Re: FTP access via ISA(proxy)

From: David Barnes (david_at_nospam-bitsolve.com)
Date: 07/28/04


Date: Wed, 28 Jul 2004 23:45:19 GMT

Trying from a browser on a client
with the proxy server specified for http https & ftp

"Phillip Windell" <@.> wrote in message
news:uzSj6YOdEHA.1652@TK2MSFTNGP09.phx.gbl...
> Packet Filters are only for what is run from the Proxy box itself and has
> nothing to do with Clients. It is the same with ISA. So what are you
> really trying to FTP from?...a browser on a client or the browser on the ISA
> itself,...there is a big difference.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
> "David Barnes" <david@nospam-bitsolve.com> wrote in message
> news:qXTNc.10369$m76.104318118@news-text.cableinet.net...
> > I agree.. It is odd..
> > The funny thing is I personally have Proxy 2.0 and can FTP via that.. it
> > works beautifully (once I'd sorted out the packet filters).
> > I never have really got my head round ISA, Read the book, done the course,
> > still don't understand it..
> >
> > My understanding was that IE was port mode unless you set the PASV setting
> > in advanced.
> > This would give you
> > Client                         Server
> > >1023 --------control------> 21
> > >1023 <-------data--------- 20
> > Note: I'm only representing the 'initial connect' here, and hence what goes
> > in the 'filter'
> >
> >
> > For PASV mode:
> > Port 20 is not used and the local client has to be able to connect a local
> > dynamic port to a remote dynamic port.(well the proxy has to do this)
> > Client                         Server
> > >1023 --------control------> 21
> > >1023 -------data---------> >1023
> > Note: I'm only representing the 'initial connect' here, and hence what goes
> > in the 'filter'
> >
> >
> >
> > "Tony Su" <anonymous@discussions.microsoft.com> wrote in message
> > news:5d9701c474c8$a85cc5f0$a601280a@phx.gbl...
> > > David,
> > >
> > > First, regarding the fix you discovered...
> > > When you're configuring access for an application running
> > > on the ISA box itself, the application will naturally
> > > attempt to use Network Properties settings and connect
> > > through the WAN interface. Since Packet Filtering is the
> > > only barrier blocking on the WAN interface, your solution
> > > works but bypasses all other ISA functionality.
> > >
> > > If your application is Proxy aware, then you can point the
> > > application to your LAN interface instead where the
> > > application will be seen by ISA like any other LAN Host
> > > client and utilize the Web Proxy Service, applying a
> > > number of filters and better protection.
> > >
> > > Note though that the IE browser FTP(and similar
> > > applications) is PASV FTP, not "Active" (PORT) FTP and the
> > > mode and ports used can be important. If you want to test
> > > PORT FTP, you would do this by using FTP from the command
> > > line.
> > >
> > > So, this is a good lead into why your Domain Host clients
> > > aren't able to FTP.
> > >
> > > From your description, the FTP Server works using PORT FTP
> > > (that's what you configured with your Packet Filters) but
> > > you're configuring your clients to use PASV FTP when
> > > configured as Web Proxy clients... Then, when you pointed
> > > your IE browsers as SNAT clients which ironically disabled
> > > support for PASV FTP in one sense is consistent with what
> > > you had done earlier... but is still surprising to me
> > > because I've read (and not personally confirmed) that IE
> > > supported only PASV FTP (could not fall back to PORT FTP).
> > >
> > > Tony Su
> > >
> > >
> > >
> > >
> > >
> > >
> > > >-----Original Message-----
> > > >Hi David,
> > > >
> > > >First of all, the gateway on the clients should be set to the server-IP when
> > > >the server has (the preferred) 2 nics.
> > > >
> > > >When ISA is installed, the clients should have the Firewall Client
> > > >installed.
> > > >
> > > >You don't want FTP inbound open on your server. Have a look in the Win2000
> > > >newsgroups for a few days and find people who did setup their server with
> > > >FTP-server. It sometimes just takes hours before all kinds of funny files
> > > >are appearing on the server and you are locked out!
> > > >FTP uses clear text when sending passwords over the internet.
> > > >
> > > >--
> > > >Regards,
> > > >
> > > >Marina
> > > >Microsoft SBS-MVP
> > > >
> > > >"David Barnes" <david@nospam-bitsolve.com> wrote in message
> > > >news:qKENc.9793$R45.98682994@news-text.cableinet.net...
> > > >> I'm stuck..
> > > >>
> > > >> SBS2003 (premium)
> > > >> 2 NICs
> > > >> 'out of the tin' default settings
> > > >> SBS's 'CEICW' run and selected 'directly connected' and 'enable firewall'
> > > >> Server's connection to the internet is via a NAT/PAT firewall/router
> > > >> (FireBrick to be precise)
> > > >>
> > > >> From the SBS server itself I couldn't do any FTP access to any site at all,
> > > >> from IE or the 'CMD> FTP' until I enabled the outbound port 21 and inbound
> > > >> port 20 filters that were there but disabled(why?) and created an additional
> > > >> filter 'outbound, tcp, local=dynamic, remote=any'.
> > > >> Why didn't this 'work out of the tin'?
> > > >>
> > > >> At least I can get the server to ftp download the virus updates now..
> > > >>
> > > >> HOWEVER...
> > > >>
> > > >> Client PC's (all 35 of them)
> > > >> No DG specified (security choice)
> > > >> NOT got the 'proxy firewall client' installed.
> > > >> IE has ISA (SBS) as proxy for HTTP, HTTPS & FTP, and has 'directory view'
> > > >> disabled
> > > >> goto ftp://ftp.hp.com .. fails and I get:
> > > >> ISA Server: Extended error message:
> > > >> 200 type set to A.
> > > >> 500 Invalid PORT Command.
> > > >>
> > > >> Has anyone managed to get FTP access working via the ISA proxy?
> > > >> Am I getting this because the firewall is also enabled?
> > > >> I notice that there is an 'FTP access filter' It seems not to make a jot if
> > > >> this is enabled or disabled.!
> > > >> Being SBS this 'should' work 'out of the tin', but well.. I spose they have
> > > >> to leave something to challenge us techies..
> > > >>
> > > >>
> > > >> And yes If I give the client PC a DG (a separate firewall/router to the ISA
> > > >> server) and take off the proxy setting for FTP the client (IE) can do FTP
> > > >> fine.
> > > >>
> > > >> The rules, filtersets and settings are all 'preconfigured' by the SBS CEICW
> > > >> and get reset whenever this is run.
> > > >> Ultimately I'm looking for some sort of setting that can get the SBS CEICW
> > > >> to do its job properly, but then that might be just too much to ask!
> > > >>
> > > >> I apologise for the cross posting, but this is both an SBS and an ISA
> > > >> issue..
> > > >>
> > > >> David
> > > >>
> > > >>
> > > >>
> > > >>
> > > >
> > > >
> > > >.
> > > >
> >
> >
>
>
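
The two connection diagrams quoted in this thread (PORT mode and PASV mode), worked as an added example that is not code from any poster or from ISA: it decodes the `h1,h2,h3,h4,p1,p2` argument of a `PORT` command or a `227` reply and reports who opens the data connection and which filter that implies. The function names, the filter shorthand (modelled on the 'outbound, tcp, local=dynamic, remote=any' wording above, not ISA syntax) and all addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

# RFC 959 host-port: four address bytes and two port bytes, comma separated.
HOSTPORT = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

def parse_hostport(text):
    """Return (IPv4Address, port) from a PORT argument or 227 reply, else None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def data_channel(line, client_ip, server_ip):
    """Describe the data connection one control-channel line negotiates.
    client_ip/server_ip are the peers as seen on the control connection."""
    is_port = line.upper().startswith("PORT ")
    if not (is_port or line.startswith("227 ")):
        return None  # not a data-channel negotiation line
    mode = "PORT" if is_port else "PASV"
    parsed = parse_hostport(line[4:])
    if parsed is None:
        return {"mode": mode, "error": "malformed host-port"}
    ip, port = parsed
    peer = ipaddress.IPv4Address(client_ip if is_port else server_ip)
    return {
        "mode": mode,
        # PORT: server connects back from port 20. PASV: client connects out again.
        "opened_by": "server" if is_port else "client",
        "filter": (f"inbound tcp local={port} remote=20" if is_port
                   else f"outbound tcp local=dynamic remote={port}"),
        "listener": f"{ip}:{port}",
        # False when the advertised address is not the control-connection peer,
        # i.e. a NAT or proxy in the path would have to rewrite this command.
        "address_matches_peer": ip == peer,
    }

def negotiations(lines, client_ip, server_ip):
    """Keep only the lines that set up a data channel."""
    found = (data_channel(l, client_ip, server_ip) for l in lines)
    return [f for f in found if f is not None]

# Constructed control-channel lines (not captured from the thread's network).
SAMPLE = ["TYPE A", "200 Type set to A.", "PORT 192,168,16,40,4,210",
          "PASV", "227 Entering Passive Mode (203,0,113,10,195,80)"]

if __name__ == "__main__":
    for entry in negotiations(SAMPLE, "198.51.100.7", "203.0.113.10"):
        print(entry)
```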


