
Welcome to ISAserver.org


allowing Passive FTP

allowing Passive FTP - 1.Feb.2004 5:34:00 PM   
LB

 

Posts: 25
Joined: 23.Sep.2002
Status: offline
I am trying to enable passive FTP per Microsoft Knowledge Base Article - 300641 but cannot get it to work. Do I have to create any additional rules?

Thanks,
LB
Post #: 1
RE: allowing Passive FTP - 1.Feb.2004 5:47:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi LB,

KB300641 is all about enabling Passive FTP through the ISA Web Proxy services! Also, keep in mind this is a global setting. For more info, check out http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html .

HTH,
Stefaan

(in reply to LB)
Post #: 2
RE: allowing Passive FTP - 2.Feb.2004 5:32:00 PM   
LB

 

Posts: 25
Joined: 23.Sep.2002
Status: offline
Thanks for the link. I have a client app that uses passive FTP with TLS extensions, needing high outbound ports open. If I understand it correctly I can create a custom FTP protocol definition with 0 inbound and 1025-65534 outbound, and give the user or PC access to it?
We are in integrated mode using the firewall client.

Thanks,
LB

(in reply to LB)
Post #: 3
RE: allowing Passive FTP - 2.Feb.2004 10:04:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi LB,

OK, to access an external FTPS server you should be aware of some pitfalls! [Big Grin]

It should work without problems if you use the Firewall client AND Implicit Security (FTP control connection on TCP port 990). It will NOT work with the Firewall client AND Explicit Security (FTP control connection on TCP port 21) unless you disable the FTP application filter. However, the latter breaks the normal FTP access for SecureNAT clients.

HTH,
Stefaan

(in reply to LB)
Post #: 4
RE: allowing Passive FTP - 2.Feb.2004 10:58:00 PM   
LB

 

Posts: 25
Joined: 23.Sep.2002
Status: offline
Thanks for the quick response. I need to further explain: the client app I have resides on an inside PC and needs access to an institution that runs the FTP server on the outside. So are packet filters in order on the ISA, or just give that PC access to the high ports? The app vendor says outbound high ports need to be open. Does passive FTP need both outbound and inbound on high ports?

Thanks,
LB

(in reply to LB)
Post #: 5
RE: allowing Passive FTP - 2.Feb.2004 11:24:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi LB,

IP packet filters won't help you to allow outbound access from an internal client.

You should first determine if Implicit Security or Explicit Security will be used. The admin of the FTP server should be able to tell you that.

BTW --- as explained in my article, passive FTP uses only outbound connections.

HTH,
Stefaan

(in reply to LB)
Post #: 6
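
Added example (not part of any post in this thread, and not ISA Server's FTP filter code): a generic Python sketch of how a device inspecting the FTP control channel learns the passive-mode data endpoint that the client then connects out to, and how that visibility ends once `AUTH TLS` is accepted on port 21 (Explicit Security). The transcripts, host name, addresses and ports are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed control-channel transcripts (sample data, not captured traffic).
# "C" = client line, "S" = server line, as seen by a device between them.
PLAIN = [
    ("S", "220 ftp.example.test ready"),
    ("C", "USER demo"), ("S", "331 Password required"),
    ("C", "PASS ****"), ("S", "230 Logged in"),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (192,0,2,10,19,137)"),
    ("C", "EPSV"), ("S", "229 Entering Extended Passive Mode (|||50123|)"),
]
EXPLICIT_TLS = [
    ("S", "220 ftp.example.test ready"),
    ("C", "AUTH TLS"), ("S", "234 Proceed with negotiation"),
    # After 234 the channel carries TLS records; None marks unreadable bytes.
    ("C", None), ("S", None), ("C", None), ("S", None),
]

PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

def parse_passive_reply(line):
    """Return (host, port) the client must connect OUT to, or None."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.match(line)
    if m:
        return (None, int(m.group(1)))  # EPSV: same host as control connection
    return None

def inspect(transcript):
    """Walk a control channel as a generic inspection helper would.

    Returns (data endpoints learned, True if the channel went opaque)."""
    endpoints, blind, last_cmd = [], False, ""
    for side, line in transcript:
        if blind or line is None:
            continue  # ciphertext: nothing left to parse
        if side == "C":
            last_cmd = line.upper()
        elif last_cmd.startswith("AUTH TLS") and line.startswith("234"):
            blind = True  # server accepted TLS on the control connection
        else:
            endpoint = parse_passive_reply(line)
            if endpoint:
                endpoints.append(endpoint)
    return endpoints, blind
```

In both passive replies the server only announces where it is listening; the data connection, like the control connection, is opened by the client in the outbound direction.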
