Welcome to ISAserver.org
pop3 and firewall client

pop3 and firewall client - 12.Apr.2006 5:55:43 PM
plna
Posts: 28
Joined: 12.Mar.2006
Status: offline
I have installed the firewall client to enable ftp access (upload and download) to/from external sites. What should the access policy look like to allow ftp? Also my pop3 won't work anymore with the firewall client running. I have created access rules to allow in and out pop3 but that doesn't seem to help.

RE: pop3 and firewall client - 19.Apr.2006 3:31:43 PM
plna
Posts: 28
Joined: 12.Mar.2006
Status: offline
Thank you. I guess I am doing something wrong since the only way we can use ftp with the SecureNAT client is to route the ftp traffic around the ISA server. I have tried creating access rules for ftp traffic; however, they do not seem to affect the ftp access.

RE: pop3 and firewall client - 19.Apr.2006 3:55:20 PM
elmajdal
Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Let's work on this step by step. Did you finish with the pop3 issue? And what's wrong with the ftp? Can you access the site, or are you not able to access it at all?
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: pop3 and firewall client - 19.Apr.2006 4:22:27 PM
plna
Posts: 28
Joined: 12.Mar.2006
Status: offline
Ok. If I can use ftp without the FWC then pop3 is fine. So let's address the ftp issue. When attempting to access ftp sites using a SecureNAT client I receive the following error: "FTP Folder error. Windows cannot access this folder. Make sure you typed the file name correctly and have permissions to access this folder. Details: The operation timed out." When I route the connection around the ISA server it connects fine.

RE: pop3 and firewall client - 19.Apr.2006 5:39:17 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:
When I route the connection around the ISA server it connects fine.

Sounds like ISA is not truly a firewall if you can route around it. How then can you be certain the return packets would traverse the firewall and not go around it?
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

RE: pop3 and firewall client - 19.Apr.2006 5:56:52 PM
plna
Posts: 28
Joined: 12.Mar.2006
Status: offline
I am sure that when I route ftp traffic around the isa server the inbound is routed around the isa server as well. I have all the users default route to a 3com core builder and the default route for the corebuilder is the isa server which then routes out a 3com netbuilder on port 2. Port 1 on the 3com netbuilder is accessible as well and I can route traffic via the pc routing table to that port and thus get ftp traffic around the isa server.
< Message edited by plna -- 19.Apr.2006 5:59:56 PM >

RE: pop3 and firewall client - 19.Apr.2006 6:32:57 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Ahem... but... you missed my point entirely. I am not talking about deliberately routing around the ISA but rather the inverse, to get ISA S-NAT clients' inbound traffic to NOT route around it. Take a network sniff to see what truly is happening.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

RE: pop3 and firewall client - 19.Apr.2006 7:23:11 PM
plna
Posts: 28
Joined: 12.Mar.2006
Status: offline
I have done that in the past and traffic that routes out the isa server comes back through the isa server. It has to because of the packet information. When we were using isa 2000 we had no problem with ftp. Now that we are using isa 2004 we are. I am trying to figure that out.

RE: pop3 and firewall client - 19.Apr.2006 7:58:48 PM
elmajdal
Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi again, is there a specific website? Can you give us an example? Or is it an issue with all ftp sites?
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: pop3 and firewall client - 19.Apr.2006 8:11:18 PM
plna
Posts: 28
Joined: 12.Mar.2006
Status: offline
It is with all sites. I have been able to get connected using ftp://username:password@ftpsite.name; however, I have to disable folder view in internet options under the advanced tab. This is ok for you and me but the end user may get confused seeing this. But with this setup I can download files but I cannot upload files. So I am getting closer but not quite there yet.

RE: pop3 and firewall client - 19.Apr.2006 8:17:09 PM
elmajdal
Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:
ORIGINAL: plna
But with this set up I can download files but I cannot upload files. So I am getting closer but not quite there yet.

Right-click your rule, configure FTP, and then remove the tick inside Read Only. In this way you will be able to upload.
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: pop3 and firewall client - 19.Apr.2006 8:21:28 PM
plna
Posts: 28
Joined: 12.Mar.2006
Status: offline
I have done that. That is what is so confusing. I think I have everything in place but still no joy. I have a rule to allow ftp from internal to external and unchecked the read only. Very confusing.

RE: pop3 and firewall client - 19.Apr.2006 8:30:49 PM
elmajdal
Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
You'd better check spouseele's article: How the FTP protocol Challenges Firewall Security. Also I am quoting these from him:

quote:
There are two ISA related configuration settings that might enforce the FTP read only mode, that is not having the ability to upload files:
1. On the rule, check the FTP configuration setting 'read only' in the rule properties. By clearing this flag you will be able to upload files.
2. If the FTP client is acting as a Web Proxy client, that means that FTP through HTTP is used instead of plain FTP, then the Web Proxy component is handling the FTP request and by design, a CERN compatible Web Proxy does only support FTP download. So, to overcome that limitation you should make sure that the FTP client is *not* acting as a Web Proxy client.

quote:
Assuming that IE is configured as a Web Proxy client *and* that the Firewall client is installed too:
1. If the IE setting Enable folder view for FTP sites is not checked, then the FTP request is sent by IE as a Web Proxy client request, in other words as FTP over HTTP.
2. If the IE setting Enable folder view for FTP sites is checked, then the FTP request is sent by IE as a Firewall client request.

HTH
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: pop3 and firewall client - 19.Apr.2006 8:49:19 PM
plna
Posts: 28
Joined: 12.Mar.2006
Status: offline
I have read his article and will read it again shortly. When attempting to access ftp sites I am using internet explorer. Is this what you mean by web proxy? When I attempt via command line that doesn't work either, and I am also trying to use FTP Explorer but it doesn't work.

RE: pop3 and firewall client - 19.Apr.2006 9:14:27 PM
plna
Posts: 28
Joined: 12.Mar.2006
Status: offline
I have been trying several things. I was under the impression that you needed the fwc to ftp so I was attempting that. When I have the fwc running I can't receive pop3. However I have since been made aware that the fwc client is not needed for ftp so the pop3 issue is gone. However I cannot get the ftp inbound and outbound working smoothly.

RE: pop3 and firewall client - 19.Apr.2006 10:12:26 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Because your ISA is not set up as a *real* firewall (can route around it) and your other thread reports FWX_E_TCP_NOT_SYN_PACKET_DROPPED, I suspect that return traffic is circumnavigating the ISA.

quote:
when we were using isa 2000 we had no problem with ftp

My guess is that in 2K4, you have a route rule while 2000 only did NAT.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
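
The suspicion in the post above, that return traffic bypasses the firewall so that it sees non-SYN segments for connections it never tracked, can be checked against a capture taken on the firewall's own interfaces. The following is an added example, not part of the thread; the packet records, addresses and verdict names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: TCP segments seen on the firewall's own interfaces, as
# (src_ip, src_port, dst_ip, dst_port, flags). Addresses are documentation ranges.
CAPTURE = [
    # Flow A: both directions cross the firewall, normal handshake.
    ("192.0.2.10", 40001, "198.51.100.5", 21, "S"),
    ("198.51.100.5", 21, "192.0.2.10", 40001, "SA"),
    ("192.0.2.10", 40001, "198.51.100.5", 21, "A"),
    # Flow B: SYN goes out through the firewall, the reply is never seen here.
    ("192.0.2.11", 40002, "198.51.100.5", 21, "S"),
    ("192.0.2.11", 40002, "198.51.100.5", 21, "S"),  # client retransmit
    # Flow C: first segment seen is mid-stream; the handshake took another path.
    ("198.51.100.5", 21, "192.0.2.12", 40003, "A"),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection group together."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def classify_flows(packets):
    """Return {flow_key: verdict} from the firewall's point of view."""
    flows = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        flows[flow_key(src, sport, dst, dport)].append(((src, sport), flags))
    verdicts = {}
    for key, segs in flows.items():
        opener, first_flags = segs[0]
        if first_flags != "S":
            # No tracked connection: a stateful firewall drops this segment.
            verdicts[key] = "non-SYN without state"
        elif any(f == "SA" and s != opener for s, f in segs):
            verdicts[key] = "symmetric"
        else:
            # SYN left through the firewall but no SYN-ACK came back this way.
            verdicts[key] = "reply not seen"
    return verdicts

def asymmetric_flows(packets):
    """Flows whose two directions do not both traverse the firewall."""
    return sorted(k for k, v in classify_flows(packets).items() if v != "symmetric")

if __name__ == "__main__":
    for key, verdict in classify_flows(CAPTURE).items():
        print(key, "->", verdict)
```

A "reply not seen" verdict on its own can also mean the server never answered, so compare it with a capture taken on the alternate path before concluding the route is asymmetric.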

RE: pop3 and firewall client - 19.Apr.2006 10:54:50 PM
plna
Posts: 28
Joined: 12.Mar.2006
Status: offline
The isa 2000 was set up the same way and it worked. All we did was a rebuild of the server and installed isa 2004. No different rules. Still just doing natting. I will keep plugging away at it.