Welcome to ISAserver.org

passive ftp

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> passive ftp

Page: [1]

Message

<< Older Topic Newer Topic >>

passive ftp - 15.Dec.2005 5:00:37 AM

millcadz

Posts: 9
Joined: 15.Dec.2005
Status: offline

I cannot connect to ftp server that uses passive mode, here is the error

message:

ISA Server: extended error message :

200 Switching to Binary mode.

200 PORT command successful. Consider using PASV.

425 Failed to establish connection.

anybody encounter this prob and was able to solve, i need your help.

thank you

best regards

mr. mills

Post #: 1

RE: passive ftp - 15.Dec.2005 6:51:31 AM

tshinder

Posts: 46637
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Mill,

What site?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
MVP -- ISA Firewalls

(in reply to millcadz)

Post #: 2

RE: passive ftp - 15.Dec.2005 7:38:24 AM

millcadz

Posts: 9
Joined: 15.Dec.2005
Status: offline

hello tom;

the site is http://www.bir.gov.ph/birforms/form_pay.htm#1604CF

hyperlinked to ftp://ftp.bir.gov.ph/webadmin1.....

thank you for your reply tom;

i appreciate it so much.

regards

(in reply to tshinder)

Post #: 3

RE: passive ftp - 17.Dec.2005 5:55:42 PM

tshinder

Posts: 46637
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Mill,

OK, got it.

Let me see if I can find out how to fix this.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
MVP -- ISA Firewalls

(in reply to millcadz)

Post #: 4

RE: passive ftp - 6.Jan.2006 11:26:32 PM

marting

Posts: 2
Joined: 17.Dec.2003
Status: offline

Hi all,

I got an email about this same issue and thought it would be good to reply to the question in the forum as well as the email.

When I tested access to the FTP site at ftp.bir.gov.ph from a Web Proxy client, Netmon showed that the ISA Server issues a PORT, rather than a PASV, command to initiate the data transfer. The Web browser settings that control whether the browser is using PASV or PORT mode have no effect. Because the FTP server apparently supports only PASV mode for data transfers, the data transfer fails.

There are two workarounds that will enable the ISA Server to issue the PASV command on behalf of the Web client.

1) Configure the client computer as an SNAT client. ISA Server will then proxy the client request by using the PASV command. The Web browser settings that control whether to use the PASV or PORT command are not relevant.

2) Configure the client computer as a Web Proxy client, but in the Advanced settings configure an exception for ftp.bir.gov.ph. Even better, in the properties of the Internal network configure an exception for ftp.bir.gov.ph in the Domains tab and ensure that the Web Proxy clients are configured to use the automatic configuration script. Again, as with the previous solution, the Web browser settings that control whether use the PORT or the PASV commands are irrelevant because ISA will proxy the request by using the PASV command.

This behavior on the part of ISA Server 2004 is a little quirky. Some ISA Server 2004 documentation suggests that, by defautl, ISA Server will use PASV mode. However, this does not appear to be always the case. In some cases, ISA Server 2004 issues a PORT command command to change to the ftp directory and perform data transfer. In others, it uses the PASV command. The issue of when ISA Server will use the PORT or the PASV command should probably be looked into a little bit more than I have here to troubleshoot the problem.

BTW, for ISA Server 2000, you need to perform a registry hack to enable ISA Server 2000 to use PASV mode. To do this, navigate to HKLM\CCS\Services\W3Proxy\Paramaters and change the default DWORD value of NONPassiveFTPTransfer to 0. I am unaware of any comparable registry setting in ISA Server 2004 that allows you to toggle the mode between PASV and PORT. Of course, the Web Proxy service does not exist in ISA Server 2004 as it has been subsumed by the Firewall service.

HTH,

Martin

(in reply to tshinder)

Post #: 5

RE: passive ftp - 7.Jan.2006 3:42:57 PM

tshinder

Posts: 46637
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Martin,

Thanks!!!

Tom

_____________________________

Thomas W Shinder, M.D.
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
MVP -- ISA Firewalls

(in reply to marting)

Post #: 6

RE: passive ftp - 12.Apr.2007 6:56:54 AM

nyokie

Posts: 17
Joined: 22.Mar.2005
From: Philippines
Status: offline

Hi Marting,

I saw your response about the passive ftp in isa 2004. i try the procedures that you post but it's not working. I'm from the philippines and we need to access and download bir forms. please help. appreciate if you can send reply to my email ricky_pc2119@yahoo.com.

Thanks,
Ricky

(in reply to tshinder)

Post #: 7

RE: passive ftp - 15.May2008 5:48:14 AM

mmbalmes

Posts: 1
Joined: 15.May2008
Status: offline

Hi to all,

I also from the philippines, i have encountered this error....and found a soulution from Microsoft technet....please refer to this link

http://support.microsoft.com/Default.aspx?kbid=300641

Thank You,
Marlon

(in reply to nyokie)

Post #: 8

RE: passive ftp - 15.May2008 6:32:30 AM

tshinder

Posts: 46637
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Marlon,

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
MVP -- ISA Firewalls

(in reply to mmbalmes)

Post #: 9