RE: How the FTP protocol Challenges Firewall Security article

RE: How the FTP protocol Challenges Firewall Security a... - 19.Dec.2003 5:08:00 PM   
bountyx
Posts: 8
Joined: 20.Feb.2002
From: Jamaica
Hi,

I'm having trouble getting GFI Download Security to get antivirus updates. I have it installed on my ISA Server. I try using PASV FTP and have made the IP Packet Filters to allow this. The download test works but actually downloading files just gives an error. Download using HTTP doesn't work either - it just returns an error. How do I allow access for programs like that to download updates?

(in reply to spouseele)
Post #: 41
RE: How the FTP protocol Challenges Firewall Security a... - 19.Dec.2003 9:48:00 PM   
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi bountyx,

please post the details of the IP packet filters created for the passive FTP.

Also, is the GFI download manager proxy aware? If not you should create an outbound HTTP (TCP port 80) IP packet filter for the HTTP downloads.

HTH,
Stefaan

(in reply to spouseele)
Post #: 42
RE: How the FTP protocol Challenges Firewall Security a... - 10.May2004 7:34:00 PM   
allenlu
Posts: 6
Joined: 15.May2003
From: Vandalia, OH
Stefaan,

I was curious if you could check out the following post.

Link

I have been having some trouble for a while now, and cannot quite put my finger on the problem and what I am missing.

Thanks in advance,
Lucas Allen

(in reply to spouseele)
Post #: 43
RE: How the FTP protocol Challenges Firewall Security a... - 15.May2004 11:13:00 AM   
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Lucas,

check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=6;t=002482 .

HTH,
Stefaan

(in reply to spouseele)
Post #: 44
RE: How the FTP protocol Challenges Firewall Security a... - 3.Nov.2004 8:10:00 PM   
grhizor
Posts: 1
Joined: 3.Nov.2004
From: Pennsylvania
Hello - I have enjoyed your articles. I now have no problems with internal FTP clients running WinXP/2000, using MS FTP.EXE in Active Mode and connecting to FTP servers. Both as anonymous and as a specific user-id. The clients can download like mad; both ASCII and Binary.

The problem is if they try to PUT a file. The client immediately gets a reply back of "Access Denied." As far as I can see, the results are the same no matter what combination of Web Proxy, Firewall Client, and SecureNAT I try.

I am running ISA Server 2004, STD on Windows 2003 Server.

If I disconnect the client from the LAN and plug the ComCast cable modem directly into the client, everything works just great!

Thanks for any help you can give. Best Regards!

(in reply to spouseele)
Post #: 45
RE: How the FTP protocol Challenges Firewall Security a... - 3.Nov.2004 9:24:00 PM   
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Over the Hill,

first of all, thanks for the kind words! [Smile]

I see you are running ISA 2004. By default only FTP 'read only' is allowed. So, you should disable that setting. For more info, check out the ISA help file 'To configure FTP filtering'.

HTH,
Stefaan

(in reply to spouseele)
Post #: 46
RE: How the FTP protocol Challenges Firewall Security a... - 12.Oct.2005 5:21:00 AM   
Guest
Thanks for a great article- was really useful to me!

(in reply to spouseele)
  Post #: 47
RE: How the FTP protocol Challenges Firewall Security a... - 2.Nov.2005 6:55:00 PM   
psaint
Posts: 3
Joined: 26.Oct.2005
If I disable the FTP access filter I can access an FTPS site and upload files, but I'm unable to use standard FTP to download or upload files. Is there a way I can access both?

(in reply to spouseele)
Post #: 48
RE: How the FTP protocol Challenges Firewall Security a... - 3.Nov.2005 2:02:00 PM   
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Phillip,

if you need to disable the FTP application filter to enable FTPS then that means that Explicit Security mode is used. In that case SecureNAT clients can't do plain FTP anymore. Firewall clients should still work.

HTH,
Stefaan

(in reply to spouseele)
Post #: 49
RE: How the FTP protocol Challenges Firewall Security a... - 17.Nov.2005 7:02:14 PM   
edgehead
Posts: 2
Joined: 4.Nov.2005
We are trying to use Safetp (safetp.cs.berkeley.edu) and tried using the configuration described in the article. With the firewall client enabled it gives an error when negotiating.

Response: 421-SafeTP caught socket exception:
Response: 421-bind: WSAEACCES: Broadcast address requested proper flags not set (10013) on socket 1660

Is there some way I can configure the client to solve this issue?

(in reply to spouseele)
Post #: 50
RE: How the FTP protocol Challenges Firewall Security a... - 27.Jul.2006 5:28:51 PM   
ThijsD
Posts: 21
Joined: 31.Aug.2005
Hi Stefaan,

I've read your excellent article regarding FTP protocol vs firewall security.
Thank you for providing us such useful information!

I'm still having an FTP problem and after looking/troubleshooting for quite some time, I still haven't found a solution to my problem:
I'm using ISA 2004 std SP2 on a Windows 2003 SP1.
I have a rule that allows FTP connections from the internal network to external.
The rule works fine for users that use the ISA firewall client software, but users connecting through IE (web proxy) can't access any FTP sites.
In the ISA monitor I see "Failed Connection Attempt".

I've already played around with the IE advanced options (enable folder view for ftp sites/use passive FTP) but without success.

Any ideas to solve this problem?

2nd question:
I have 2 types of users:
Type 1: should be able to connect to all ftp sites using the firewall client
Type 2: should only be able to connect through IE to ftp sites. (those are the users that are browsing the internet and after clicking on a link are redirected to an FTP site to read a pdf)
Is this possible with ISA?

I kindly appreciate your help!!

Best regards,

ThijsD

(in reply to bountyx)
Post #: 51
RE: How the FTP protocol Challenges Firewall Security a... - 28.Jul.2006 3:17:01 PM   
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Thijs,

quote:

The rule works fine for users that use the ISA firewall client software, but users connecting through IE (web proxy) can't access any FTP sites. 

What do you mean *exactly* with "...but users connecting through IE..."? Check out my blog http://blogs.isaserver.org/pouseele/2006/05/15/about-the-ftp-protocol-support-in-isa-server/ too. The point is that if the IE setting Enable folder view for FTP sites is checked and you have a rule allowing the FTP protocol, then the client *must* also be configured as a Firewall or a SecureNAT client, depending on whether you require authentication on the FTP rule or not.

So, we need more info on the *exact* configuration of the rule and the clients.

Regarding your 2nd question, if the type 2 users don't have the Firewall client *and* you require user authentication on the rule, then any FTP client that can act as a full blown Web Proxy client, including the authentication process, will be able to perform FTP downloads. One such FTP client is IE with the setting Enable folder view for FTP sites *not* checked.

HTH,
Stefaan

(in reply to ThijsD)
Post #: 52
RE: How the FTP protocol Challenges Firewall Security a... - 31.Jul.2006 12:40:33 PM   
ThijsD
Posts: 21
Joined: 31.Aug.2005
Hi Stefaan,

Thank you for your message.
The users connecting through IE are configured as webproxy clients, so not configured as SecureNAT or ISA firewall client software installed.
Those are just ordinary users that browse websites and often click on a link that redirects them to a pdf located on an FTP site.
Even when the IE setting Enable folder view for FTP sites is not checked, those users are still unable to connect to FTP sites?
I have the ISA firewall client software installed on my computer and I have no problems to connect to those FTP sites.

My rule:
FTP-All Users      ALLOW    FTP   Internal->External     Permission:All Users

Let me know if you need more info...
Big thanks in advance!

Best regards,
ThijsD

(in reply to spouseele)
Post #: 53
RE: How the FTP protocol Challenges Firewall Security a... - 31.Jul.2006 9:53:59 PM   
jhood
Posts: 17
Joined: 6.Jun.2006
I am having trouble getting the FTP publishing to work behind another firewall. HTTP and OWA access work fine, it is just FTP giving us problems. If I remove the firewall and put ISA directly on the internet, it does work though.

When the firewall is there, I see the traffic coming in ISA monitoring, and it is all denied by the default rule.

My setup is like this

Internet ---> (Public IP) Cisco ASA 5510 (10.9.11.1) --->(10.9.11.2) ISA 2004 (10.10.1.1) ---> internal

FTP access to the server works fine internally and fine when there is no firewall, any ideas? From what I can tell, it isn't the ASA, the traffic is being NATed to the ISA so it appears to be coming from the public IP on the ISA monitor. If I allow FTP traffic inside, then the monitoring says denied connection instead of denied by the default rule. However for OWA and HTTP traffic, I didn't need a rule to allow HTTP inside.

I've tried checking for it to listen on Local Host, External, all networks and different combinations of each to no avail. So it is like the server is just refusing authentication from the public IP. When the ISA was directly on the internet, the FTP traffic came in as "FTP server" traffic, now it just comes in as FTP traffic.

Perhaps also it is our network configuration, do I need to define a 10.9.11.x network ?

This is all in a test environment atm so I can make whatever changes for testing

(in reply to spouseele)
Post #: 54
RE: How the FTP protocol Challenges Firewall Security a... - 11.Aug.2006 9:39:37 AM   
ThijsD
Posts: 21
Joined: 31.Aug.2005
Hi Stefaan,

Can you look at my last post please?
Thank you!

Best regards,

ThijsD

(in reply to jhood)
Post #: 55
RE: How the FTP protocol Challenges Firewall Security a... - 11.Aug.2006 9:36:30 PM   
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi jhood,

can you create a new topic because it sounds more like a network configuration problem instead of an FTP issue.

Thanks,
Stefaan

(in reply to ThijsD)
Post #: 56
RE: How the FTP protocol Challenges Firewall Security a... - 11.Aug.2006 9:39:58 PM   
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Thijs,

it should definitely work for anonymous FTP downloads. I suggest you take a NetMon trace on the ISA internal and external interface of such a failing FTP session through IE.

HTH,
Stefaan

(in reply to spouseele)
Post #: 57
RE: How the FTP protocol Challenges Firewall Security a... - 28.Dec.2006 2:00:31 AM   
JasonHammett
Posts: 3
Joined: 6.Dec.2004
Thanks for the great article.  Unfortunately I am still stuck.

I am using ISA 2004 in my environment.  I have a standard FTP server published on port 21 which works fine using PASV.  I have another FTP server at port 30 only because I needed to publish a different server as an FTP server.  I am not using port 30 for security by obscurity, I simply needed a separate box to host the ftp.  Both FTP servers work fine using PASV mode.  Neither will work in Active mode when accessed from an external host.

My problem is allowing external users to traverse my ISA 2004 firewall to my published FTP on port 30 and to be able to use Active mode.  I have tried a number of custom filters in an attempt to follow the model you prescribed in the article w/ no luck.  Again, PASV ftp from external clients always works.  (I have not attempted to install the firewall client on my "second / Port 30 FTP server."  I would prefer not to install the Firewall client there.)

As an aside, there seems to be much written on the topic of ISA and Active mode FTP.  However, most seems to be geared toward clients behind ISA firewalls trying to reach FTP servers external to the organization.  For clarity's sake, my problem is the opposite, I want my FTP server published via ISA 2004 for the outside world to be able to perform Active FTP sessions.  (Ideally an external user could initiate either a PASV or Active FTP session.)

I appreciate any help you can provide.  Also, is this "issue" easier to perform with ISA 2006?  Why don't the built in FTP Access Filters handle this natively?

Should I be following section 4.2 SecureNAT based on what I'm trying to accomplish?
The FTP server is not hosted on the ISA server itself.  It is a separate server.
I do not have a 3 legged ISA server.

I do not understand if I need a FTP Client rule since all internal traffic is allowed to traverse the Internet.  Do I need one?

Also, your screen caps are for ISA 2000 I think and I'm having trouble "porting" it to ISA 2004.  Does each screen cap represent a unique Rule in ISA 2004?

In your screen caps it shows dynamic for port traffic.  In the custom configuration in ISA 2004 there does not seem to be an option for dynamic.  Is that 0?

Again your help is greatly appreciated.

Regards,
Jason

(in reply to bountyx)
Post #: 58
RE: How the FTP protocol Challenges Firewall Security a... - 28.Dec.2006 9:53:41 AM   
JasonHammett
Posts: 3
Joined: 6.Dec.2004
Here is an update to my previous post.  The remote client is behind a firewall too.  It appears as if my FTP server, when trying to go into "data" mode, is sending SYN_SENT information to the non routable IP of the client.  So it detects the incoming connection with the public host info - publichost.publicdomain.com.  But then it tries to continue the conversation with a private ip like 192.168.1.x.  This, of course, my FTP server will not be able to route back to the client.

I'm using Serv-U ftp.  Is this a limitation of Active FTP?  Is there a way for the client or server to only use the remote users' public IP?

Regards,
Jason

(in reply to JasonHammett)
Post #: 59
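The symptom Jason describes in post #59 (the server dialing a 192.168.1.x address it found inside a PORT command) and the explicit FTPS case from post #49 (the filter going blind after AUTH TLS) are both things a firewall's FTP application filter has to work out from the control channel alone. The Python script below is an added example, not code from ISA Server or from the article: a toy inspector that follows a control-channel dialogue, extracts the dynamic data-channel endpoint from PORT (active) and the 227 reply (passive), and reports both failure modes. The dialogues and the addresses 203.0.113.10, 198.51.100.5 and 192.168.1.20 are constructed for illustration.

```python
"""Toy FTP control-channel inspector in the spirit of a firewall FTP
application filter (added example; not ISA Server code; dialogues are
constructed). It reads the client/server exchange, pulls the dynamic
data-channel endpoint out of PORT (active) and 227 (passive), and flags
the two cases this thread keeps hitting: a PORT command that advertises
an address other than the client's real source address (the NAT case in
post #59), and an AUTH TLS upgrade, after which the filter is blind."""
import ipaddress
import re

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _host_port(nums):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2), range-checked."""
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed host/port tuple: %r" % (nums,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_port_arg(arg):
    """Argument of a client PORT command, e.g. '192,168,1,20,4,1'."""
    return _host_port([int(p) for p in arg.strip().split(",")])


def parse_pasv_reply(line):
    """Server 227 reply, e.g. '227 Entering Passive Mode (198,51,100,5,195,80)'."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("no host/port tuple in 227 reply: %r" % line)
    return _host_port([int(x) for x in m.groups()])


def inspect_session(client_ip, server_ip, dialogue):
    """dialogue: list of ('C' or 'S', line) as seen on the control channel.
    Returns (channels, findings): channels are the data connections the
    filter would have to open dynamically, as (opener->target, ip, port)."""
    channels, findings, tls_pending = [], [], False
    for who, line in dialogue:
        if who == "C":
            verb, _, arg = line.strip().partition(" ")
            verb = verb.upper()
            if verb == "PORT":
                ip, port = parse_port_arg(arg)
                channels.append(("server->client", ip, port))
                if ip != client_ip:
                    kind = "private" if ipaddress.ip_address(ip).is_private else "foreign"
                    findings.append(
                        "PORT advertises %s address %s but the control connection "
                        "comes from %s: the server's data connection to %s:%d "
                        "will never reach the client" % (kind, ip, client_ip, ip, port))
            elif verb == "AUTH" and arg.strip().upper() in ("TLS", "SSL"):
                tls_pending = True
        else:
            code = line[:3]
            if tls_pending and code == "234":
                findings.append("AUTH TLS accepted: control channel now encrypted, "
                                "PORT/PASV no longer visible to the filter")
                break  # everything after this is ciphertext on the wire
            tls_pending = False
            if code == "227":
                ip, port = parse_pasv_reply(line)
                channels.append(("client->server", ip, port))
                if ip != server_ip:
                    findings.append("227 advertises %s but the server is %s "
                                    "(server behind NAT with no FTP ALG)" % (ip, server_ip))
    return channels, findings


# Constructed dialogues. CLIENT_IP is what the server (and a filter in
# front of it) sees; the client's real address 192.168.1.20 is behind NAT.
CLIENT_IP, SERVER_IP = "203.0.113.10", "198.51.100.5"
ACTIVE_BEHIND_NAT = [
    ("S", "220 FTP server ready"),
    ("C", "USER jason"), ("S", "331 Password required"),
    ("C", "PASS secret"), ("S", "230 User logged in"),
    ("C", "PORT 192,168,1,20,4,1"), ("S", "200 PORT command successful"),
    ("C", "RETR report.pdf"),
]
EXPLICIT_FTPS = [
    ("S", "220 FTP server ready"),
    ("C", "AUTH TLS"), ("S", "234 AUTH TLS successful"),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (198,51,100,5,195,80)"),
]
PASSIVE_OK = [
    ("C", "PASV"), ("S", "227 Entering Passive Mode (198,51,100,5,195,80)"),
]

if __name__ == "__main__":
    for name, dlg in (("active behind NAT", ACTIVE_BEHIND_NAT),
                      ("explicit FTPS", EXPLICIT_FTPS), ("passive", PASSIVE_OK)):
        chans, finds = inspect_session(CLIENT_IP, SERVER_IP, dlg)
        print(name, "->", chans, finds)
```

The `server->client` / `client->server` tuples are the dynamic data connections that the ISA 2000 packet filters in the article (and the ISA 2004 FTP filter) have to open per session; the PORT finding is the unroutable 192.168.1.x connection from post #59, and the early `break` on 234 is the point Stefaan makes in post #49: once Explicit Security is negotiated the filter cannot see the data-channel negotiation, so it can only work for clients that open the data connection themselves through the Firewall client.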
RE: How the FTP protocol Challenges Firewall Security a... - 28.Dec.2006 1:36:39 PM   
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Jason,

are you running ISA 2004 SP2? You should!
Any later hotfix installed?

HTH,
Stefaan

(in reply to JasonHammett)
Post #: 60
