Re: Configure ISA to allow ISA Server to make external FTP Connect
From: Stuart Mackie [MCP, MSP] (newsgroups_at_--REMOVE_THIS-NO_SPAM--stu.uk.com)
Date: 09/21/04
- Next message: Az SH: "ISA2004 - Site to site IPSec VPN"
- Previous message: Werner De Kuyffer: "TCP/IP printing"
- In reply to: Miss Boyd: "Re: Configure ISA to allow ISA Server to make external FTP Connect"
- Next in thread: Miss Boyd: "Re: Configure ISA to allow ISA Server to make external FTP Connect"
- Reply: Miss Boyd: "Re: Configure ISA to allow ISA Server to make external FTP Connect"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 21 Sep 2004 12:30:03 +0100
Hi Catherine. I've answered in-line below:
> How is ISA installed - Firewall mode, Cache Mode or Integrated ?
You can check this by opening the ISA Management console, right click on
your Server name and select properties, Installation mode is listed at the
bottom. I would have thought they will have installed ISA in Integrated
mode.
> Erm, pass, I don't know! I paid a company to set it up! Rang them they said
> ask you guys!
Not very impressed with that :( That's not exactly helpful considering they
installed it.
Do you know whether they installed the ISA Client on your workstations ? In
an ISA environment your workstations can be of three different types of
client, as well as being all three at the same time. The three client types
are SecureNAT client, firewall client and web proxy client. Each client
type provides its own features and can be of all three or of any
combination. The link below has an explanation of each client type and the
differences, but we'll get your problem resolved first so don't worry about
this for the time being. If you can check whether your workstations have
the ISA client installed we need to know that.
http://www.microsoft.com/technet/Security/prodtech/isa/isafp1/isasct.mspx
I suspect this company has configured your workstations as SecureNAT and web
proxy clients, and has not installed the firewall client to your
workstations. This means that the workstation has the proxy server details
configured in Internet Explorer, and the workstation uses the Proxy server
as the gateway for its network connection. If you load your ISA Management
console, expand Access Policy, select
Protocol Rules, there should be rules configured on the right hand side. I
need to know what rules they have configured, and what they have configured
them to do to be able to help you adjust the settings.
As a temporary solution to alleviate your problems you could create a rule
specifically to allow FTP access until you can understand how this company
has configured your network. To do this while you're still in the Protocol
Rules folder, right click on 'Protocol Rules' and select New then select
Rule. Enter the name 'FTP Access', press next twice, from the drop down box
select Selected Protocols. In the protocols list go down and select FTP,
then click next three times, then click finish. Once you create the rule,
try and access an FTP site from a workstation (not the proxy server).
The above rule will allow FTP traffic from SecureNAT clients, i.e. any
computer on your network passing through ISA Server as a gateway will be
able to make FTP connections. One of the advantages of having the ISA
Client Firewall installed on your workstations is that you can apply this
rule to certain users or user groups in Active Directory, i.e. it's unlikely
you want your pupils to be accessing FTP servers. If the ISA client
firewall is installed the users would be authenticated and you could allow
access to yourself and teachers but not pupils. This is something that your
installation company should have discussed with you to work out what your
network requirements would be. In the long term you probably do not want to
allow everyone access to FTP on your network.
> Have you made any changes to the default configuration of ISA ?
>
> Don't think so, I haven't touched it, I only found out FTP didn't work when a
> teacher approached me. I have added the FTP out and FTP in protocols like
> mentions somewhere on the internet but to no avail. Also tried disabling the
> FTP filter then re-enabling it, also to no avail!
I think you've probably enabled the FTP Packet Filters. IP Packet Filters
control packets allowed to enter and leave your server but do not affect
internal clients, i.e. if you have an application running on your server
which requires internet access (e.g. Anti-Virus download via FTP), or
hosting a service (e.g. SMTP mail), you would configure IP Packet Filters to
allow this data to pass through. Internet access for internal clients is
controlled via Protocol Rules and Publishing Rules.
> It's just the clients, I can use FTP on the proxy, it's weird!
You can access FTP on the proxy because you have enabled the FTP Packet
Filters above. If you don't require FTP access on the proxy I would suggest
you disable the FTP Packet Filters again for security.
To do this open the ISA Management console, expand Access Policy, select IP
Packet Filters. Scroll down the right side view until you get to FTP 20 and
21 entries. If these are settings you enabled earlier disable them.
> I hate computers! did the wrong degree I think!
Hehe don't say that :) Did you finish your degree recently ? I've written
this quickly, so no marking me down for any punctuation errors :)
-- Hth, Stuart Mackie [MCP, MSP] www.stu.uk.com