Posts: 51
Joined: 13.Jun.2002
From: South Africa
Status: offline
Hi all, Could anyone perhaps assist with FTP client connectivity issues that I am experiencing? When I install the Leetch FTP client on the ISA servers, I am able to successfully connect to external FTP servers. I am also able to FTP from a CMD prompt to FTP servers. The problem I have is trying to connect from a client's workstation. I have tried setting up the clients as Firewall clients, but I still fail to connect to any external FTP servers. A socket error appears when using the Leetch FTP client. The ISA server has been configured in Integrated mode with 2 NICs. Any suggestions? hbarun@sbic.co.za
Thanks for your reply Stephan, Yes, I have tried both FTP CMD and LeetchFTP from a firewall client. I have looked through the FW log files, but these are clear in showing whether the connection is successful, and furthermore where the problem lies. (Should I attach an example of the FW log?) FTP via the browser works from the web clients. Based on our complex network and DMZ infrastructure, the web proxy and firewall clients are on our backbone infrastructure. The backbone users are permitted through our INNER firewall to the ISA server by port access, i.e. FTP, UDP and TCP. ISA has been configured to allow domain-authenticated users access to all TCP/FTP requests via a protocol rule which has been defined. The ISA server traffic has been permitted to leave our OUTER firewall onto the Internet. What's interesting, as mentioned before, is that both FTP CMD and 3rd-party FTP programs such as Leetch FTP work fine from the ISA server itself.
Ok, for testing purposes I would place a Firewall client directly on the segment between the Internal FW1 and the ISA server and see if the FTP succeeds. It should, otherwise you have a problem on ISA or the outer firewall.
Now, assuming the above test succeeds, it is time to look at the Internal FW1 configuration. In my opinion, any device doing NAT/PAT in the path between the Firewall client and the ISA server will break the RWSP protocol (Remote WinSock Protocol) used by the Firewall client. For more info, check out my article http://www.isaserver.org/pages/articles.asp?art=323 .
I have managed to sort out the FTP problems. We have simulated the problems using VMware at Microsoft, and with the help of BlackICE we simulated our inner firewall. We discovered that the FTP issues were related to TCP and UDP ports. Firstly, port 1745 TCP/UDP needed to be open from our backbone to the DMZ. Secondly, TCP ports 1024 and above needed to be opened for the firewall client to function and to allow automatic updates from our backbone users to our DMZ. FTP now works from the clients, and 3rd-party FTP tools allow PASV connections only. One issue that remains unresolved is that the clients are not able to use the LS function in the FTP CMD tool. Error message: (unable to bind...). Has anyone had this problem using FTP CMD?
Hi Tom, Agreed, but we are not chaining firewalls. I believe this has to do with the complex network and firewall infrastructure. I do have a question which I was hoping you would be able to assist with. Attached I have screen-dumped the text of a CMD FTP connection which does not do an "LS" list, but when using Leetch FTP in PASV mode all the functions work fine. What causes "ftp: bind :Can't assign requested address"?

H:\>ftp
ftp> open
To mysite.mweb.co.za
Connected to mysite.mweb.co.za.
220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.11 )) .:.-=(<*>)=-
220-You are user number 2 of 50 allowed
220-Local time is now 03:39 and the load is 0.02. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
User (mysite.mweb.co.za:(none)): pnmenlyn
331 User pnmenlyn OK. Password required
Password:
230-User pnmenlyn has group access to: sysadmin
230-OK. Current restricted directory is /
230-12 files used (0%) - authorized: 2000 files
230 1 Kbytes used (0%) - authorized: 20480 Kb
ftp> ls
> ftp: bind :Can't assign requested address
ftp>
If FTP works in passive mode and not in active mode (the command line ftp uses active mode), then I believe you have a NAT/PAT problem. Am I correct to assume that the inner firewall between the Firewall clients and the ISA internal interface is doing address translation?
I've tested out a scenario where the command line FTP client was behind three ISA Servers. Each one had the FTP access application filter enabled and the client was a SecureNAT client. It worked fine. So, I suspect there is an "intelligence" issue with an upstream firewall?
You said the magic words: 3 ISA servers and a SecureNAT client!
I thought HBarun's problem was he wanted to use the Firewall client (client authentication). BUT between the Firewall client and the ISA internal interface sits another firewall (he calls it the inner firewall and it seems not to be an ISA). It's not clear to me if that beast is doing some address translation. If it does, I think it might break the RWSP used by the Firewall client. What do you think?
Thanks Chris, Tom, Stefaan; I hope these comments help you understand our environment. Any comments as to what we need to look at regarding CMD FTP? Thanks, Heath
The -a option seems to hang after establishing a port connection.

ftp> open
To mysite.mweb.co.za
Connected to mysite.mweb.co.za.
220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.11 )) .:.-=(<*>)=-
220-You are user number 2 of 50 allowed
220-Local time is now 12:22 and the load is 0.05. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
User (mysite.mweb.co.za:(none)): pnmenlyn
331 User pnmenlyn OK. Password required
Password:
230-User pnmenlyn has group access to: sysadmin
230-OK. Current restricted directory is /
230-12 files used (0%) - authorized: 2000 files
230 1 Kbytes used (0%) - authorized: 20480 Kb
ftp> ls
200 PORT command successful
150 Connecting to port 61251.
Yes, the DOS client works 100% from the ISA server itself. From the client side we have ensured that ports 1024 and above have been allowed, as well as port 1745 TCP/UDP for the firewall client.