I am unable to access my FTP site (ftp.xyz.co.uk) which is held on my ISP's servers. I have clients set up as Web Proxy, Firewall and SecureNAT. Through ISA I can access any other FTP site (ftp.nai.com). Not going through ISA I can gain access to our site. Our domain name is the same internal as external, however I do have my own DNS servers for internal clients. Please advise as to how I can access ftp://ftp.xyz.co.uk through ISA.
Can you access the FTP site by IP-address instead of by FQDN? What ISA client type and FTP client are you using for the FTP session? Also, what's the ISA firewall log telling you? Do you see the FTP request in the ISA firewall log?
I have read your article and think I understand all of it. I am unable to access the FTP site via IP address either. Having tried all client types, I am currently set up as SecureNAT; accessing an FTP site runs a firewall session. Yes, I see the request in the firewall log; it shows c-ip, c-agent, date, time, s-computername, r-ip, r-port, time taken, and all the stats look fine. It just keeps coming up with 'FTP folder error'. Thanks
I am trying to use my web browser; however, from a command prompt I am unable to access the site either. What highlighted me to this was when I tried to use Macromedia Contribute to amend our web site and the connection method is FTP.
The excerpt is from the firewall log. The first entry tells me that the request was from a SecureNAT client to the destination ftp.nai.com (18.104.22.168) and logs the tear down of the FTP control connection (TCP port 21) in a normal way (sc-status=20000). There was some data transferred during the session (cs-bytes and sc-bytes).
The second entry logs an unsuccessful (sc-status=10061) FTP control connection request from a SecureNAT client to the destination '22.214.171.124' (dimsum-11.totalweb.net.uk). The WinSock error code is 10061 and means 'Connection refused'. In other words, no connection could be made because the target computer actively refused it. Either there is no FTP server running on that host or the access to that destination is blocked by a firewall at the remote site.
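The log reading described in the reply above, as an added example that is not part of the original thread: it parses a tab-separated W3C-style log and lists FTP control connections refused with sc-status 10061, noting whether the same client reached another FTP host. The sample rows, their addresses and the exact field order are constructed assumptions; only the field names and the two status codes come from the thread.

```python
from collections import defaultdict

STATUS_OK = "20000"       # normal teardown of the connection, per the reply above
STATUS_REFUSED = "10061"  # WinSock "Connection refused"

# Constructed sample: tab-separated W3C extended log using field names quoted
# in the thread. Addresses are documentation ranges, not the thread's hosts.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: c-ip\tdate\ttime\tr-ip\tr-port\tcs-bytes\tsc-bytes\tsc-status",
    "10.0.0.25\t2003-05-12\t09:14:02\t192.0.2.10\t21\t412\t1893\t20000",
    "10.0.0.25\t2003-05-12\t09:15:40\t198.51.100.77\t21\t0\t0\t10061",
    "10.0.0.25\t2003-05-12\t09:16:05\t198.51.100.77\t21\t0\t0\t10061",
    "10.0.0.31\t2003-05-12\t09:20:11\t198.51.100.77\t21\t0\t0\t10061",
    "10.0.0.25\t2003-05-12\t09:21:30\t198.51.100.77\t80\t0\t0\t10061",
    "10.0.0.25\t2003-05-12\t09:22",  # truncated row, must be skipped
])

def parse_w3c(text):
    """Return data rows as dicts keyed by the names in the #Fields directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # ignore incomplete rows
                rows.append(dict(zip(fields, values)))
    return rows

def refused_ftp(rows, port="21"):
    """List (client, destination, refusals, client_reached_other_ftp_host)."""
    refused = defaultdict(int)
    ok_dests = defaultdict(set)
    for r in rows:
        if r["r-port"] != port:
            continue
        if r["sc-status"] == STATUS_REFUSED:
            refused[(r["c-ip"], r["r-ip"])] += 1
        elif r["sc-status"] == STATUS_OK:
            ok_dests[r["c-ip"]].add(r["r-ip"])
    return sorted(
        (c, d, n, bool(ok_dests[c] - {d})) for (c, d), n in refused.items()
    )

if __name__ == "__main__":
    for client, dest, n, elsewhere in refused_ftp(parse_w3c(SAMPLE_LOG)):
        hint = ("destination-specific: verify the address and the remote listener"
                if elsewhere else "no successful FTP seen: check rules and path first")
        print(f"{client} -> {dest}:21 refused x{n} ({hint})")
```

A refusal that affects only one destination while the same client completes FTP sessions elsewhere points away from the firewall rules and toward the destination address or the remote listener.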
Thanks for your reply - I have tried accessing '126.96.36.199' (dimsum-11.totalweb.net.uk, our FTP site) from just a normal dialup connection using my same laptop which is usually sat behind ISA as a SecureNAT and am able to log on. Would this prove that there is no sort of firewall at the remote site and that an FTP server is running there also? I have 'allowed everything' through ISA in my test area and that works, however I am unable to open certain ports to allow just what is needed to access ftp.premisesnet.co.uk. It is also odd that I am able to get to ftp.nai.com. Is it possible that DNS is an issue and that I need something adding or removing from my zone? Regards
I've just tried it from two different ISPs and each time I get a Winsock Error Code 10061! So, I bet there is something outside of ISA refusing the connection. You can easily prove it by taking a Network Monitor trace on the ISA external interface.
Thanks again for your response. I have installed Network Monitor on ISA this morning and chosen to monitor the external NIC. Excuse my ignorance but I'm not too sure what I'm looking for. The only differences are that when browsing for ftp.nai.com I get DNS as the protocol followed by 'Std Qry Resp' etc telling me what exactly is going on, seems OK. However when browsing for ftp.premisesnet.co.uk I get TCP as the protocol followed by 'Control Bits': Is there any way I can email you my captures? Thanks in advance Neil
Cheers for looking at those logs. I have spoken to the administrator of the company which hosts our FTP site; it seems that they have no trace in their log files of me even trying to connect to their server. Is there anything in ISA such as LDT or LAT which could be stopping this request going out? It seems to me now that the request is looking for something other than the server outside of my domain. FYI - I also have my client set to PASV. Cheers
It's fixed! After inheriting the network a while ago, our DNS entry was using an IP address which was wrong, either that or our ISP has changed their server. Anyway, I changed our DNS entry and released my IP and then renewed - hey presto, it worked. Feel a bit of a plank wasting your time, although in all fairness it's made me realise that things are not always as complicated as they seem.
Thanks very much for your support - really appreciate your time. Neil