Hello, I am using ISA server 2000 Standard Edition with Windows 2000, all with latest service packs installed.
The problem is that all internal web proxy clients and firewall clients are not able to access external FTP sites.
I have already created a protocol rule that allows FTP access (port 21 outbound) to all sites at all times. However, all internal clients are not able to access any of the external FTP sites.
This worked just fine a long time ago. But all of a sudden, without changing any settings, it fails. Anyone could help? Thanks.
Posts: 7
Joined: 21.Mar.2003
From: London
Status: offline
Hello,
I have read Stefan's "FTP protocol challenges Firewall Security" article but am not sure what to do to allow ftp access to remote sites using SBS 2000 / ISA and the firewall client on the workstations ...
Para 4.3 mentions user having access to the predefined FTP protocol definition and making sure that the FTP Application Filter is enabled ...
I can see under Policy Elements for the ISA Server a Protocol definition which under the "defined by" heading has the entry "application filter" and uses port 21 for outbound.
Under Access Policy the only Protocol Rule is for Backoffice Internet Access and there is nothing re FTP under IP Packet Filters ...
Just make sure you have a protocol rule in place that allows the FTP protocol for the clients and it should work.
BTW --- I strongly suggest you test it out first with the standard Microsoft command-line FTP client. If that works, then the ISA server is correctly configured.
But in my case, I have already set up a protocol rule that allows FTP outbound access. Additionally, I have also created a rule that enables all IP traffic. The clients all use Internet Explorer to access external FTP sites, but without success. I have also tried both enabling and disabling the "Enable folder view for FTP sites" option in IE.
Thanks Stefaan,
I have created a new rule under Protocol Rules and will wait to see if that works when colleague is in the office.
In your FTP Protocol Challenges Firewall Security - you have a description and an image for FTP Client control connection + data connection passive settings (page 9) - what situation does that apply to? Presumably not what I want, which is workstations able to use ws_ftp to access remote servers?
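As an added example (not part of the thread, and not code from ISA Server or from Stefaan's article), the following Python shows what the FTP application filter has to work out from the control connection in both modes asked about above: in active mode the client sends PORT and the *server* opens the data connection back to the client; in passive mode the server answers PASV with 227 and the *client* opens the data connection. A plain port-21 rule never sees that second connection, which is why the filter must parse these lines. The sample control-channel lines, the addresses and the helper names (`parse_port_command`, `parse_pasv_reply`, `data_connection_allowed`) are all constructed for this example.

```python
"""Work out the FTP data connection from the control connection.

Added example, not code from the thread. Models the one job an FTP
application filter must do: read PORT (active) or the 227 PASV reply
(passive) and derive which side opens the data connection, to which
address and port, so only that secondary connection is permitted.
"""
import re

# PORT h1,h2,h3,h4,p1,p2  (client -> server, active mode)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  (server -> client, passive mode)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(h1, h2, h3, h4, p1, p2):
    """Turn the six comma-separated byte values into (ip, port)."""
    octets = [int(x) for x in (h1, h2, h3, h4)]
    p1, p2 = int(p1), int(p2)
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("byte value out of range")
    return "%d.%d.%d.%d" % tuple(octets), p1 * 256 + p2


def parse_port_command(line):
    """Active mode: the server will connect from its port 20 to this endpoint."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    ip, port = _decode(*m.groups())
    return {"mode": "active", "data_ip": ip, "data_port": port,
            "initiator": "server"}


def parse_pasv_reply(line):
    """Passive mode: the client will connect to this endpoint on the server."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    ip, port = _decode(*m.groups())
    return {"mode": "passive", "data_ip": ip, "data_port": port,
            "initiator": "client"}


def data_connection_allowed(info, client_ip, server_ip):
    """Filter decision (hypothetical policy): the announced data endpoint
    must belong to the peer that owns the control connection (this is the
    classic FTP 'bounce' guard) and must use an unprivileged port."""
    expected = client_ip if info["mode"] == "active" else server_ip
    return info["data_ip"] == expected and info["data_port"] > 1023


# Constructed sample: internal client 192.168.2.10 talking to an external
# server at 203.0.113.5 (documentation address, not a real site).
CLIENT_IP = "192.168.2.10"
SERVER_IP = "203.0.113.5"
SAMPLE_PORT = "PORT 192,168,2,10,7,208"
SAMPLE_PASV = "227 Entering Passive Mode (203,0,113,5,195,80)"
BOUNCE_PASV = "227 Entering Passive Mode (10,0,0,1,195,80)"


def demo():
    """Return the filter's view of each sample line."""
    active = parse_port_command(SAMPLE_PORT)
    passive = parse_pasv_reply(SAMPLE_PASV)
    bounce = parse_pasv_reply(BOUNCE_PASV)
    return {
        "active": (active, data_connection_allowed(active, CLIENT_IP, SERVER_IP)),
        "passive": (passive, data_connection_allowed(passive, CLIENT_IP, SERVER_IP)),
        "bounce": (bounce, data_connection_allowed(bounce, CLIENT_IP, SERVER_IP)),
    }


if __name__ == "__main__":
    for name, (info, ok) in demo().items():
        print(name, info["initiator"], "->", info["data_ip"], info["data_port"],
              "allowed" if ok else "DENIED")
```

Two practical points follow from this. In active mode the PORT command carries the client's private 192.168.2.x address, so a NAT device without the application filter would hand the server an unreachable endpoint; the filter has to rewrite it and open the inbound data connection. And the Microsoft command-line ftp.exe only uses active mode, so the test Stefaan suggests exercises exactly the PORT path through the filter, while a GUI client such as ws_ftp may default to passive and exercise the 227 path instead.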
To be able to check out your basic ISA setup, please post the following info *unmodified*: - ipconfig /all on ISA - route print on ISA - content of the LAT on ISA - ipconfig /all on internal host
Your internal NetworkID seems to be '192.168.2.0/24'. Therefore *only* 192.168.2.0 - 192.168.2.255 should be in the LAT.
2. DNS configuration:
---------------------
You seem to have an internal DNS server '192.168.2.2'. Therefore, don't specify an ISP DNS server on any adapter of the ISA server. Just the internal DNS server on the internal interface, and make sure the internal adapter is listed first in the adapter order as explained in Jim's excellent article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html .
Next, perform the following configuration steps:
1) configure the internal DNS server as a SecureNAT client. That means its default gateway should point to the ISA internal interface.
2) enable forwarders on your internal DNS server and specify there your ISP DNS servers. Also, make sure you check the "Do not use recursion" box.
3) create on ISA a client address set containing your internal DNS server.
4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.
5) create on ISA a *separate* site&content rule allowing access to any destination, or better to a destination set containing your ISP DNS servers, and apply it to the above created client address set.
Now, thoroughly test the DNS name resolving with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.
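As an added example (not from the thread, and not an ISA Server tool), the following Python checks the first point in the reply above, that the LAT should contain exactly the internal network and nothing else. ISA treats every address in the LAT as internal, so traffic to those addresses is routed directly instead of being firewalled and NATed; a stray external range in the LAT therefore silently breaks client classification. The LAT entries, the network ID and the helper names (`lat_entries_to_networks`, `check_lat`) are constructed for this example; the input is the start/end pairs as they appear in the LAT table.

```python
"""Check an ISA Server LAT against the internal network ID.

Added example, not code from the thread. Reports LAT ranges that fall
outside the internal network ("extra") and parts of the internal network
the LAT fails to cover ("missing"); the LAT is correct only when both
lists are empty.
"""
from ipaddress import (ip_address, ip_network, summarize_address_range,
                       collapse_addresses)


def lat_entries_to_networks(entries):
    """Convert LAT (start, end) address pairs into CIDR networks."""
    nets = []
    for start, end in entries:
        nets.extend(summarize_address_range(ip_address(start), ip_address(end)))
    return nets


def check_lat(entries, internal_network):
    """Compare LAT entries with the internal network ID (e.g. '192.168.2.0/24')."""
    internal = ip_network(internal_network)
    lat = lat_entries_to_networks(entries)
    # Anything not inside the internal network does not belong in the LAT.
    extra = [str(n) for n in lat if not n.subnet_of(internal)]
    # Collapse the in-range pieces and subtract them from the internal network
    # to find gaps. CIDR blocks are either nested or disjoint, so exclusion
    # by subnet_of is sufficient here.
    covered = collapse_addresses(n for n in lat if n.subnet_of(internal))
    missing = [internal]
    for net in covered:
        remaining = []
        for m in missing:
            if net.subnet_of(m):
                remaining.extend(m.address_exclude(net))
            elif not m.subnet_of(net):
                remaining.append(m)
        missing = remaining
    return {"ok": not extra and not missing,
            "extra": extra,
            "missing": [str(m) for m in missing]}


# Constructed LATs for the 192.168.2.0/24 network in the thread.
LAT_OK = [("192.168.2.0", "192.168.2.255")]
LAT_WITH_STRAY_RANGE = [("192.168.2.0", "192.168.2.255"),
                        ("10.0.0.0", "10.255.255.255")]
LAT_TOO_SMALL = [("192.168.2.0", "192.168.2.127")]
INTERNAL = "192.168.2.0/24"


if __name__ == "__main__":
    for name, lat in (("ok", LAT_OK), ("stray", LAT_WITH_STRAY_RANGE),
                      ("small", LAT_TOO_SMALL)):
        print(name, check_lat(lat, INTERNAL))
```

Run it against the LAT as pasted from the ISA console (the "content of the LAT on ISA" asked for above): an `extra` entry such as 10.0.0.0/8 means hosts in that range will be treated as internal and bypass the firewall, while a `missing` entry means some internal clients will be treated as external.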