FTP client connectivity issues (Full Version)


hbarun@sbic.co.za -> FTP client connectivity issues (13.Jun.2002 9:27:00 PM)

Hi all,
Could anyone perhaps assist with FTP client connectivity issues that I am experiencing?
When I install Leetch FTP client on the ISA servers, I am able to successfully connect to external FTP servers. Also I am able to FTP from a CMD prompt to FTP servers. The problem I have is trying to connect from a client's workstation.
I have tried setting up the clients as Firewall clients, but I still fail to connect to any external FTP servers. A socket error appears when using Leetch FTP client.
The ISA server has been configured in Integrated mode with 2x NICs.
Any suggestions?
hbarun@sbic.co.za




spouseele -> RE: FTP client connectivity issues (15.Jun.2002 4:27:00 PM)

Hi hbarun,

have you already tried the command FTP client on a Firewall client? What are the ISA logs telling you?

HTH,
Stefaan




hbarun@sbic.co.za -> RE: FTP client connectivity issues (18.Jun.2002 9:13:00 PM)

Thanks for your reply Stephan. Yes, I have tried both FTP CMD and LeetchFTP from a firewall client. I have looked through the FW log files, but these are clear in showing whether the connection is successful. Furthermore where the problem lies.
(Should I attach an example of the FW LOG?)
FTP via the browser works from the web clients.
Based on our complex network and DMZ infrastructure the web proxy & firewall clients are on our backbone infrastructure. The backbone users are permitted through our INNER firewall to the ISA server by port access, i.e. FTP, UDP and TCP. ISA has been configured to allow domain authenticated users access to all TCP/FTP requests via a protocol rule which has been defined. The ISA server traffic has been permitted to leave our OUTER firewall onto the Internet. What's interesting, as mentioned before, is that both FTP CMD and 3rd party FTP programs such as Leetch FTP work fine from the ISA servers themselves.

[ June 18, 2002, 09:57 PM: Message edited by: hbarun@sbic.co.za ]




spouseele -> RE: FTP client connectivity issues (18.Jun.2002 10:03:00 PM)

Hi hbarun,

wow, 3 firewalls! [Big Grin]

Ok, for testing purposes I would place a Firewall client directly on the segment between the Internal FW1 and the ISA server and see if the FTP succeeds. It should, otherwise you have a problem on ISA or the outer firewall.

Now, assuming the above test succeeds, it is time to look at the Internal FW1 configuration. In my opinion, any device doing NAT/PAT in the path between the Firewall client and the ISA server will break the RWSP protocol (Remote WinSock Protocol) used by the Firewall client.
For more info, check out my article http://www.isaserver.org/pages/articles.asp?art=323 .

HTH,
Stefaan




hbarun@sbic.co.za -> RE: FTP client connectivity issues (9.Jul.2002 2:12:00 PM)

I have managed to sort out the FTP problems.
We have simulated the problems using VMWare at Microsoft and with the help of Blackice we simulated our Inner firewall. We discovered, that the FTP issues were related to TCP and UDP ports.
Firstly, ports 1745 TCP/UDP needed to be open from our backbone to the DMZ. Secondly, TCP ports 1024 and above needed to be opened for the firewall client to function and allow automatic updates from our backbone users to our DMZ.
FTP now works from the clients, and 3rd party FTP tools allow PASV connections only. One issue unresolved is that the clients are not able to use the LS function in the FTP CMD tool. Error message - (unable to bind...)
Has anyone had this problem using FTP CMD?




tshinder -> RE: FTP client connectivity issues (12.Jul.2002 6:41:00 PM)

Hi hbarun,

Are you running a firewall chaining configuration? That would explain why you need to open TCP and UDP 1745 on the upstream firewall.

Thanks for bringing this up!

Tom




hbarun@sbic.co.za -> RE: FTP client connectivity issues (15.Jul.2002 8:07:00 AM)

Hi Tom,
Agreed, but we are not chaining firewalls. I believe this has to do with the complex network and firewall infrastructure. I do have a question which I was hoping you would be able to assist with. Attached I have screen dumped the text of a CMD FTP connect which does not do an "LS" list, but when using Leetch FTP in PASV mode all the functions work fine. What causes ftp: bind :Can't assign requested address?

H:\>ftp

ftp> open
To mysite.mweb.co.za
Connected to mysite.mweb.co.za.
220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.11 )) .:.-=(<*>)=-
220-You are user number 2 of 50 allowed
220-Local time is now 03:39 and the load is 0.02. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
User (mysite.mweb.co.za:(none)): pnmenlyn
331 User pnmenlyn OK. Password required
Password:
230-User pnmenlyn has group access to: sysadmin
230-OK. Current restricted directory is /
230-12 files used (0%) - authorized: 2000 files
230 1 Kbytes used (0%) - authorized: 20480 Kb
ftp> ls
> ftp: bind :Can't assign requested address
ftp>




spouseele -> RE: FTP client connectivity issues (15.Jul.2002 10:28:00 PM)

Hi hbarun,

if FTP works in passive mode and not in active mode (the command line ftp uses active mode), then I believe you have a NAT/PAT problem. Am I correct to assume that the inner firewall between the Firewall clients and the ISA internal interface is doing address translation?

If that is the case, then you must definitely read my article http://www.isaserver.org/pages/articles.asp?art=323 to understand why it is not working.

HTH,
Stefaan
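
The active-mode failure described in this reply can be checked from a capture of the FTP control channel. The following is an added example, not part of the original thread: it decodes the address and port carried in a PORT command (or a 227 passive reply) and compares them with the source address the server actually sees. The addresses are constructed samples and the function names are hypothetical.

```python
import ipaddress
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (RFC 959).
_TUPLE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

# RFC 1918 ranges are listed explicitly so the result does not depend on
# how the ipaddress module classifies documentation ranges.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_endpoint(line):
    """Return (ip, port) from 'PORT h1,h2,h3,h4,p1,p2' or from a
    '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1*256 + p2


def check_active_mode(port_cmd, source_seen_by_server):
    """List reasons the server's data connection back to the client is
    likely to fail for this PORT command."""
    ip, port = parse_endpoint(port_cmd)
    seen = ipaddress.IPv4Address(source_seen_by_server)
    findings = []
    if ip != seen:
        findings.append(
            "PORT advertises %s:%d but the control connection arrives from "
            "%s; a translating hop did not rewrite the FTP payload"
            % (ip, port, seen))
    if any(ip in net for net in _RFC1918) and \
            not any(seen in net for net in _RFC1918):
        findings.append("%s is RFC 1918 space, unreachable from the server" % ip)
    return findings


if __name__ == "__main__":
    # Constructed sample: client on 10.1.2.3, server sees 203.0.113.5.
    for finding in check_active_mode("PORT 10,1,2,3,239,67", "203.0.113.5"):
        print(finding)
```

An empty list means the advertised endpoint matches what the server sees, so a remaining failure points at filtering of the inbound data connection rather than at address translation.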




tshinder -> RE: FTP client connectivity issues (15.Jul.2002 10:53:00 PM)

Hey guys,

I've tested out a scenario where the command line FTP client was behind three ISA Servers. Each one had the FTP access application filter enabled and the client was a SecureNAT client. It worked fine. So, I suspect there is an "intelligence" issue with an upstream firewall?

Thanks!

Tom




spouseele -> RE: FTP client connectivity issues (15.Jul.2002 11:44:00 PM)

Hi Tom,

you said the magic words: 3 ISA servers and a SecureNAT client! [Big Grin]

I thought HBarun's problem was he wanted to use the Firewall client (client authentication). BUT between the Firewall client and the ISA internal interface sits another firewall (he calls it the inner firewall and it seems not to be an ISA). It's not clear to me if that beast is doing some address translation. If it does, I think it might break the RWSP used by the Firewall client. What do you think?

Thanks,
Stefaan

[ July 15, 2002, 11:47 PM: Message edited by: spouseele ]




Guest -> RE: FTP client connectivity issues (16.Jul.2002 9:10:00 AM)

Maybe some more information for you guys.

All backbone clients are using the class A network of 10.x.x.x.

Inner Firewall = Checkpoint FW1
Multiple NIC's with the address range within Web the DMZ being 192.168.1.x

2 Win2K NLBS ISA servers with 2 NIC's in each.
Internal interface = 192.168.1.x for each
External Interface = 196.8.x.x for each

From there, the default gateway points to the Outer firewall also being Checkpoint FW1 with address of 196.8.x.x

As far as I am aware, no NAT'ing is taking place, due to there being multiple NICs with private and public IPs in each case.

The default gateway does not point to the ISA servers so making them SecureNAT clients isn't really a feasibility as I can see.

Lemme know if you need more




hbarun@sbic.co.za -> RE: FTP client connectivity issues (16.Jul.2002 10:43:00 AM)

Thanks Chris, Tom, Stefaan hope these comments help you understand our environment.
Any comments as to what we need to look at regarding CMD FTP?
Thanks
Heath




lemonwater925 -> RE: FTP client connectivity issues (16.Jul.2002 2:50:00 PM)

Did not see you trying ftp -a option yet. Give that a try and see if it helps. States it to bind to the local interface.




hbarun@sbic.co.za -> RE: FTP client connectivity issues (16.Jul.2002 4:48:00 PM)

-a option seems to hang after establishing a port connection.

ftp> open
To mysite.mweb.co.za
Connected to mysite.mweb.co.za.
220-=(<*>)=-.:. (( Welcome to PureFTPd 1.0.11 )) .:.-=(<*>)=-
220-You are user number 2 of 50 allowed
220-Local time is now 12:22 and the load is 0.05. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
User (mysite.mweb.co.za:(none)): pnmenlyn
331 User pnmenlyn OK. Password required
Password:
230-User pnmenlyn has group access to: sysadmin
230-OK. Current restricted directory is /
230-12 files used (0%) - authorized: 2000 files
230 1 Kbytes used (0%) - authorized: 20480 Kb
ftp> ls
200 PORT command successful
150 Connecting to port 61251.




lemonwater925 -> RE: FTP client connectivity issues (16.Jul.2002 7:21:00 PM)

That worked for us. The DOS command is the simplest of them all.

Can you run the DOS client directly off the ISA server?




hbarun@sbic.co.za -> RE: FTP client connectivity issues (17.Jul.2002 7:21:00 AM)

Yes, the dos client works 100% from the ISA server itself. From the clients side we have ensured that ports 1024 and above have been allowed. Also ports 1745 TCP/UDP for the firewall client.



