Someone please help. I manage a Win2k network, which uses a router to connect to our National Office. They manage our web from an ISA Server 2000 with Websense. We are part of a separate Win2k domain but the ISA Administrator at the head office has added us to the domain access list. My problem is that we need to use an application which connects to an FTP service on ftp://18.104.22.168/ Their support recommends installing firewall client, which I have done from the folder shared out to me from the ISA server. However this does not solve the problem. I can successfully ftp://ftp.microsoft.com/ so all necessary ports are open, and I have tested the ftp://22.214.171.124/ from a standalone ADSL line, and can connect, so the site is working correctly. I have spoken to the ISA administrator and they use the same application on their domain, and can successfully ftp the above IP address with firewall client installed. We have both come to the conclusion that the problem stems from the fact that we are on separate domains...but can't get any further than this. I occasionally get the "ISA server inaccessible" message from the firewall client on the taskbar. And we have also tried changing the mspclnt.ini file in firewall client to use the IP address of the ISA server rather than DNS. I am not familiar with ISA server at all but I would be grateful for any suggestions to resolve this problem. Thanks.
Hi spouseele, I don't suppose you could give us any specific suggestions on what to try from the ISA Server to resolve this problem? Why would we not be able to complete the ftp command if ports are open and our domain has been added to the domain access list?
A number of things can go wrong. You said you can FTP to ftp.microsoft.com without any problem. How did you try that? With IE as FTP client or with the standard Microsoft FTP client?
I suggest you test first with the standard Microsoft FTP client (command line). Try to access ftp.microsoft.com, login and then do a directory list (dir or ls command). If that is working, the ISA server is correctly set up for the FTP protocol.
Next, try to access the FTP site '126.96.36.199'. Does it also work, or is there a certain delay before the connection is accepted and you can login? For the latter, check whether you can resolve '188.8.131.52' with the nslookup command. If it doesn't work at all, please post an excerpt of the ISA firewall log, but make sure the log format configured is ISA format and you have enabled the logging of all fields.
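An added diagnostic script (not part of this thread) that automates the test above with Python's ftplib: connect, log in anonymously, list the root directory and time each step, once in passive (PASV) mode and once in active (PORT) mode. Running both matters because the Windows command-line ftp.exe only supports active mode while browsers use passive mode, so a listing that works in one mode and not the other is a common reason a browser succeeds where the command prompt fails; the second host below is a placeholder for the application's FTP server.

```python
import ftplib
import re
import time

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Parse a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (host, port).

    The data connection goes to this host/port, so a proxy that only lets
    port 21 through will accept the login but make 'dir' hang or fail."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def ftp_check(host, passive, timeout=20):
    """Connect, log in anonymously and list '/', timing each step.

    A failure only at the listing step points at the data connection
    (PORT or PASV handling), not at port 21 itself."""
    result = {"host": host, "passive": passive, "ok": False}
    t0 = time.monotonic()
    try:
        ftp = ftplib.FTP(timeout=timeout)
        ftp.connect(host, 21)
        result["connect_s"] = round(time.monotonic() - t0, 2)  # the delay asked about above shows up here
        ftp.login()                                             # anonymous login
        result["login_s"] = round(time.monotonic() - t0, 2)
        ftp.set_pasv(passive)                                   # PASV (browser style) or PORT (ftp.exe style)
        result["entries"] = len(ftp.nlst())
        result["list_s"] = round(time.monotonic() - t0, 2)
        ftp.quit()
        result["ok"] = True
    except ftplib.all_errors as exc:                            # includes OSError and socket timeouts
        result["error"] = "%s: %s" % (type(exc).__name__, exc)
    return result


if __name__ == "__main__":
    # "192.0.2.10" is a placeholder: put the application's FTP server address here
    for target in ("ftp.microsoft.com", "192.0.2.10"):
        for passive in (True, False):
            print(ftp_check(target, passive))
```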
Needless to say all these tests work fine on a machine that is not on the network, on a BT ADSL line with just software firewall.
Also the Firewall client on my test machine seems to make no difference to the results. Basically we can complete the ftp.microsoft.com from a browser, not from the cmd prompt, and we can't ftp 184.108.40.206 at all. I spoke to a separate consultant some time ago and he stated the following:
1. Your office branch does not have any means of resolving DNS from the internet as their DNS servers do not have any forwarders configured. Is there a server they can use within the UK Network to forward DNS queries to?
2. For FTP access this could be achieved by either allowing direct FTP access by changing the Access list on your branch's router or by allowing FTP via the checkpoint firewall directly using either session authentication agent, client authentication or user authentication, if a fixed IP address is not allocated.
3. ISA with the firewall client will not resolve the issue unless FTP is enabled for the ISA server.
I'm not sure if this is relevant anymore, as I think some of these changes have been made. I don't think I will be able to provide the ISA log. I will need to check with the ISA Administrator first. Let me know if you come up with any ideas.
OK, let's go step-by-step. The first thing to check out is your DNS infrastructure. Do you have an internal DNS server on your network? If yes, are there forwarders configured to resolve external DNS names? If no, how do the clients resolve DNS names?
Thanks. The consultant who came in established that we DO NOT have DNS forwarders configured. And he suggested that some should be in order for us to resolve addresses. However...I am puzzled...why would we be able to ftp.microsoft.com and not the 220.127.116.11...surely if DNS was the problem we would not be able to connect to Microsoft...or is it more complicated than that? I had a look in our Forward lookup zones and it was just our local domain name, populated by client machines, as for Reverse Lookup zones, this is populated by our subnet. Any ideas?
1) configure the internal DNS server as a SecureNAT client. That means its default gateway should point to the ISA internal interface.
2) enable forwarders on your internal DNS server and specify there your ISP or external DNS servers. Also, make sure you check the "Do not use recursion" box.
3) create on ISA a client address set containing your internal DNS server.
4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.
5) create on ISA a *separate* site&content rule allowing access to any destination or better to a destination set containing your ISP or external DNS servers, and apply it to the above created client address set.
Now, thoroughly test the DNS name resolving with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.