Problem with FTP access (Full Version)

All Forums >> [ISA Server 2000 Firewall] >> Firewall Client



Message

hensome2004 -> Problem with FTP access (6.Jun.2005 11:35:00 PM)

Hello, I am using ISA server 2000 Standard Edition with Windows 2000, all with latest service packs installed.

The problem is that all internal web proxy clients and firewall clients are not able to access external FTP sites.

I have already created protocol rule that allows FTP acess (21 outbound port) to all sites at all times. However, all internal clients are not able to access any of the external FTP sites.

This worked just fine a long time ago. But all of a sudden, without changing any settings, it fails. Anyone could help? Thanks.

B. Regards,
Henry Chang



geoffcox -> RE: Problem with FTP access (8.Jun.2005 5:32:00 AM)

Hello,

I have read Stefan's "FTP protocol challenges Firewall Security" article but am not sure what to do to allow ftp access to remote sites using SBS 2000 / ISA and the firewall client on the workstations ...

Para 4.3 mentions user having access to the predefined FTP protocol definition and making sure that the FTP Application Filter is enabled ...

I can see under Policy Elements for the ISA Server a Protocol definition which under the "defined by" heading has the entry "application filter" and uses port 21 for outbound.

Under Access Policy the only Protocol Rule is for Backoffice Internet Access and there is nothing re FTP under IP Packet Filters ...

In other words I am lost!

Cheers

Geoff



spouseele -> RE: Problem with FTP access (8.Jun.2005 4:27:00 PM)

Hi Geoff,

just make sure you have a protocol rule in place that allows the FTP protocol for the clients and it should work.

BTW --- I strongly suggest you test it first out with the standard Microsoft commandline FTP client. If that works, than the ISA server is correctly configured.

HTH,
Stefaan



hensome2004 -> RE: Problem with FTP access (9.Jun.2005 12:11:00 AM)

Hello,

But in my case, I have already setup an protocol rule that allows FTP outbound access. Additionally, I have also created a rule that enables all IP traffic. The clients all use Internet Explorer to access external FTP sites, but without success. I have also tried both enabling and disabling the "Enable folder view for FTP sites" option in IE.

Anyone could help??? Thanks.



geoffcox -> RE: Problem with FTP access (9.Jun.2005 4:01:00 AM)

Thanks Stefaan,

I have created a new rule under Protocol Rules and will wait to see if that works when colleague is in the office.

In your FTP Protocol Challenges Firewall Security - you have a description and an image for FTP Client control connection + data connection passive settings (page 9)- what situtation does that apply to? Presumably not what I want which is workstations able to use ws_ftp to access remote servers?

Cheers

Geoff



geoffcox -> RE: Problem with FTP access (9.Jun.2005 9:09:00 AM)

Stefaan,

Adding the Protocol Rule hgas done the trick!

Thanks

Geoff



spouseele -> RE: Problem with FTP access (9.Jun.2005 2:22:00 PM)

Hi hensome2004,

please, test it first out with the standard Microsoft commandline FTP client. If that works, than the ISA server is correctly configured.

HTH,
Stefaan



spouseele -> RE: Problem with FTP access (9.Jun.2005 2:26:00 PM)

Hi Geoff,

glad to hear you have it working and thanks for the follow up! [Smile]

BTW --- that figure in my article is for a scenario where you have to support the FTP protocol on a unstandard port number.

Stefaan



hensome2004 -> RE: Problem with FTP access (10.Jun.2005 4:10:00 AM)

Hi Spouseele,

I have tried in the command prompt:

ftp
open ftp.nero.com

After appropriate 20 seconds, it shows
connected to ftp.nero.com

Then after another 20 seconds, it shows
connection closed by remote host.

Any idea on what is happening? And I cannot connect with Internet Explorer. Thanks.



spouseele -> RE: Problem with FTP access (11.Jun.2005 10:47:00 AM)

Hi Henry,

to be able to ckeck out your basic ISA setup, please post the following info *unmodified*:
- ipconfig /all on ISA
- route print on ISA
- content of the LAT on ISA
- ipconfig /all on intenal host

HTH,
Stefaan



hensome2004 -> RE: Problem with FTP access (14.Jun.2005 10:57:00 PM)

Hi Spouseele,

Following please find my ISA server information:

-ipconfig /all

Ethernet adapter LAN:
DHCP enabled: No
IP addresss: 192.168.2.1
Subnet mask: 255.255.255.0
Default Gateway:
DNS server: 192.168.2.2
202.175.3.3

Ethernet adapter WAN:
DHCP enabled: No
IP address: 172.16.122.179
Subnet mask: 255.255.255.0
Default Gateway: 172.16.122.254
DNS server: 202.175.3.3
202.175.3.8



hensome2004 -> RE: Problem with FTP access (14.Jun.2005 11:08:00 PM)

- LAT content of ISA:

From to
10.0.0.0 10.255.255.255
169.254.0.0 169.254.255.255
192.168.0.0 192.168.255.255
192.168.2.0 192.168.2.255



hensome2004 -> RE: Problem with FTP access (14.Jun.2005 11:42:00 PM)

- ipconfig /all on internal host

DHCP enabled: Yes
Autoconfiguration enabled: Yes
IP address: 192.168.2.31
Subnet mask: 255.255.255.0
Default Gateway: 192.168.2.1
DNS server: 192.168.2.2



veluvarthi -> RE: Problem with FTP access (16.Jun.2005 10:23:00 AM)

hai

am also suffering from the same problem that am not able to connect to my ftp server through isa server.

i have loaded the isa server client software in my client system.

through cute ftp am not able to connect my ftp server. i have configured the firewall tab in cute ftp.

any body plz. . help me.

regards
pandu



spouseele -> RE: Problem with FTP access (16.Jun.2005 4:20:00 PM)

Hi Henry,

1. LAT on ISA:
--------------

your internal NetworkID seems to be '192.168.2.0/24'. Therefore *only* 192.168.2.0 192.168.2.255 should be in the LAT.

2. DNS configuration:
---------------------

you seems to have an internal DNS server '192.168.2.2'. Therefore, don't specify an ISP DNS server on any adapter of the ISA server. Just the internal DNS server on the internal interface and make sure the internal adapter is listed first in the adapter order as explained in Jim's excellent article http://www.isaserver.org/tutorials/Configuring_ISA_Server_Interface_Settings.html .

Next, perform the following configuration steps:

1) configure the internal DNS server as a SecureNAT client. That means his default gateway should point to the ISA internal interface.

2) enable forwarders on your internal DNS server and specify there your ISP DNS servers. Also, make sure you check the ôDo not use recursionö box.

3) create on ISA a client address set containing your internal DNS server.

4) create on ISA a *seperate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.

5) create on ISA a *seperate* site&content rule allowing access to any destination or better to a destination set containing your ISP DNS servers, and apply it to the above created client address set.

Now, thoroughly test the DNS name resolving with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.

Another very good option is to install on ISA itself a caching-only DNS server. Check out Tom's article http://www.isaserver.org/articles/snatdns.html for more info.

HTH,
Stefaan



spouseele -> RE: Problem with FTP access (16.Jun.2005 4:23:00 PM)

Hi Pandu,

do *NOT* configure any firewall setting in the FTP client. ISA server supports the FTP protocol complete transparently.

HTH,
Stefaan



Page: [1]