hours in front of four computers on a KVM. Will you ever believe me again?

Sorry guys, for wasting your time [Frown]

K, I am still beating my head against this ISA2K4SP1 server but I guess I should start a new thread.

Thanks

(in reply to LLigetfa)
Post #: 11
RE: FTP problems with Firewall Client ISA2K4SP1 - 8.Apr.2005 8:26:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi LLigetfa,

glad to hear I could help and thanks for the follow up! [Smile]

BTW --- I've two ISA2K4SP1 running on W2K3SP1 in my Virtual PC lab environment and haven't encountered any problems so far.

Thanks,
Stefaan

(in reply to LLigetfa)
Post #: 12
