Re: ISA 2004 and FTP problems - Problem Fixed after much trial and error

Thanks for the feedback Tony, sharing is always appreciated.

But I have a question for you, though: are you sure that only enabling the
FTP application filter, without adding port 20 (outbound) to the protocol
definition, does not work? Altering the protocol definition that way doesn't
make much sense to me... In active FTP mode the 'data' channel actually
originates from port 20 on server, and goes to a high-port on the client...
so this would be an inbound channel in the protocol definition, not
outbound.

Virgil




"Tony Phillips" <tphillips@xxxxxxxxxxxxxxxxx> wrote in message
news:v0tfd1ptf7381dcnldpevqisv1j863im9r@xxxxxxxxxx
>I am finding out that ISA 2004 is very particular on how
> Access Rules with ports are defined. Below is what I tried
> and what actually worked.
>
> The first rule that I defined that allowed Passive FTP Transfers
> contained FTP and an FTP Server Protocols which were
> already predefined by ISA. The FTP protocol comes predfined
> with only TCP port 21 Outbound defined. I had to add TCP
> port 20 outbound to the FTP protocol definition to get it to work
> in Passive mode.
>
> Taking out the TCP port 20 outbound and defining it as a secondary
> connection did not work at all either. I received a Error 550 Access
> Denied after re-configuring the FTP port ranges.
>
> After much more trial an error, I deleted out my FTP Access Rule,
> Went into the predefined FTP protocol definintion and changed
> the protocol range from TCP port 21 through 21 outbound to
> TCP port range 20-21 outbound. This access rule is from Internal
> Network to External Network. The FTP Filter must also be enabled
> for the protocol definition or you will still get a 550 Access Denied
> Message when attempting to transfer files.
>
> Apparently ISA 2004 is very picky when it comes to how ports and
> ranges are defined.
>
> Hope this information helps save others some of the aggravation
> that I have expereinced over the last few days.
>
> Tony Phillips
>
>
>
>
> On Fri, 15 Jul 2005 11:37:10 -0400, "ZVR" <nospamever@xxxxxx> wrote:
>
>>I'm not sure if this will fix your problem but it's worth trying... It
>>might
>>be related to the FTP application filter being enabled or disabled... Try
>>this:
>>-open your FTP access rule
>>-in the Protocols tab, select the FTP protocol then click Edit
>>-under Parameters/Application Filters, make sure the FTP Access Filter is
>>checked (or, I guess, if it is already checked try unckecking it)
>>-save the rule
>>-if you enabled the FTP filter, after you save the rule right click on it,
>>and choose "Configure FTP", then uncheck the "read-only" option so that
>>you
>>can upload files
>>-apply the new config and give it a try.
>>
>>Note that if you want to use the FTP filter it also has to be enabled
>>under
>>Configuration/Add-ins; a default installation of ISA 2004 enables that
>>filter.
>>
>>Good luck, and let us know if it worked and if yes, what setting did work.
>>
>>
>>
>>"Tony Phillips" <tphillips@xxxxxxxxxxxxxxxxx> wrote in message
>>news:97dfd1hcabkm4cvbccbvlr8nb6un8ceog1@xxxxxxxxxx
>>> After defining the FTP Protocol in ISA 2004
>>> we can only connect to FTP Servers on
>>> the internet in PASSIVE MODE. Is there a way
>>> to configure ISA 2004 so we can connect to
>>> these FTP Sites direct (non passive mode).
>>>
>>>
>>> The problem were having is that we have some
>>> automated processes on a Unix Server that
>>> FTP's to an internet site and then uploads
>>> some files. After installing ISA 2004 these
>>> processes no longer work and it will require
>>> some custom programming to fix. I would like
>>> to avoid this at all costs.
>>>
>>> any help in confifuring FTP on ISA 2004
>>> would be greatly appreciated.
>>>
>>> Thanks,
>>>
>>> Tony Phillips
>>
>


.

Relevant Pages

  • Re: FTP Access ISA Server
    ... To allow the ISA server to download some stuff via FTP protocol, ... Local port: Dynamic ... My virus definitions come in via a FTP download. ...
    (microsoft.public.isa)
  • Re: Ive thought better of Linux
    ... OTOH the ftp spec is a royal PITA. ... >> The FTP protocol specification does seem overly complex in today's ... Yes, that is a royal pain, but in context, the firewall and security ...
    (comp.lang.lisp)
  • Re: What does this indicate? (LONG)
    ... FTP File Transfer Protocol A client-server ... protocol which allows a user on one computer to transfer files to and from ... > The firewall has blocked Internet access to your computer (TCP Port ...
    (comp.security.firewalls)
  • RE: Winnt/Win2k Vuln ?
    ... specifying the underlying protocol, ... expect file system requests to be carried over the web. ... And you should need a separate client for FTP. ... A web BROWSER, also by definition, BROWSES the web. ...
    (Vuln-Dev)
  • Re: Does OpenSSH use RCP?
    ... It's not "if I want to", it's rtfrfc: show me separate protocol ... I didn't say FTP was ugly, I said lack of another layer between ... >> One connection - one application model doesn't work, ... Same as FTP: multiple connections per session. ...
    (comp.security.unix)
Loading