Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

noob needs help with FTP on caching 2K4 server

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Cache] >> General >> noob needs help with FTP on caching 2K4 server Page: [1]
Login
Message << Older Topic   Newer Topic >>
noob needs help with FTP on caching 2K4 server - 10.Aug.2004 5:57:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline 		I have searched high and low on how to setup ISA Server 2004 with a single NIC to allow FTP. Most of the hits talk about ISA 2K and don't seem to apply.

I am trying to replace my old MS Proxy 2 server yet maintain the same functionality. While the server itself does have two NICs, I do not have the option of setting up the network with the two NICs. The network is managed by CorpIT, and I am DivIT. All they will give me is one IP rule through the Corporate firewall.

Users will need FTP access both through IE and commandline FTP. Currently, users needing additional functionality have been getting the MS Proxy Client (or the ISA 2K Firewall Client. I am prepared to roll out the 2K4 Firewall Client.

I am at a loss... please help!
Post #: 1
RE: noob needs help with FTP on caching 2K4 server - 10.Aug.2004 8:26:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi L,

The ISA firewall in unihomed "crippled" mode doesn't support non-Web Proxy tunneled FTP requests. I'd inform whoever is manging the network for you that they need to support a downstream firewall on the back-end perimeter, and if they don't believe in multi-perimenter security, why? I'd also get a risk assessment to confirm that no allowing you the back-end ISA firewall is a *bad* thing for your organization.

HTH,
Tom

(in reply to LLigetfa)
Post #: 2
RE: noob needs help with FTP on caching 2K4 server - 10.Aug.2004 9:16:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline 		Thanks for the quick response. In testing, I found that if I pointed the Firewall Client to the CorpIT ISA 2K server, FTP worked. So, I said to myself, "self, maybe I can configure firewall chaining".

I chained my (DivIT) ISA 2K4 server to the CorpIT ISA 2K server and now I am getting some minor improvements. I can now logon to an FTP site but if I issue:
ftp> LS

from the CL FTP, I get:
>ftp: bind :Can't assign requested address

Now I am lost and my ignorace is showing [Confused]

(in reply to LLigetfa)
Post #: 3
RE: noob needs help with FTP on caching 2K4 server - 11.Aug.2004 12:22:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi L,

OK, so you have an upstream ISA 2000 firewall? And now we have a back to back ISA firewall config with the upstream ISA firewall being 2000 and the downstream ISA firewall being 2004?

Thanks!
Tom

(in reply to LLigetfa)
Post #: 4
RE: noob needs help with FTP on caching 2K4 server - 11.Aug.2004 2:47:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline 		I do not have details on how the CorpIT ISA 2K server is configured. I only know that if I point my 2K4 Firewall Client to it, I have full FTP support.

These CorpIT guys live by the motto "security by ignorance" and are not a sharing bunch. They originally designed the MS Proxy 2 array and later replaced the upstream proxy with an ISA server. A couple years ago when I tried to do the same (replace my proxy with ISA to gain the benefit of the new features), I got my knuckles rapped when asking CorpIT for help to get FTP to work. I ended up rolling back to Proxy 2.

I thought I would give ISA 2K4 a go but now am at the same impass. If I go to CorpIT on bended knee, I am sure to get my knuckles rapped again.

With Proxy 2 nearing end-of-life, and needing the features of ISA, I am now at your mercy. If I am to get this to work, must I change my ISA 2K4 server from being 'unihomed' to another mode and if so what mode? As far as IP scopes go, presently I have only one available to me, a 'B' portion 10.x.0.0 of a class 'A' 10.0.0.0 scope.

(in reply to LLigetfa)
Post #: 5
RE: noob needs help with FTP on caching 2K4 server - 12.Aug.2004 3:51:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline 		Hmmm...
Was it something I said?
... or didn't say?

Please, I really need some help here.

(picture Les on bended knee)

(in reply to LLigetfa)
Post #: 6
RE: noob needs help with FTP on caching 2K4 server - 12.Aug.2004 4:58:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by LLigetfa:
I do not have details on how the CorpIT ISA 2K server is configured. I only know that if I point my 2K4 Firewall Client to it, I have full FTP support.

These CorpIT guys live by the motto "security by ignorance" and are not a sharing bunch. They originally designed the MS Proxy 2 array and later replaced the upstream proxy with an ISA server. A couple years ago when I tried to do the same (replace my proxy with ISA to gain the benefit of the new features), I got my knuckles rapped when asking CorpIT for help to get FTP to work. I ended up rolling back to Proxy 2.

I thought I would give ISA 2K4 a go but now am at the same impass. If I go to CorpIT on bended knee, I am sure to get my knuckles rapped again.

With Proxy 2 nearing end-of-life, and needing the features of ISA, I am now at your mercy. If I am to get this to work, must I change my ISA 2K4 server from being 'unihomed' to another mode and if so what mode? As far as IP scopes go, presently I have only one available to me, a 'B' portion 10.x.0.0 of a class 'A' 10.0.0.0 scope.
Hi Les,

You can do FTP with the unihomed ISA firewall. But, the clients must be configured as Web Proxy clients. They will send their FTP requests in an HTTP 'tunnel' to the ISA firewall's Web listener on TCP port 8080. Then the FTP request is forwarded upstream.

So, if you are forwarding to an upstream ISA firewall array, then you need to configure the Web Chaining Rules on the downstream ISA firewall. You might also want to disable downstream name resolution to help performance. There's some information on how to do this here:

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/disablenameresolution.mspx

HTH,
Tom

(in reply to LLigetfa)
Post #: 7
RE: noob needs help with FTP on caching 2K4 server - 12.Aug.2004 6:01:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline 		I am sorry, you are not telling me anything I haven't already figured out. Web proxy just won't do... I need full winsock proxy support.

Are you saying that the array supports only web proxy and for winsock proxy, I would bypass the upstream ISA... basically, the way Proxy2 now works? I could chain my Proxy2 to the upstream ISA or go direct as I have a rule through the firewall. At one point we were all chaining to ISA when we had content filtering on the upstream ISA but that was abandoned and we were told to break the chain and go direct. CorpIT presently considers the current ISA server as not really needed by the divisions and told me they could turn it off at their discression.

I did manage to draw a tidbit of info from CorpIT. Their ISA 2K server has 2 NICs... each in a different 'B' portion of our 10. class 'A'.

I have heard of other divisions claiming to get ISA 2K to work either by connecting 2 NICs or by tweaking. There is a don't ask/don't tell climate hear so they are keeping it close to their vest.

Is there a way to build an array that would simplify the architecture or should every DivIT ISA server have its own rule through the CorpIT firewall as we have now with Proxy2? Would every division need to setup ISA to connect to separate subnets or are there any tweaks that can 'fake' it?

I understand that ISA server is capable of a whole lot more than Proxy2 but I just want what Proxy2 gave me. Well, that and just a little more. [Big Grin] I want the ability to have separate rules per group instead of the one-rule-for-all of Proxy2.

I think CorpIT is commited to their existing hardware based Firewall/VPN and are not likely to utilize those features of ISA. Most likely whatever ISA servers replace Proxy2 will all stay on the same side of the CorpIT firewall as the clients. I might be able to convince our WAN group to repurpose another IP class (172.x.y.z that was originally setup for SNA which is being decommissioned) if it is necessary for full winsock proxy support. I do also have a second class 'B' subnet of our 10. scope in reserve that could be made available but do not want to squander it on ISA.

I am trying to convince CorpIT to consider a strategy to facilitate the replacement of the aging Proxy2 servers but they really don't like DivIT telling them what to do. Right now I am trying to talk my way onto a steering committee.

Thanks for input thus far. I welcome whatever advise you can toss my way. Sorry for the noob 20 questions. [Confused]

Les

(in reply to LLigetfa)
Post #: 8
RE: noob needs help with FTP on caching 2K4 server - 14.Aug.2004 6:12:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Les,

Hmmm. OK, your setup sounds like a govt one, there the left and right hands don't know what the other is doing [Smile]

Try installing the ISA firewall with two NICs, and configure the default gateway on the external interface of the ISA firewall to your upstream router, whatever that might be. Don't do any Firewall Chaining, since you can't get any support from the other guys managing the upstream firewalls.

HTH,
Tom

(in reply to LLigetfa)
Post #: 9
RE: noob needs help with FTP on caching 2K4 server - 15.Aug.2004 5:21:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline 		OK thanks, will try that come Monday. When I tried that a couple years ago on ISA 2K, it complained about the two NICs being in the same subnet.

I presume then I bind the inbound NIC to the same subnet (10.198.0.0) as the outboundd and register the inbound in DDNS so the clients come in on that NIC. Not sure what to do about the GW on that NIC. Would the outbound NIC then get the IP that has a rule through the firewall? Along with the GW, would it still get a class 'B' mask?

(in reply to LLigetfa)
Post #: 10
RE: noob needs help with FTP on caching 2K4 server - 16.Aug.2004 3:29:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Les,

That's correct, it will still not be happy with two NICs on the same network ID, so you'll have to subnet the network ID you're working with and put the client machines on that subnet. Then the ISA firewall will have an interface on each network ID and pass packets through the routed connections.

HTH,
Tom

(in reply to LLigetfa)
Post #: 11
RE: noob needs help with FTP on caching 2K4 server - 17.Aug.2004 1:45:00 AM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline 		You are right. ISA 2K4 is not happy with two NICs in the same subnet. Subnetting my class 'B' into smaller subnets is not an option either so I threw myself on the mercy of CorpIT. They have agreed to let me pilot ISA so now I have to work with the WAN group to get another subnet on my router with a rule through the hardware firewall.

I presume then that I would setup ISA with the "Back End" network template. Will this template work with the hardware firewall?

(in reply to LLigetfa)
Post #: 12
RE: noob needs help with FTP on caching 2K4 server - 22.Aug.2004 3:25:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Les,

Sounds like things are getting better!

However, I don't use network templates and recommend that you don't either. Just create network rules based on your requirements and life will be a lot easier.

HTH,
Tom

(in reply to LLigetfa)
Post #: 13
RE: noob needs help with FTP on caching 2K4 server - 11.Mar.2005 1:51:00 AM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline 		Well... you will not believe it. It took this long to get CorpIT to agree to give me a second subnet on their router. Now, the subnet 10.198.0.0, mask 255.255.0.0, GW 10.198.1.1 is for my clients. I also now have 10.199.255.253, mask 255.255.255.252, GW 10.199.255.254 for the second NIC in the ISA server with a rule through the CorpIT PIX firewall.

I am unsure how of if I have to setup the routes in Windows since the internal network has the favored metric being a gig NIC. From the ISA server before ISA was installed, I could only surf the net if I disable the internal network. Do I have to change the metrics or does ISA take care of the routes?

It's been so long since I played with ISA server. Looks like I have some relearning to do.

Should I be posting under ISA 2004 General now that I am setting up ISA with two NICs?

[ March 11, 2005, 02:29 AM: Message edited by: LLigetfa ]

(in reply to LLigetfa)
Post #: 14

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Cache] >> General >> noob needs help with FTP on caching 2K4 server Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts