
Welcome to ISAserver.org


FTP client connectivity issues

FTP client connectivity issues - 13.Jun.2002 9:27:00 PM   
hbarun@sbic.co.za

 

Posts: 51
Joined: 13.Jun.2002
From: South Africa
Status: offline
Hi all,
Could anyone perhaps assist with FTP client connectivity issues that I am experiencing?
When I install Leetch FTP client on the ISA servers, I am able to successfully connect to external FTP servers. Also I am able to FTP from a CMD prompt to FTP servers. The problem I have is trying to connect from a client's workstation.
I have tried setting up the clients as Firewall clients, but I still fail to connect to any external FTP servers. A socket error appears when using Leetch FTP client.
The ISA server has been configured in Integrated mode with 2x NICs.
Any suggestions?
hbarun@sbic.co.za
Post #: 1
RE: FTP client connectivity issues - 15.Jun.2002 4:27:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi hbarun,

have you already tried the command FTP client on a Firewall client? What are the ISA logs telling you?

HTH,
Stefaan

(in reply to hbarun@sbic.co.za)
Post #: 2
RE: FTP client connectivity issues - 18.Jun.2002 9:13:00 PM   
hbarun@sbic.co.za

 

Posts: 51
Joined: 13.Jun.2002
From: South Africa
Status: offline
Thanks for your reply Stephan. Yes, I have tried both FTP CMD and LeetchFTP from a firewall client. I have looked through the FW log files, but these are clear in showing whether the connection is successful. Furthermore where the problem lies.
(Should I attach an example of the FW LOG?)
FTP via the browser works from the web clients.
Based on our complex network and DMZ infrastructure the web proxy & firewall clients are on our backbone infrastructure. The backbone users are permitted through our INNER firewall to the ISA server by port access, i.e. FTP, UDP and TCP. ISA has been configured to allow domain authenticated users access to all TCP/FTP requests via a protocol rule which has been defined. The ISA server traffic has been permitted to leave our OUTER firewall onto the Internet. What's interesting, as mentioned before, is that both FTP CMD and 3rd party FTP programs such as Leetch FTP work fine from the ISA servers themselves.

[ June 18, 2002, 09:57 PM: Message edited by: hbarun@sbic.co.za ]

(in reply to hbarun@sbic.co.za)
Post #: 3
RE: FTP client connectivity issues - 18.Jun.2002 10:03:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi hbarun,

wow, 3 firewalls! [Big Grin]

Ok, for testing purposes I would place a Firewall client directly on the segment between the Internal FW1 and the ISA server and see if the FTP succeeds. It should, otherwise you have a problem on ISA or the outer firewall.

Now, assuming the above test succeeds, it is time to look at the Internal FW1 configuration. In my opinion, any device doing NAT/PAT in the path between the Firewall client and the ISA server will break the RWSP protocol (Remote WinSock Protocol) used by the Firewall client.
For more info, check out my article http://www.isaserver.org/pages/articles.asp?art=323 .

HTH,
Stefaan

(in reply to hbarun@sbic.co.za)
Post #: 4
RE: FTP client connectivity issues - 9.Jul.2002 2:12:00 PM   
hbarun@sbic.co.za

 

Posts: 51
Joined: 13.Jun.2002
From: South Africa
Status: offline
I have managed to sort out the FTP problems.
We have simulated the problems using VMWare at Microsoft and with the help of Blackice we simulated our Inner firewall. We discovered, that the FTP issues were related to TCP and UDP ports.
Firstly, ports 1745 TCP/UDP needed to be open from our backbone to the DMZ. Secondly, TCP ports 1024 and above needed to be opened for the firewall client to function and allow automatic updates from our backbone users to our DMZ.
FTP now works from the clients, and 3rd party FTP tools allow PASV connections only. One issue unresolved is that the clients are not able to use the LS function in the FTP CMD tool. Error message: (unable to bind...)
Has anyone had this problem using FTP CMD?

(in reply to hbarun@sbic.co.za)
Post #: 5
RE: FTP client connectivity issues - 12.Jul.2002 6:41:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi hbarun,

Are you running a firewall chaining configuration? That would explain why you need to open TCP and UDP 1745 on the upstream Firewall.

Thanks for bringing this up!

Tom

(in reply to hbarun@sbic.co.za)
Post #: 6
RE: FTP client connectivity issues - 15.Jul.2002 8:07:00 AM   
hbarun@sbic.co.za

 

Posts: 51
Joined: 13.Jun.2002
From: South Africa
Status: offline
Hi Tom,
Agreed, but we are not chaining firewalls. I believe this has to do with the complex network and firewall infrastructure. I do have a question which I was hoping you would be able to assist with. Attached I have screen dumped the text of a CMD FTP connect which does not do an "LS" list, but when using Leetch FTP in PASV mode all the functions work fine. What causes ftp: bind :Can't assign requested address

H:\>ftp

ftp> open
To mysite.mweb.co.za
Connected to mysite.mweb.co.za.
220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.11 )) .:.-=(<*>)=-
220-You are user number 2 of 50 allowed
220-Local time is now 03:39 and the load is 0.02. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
User (mysite.mweb.co.za:(none)): pnmenlyn
331 User pnmenlyn OK. Password required
Password:
230-User pnmenlyn has group access to: sysadmin
230-OK. Current restricted directory is /
230-12 files used (0%) - authorized: 2000 files
230 1 Kbytes used (0%) - authorized: 20480 Kb
ftp> ls
> ftp: bind :Can't assign requested address
ftp>

(in reply to hbarun@sbic.co.za)
Post #: 7
RE: FTP client connectivity issues - 15.Jul.2002 10:28:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi hbarun,

if FTP works in passive mode and not in active mode (the command line ftp uses active mode), then I believe you have a NAT/PAT problem. Am I correct to assume that the inner firewall between the Firewall clients and the ISA internal interface is doing address translation?

If that is the case, then you must definitely read my article http://www.isaserver.org/pages/articles.asp?art=323 to understand why it is not working.

HTH,
Stefaan

(in reply to hbarun@sbic.co.za)
Post #: 8
RE: FTP client connectivity issues - 15.Jul.2002 10:53:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

I've tested out a scenario where the command line FTP client was behind three ISA Servers. Each one had the FTP access application filter enabled and the client was a SecureNAT client. It worked fine. So, I suspect there is an "intelligence" issue with an upstream firewall?

Thanks!

Tom

(in reply to hbarun@sbic.co.za)
Post #: 9
RE: FTP client connectivity issues - 15.Jul.2002 11:44:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

you said the magic words: 3 ISA servers and a SecureNAT client! [Big Grin]

I thought HBarun's problem was he wanted to use the Firewall client (client authentication). BUT between the Firewall client and the ISA internal interface sits another firewall (he calls it the inner firewall and it seems not to be an ISA). It's not clear to me if that beast is doing some address translation. If it does, I think it might break the RWSP used by the Firewall client. What do you think?

Thanks,
Stefaan

[ July 15, 2002, 11:47 PM: Message edited by: spouseele ]

(in reply to hbarun@sbic.co.za)
Post #: 10
RE: FTP client connectivity issues - 16.Jul.2002 9:10:00 AM   
Guest
Maybe some more information for you guys.

All backbone clients are using the class A network of 10.x.x.x.

Inner Firewall = Checkpoint FW1
Multiple NICs with the address range within the Web DMZ being 192.168.1.x

2 Win2K NLBS ISA servers with 2 NIC's in each.
Internal interface = 192.168.1.x for each
External Interface = 196.8.x.x for each

From there, the default gateway points to the Outer firewall also being Checkpoint FW1 with address of 196.8.x.x

As far as I am aware, no NAT'ing is taking place, due to there being multiple NICs with private and public IPs in each case.

The default gateway does not point to the ISA servers, so making them SecureNAT clients isn't really a feasibility as I can see.

Lemme know if you need more

(in reply to hbarun@sbic.co.za)
  Post #: 11
RE: FTP client connectivity issues - 16.Jul.2002 10:43:00 AM   
hbarun@sbic.co.za

 

Posts: 51
Joined: 13.Jun.2002
From: South Africa
Status: offline
Thanks Chris, Tom, Stefaan hope these comments help you understand our environment.
Any comments as to what we need to look at regarding CMD FTP?
Thanks
Heath

(in reply to hbarun@sbic.co.za)
Post #: 12
RE: FTP client connectivity issues - 16.Jul.2002 2:50:00 PM   
lemonwater925

 

Posts: 417
Joined: 22.Mar.2001
From: North of the 49th
Status: offline
Did not see you trying ftp -a option yet. Give that a try and see if it helps. States it to bind to the local interface.

(in reply to hbarun@sbic.co.za)
Post #: 13
RE: FTP client connectivity issues - 16.Jul.2002 4:48:00 PM   
hbarun@sbic.co.za

 

Posts: 51
Joined: 13.Jun.2002
From: South Africa
Status: offline
-a option seems to hang after establishing a port connection.

ftp> open
To mysite.mweb.co.za
Connected to mysite.mweb.co.za.
220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.11 )) .:.-=(<*>)=-
220-You are user number 2 of 50 allowed
220-Local time is now 12:22 and the load is 0.05. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
User (mysite.mweb.co.za:(none)): pnmenlyn
331 User pnmenlyn OK. Password required
Password:
230-User pnmenlyn has group access to: sysadmin
230-OK. Current restricted directory is /
230-12 files used (0%) - authorized: 2000 files
230 1 Kbytes used (0%) - authorized: 20480 Kb
ftp> ls
200 PORT command successful
150 Connecting to port 61251.

(in reply to hbarun@sbic.co.za)
Post #: 14
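
In active mode the client announces an address and port in PORT and the server connects back to it, which is the "150 Connecting to port 61251" step in the session above; in passive mode the client opens the data connection itself. The Python sketch below is an added example, not code from any poster: it decodes the PORT argument and the 227 reply and flags the address-translation case raised earlier in the thread. All addresses in it are constructed samples.

```python
import ipaddress
import re

# RFC 959 host-port argument: h1,h2,h3,h4,p1,p2 (six decimal octets).
HOSTPORT = r"(\d{1,3}(?:,\d{1,3}){5})"
PORT_CMD = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_REPLY = re.compile(r"^227\b.*?" + HOSTPORT)


def decode_hostport(arg):
    """Turn 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    nums = [int(n) for n in arg.split(",")]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError("not a valid host-port argument: %r" % arg)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def data_channel(line, control_src, control_dst):
    """Describe the data connection a control-channel line sets up.

    control_src/control_dst are the client and server addresses of the
    control connection as seen at the inspecting device. Returns None for
    lines that do not negotiate a data channel.
    """
    line = line.strip()
    m = PORT_CMD.match(line)
    if m:  # active mode: the server connects in to the client
        mode, expected = "active", control_src
    else:
        m = PASV_REPLY.match(line)
        if not m:
            return None
        mode, expected = "passive", control_dst
    ip, port = decode_hostport(m.group(1))
    return {
        "mode": mode,
        "initiator": "server" if mode == "active" else "client",
        "endpoint": (str(ip), port),
        # Payload address differs from the packet address: something in the
        # path translated the IP header but did not rewrite the FTP payload.
        "address_mismatch": ip != ipaddress.IPv4Address(expected),
    }


# Constructed sample: 10.1.2.3 is a made-up backbone client, 192.0.2.10 a
# made-up translated address, 198.51.100.21 a made-up server. 239*256+67 is
# the port 61251 from the session above.
ACTIVE = data_channel("PORT 10,1,2,3,239,67", "192.0.2.10", "198.51.100.21")
PASSIVE = data_channel("227 Entering Passive Mode (198,51,100,21,195,80)",
                       "192.0.2.10", "198.51.100.21")
```

For the active case, every firewall between server and client has to admit the server-initiated connection to the decoded endpoint, either through FTP-aware inspection or an explicit rule; the passive case only needs outbound connections from the client.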
RE: FTP client connectivity issues - 16.Jul.2002 7:21:00 PM   
lemonwater925

 

Posts: 417
Joined: 22.Mar.2001
From: North of the 49th
Status: offline
That worked for us. The DOS command is the simplest of them all.

Can you run the DOS client directly off the ISA server?

(in reply to hbarun@sbic.co.za)
Post #: 15
RE: FTP client connectivity issues - 17.Jul.2002 7:21:00 AM   
hbarun@sbic.co.za

 

Posts: 51
Joined: 13.Jun.2002
From: South Africa
Status: offline
Yes, the dos client works 100% from the ISA server itself. From the clients side we have ensured that ports 1024 and above have been allowed. Also ports 1745 TCP/UDP for the firewall client.

(in reply to hbarun@sbic.co.za)
Post #: 16
