FTP access that need Authentication



stain -> FTP access that need Authentication (1.Sep.2003 2:43:00 PM)

Hi There,

I have a small problem. ISA 2000 and firewall clients installed on the workstations. I can not access any FTP sites at all.

After adding a few filters I can now get FTP access from the workstations, BUT "[Frown]"

Any ftp site that requires a logon and password does not come up. Times out. All other FTP sites work ok like ftp.compaq.com

Any help would be great. Even perhaps to set the FTP filters up from scratch.

Thanks
Stain




spouseele -> RE: FTP access that need Authentication (1.Sep.2003 9:23:00 PM)

Hi Stain,

what do you mean with "After adding a few filters I can now get FTP access from the workstations"? What have you done so far? What ISA client types are you using: Web Proxy, Firewall or SecureNAT client? What FTP client are you using? ...

Also, check out my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html .

HTH,
Stefaan




jdurand -> RE: FTP access that need Authentication (2.Sep.2003 4:02:00 AM)

I have always had the same problem. I have read both your and Tom's articles and have never been able to get it working. What perplexes me the most is if I open all the protocols just to test, it works on the ISAserver but not on the workstations. I am using firewall client with autoconfig script. I still can't get direct access with firewall client. I have ordered Tom's book but finally got sick of not knowing so I got a supposed professional to come out (from the yellow pages). He spent a few hours but didn't know any more than I do.
I don't think there aren't many of us using it here in Australia.
Jim Durand




stain -> RE: FTP access that need Authentication (2.Sep.2003 10:46:00 AM)

Hi Guys,

The client machines are running the Firewall Client. Also tried with "Enable folder view for FTP sites" tick etc to no avail.

On the ISA have the following filters in place

TCP
Inbound
Dynamic
Fixed Port (Tried All Ports)
Port Number 20

TCP
Outbound
Dynamic
Fixed Port (Tried All Ports)
Port Number 21

TCP
Outbound
Dynamic
All Ports

Please help me out guys as I need to get this sorted. Thanks in advance

Stain




spouseele -> RE: FTP access that need Authentication (2.Sep.2003 8:07:00 PM)

Hi Stain,

that seems to be IP packet filters! [Frown]

Never, NEVER create IP packet filters for internal clients, it will NOT work! You need to create protocol and site&content rules. Those rules will create *dynamically* the necessary IP packet filters when needed. So, get rid of those ugly IP packet filters asap! [Big Grin]

Make sure that:
1) you have a protocol rule allowing the FTP protocol.
2) you have a site&content rule allowing access to the destination.
3) the FTP application filter is enabled.
4) you test with the Microsoft command line FTP client. Once that is working, you can experiment with IE as an FTP client.

HTH,
Stefaan

[ September 02, 2003, 08:08 PM: Message edited by: spouseele ]




jdurand -> RE: FTP access that need Authentication (2.Sep.2003 11:20:00 PM)

Sorry to jump in on Stefaan but as I am having the same problem maybe we can work together. I have tried everything you said above and I still can't get ftp working on the command line (from isaserver as admin) unless I enable a filter allowing everything.
I have made sure ftp application is enabled.
I got rid of the ftp filters that previous articles suggested creating.
I have s&c rule allowing permission to destination.
I have protocol rule allowing all ftp.
Any other suggestions?
I too would give my kingdom to get this sorted out.
Jim Durand




spouseele -> RE: FTP access that need Authentication (2.Sep.2003 11:37:00 PM)

Hi Jim,

aha... Stain is using the Firewall client. So his problem is with internal clients (or I'm missing something?). You are talking about using FTP from the ISA itself. That's something quite different!

Protocol and site&content rules are for internal hosts. When you want to give an FTP client on ISA itself outbound access then you have to use IP packet filters, a configuration I strongly advise against. Is there any particular reason why you want to FTP from ISA itself?

BTW --- is IIS running on ISA too?

HTH,
Stefaan

[ September 02, 2003, 11:40 PM: Message edited by: spouseele ]




jdurand -> RE: FTP access that need Authentication (3.Sep.2003 5:57:00 AM)

Sorry to mislead. I do not want to ftp from ISA, that is just the only place I could get it working for testing. I am using firewall client as well. Even when I had it working by opening everything up it didn't work on the client. I see now that that is irrelevant. I went back and tested on the client and I am the most excited I have been for two years, I can actually ftp through command! BRB
Hang on, I can use Ws-ftp now!
I owe you my kingdom, unfortunately it isn't worth much.
Thanks so much, I can't believe it was so easy in the end. I think your article led me to believe I needed those filters.
Oh yeah, I am running IIS as I use SMTP to forward mail to my support server running NAV for Gateways. I also redirect POP3 to my Exchange Server. Is this bad?
Jim




spouseele -> RE: FTP access that need Authentication (3.Sep.2003 8:56:00 PM)

Hi Jim,

glad to hear you got it working! [Smile]

If you carefully reread my article you will see I only discuss the IP packet filters in section '4.1. Trihomed DMZ' scenario. [Cool]

In my opinion ISA server is supposed to be a firewall, not a general purpose server. So, you should never include ISA server in your server consolidation plan. If possible, never run extra services on ISA itself. You can't do it either on a Checkpoint, Cisco PIX, Netscreen, etc... [Big Grin]

HTH,
Stefaan




jdurand -> RE: FTP access that need Authentication (4.Sep.2003 5:08:00 AM)

Hang on. Our ISA is our gateway to our Satellite connection. How do I relay mail through it without using the SMTP virtual server, and make sure no one else relays through it?




spouseele -> RE: FTP access that need Authentication (4.Sep.2003 10:41:00 PM)

Hi Jim,

I'm not a mail guy, just a networking guy! [Big Grin] So, I suggest you start a new topic for this problem.

Thanks,
Stefaan

[ September 04, 2003, 10:42 PM: Message edited by: spouseele ]




jdurand -> RE: FTP access that need Authentication (5.Sep.2003 12:41:00 AM)

Ok, thanks for all your help!
Jim




stain -> RE: FTP access that need Authentication (5.Sep.2003 10:32:00 AM)

Hi Guys,

I have been reading the posts and will try what was suggested later today... Just thought I would drop you a quick line to let you know I have not gone off the face of the earth. Will let you know how I get on.

Regards

Stain




spouseele -> RE: FTP access that need Authentication (5.Sep.2003 10:37:00 PM)

Hi Stain,

OK, let us know how it works for you!

Thanks,
Stefaan




jamesorl -> RE: FTP access that need Authentication (10.Sep.2003 6:03:00 PM)

What are you referring to when you mention application filters? I am having a similar problem that "happened out of the blue" where early one day my ftp (through client and command line) was working and then all of a sudden no longer works. HTTP still works and I see in the log that the ftp sites I try to get to are being blocked on UDP ports 137 & 138.

quote:
Originally posted by spouseele:
Hi Stain,

that seems to be IP packet filters! [Frown]

Never, NEVER create IP packet filters for internal clients, it will NOT work! You need to create protocol and site&content rules. Those rules will create *dynamically* the necessary IP packet filters when needed. So, get rid of those ugly IP packet filters asap! [Big Grin]

Make sure that:
1) you have a protocol rule allowing the FTP protocol.
2) you have a site&content rule allowing access to the destination.
3) the FTP application filter is enabled.
4) you test with the Microsoft command line FTP client. Once that is working, you can experiment with IE as an FTP client.

HTH,
Stefaan





spouseele -> RE: FTP access that need Authentication (10.Sep.2003 9:47:00 PM)

Hi jamesorl,

you will find the FTP application filter in the MMC, node extension -> Application filters.

The FTP protocol uses TCP port 21 as primary connection. So, the UDP ports 137 & 138 have nothing to do with the FTP protocol. For full details about how ISA handles the FTP protocol, check out my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html .

HTH,
Stefaan
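
An added example, not part of the thread and not ISA Server's own code: a sketch of why fixed filters on ports 20 and 21 cannot carry FTP and why an FTP-aware filter has to create openings dynamically. It reads the control connection on TCP 21, extracts the data endpoint negotiated in a PORT command or a 227 reply (RFC 959 encoding), and refuses an announced address that is not the sender's. The function names, addresses and session lines are constructed for illustration.

```python
import re

# RFC 959 encodes the data endpoint as h1,h2,h3,h4,p1,p2 in both the
# client's PORT command and the server's 227 (passive) reply.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def data_endpoint(line):
    """Return (mode, ip, port) if a control-channel line negotiates a data
    connection, otherwise None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode = "active"       # server will connect back to the client
    elif line.startswith("227"):
        mode = "passive"      # client will connect to a server-chosen port
    else:
        return None
    m = HOSTPORT.search(line)
    if m is None:
        return None
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        return None
    return mode, ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def dynamic_openings(client_ip, server_ip, control_lines):
    """Derive the temporary openings a session needs.
    control_lines: (sender_ip, line) pairs seen on the TCP 21 connection.
    Returns (direction, src_ip, dst_ip, dst_port) tuples."""
    openings = []
    for sender_ip, line in control_lines:
        endpoint = data_endpoint(line)
        if endpoint is None:
            continue
        mode, ip, port = endpoint
        if ip != sender_ip:
            continue          # announced address is not the sender's: no opening
        if mode == "active" and sender_ip == client_ip:
            openings.append(("inbound", server_ip, client_ip, port))
        elif mode == "passive" and sender_ip == server_ip:
            openings.append(("outbound", client_ip, server_ip, port))
    return openings

# Constructed sample session (private/documentation addresses, not from the thread).
SESSION = [
    ("10.0.0.5", "USER stain"),
    ("10.0.0.5", "PORT 10,0,0,5,19,137"),
    ("203.0.113.7", "227 Entering Passive Mode (203,0,113,7,195,80)"),
    ("10.0.0.5", "PORT 198,51,100,9,0,22"),
]

if __name__ == "__main__":
    for opening in dynamic_openings("10.0.0.5", "203.0.113.7", SESSION):
        print(opening)
```

The data ports in the sample (5001 and 50000) are chosen per transfer, which is why no static packet filter can anticipate them.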



