When I try to ftp to an external site using Windows Explorer on a computer behind the ISA firewall, I cannot establish a connection. I get the error: "HTTP 502 Proxy Error - The login request was denied"
However, if I try to do the same on the ISA firewall machine itself (which is the SBS2000 server machine - and it IS set to use a proxy server in the internet connection tab), I can connect without a problem (the site will show up with a user ID and password box which, upon my entering the correct information, will let me access files).
Why is that the case? What do I need to do with the Firewall configuration so that I can access external ftp sites from computers behind the firewall?
You have to create a protocol rule allowing ftp access to your internal hosts.
If you are using user level authentication, you also need to configure your http redirector to send requests directly to the requested server instead of forwarding 'em to the webproxy. I hope this helps.
Thanks for your help. I read the article and I have all the protocol rules set up, but in the meantime, I've discovered something else:
My ISA server is connected to other computers in two ways: (1) traditional Cat5 cables with a hub, and (2) a wireless sharepoint.
As it turns out, all the computers that are connected to the ISA server via Cat5 cable CAN ftp with no problems (so I know that the protocol rules are set up correctly). However, all the computers that connect to the ISA server via wireless sharepoint receive the HTTP 502 Proxy error while trying to ftp out!
Now this is very strange, and I have no idea where to even begin to resolve this problem. Can you please point me in the right direction?
I strongly suggest you debug your FTP issues first with the standard Microsoft commandline FTP client instead of IE. Once that is working you can experiment with IE.
The reason for it is that in my opinion IE is not designed as a full blown FTP client. Moreover, there are so many settings determining how IE behaves as an FTP client that it is sometimes hard to determine where the problem lies.
The commandline ftp client actually worked! So does that mean that the problem is with IE and not with ISA firewall settings? I've also tried using other Windows-based products such as ws-ftp and that, too, does NOT work. So it's really more like an issue with Windows vs. DOS?
NO! If it works with the commandline ftp client it should work equally well for any real FTP client such as WS-FTP and SmartFTP. Just remember you should *not* configure those FTP clients for any firewall type.
For IE, I suggest you read my article again, in particular section '4.4. Web Proxy client'.
Good to know we're getting somewhere. Stefaan's advice worked well for you.
HTTP 502 is an authentication error. Seeing this error message means that accessing the requested resource violates a security permission/policy. Why an authentication policy would stop only the wireless clients is weird... but interesting.
At your network, you can happily access ftp servers from the wired nodes and can't only from the wireless nodes. This clearly means something is happening where the data is being bridged to the wired network. Logically it shouldn't but... we all know computer technologies.. nothing to say! What stumps me is why it doesn't hurt the MS ftp client and prevents all others like Ws-ftp or so to connect to ftp servers. W.E.I.R.D!
Are you using user level authentication? I suggest you try and disable user level authentication and give open access to any request or a set of IPs for testing purposes. See if that solves the problem. I'll tell you later what I'm thinking. Just try it for a while and see if that solves the problem.
I searched on the net and found some related information about this issue. You might want to check this forum thread at Gaia technologies' site.
In the first post, the writer is clearly saying that he doesn't have any problem if he uses the regular modem connection instead of the wireless connection by GAIA. This confirms my hunch that it is an issue with the wireless thingie especially in the wireless to wired bridging.
You can try plugging a wi-fi card into the ISA box so that the wireless nodes can talk to it directly without involving wireless-to-wired bridging. That may solve the problem and that may not. But at least you'll get a better picture of what's really happening on your network. And that might help.
And you can also try changing the authentication policy as I described earlier. I hope it helps. Keep us posted on your situation. We are interested in the problem.. err.. the solution to the problem .. and will be happy to find a solution together. Good luck.
Stefaan is correct - I had ws-ftp set to use a proxy and that's what caused the problem. I removed that, and ws-ftp works as well. So now, it seems that IE ftp is the only culprit... and only under a wireless connection!
I'll read the articles posted by Redbull and try the method suggested.
Now that any real FTP client is working, it is time to take a closer look at the IE settings. As stated in my article, you will find two important settings that influence how IE handles the FTP protocol:
- Enable folder view for FTP sites.
- Use Passive FTP (for firewall and DSL modem compatibility).
If you want to use IE as an FTP client, then you should make sure that the setting 'Enable folder view for FTP sites' is checked. Only then is the FTP request sent by IE to the Firewall service on ISA, in other words as a real FTP session. Which FTP mode, active or passive, IE will use is determined by the setting 'Use Passive FTP (for firewall and DSL modem compatibility)'.