Re: ISA 2004 - FTP allowed, then denied on "unidentified IP traffic"
Please find my inline comments.

"InfoVision" <infovision1@xxxxxxxxx> wrote in message
news:1138213490.241685.99950@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> My customer has a nicely organized ISA 2004 Firewall Policy.
>
> FTP Access is allowed from Localhost and All Protected Networks to
> External.
>
> FTP is not set to read-only.
>
> FTP Access Filter is enabled, though I have tried it with and without
> this selection.
>
> My troubleshooting has been from the ISA server itself, with IE proxy
> settings tested with fields configured and blank, passive FTP on and
> off, Folder View FTP on and off.
>
> Browser shows a connection to FTP site, can view the FTP SERVER WELCOME
> MESSAGE, but it hangs, eventually timing out. ISA log shows initial
> connection on port 21, then subsequent denial on "unidentified IP
> traffic" - the ports are all over the map, sometimes in the 6000 range,
> sometimes 9000.
This behavior is most likely because of a disabled FTP access filter.

>
> ISA help says "The FTP access filter dynamically opens specific ports
> for the secondary connection, but the protocol definition opens a range
> of secondary ports"; I assume that is what these are, and they should
> not require additional rules...anyway, they vary, so I'd be chasing a
> ghost.
>
> Same behavior in TELNET FTP...can connect, not list or PUT or GET.
What is "telnet ftp"? Did you mean the ftp.exe command line utility? If so, it
requires the FTP access filter up and running, just like IE or any other ftp
client.

> ISA is behind a managed telecom router, could it be affecting the port
> traffic coming back in ?
Yes, it is. I've faced some cases where an upstream router blocks PORT mode ftp
connections. I've never seen a situation where PASV ftp connections were
blocked.

A couple of thoughts:
- Never perform any connectivity testing from the ISA server itself. Always
check the connectivity from within the same network as the rest of the clients
belong to. There are several reasons for that. First, the access policy for
local host and internal networks could be (or even should be, for security
considerations) much different. Second, you have no way to configure the ISA
server as a firewall client to itself; it dramatically reduces the ISA server's
capability to follow the majority of authenticating access policies.
- Never use IE as an FTP client. It's just a mess. ftp.exe is also limited to
PORT mode ftp connections only. Take one of the plenty of FTP clients, either
commercial or freeware, available out there. Personally I'm using the FAR
Manager utility's FTP plugin.
- Is your FTP access allow rule anonymous? If so, do any access policies
before this (in order of processing) require authentication? Any anonymous
access rules should precede all the rules requiring authentication. If your
FTP access rule requires user authentication as well, you should install and
configure the firewall client software on the client host.

> Thanks
> Jon Epstein, MSCA / MSCE
> InfoVision, Inc.
> Charlotte, NC
>

Regards,
Andrew
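The "secondary connection" the thread is circling around is negotiated on the FTP control channel, and the difference between PORT and PASV mode decides who has to open it. As an added example (not from the original posts), this parses a constructed control-channel fragment and reports, for each data connection, the endpoint and which side initiates it; the session text and addresses are made up for illustration.

```python
import re

# Constructed control-channel fragment (not from the thread): the client first
# tries PORT (active) mode, then PASV (passive) mode against the same server.
SESSION = """\
220 FTP server ready
USER anonymous
331 Anonymous login ok, send e-mail as password
PASS guest@example.com
230 Login successful
PORT 10,0,0,25,23,112
200 PORT command successful
LIST
PASV
227 Entering Passive Mode (203,0,113,10,35,40).
RETR file.txt
"""

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _endpoint(groups):
    """Turn the six comma-separated numbers into (ip, port); port = hi*256 + lo."""
    a, b, c, d, hi, lo = (int(g) for g in groups)
    return f"{a}.{b}.{c}.{d}", hi * 256 + lo


def data_channels(session):
    """Return the secondary (data) connections negotiated on the control channel.

    Active (PORT) mode: the *server* connects back to a client-chosen high port,
    so a stateless upstream router sees an unsolicited inbound connection on an
    arbitrary port (the "unidentified IP traffic" symptom in the thread).
    Passive (PASV) mode: the *client* connects outbound to a server-chosen port,
    which an FTP-aware filter such as ISA's FTP access filter opens on the fly.
    """
    channels = []
    for line in session.splitlines():
        m = PORT_RE.match(line)
        if m:
            ip, port = _endpoint(m.groups())
            channels.append({"mode": "active", "initiator": "server",
                             "dest_ip": ip, "dest_port": port})
            continue
        m = PASV_RE.match(line)
        if m:
            ip, port = _endpoint(m.groups())
            channels.append({"mode": "passive", "initiator": "client",
                             "dest_ip": ip, "dest_port": port})
    return channels


if __name__ == "__main__":
    for ch in data_channels(SESSION):
        print(ch)
```

Run it against a real control-channel capture (with the session text swapped in) to see which ports the firewall has to open dynamically, and in which direction.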

