Re: Configure ISA to allow ISA Server to make external FTP Connection

From: Stuart Mackie [MCP, MSP] (newsgroups_at_--REMOVE_THIS-NO_SPAM--stu.uk.com)
Date: 09/20/04


Date: Mon, 20 Sep 2004 10:37:54 +0100

Hi Jim. I thought that would be the case, just wanted to check in case
there was another way :) Thanks for your help.

-- 
Stuart.
"Jim Harrison [MSFT]" <jmharr@online.microsoft.com> wrote in message 
news:OUl6jKrnEHA.1296@TK2MSFTNGP09.phx.gbl...
> Packet filters are ignorant of such niceties as "domains".
> They know IP, protocol, direction and port.
> You can limit the "remote" to a single IP address, though.
>
> -- 
> Jim Harrison [ISASE]
> Read the help, books and articles!
>
> This posting is provided "AS IS" with no warranties, and confers no 
> rights.
>
>
> "Stuart Mackie [MCP, MSP]" <newsgroups@--REMOVE_THIS-NO_SPAM--stu.uk.com> 
> wrote in message
> news:OpXM3ipnEHA.2616@tk2msftngp13.phx.gbl...
> Hi Jim, thanks for the reply. Is there any way we can configure ISA to
> allow the FTP connection but only to a particular domain? From configuring
> the PF as per below this works perfectly, but it allows FTP connections to
> all external addresses. In terms of security I would really like to limit
> this to one particular domain, e.g. *.windowsupdate.microsoft.com etc. Is
> this possible?
>
> -- 
> Thanks,
> Stuart
>
>
> "Jim Harrison [MSFT]" <jmharr@online.microsoft.com> wrote in message
> news:ObuMxDnnEHA.3072@TK2MSFTNGP09.phx.gbl...
>> Actually, the FTP server should be making the data connections to your ISA
>> from port 20, not to it.
>> FTP protocol allows the client/server pair to specify the ports they use.
>> Generally, you should configure the PF as:
>>
>> "FTP Control Out"
>> Protocol = TCP
>> Direction = Outbound
>> Local port = any
>> Remote port = 21
>>
>> "FTP Data In"
>> Protocol = TCP
>> Direction = Inbound
>> Local port = any
>> Remote port = 20
>>
>> -- 
>> Jim Harrison [ISASE]
>> Read the help, books and articles!
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>> "Stuart Mackie [MCP, MSP]" <newsgroups@--REMOVE_THIS-NO_SPAM--stu.uk.com>
>> wrote in message
>> news:uWecWQdnEHA.3900@TK2MSFTNGP10.phx.gbl...
>> Hi. I am trying to configure ISA to allow the ISA Server itself to make an
>> outgoing FTP connection to an external server and pull down an update file.
>> We are using a .cmd script to do this and therefore cannot do any proxy
>> authentication. So far I have created a Packet filter to allow the outgoing
>> FTP connection to Port 21, but since the server is behind a NAT router, the
>> FTP server is responding back to our server's external NIC on Port 20 and is
>> therefore blocked.
>>
>> Is it possible to configure ISA to allow the outgoing connection from the
>> ISA server to the external server on port 21, and in combination with this
>> accept the incoming connection on Port 20?
>>
>> Also, currently I've configured the Packet Filter to allow the FTP
>> connection to go to any host. I would prefer to restrict which host but
>> have to do it by domain name rather than IP. Is this possible in
>> combination with the above Packet Filter?
>>
>> -- 
>> Thanks for any help,
>> Stuart.
>>
>>
>>
>
>
> 
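
Added example, not part of the thread and not ISA Server code: a small Python model of the stateless matching described in the replies (protocol, direction, port, and optionally a single remote IP), applied to the two FTP filters listed above. All class and function names are hypothetical, and the addresses are constructed sample values from documentation ranges.

```python
# Added illustration: a minimal model of stateless packet-filter matching.
# Field names mirror the thread's filter listing; this is not ISA Server code.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

ANY = None  # wildcard for ports and for the remote address

@dataclass(frozen=True)
class Filter:
    name: str
    protocol: str
    direction: str                   # "outbound" or "inbound"
    local_port: Optional[int]
    remote_port: Optional[int]
    remote_ip: Optional[str] = ANY   # a single address only; no domain names

@dataclass(frozen=True)
class Packet:
    protocol: str
    direction: str
    local_port: int
    remote_ip: str
    remote_port: int

def matches(f: Filter, p: Packet) -> bool:
    return (f.protocol == p.protocol
            and f.direction == p.direction
            and f.local_port in (ANY, p.local_port)
            and f.remote_port in (ANY, p.remote_port)
            and (f.remote_ip is ANY
                 or ip_address(f.remote_ip) == ip_address(p.remote_ip)))

def allowed(filters, p: Packet) -> Optional[str]:
    """Return the name of the first matching allow filter, else None (dropped)."""
    return next((f.name for f in filters if matches(f, p)), None)

def ftp_filters(remote_ip: Optional[str] = ANY):
    return [Filter("FTP Control Out", "TCP", "outbound", ANY, 21, remote_ip),
            Filter("FTP Data In", "TCP", "inbound", ANY, 20, remote_ip)]

# Constructed sample traffic (documentation addresses, RFC 5737).
SERVER, OTHER = "192.0.2.10", "198.51.100.7"
control = Packet("TCP", "outbound", 1034, SERVER, 21)
data_in = Packet("TCP", "inbound", 1035, SERVER, 20)
stray = Packet("TCP", "inbound", 1035, OTHER, 20)
```

With `ftp_filters()` the inbound filter accepts `stray` as well as `data_in`; with `ftp_filters(SERVER)` only traffic to and from the one remote address matches.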

