I run EZ Antivirus on all of my machines with signature file updates scheduled to run automatically. The updates use a combination of HTTP and FTP protocols. The updates work fine on my firewall clients but I'm having trouble getting the update to work on the ISA Server itself. I have tried creating a packet filter for FTP access but just opening port 21 for outbound access isn't sufficient (http://www.isaserver.org/tutorials/How_to_Allow_Internet_Access_on_ISA_Server_Machine.html). It would appear that I need to set up a packet filter to allow inbound access but this seems rather risky from a security point of view. How is it that the firewall clients can do this securely but it isn't possible on the ISA server? And why shouldn't I install the firewall client on the ISA server?
You are right! Allowing FTP from ISA itself is not a good idea from a security point of view. My strategy to download updates is to download the updates from an internal host and then distribute them from there. In that case you don't need to allow FTP from/to ISA itself. Moreover, you only have to download them once!
The only exception I would allow is if you can configure the update program to use FTP through the web proxy service on ISA. You can then use localhost:8080 or ISA_internalIP:8080 as proxy server.
What a fantastic article on FTP with ISA Server 2000. Thank you for putting forth the effort to write this very helpful piece. I definitely have a stronger understanding of this protocol and its place in a network using ISA Server.
I am having difficulty getting the FTPS (explicit) traffic to pass through for my CuteFTP client. I have read Stefaan's article; however, the connection hangs at "Exchanging the encryption key". Is the exact procedure to 1. disable the FTP IP packet filter, 2. create a protocol definition for FTP using TCP, 21, outbound, and 3. install the firewall client?
Firstly, let me say that this site is wonderful. Keep up the good work! I have never had to write in because all the answers to my questions have already been answered.
Problem: I have been trying for almost 2 weeks now to get a Web/FTP server behind the ISA firewall to work.
Step 1: So far I have been able to web publish URLs for people to view the web sites on the server, so everything works fine there.
Step 2: This is the problem bit. I have tried to allow the developers in the company FTP access to the web server behind the firewall. I keep getting the dreaded "Windows cannot access this folder. Make sure you type the file name correctly and that you have permission to access the folder" with Details: "The FTP session was terminated".
Every time, I do not get any other errors at all. Now I have given user rights to these folders in the domain, but I am still not having any luck.
I have used the server publishing rules and this message still comes up. I have read all the relevant articles on the subject of setting up FTP access on this web site, and there are a few: I read Hadyn-wang's "Install and configure FTP server behind ISA with unstandard port", your article, and also Thomas's "Use web pub to pub co-located Web and FTP servers".
Could you please help me out with some advice? If you need to know any more info to help you clarify or pinpoint the problem, please ask.
A couple of questions:
- Is the FTP server running on the standard FTP port?
- Did you web or server publish the FTP server? Keep in mind that no uploads are possible when you web publish the FTP server.
- Have you configured the FTP server as a SecureNAT client?
- Is the FTP application filter enabled on ISA server?
- Did you test the FTP access from an external host?
- Which FTP client are you using: IE or the standard commandline client?
- ...
Q. Is the FTP server running on the standard FTP port?
A. Yes, port 21.
Q. Did you web or server publish the FTP server? Keep in mind that no uploads are possible when you web publish the FTP server.
A. No. I have a couple of web-published websites, and I understand the limits of publishing an FTP site using the web publishing rule and how the FTP access is done through redirecting HTTP requests as FTP requests. I also tried this and I got the previous error I mentioned.
Q. Have you configured the FTP server as a SecureNAT client?
A. I am not too sure; do you mean have I got the firewall client running on the FTP server?
Q. Is the FTP application filter enabled on ISA server?
A. I have checked the Policy Elements/Protocol Definitions and all 3 FTP application filters are enabled. I have also created custom IP packet filters: "FTP Server Control", inbound, local port 21, remote port all ports; and "FTP server control data connection", outbound, fixed local port 20, remote port all ports.
Q. Did you test the FTP access from an external host?
A. I have just done this now. We have an external dedicated server, so I TS into it and guess what: IT WORKED! BUT how come I cannot send a request from an internal PC through the internet to get into the FTP server?
Q. Which FTP client are you using: IE or the standard commandline client?
A. I have been using IE6, but we also use SmartFTP, and from the internal source it does not work.
Conclusion so far: I am happy that I can get in from an external source; the bad thing now is I don't know why I can't just FTP into the FTP server like I can HTTP into the websites. Could you advise me further, please? Thanks.
If you run the FTP server on the standard port number, then you should *not* install the firewall client on the FTP server and just configure the FTP server as a SecureNAT client. That means that its default gateway should point to the ISA server internal interface.
Also, there is only one FTP application filter and it is under the node Extension -> Application Filters. Moreover, as a general rule you should *never* create packet filters yourself except in some very specific situations. The protocol, site&content and publishing rules will create the needed packet filters dynamically for you.
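The two points above (the first reply's warning that opening port 21 outbound on the ISA box is not enough, and the note here that the FTP application filter, not hand-made packet filters, opens what FTP needs) both come down to how FTP negotiates its data connections in-band on the control channel. The following is an added illustration, not code from this thread, from the cited articles or from ISA Server: it parses a constructed FTP control-channel transcript and lists the data connections a stateful FTP filter would have to permit. The addresses, ports and session lines are made up for the example.

```python
"""Derive FTP data-channel endpoints from a control-channel transcript.

Added example (not from the thread or from ISA Server). It shows why a
static "TCP/21 outbound" filter is insufficient: in active mode the
*server* opens the data connection back to a client port announced in
the PORT command, and in passive mode the client connects to a server
port announced in the 227/229 reply. A filter has to read these lines
to open the right dynamic rule; it cannot do so if the control channel
is encrypted (explicit FTPS after AUTH TLS).
"""
import re

# Constructed transcript; "C:" is client, "S:" is server. Addresses are
# documentation/private ranges chosen for the example.
SESSION = """\
S: 220 FTP server ready
C: USER update
S: 331 Password required
C: PASS ******
S: 230 Logged in
C: PORT 192,168,1,50,4,1
S: 200 PORT command successful
C: RETR sigs.dat
S: 150 Opening data connection
S: 226 Transfer complete
C: PASV
S: 227 Entering Passive Mode (203,0,113,10,195,80)
C: RETR sigs2.dat
S: 150 Opening data connection
S: 226 Transfer complete
C: EPSV
S: 229 Entering Extended Passive Mode (|||50001|)
C: QUIT
S: 221 Goodbye
"""

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
PASV_RE = re.compile(r"^227\b.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def _endpoint(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227 replies."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("octet out of range: %r" % (groups,))
    h1, h2, h3, h4, p1, p2 = vals
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_channels(transcript, client_ip, server_ip):
    """Return one dict per negotiated data connection, in order seen."""
    out = []
    for raw in transcript.splitlines():
        who, _, line = raw.partition(": ")
        if who == "C":
            m = PORT_RE.match(line)
            if m:
                ip, port = _endpoint(m.groups())
                # Active mode: server connects from port 20 *to* the client.
                out.append({"mode": "active", "src": (server_ip, 20),
                            "dst": (ip, port), "direction": "server->client"})
        elif who == "S":
            m = PASV_RE.match(line)
            if m:
                ip, port = _endpoint(m.groups())
                out.append({"mode": "passive", "src": (client_ip, "ephemeral"),
                            "dst": (ip, port), "direction": "client->server"})
                continue
            m = EPSV_RE.match(line)
            if m:
                # EPSV carries only the port; the address is the server's.
                out.append({"mode": "passive", "src": (client_ip, "ephemeral"),
                            "dst": (server_ip, int(m.group(1))),
                            "direction": "client->server"})
    return out


def needs_inbound_rule(channels):
    """True if any data connection is initiated from the server side,
    i.e. a client-side host needs an inbound allow beyond TCP/21 out."""
    return any(c["mode"] == "active" for c in channels)


if __name__ == "__main__":
    for c in data_channels(SESSION, "192.168.1.50", "203.0.113.10"):
        print(c)
    print("inbound rule needed:",
          needs_inbound_rule(data_channels(SESSION, "192.168.1.50", "203.0.113.10")))
```

Run against the constructed session, the first transfer (PORT) is a server-initiated connection to 192.168.1.50:1025, which is exactly the inbound access the first post was reluctant to open by hand; the two passive transfers are client-initiated to 203.0.113.10:50000 and :50001. An FTP application filter does this parsing per connection and opens a rule only for that endpoint and only while the session lasts, which is why the reply recommends leaving packet filters to the rules engine rather than creating static ones.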
Thanks for replying so quickly; it is much appreciated.
OK, I think I know what you mean by SecureNAT now. If you mean does my server point to the gateway (proxy/firewall ISA server) internal address, the answer is yes. The test FTP server is actually my own client machine that I am practising with before I connect it to the real web server.
Taking your advice on the second point, I will now disable the custom packet filters that I created in the first place.
I see what you are saying about the internal-to-external loopback situation also.
But I still can't get the previously web published website to appear using the FTP notation. I.e. www.website.com works fine and points to the right internal server, which looks for a host file name when the request is redirected to it. So I created another destination set, ftp.website.com, and pointed it to the same internal web server, and placed the host file name on the web server to pick up any FTP request, but this does not work. What is it I have to do to resolve this issue? I thought it would be straightforward, because the web publishing was pretty straightforward after I played about with it for a while.
Hi Stefaan, I have already looked at this article and I have already tried to get in from an external source without much luck. I will give it a go again one more time, but I was not having much luck; that's why I thought I would get some expert advice in the first place. Thanks for your help anyway.
In one of your previous posts you say that when you tested from an external host it was working. Maybe I've missed something, but what was working: the FTP server publishing rule or the FTP web publishing rule?
Keep in mind that if you want to access the FTP server through the web publishing rule you can *not* use the FTP protocol on the client side. You must access the web published FTP server through the HTTP protocol (http://ftp.domain.com).
From: Perth, Western Australia
quote: "What do you want to achieve? You are talking about securely transferring files to *public* terminals such as an internet cafe/airport/hotel. That doesn't make much sense to me!"
True, true. There is the fact that the individual file would possibly become available to nasty people at the "public terminal", but sometimes you gotta do what you gotta do to get data to people, and we are willing to risk that. What we don't want to risk (or want to minimise as much as possible whilst still allowing access) is access to all the other data which still resides on the (hopefully) "secure file server".
We need to be able to receive and publish files for specific users.