Re: Determining the FTP culprit




"Jim in Cleveland" <JiminCleveland@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:9D29B4ED-26BC-4BDE-9AFE-FAEA20305A24@xxxxxxxxxxxxxxxx
We have ISA 2004 on a Windows Server 2003 box. A few times this month (once every other week) our ISP has told us that they had complaints that a node on our network is doing an "unauthorized scan or probe" of port 23 on another distant network.

Why are you asking about FTP? Port 23 is Telnet, not FTP.

This happens in the middle of the night on different days of the week although most have happened on a Saturday night/Sunday morning. The report says it is coming from our Firewall server's IP. But since everything runs thru our Firewall it can be a node on the internal network too, is this correct?

Can be any host on the LAN.

Can I create an access rule that would deny FTP outbound traffic except for certain nodes?

Yes, but since this isn't about FTP,...you need to deal with Telnet.

Is there a report or alert or logging I can run that would narrow down FTP traffic coming from our network and that would narrow down the guilty node? If so, how can I set this up?

1. Don't have "wide open" rules that allow users to do whatever they want
and none of this would even happen.

2. The monitoring is "basic 1-2-3" stuff. Use the monitoring Log to locate connections (or attempts) made to the destination IP# during the particular time frame.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
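
The log search described in point 2 of the reply, as an added example that is not part of the original post: it filters an exported firewall log by destination, port 23 and time window, then counts hits per internal source and the rule that matched. It generalizes the single destination IP to a destination network, since the complaint concerns a scan; the column names, action strings, rule names and sample rows are constructed assumptions.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample export (tab-delimited, W3C-style). Column names, action
# strings, rule names and the ip:port layout are assumptions, not taken from
# the post; use the names from your own log's #Fields header.
SAMPLE_LOG = "\n".join([
    "#Fields: date\ttime\tsource\tdestination\taction\trule",
    "2006-03-05\t02:14:07\t10.0.0.23:1188\t203.0.113.40:23\tInitiated Connection\tAll Outbound",
    "2006-03-05\t02:14:08\t10.0.0.23:1189\t203.0.113.41:23\tInitiated Connection\tAll Outbound",
    "2006-03-05\t02:14:09\t10.0.0.51:3301\t198.51.100.7:80\tInitiated Connection\tAll Outbound",
    "2006-03-05\t02:15:30\t10.0.0.23:1190\t203.0.113.42:23\tDenied Connection\tDefault rule",
    "2006-03-05\t14:30:00\t10.0.0.12:2044\t203.0.113.40:23\tInitiated Connection\tAll Outbound",
])

def find_sources(log_text, dest_net, dest_port, start, end):
    """Count hits per (internal source, action, rule) to dest_net:dest_port in [start, end]."""
    net = ipaddress.ip_network(dest_net)
    fields, hits = None, Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order comes from the log's own header, not a hard-coded list.
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split("\t")))
        when = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        dst_ip, _, dst_port = row["destination"].rpartition(":")
        if not (start <= when <= end) or dst_port != str(dest_port):
            continue
        if ipaddress.ip_address(dst_ip) in net:
            src_ip = row["source"].rpartition(":")[0]
            hits[(src_ip, row["action"], row["rule"])] += 1
    return hits

if __name__ == "__main__":
    window = (datetime(2006, 3, 5, 2, 0), datetime(2006, 3, 5, 3, 0))
    found = find_sources(SAMPLE_LOG, "203.0.113.0/24", 23, *window)
    for (src, action, rule), n in found.most_common():
        print(f"{src}\t{n}\t{action}\t{rule}")
```

The rule column in the output shows which access rule let the Telnet traffic out, which is the rule to tighten.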

