Re: SBS 2003 ISA proxy for FTP fails
From: Steve Foster [SBS MVP] (steve.foster_at_picamar.co.uk)
Date: 08/16/04
- Next message: Bruno GUERPILLON: "Re: Web Proxy does not start"
- Previous message: Antonin Koudelka: "Re: Web Proxy does not start"
- In reply to: David Barnes: "Re: SBS 2003 ISA proxy for FTP fails"
- Next in thread: David Barnes: "Re: SBS 2003 ISA proxy for FTP fails"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 16 Aug 2004 05:58:52 -0700
David Barnes wrote:
> Steve,
> Many thanks for looking into this..
> Bearing in mind that this is SBS 2003 and things come 'pre
> configured' and you need to use wizards to enable anything. Is there
> some wizard or setup bit that I've missed?
> Will re-running the CEICW wizard undo any settings I set?
Rerunning the CEICW will disable any Access Policy elements you
manually create (i.e. S&C Rules, Protocol Rules, Packet Filters). It
won't do anything to any of the components within Policy Elements
(Protocol Defn's, Client Sets, etc.).
>
> Not being an ISA wiz I do need some pointers on what you suggest.
> 3. I assume this is done in IE. What setting needs to be tweaked?
> Can I set this as a domain policy, rather than visit 35 workstations?
Yes, you can set this in IE. It's under Tools > Internet Options >
Advanced "Use Passive FTP (for firewall and DSL modem compatibility)".
You _should_ be able to set this via GPO, but I don't have any
specifics. Manipulating IE through GPO always seems to work out harder
than it ought to.
> 4. I never have really got my head round ISA. Read the book, done the
> course,
> still don't understand it.
>
> My understanding was that IE was port mode unless you set the PASV
> setting in advanced.
> This would give you
> Client                       Server
> >1023 --------control------> 21
> >1023 <-------data---------  20
> Note: I'm only representing the 'initial connect' here, and hence
> what goes in the 'filter'
>
> For PASV mode:
> Port 20 is not used and the local client has to be able to connect a
> local dynamic port to a remote dynamic port. (well the proxy has to do
> this)
> Client                       Server
> >1023 --------control------> 21
> >1023 -------data--------->  >1023
> Note: I'm only representing the 'initial connect' here, and hence
> what goes in the 'filter'
>
> I thought I had enabled the filters for active mode and setup one to
> cover the PASV secondary connection.
> SBS comes with some ftp filters pre-defined but disabled. Are these
> the correct ones to use?
> Have I set these up correctly? What should the filters be set like?
> Is there a 'pre configured' rule set that I need to turn on? Where do
> I set these and what should be in them?
> What else do I need to do?
The default FTP protocol definitions don't deal with the active element
on port 20. So you need to create your own, that has the primary
connection on TCP/21 (like the predefined protocols), and a Secondary
Connection of TCP/20/Inbound. Then add a Protocol Rule to Allow your
new Protocol for Any Request.
The packet filters that are defined are for the server itself, and also
apply to clients where the firewall client is installed.
> I suppose a better question would be:
>
> What do I need to do to 'out of the tin' SBS 2003 Premium to enable
> FTP (Read) proxy access for non-Windows clients (e.g. Apple Mac, Unix)
> and Windows clients without the firewall client installed?
See above.
--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft.
Please reply only to the newsgroups.
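
The active and passive data connections discussed in this thread, as an added example that is not part of the original posts: it parses the FTP control-channel lines that negotiate the secondary connection (RFC 959 `PORT` and the `227` reply) and reports which side initiates it and in which direction it crosses the client-side firewall. The function names and the sample addresses are constructed for illustration.

```python
import re

# Constructed control-channel lines; addresses are documentation ranges.
SAMPLE_ACTIVE = "PORT 192,0,2,10,19,137"                            # client -> server
SAMPLE_PASSIVE = "227 Entering Passive Mode (198,51,100,5,195,80)"  # server -> client

# h1,h2,h3,h4,p1,p2 : four address octets followed by two port octets.
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_connection(control_line, client_ip, server_ip):
    """Describe the secondary (data) connection that a control line sets up.

    Direction is given from the point of view of the client-side firewall.
    Returns None for lines that do not negotiate a data connection.
    """
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        hp, expected = parse_hostport(line[5:]), client_ip
        # Active: the server connects back from TCP/20 to the advertised port.
        mode, direction, src = "active", "inbound", (server_ip, 20)
    elif line.startswith("227"):
        hp, expected = parse_hostport(line[3:]), server_ip
        # Passive: the client opens a second outbound connection from a
        # dynamic port (None here) to the port the server advertised.
        mode, direction, src = "passive", "outbound", (client_ip, None)
    else:
        return None
    if hp is None:
        return None
    # If the advertised address is not the control-channel peer, the data
    # connection would involve a third host; a filter should refuse it.
    return {"mode": mode, "direction": direction, "src": src, "dst": hp,
            "addr_matches_peer": hp[0] == expected}


if __name__ == "__main__":
    for sample in (SAMPLE_ACTIVE, SAMPLE_PASSIVE):
        print(data_connection(sample, "192.0.2.10", "198.51.100.5"))
```

The active case yields an inbound connection from server port 20, which is the Secondary Connection of TCP/20/Inbound described in the reply; the passive case needs only a second outbound connection.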