What do you mean by "After adding a few filters I can now get FTP access from the workstations"? What have you done so far? What ISA client types are you using: Web Proxy, Firewall or SecureNAT client? What FTP client are you using? ...
Posts: 20
Joined: 16.Jul.2003
From: Australia
Status: offline
I have always had the same problem. I have read both yours and Tom's articles and have never been able to get it working. What perplexes me the most is if I open all the protocols just to test, it works on the ISA server but not on the workstations. I am using firewall client with autoconfig script. I still can't get direct access with firewall client. I have ordered Tom's book but finally got sick of not knowing so I got a supposed professional to come out (from the yellow pages). He spent a few hours but didn't know any more than I do. I don't think there aren't many of us using it here in Australia. Jim Durand
Never, NEVER create IP packet filters for internal clients, it will NOT work! You need to create protocol and site&content rules. Those rules will create *dynamically* the necessary IP packet filters when needed. So, get rid of those ugly IP packet filters asap!
Make sure that: 1) you have a protocol rule allowing the FTP protocol. 2) you have a site&content rule allowing access to the destination. 3) the FTP application filter is enabled. 4) you test with the Microsoft command line FTP client. Once that is working, you can experiment with IE as an FTP client.
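The checklist above relies on the firewall opening filters dynamically. As an added illustration (not part of the thread, and not ISA Server code): FTP announces a separate data connection on a port negotiated inside the control channel (RFC 959), so a static filter for port 21 alone never covers it. The sketch parses those announcements the way a protocol-aware filter has to; the session lines and function names are constructed for the example.

```python
import re

# RFC 959 encodes the data endpoint as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or a 227 PASV reply, else None."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"    # server connects back to the client
    elif text.startswith("227"):
        mode = "passive"   # client opens a second connection to the server
    else:
        return None
    match = _ENDPOINT.search(text)
    if not match:
        return None
    fields = [int(g) for g in match.groups()]
    if any(f > 255 for f in fields):
        return None        # malformed octet: ignore rather than guess
    ip = ".".join(str(f) for f in fields[:4])
    return mode, ip, fields[4] * 256 + fields[5]


def uncovered_data_channels(control_lines, static_ports=(21,)):
    """List negotiated data endpoints that a fixed set of allowed ports misses."""
    missed = []
    for line in control_lines:
        endpoint = parse_data_endpoint(line)
        if endpoint and endpoint[2] not in static_ports:
            missed.append(endpoint)
    return missed


# Constructed control-channel transcript (documentation addresses, not real hosts).
SAMPLE_SESSION = [
    "USER anonymous",
    "331 Anonymous login ok, send your e-mail address as password",
    "PORT 192,0,2,10,19,137",
    "200 PORT command successful",
    "PASV",
    "227 Entering Passive Mode (198,51,100,7,195,80)",
]

if __name__ == "__main__":
    for mode, ip, port in uncovered_data_channels(SAMPLE_SESSION):
        print(f"{mode:7s} data channel {ip}:{port} needs a dynamic opening")
```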
Posts: 20
Joined: 16.Jul.2003
From: Australia
Status: offline
Sorry to jump in on Stefaan but as I am having the same problem maybe we can work together. I have tried everything you said above and I still can't get ftp working on the command line (from isaserver as admin) unless I enable a filter allowing everything. I have made sure ftp application is enabled. I got rid of the ftp filters that previous articles suggested creating. I have s&c rule allowing permission to destination. I have protocol rule allowing all ftp. Any other suggestions? I too would give my kingdom to get this sorted out. Jim Durand
aha... Stain is using the Firewall client. So his problem is with internal clients (or I'm missing something?). You are talking about using FTP from the ISA itself. That's something quite different!
Protocol and site&content rules are for internal hosts. When you want to give an FTP client on ISA itself outbound access then you have to use IP packet filters, a configuration I strongly advise against. Is there any particular reason why you want to FTP from ISA itself?
Posts: 20
Joined: 16.Jul.2003
From: Australia
Status: offline
Sorry to mislead. I do not want to ftp from ISA, that is just the only place I could get it working for testing. I am using firewall client as well. Even when I had it working by opening everything up it didn't work on the client. I see now that, that is irrelevant. I went back and tested on the client and I am the most excited I have been for two years, I can actually ftp through command! BRB Hang on, I can use Ws-ftp now! I owe you my kingdom, unfortunately it isn't worth much. Thanks so much, I can't believe it was so easy in the end. I think your article led me to believe I needed those filters. Oh yeah, I am running IIS as I use SMTP to forward mail to my support server running NAV for Gateways. I also redirect POP3 to my Exchange Server. Is this bad? Jim
If you carefully reread my article you will see I only discuss the IP packet filters in section '4.1. Trihomed DMZ' scenario.
In my opinion ISA server is supposed to be a firewall, not a general purpose server. So, you should never include ISA server in your server consolidation plan. If possible, never run extra services on ISA itself. You can't do it either on a Checkpoint, Cisco PIX, Netscreen, etc...
Posts: 20
Joined: 16.Jul.2003
From: Australia
Status: offline
Hang on. Our ISA is our gateway to our Satellite connection. How do I relay mail through it without using the SMTP virtual server, and make sure no one else relays through it?
Posts: 3
Joined: 1.Sep.2003
From: LONDON
Status: offline
Hi Guys,
I have been reading the posts and will try what was suggested later today... Just thought I would drop you a quick line to let you know I have not gone off the face of the earth. Will let you know how I get on.
What are you referring to when you mention application filters? I am having a similar problem that "happened out of the blue" where early one day my ftp (through client and command line) was working and then all of a sudden no longer works. HTTP still works and I see in the log that the ftp sites I try to get to are being blocked on UDP ports 137 & 138
quote: Originally posted by spouseele: Hi Stain,
that seems to be IP packet filters!
Never, NEVER create IP packet filters for internal clients, it will NOT work! You need to create protocol and site&content rules. Those rules will create *dynamically* the necessary IP packet filters when needed. So, get rid of those ugly IP packet filters asap!
Make sure that: 1) you have a protocol rule allowing the FTP protocol. 2) you have a site&content rule allowing access to the destination. 3) the FTP application filter is enabled. 4) you test with the Microsoft command line FTP client. Once that is working, you can experiment with IE as an FTP client.