Firewall Client FTP problem from different Domain

Firewall Client FTP problem from different Domain - 26.May2005 9:26:00 AM   
hal9500

 

Posts: 5
Joined: 26.May2005
Status: offline
Someone please help. I manage a Win2k network, which uses a router to connect to our National Office. They manage our web from an ISA Server 2000 with Websense. We are part of a separate Win2k domain but the ISA Administrator at the head office has added us to the domain access list. My problem is that we need to use an application which connects to an FTP service on ftp://194.247.69.24/. Their support recommends installing firewall client, which I have done from the folder shared out to me from the ISA server. However, this does not solve the problem. I can successfully ftp://ftp.microsoft.com/ so all necessary ports are open, and I have tested the ftp://194.247.69.24/ from a standalone ADSL line, and can connect, so the site is working correctly. I have spoken to the ISA administrator and they use the same application on their domain, and can successfully ftp the above IP address with firewall client installed. We have both come to the conclusion that the problem stems from the fact that we are on separate domains... but can't get any further than this. I occasionally get the "isa server inaccessable" message from the firewall client on the taskbar. And we have also tried changing the mspclnt.ini file in firewall client to use the IP address of the ISA server rather than DNS. I am not familiar with ISA server at all but I would be grateful for any suggestions to resolve this problem. Thanks.
Post #: 1
RE: Firewall Client FTP problem from different Domain - 26.May2005 3:29:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi hal9500,

check out my article http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html .

HTH,
Stefaan

(in reply to hal9500)
Post #: 2
RE: Firewall Client FTP problem from different Domain - 27.May2005 4:51:00 AM   
hal9500

 

Posts: 5
Joined: 26.May2005
Status: offline
Thanks. Most of this is over my head but I have forwarded the info on to our ISA Administrator. Will let you know if we get anywhere with this problem.

(in reply to hal9500)
Post #: 3
RE: Firewall Client FTP problem from different Domain - 27.May2005 10:53:00 AM   
hal9500

 

Posts: 5
Joined: 26.May2005
Status: offline
Hi spouseele, I don't suppose you could give us any specific suggestions on what to try from the ISA Server to resolve this problem? Why would we not be able to complete the ftp command if ports are open and our domain has been added to the domain access list?

(in reply to hal9500)
Post #: 4
RE: Firewall Client FTP problem from different Domain - 27.May2005 2:34:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi hal9500,

a number of things can go wrong. You said you can FTP to ftp.microsoft.com without any problem. How did you try that? With IE as FTP client or with the standard Microsoft FTP client?

I suggest you test first with the standard Microsoft FTP client (command line). Try to access ftp.microsoft.com, log in and then do a directory list (dir or ls command). If that is working, the ISA server is correctly set up for the FTP protocol.

Next, try to access the FTP site '194.247.69.24'. Does it work also or is there a certain delay before the connection is accepted and you can login? For the latter, check out if you can resolve '194.247.69.24' with the nslookup command. If it doesn't work at all, please post an excerpt of the ISA firewall log but make sure the log format configured is ISA format and you have enabled the logging of all fields.

HTH,
Stefaan

(in reply to hal9500)
Post #: 5
RE: Firewall Client FTP problem from different Domain - 31.May2005 7:18:00 AM   
hal9500

 

Posts: 5
Joined: 26.May2005
Status: offline
Thanks for getting back to me. Here are the results of some tests I have carried out that may help in identifying the problem:

WITHOUT FIREWALL CLIENT INSTALLED

From cmd prompt:
Cannot ftp.microsoft.com (Unknown host ftp.microsoft.com message)
Cannot ftp 194.247.69.24 (FTP:Connect:icmp Network Unreacable message)

From Browser:

Can successfully ftp://ftp.microsoft.com/
Cannot ftp://194.247.69.24/

WITH FIREWALL CLIENT INSTALLED
From Browser:

Can successfully ftp://ftp.microsoft.com/
Cannot ftp://194.247.69.24/

NSLOOKUP command
ftp ftp.microsoft.com
ftp 194.247.69.24

RESULT- DNS request timed out

Needless to say all these tests work fine on a machine that is not on the network, on a BT ADSL line with just software firewall.

Also, the Firewall client on my test machine seems to make no difference to the results. Basically we can complete the ftp.microsoft.com from a browser, not from cmd prompt, and we can't ftp 194.247.69.24 at all.
I spoke to a separate consultant some time ago and he stated the following:

1. Your office branch does not have any means of resolving DNS from the internet as their DNS servers do not have any forwarders configured. Is there a server they can use within the UK Network to forward DNS queries to?
2. For FTP access this could be achieved by either allowing direct FTP access by changing the Access list on your branch's router or by allowing FTP via the checkpoint firewall directly using either session authentication agent, client authentication or User authentication, if a fixed IP address is not allocated.
3. ISA with the firewall client will not resolve the issue unless FTP is enabled for the ISA server.

I'm not sure if this is relevant anymore, as I think some of these changes have been made. I don't think I will be able to provide the ISA log. I will need to check with the ISA Administrator first. Let me know if you come up with any ideas.

(in reply to hal9500)
Post #: 6
RE: Firewall Client FTP problem from different Domain - 1.Jun.2005 3:05:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi hal9500,

OK, let's go step-by-step. The first thing to check out is your DNS infrastructure. Do you have an internal DNS server on your network?
If yes, are there forwarders configured to resolve external DNS names?
If no, how do the clients resolve DNS names?

HTH,
Stefaan

(in reply to hal9500)
Post #: 7
RE: Firewall Client FTP problem from different Domain - 3.Jun.2005 8:11:00 AM   
hal9500

 

Posts: 5
Joined: 26.May2005
Status: offline
Thanks. The consultant who came in established that we DO NOT have DNS forwarders configured. And he suggested that some should be in order for us to resolve addresses. However... I am puzzled... why would we be able to ftp.microsoft.com and not the 194.247.69.24... surely if DNS was the problem we would not be able to connect to Microsoft... or is it more complicated than that? I had a look in our Forward lookup zones and it was just our local domain name, populated by client machines; as for Reverse Lookup zones, this is populated by our subnet. Any ideas?

(in reply to hal9500)
Post #: 8
RE: Firewall Client FTP problem from different Domain - 3.Jun.2005 2:14:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi hal9500,

a perfect DNS infrastructure is extremely critical for the correct working of ISA Server 2000 as well as ISA Server 2004.

If you have an internal DNS server, don't specify an ISP or external DNS server on any adapter of the ISA server. Just the internal DNS server on the internal interface and make sure the internal adapter is listed first in the adapter order as explained in Jim's excellent article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html .

Next, perform the following configuration steps:

1) configure the internal DNS server as a SecureNAT client. That means his default gateway should point to the ISA internal interface.

2) enable forwarders on your internal DNS server and specify there your ISP or external DNS servers. Also, make sure you check the "Do not use recursion" box.

3) create on ISA a client address set containing your internal DNS server.

4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.

5) create on ISA a *separate* site&content rule allowing access to any destination or better to a destination set containing your ISP or external DNS servers, and apply it to the above created client address set.

Now, thoroughly test the DNS name resolving with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.

Another very good option is to install on ISA itself a caching-only DNS server. Check out Tom's article http://www.isaserver.org/articles/snatdns.html for more info.

HTH,
Stefaan

(in reply to hal9500)
Post #: 9
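
The nslookup testing step from the last reply, written as a repeatable check; this is an added example, not part of any poster's message. It times a forward lookup and a reverse lookup for the two hosts named in the thread. The function names and the 2-second "slow" threshold are assumptions made for illustration.

```python
import socket
import time

def probe(check, lookup, target, slow_after=2.0):
    """Run one lookup; report ok, slow (answered late) or failed, with timing."""
    start = time.monotonic()
    try:
        answer, status = lookup(target), "ok"
    except OSError as exc:  # gaierror, herror and timeouts all derive from OSError
        answer, status = str(exc), "failed"
    seconds = time.monotonic() - start
    if status == "ok" and seconds > slow_after:
        status = "slow"
    return {"check": check, "target": target, "status": status,
            "answer": answer, "seconds": round(seconds, 2)}

def reverse_name(ip):
    """PTR lookup, the same query nslookup makes when given an IP address."""
    return socket.gethostbyaddr(ip)[0]

def check_dns(names, addresses, forward=socket.gethostbyname,
              reverse=reverse_name, slow_after=2.0):
    """Forward-resolve each name and reverse-resolve each address.

    slow_after is an illustrative threshold, not a value from the thread.
    """
    results = [probe("forward", forward, n, slow_after) for n in names]
    results += [probe("reverse", reverse, a, slow_after) for a in addresses]
    return results

def summarize(results):
    """Map results onto the two DNS symptoms discussed in the thread."""
    notes = []
    if any(r["check"] == "forward" and r["status"] != "ok" for r in results):
        notes.append("forward lookups failing or slow: check forwarders and the DNS rules")
    if any(r["check"] == "reverse" and r["status"] != "ok" for r in results):
        notes.append("reverse lookup failing or slow: matches the delayed FTP login case")
    return notes or ["DNS resolution looks healthy"]

if __name__ == "__main__":
    # Hosts taken from the thread; lookups use the machine's configured DNS server.
    results = check_dns(["ftp.microsoft.com"], ["194.247.69.24"])
    for r in results:
        print("{check:8}{target:20}{status:8}{seconds:>6}s  {answer}".format(**r))
    for note in summarize(results):
        print("->", note)
```

Run it from a client before and after the forwarder and rule changes to compare results.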
