Connecting to www.schoolconnectsweb.com , 01 Dec 2005 14:43:20
< 220-FileZilla Server version 0.9.8 beta
< 220 Support FTP Site for Synrevoice Hosted Service
> USER hoosick
< 331 Password required for xxxxx
> PASS (hidden)
< 230 Logged on
> SYST
< 215 UNIX emulated by FileZilla
> PWD
< 257 "/" is current directory.
> TYPE A
< 200 Type set to A
> PASV
< 227 Entering Passive Mode (209,29,12,241,254,84)
> LIST
< 425 Can't open data connection.
ISA setup: I have inbound and outbound protocol rules for a primary port of 1841 and a secondary connections port range of 1-65000 inbound and outbound. If I relax it so I allow all IP traffic it will work fine, so I know ISA is my issue. I'm running Server 2003, which I believe is ISA 2000; correct me if I'm wrong. Any insight would be appreciated.
The FTP server is on the internet and the client is an ISA client on my network. The strange thing is this was working, I've changed nothing and according to the company running the server they've changed nothing. And it works if I throw in an "allow all" for these clients, so I know it's ISA stopping me. We're trying to connect to a passive FTP server on port 1841. I'm an ISA rookie, so forgive me if I've left out any other pertinent details.
I have an "allow" protocol rule for "any request" with the following protocols:
an inbound port 1841 with secondary ports of 1-65000 in and 1-65000 out
an outbound port 1841 with secondary ports of 1-65000 in and 1-65000 out
As you can see by the FTP client log in my original post, we're making it out and logging on to the server; it fails when it tries to establish a data channel. Any insight would be great. Thanks
< Message edited by dwisewon -- 2.Dec.2005 1:57:58 PM >
1. You should have a protocol definition in place with the following parameters:
   primary connection: TCP port 1841 Outbound
   secondary connections: TCP port 1025 - 65534 Outbound
2. The clients should be configured as Firewall clients. SecureNAT clients won't work because no application filter is available to support those secondary connections.
You said "And it works if I throw in an "allow all" for these clients, so I know it's ISA stopping me". In that case, you can easily verify in the ISA Firewall log that the protocol used is indeed what you think it is. Also, because you know what the logging should look like, you should be able to determine why it is not working any longer.
BTW --- If you enable the logging of all fields and set the log format to ISA format, you might post an excerpt of the Firewall log. We can then take a look at it.
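Added example (not part of the thread and not any poster's code): the 227 reply in the client log encodes the server's data port as p1*256+p2, so this Python sketch decodes it and checks it against the two secondary-connection ranges quoted above. For the logged reply the port is 254*256+84 = 65108, which lies outside 1-65000 and inside 1025-65534. The function names, rule labels and the embedded sample lines are assumptions constructed for the illustration.

```python
import re

# RFC 959 passive reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"\b227\b[^(]*\(" + r",".join([r"(\d{1,3})"] * 6) + r"\)")

# Constructed sample: reply lines copied from the client log in the first post.
SAMPLE_LOG = [
    "< 230 Logged on",
    "> PASV",
    "< 227 Entering Passive Mode (209,29,12,241,254,84)",
    "> LIST",
    "< 425 Can't open data connection.",
]

# Secondary-connection port ranges quoted in the thread (labels are ours).
RULES = {
    "first post, 1-65000": (1, 65000),
    "reply, 1025-65534": (1025, 65534),
}

def parse_pasv(line):
    """Return (host, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: " + line)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # p1 is the high byte, p2 the low byte
    return host, port

def audit(log_lines, rules):
    """For each PASV reply, report which rule ranges cover the data port."""
    findings = []
    for line in log_lines:
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        host, port = parsed
        verdicts = {name: lo <= port <= hi for name, (lo, hi) in rules.items()}
        findings.append((host, port, verdicts))
    return findings

if __name__ == "__main__":
    for host, port, verdicts in audit(SAMPLE_LOG, RULES):
        print(f"data connection to {host}:{port}")
        for name, ok in verdicts.items():
            print(f"  {name}: {'covered' if ok else 'NOT covered'}")
```

Run against a longer client log, it lists every passive data port the server offered, which can then be compared with the destination ports that appear in the ISA Firewall log.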