Re: Cannot access an external SFTP site from behind SBS 2003 R2/ISA 2004! HELP!!!
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Thu, 05 Apr 2007 03:19:25 GMT
Hello CaSsle,
Thank you for your kind update.
Based on my further research, using SFTP in Explicit mode goes over port 21,
so this will be affected by the FTP Filter. We do not support SFTP with our
built-in FTP filter as the commands are encrypted.
You can disable the FTP filter and that works for SFTP, but that may cause
normal FTP to fail.
I suggest we try the following steps to see if we can work around this issue:

1. Please open the ISA management console, navigate to Firewall Policy,
right-click "Firewall Policy" and click New->Access Rule, then create a new
access rule as follows:
   Rule name: FTP access
   Rule Action: Allow
   Protocols: FTP
   Sources: Internal
   Destination: External
   User Sets: All Users
Then move this rule just above the SBS Internet access rule.

2. Please open the ISA management console, navigate to Firewall Policy,
right-click "Firewall Policy" and click New->Access Rule, then create a new
access rule as follows:
   Rule name: SFTP access
   Rule Action: Allow
   Protocols: 22 (outbound)
   Sources: Internal
   Destination: External
   User Sets: All Users
Then move this rule just above the FTP access rule and click Apply to save all
the settings.

3. Install the ISA firewall client on workstations:
On each workstation, please access \\SBSServerName\mspclnt\, then run
setup.exe.

If the issue persists, we only have to disable the FTP filter to test this
issue:
Please open the ISA management console, navigate to Firewall Policy, select
the Toolbox tab in the right pane, expand Protocols -> All Protocols -> FTP.
Double-click FTP, select the Parameters tab, do not tick FTP Access Filter,
click OK.
Hope these steps will give you some help.
Thanks and have a nice day!
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "cassandramiller@xxxxxxxxxx" <cassandramiller@xxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: Cannot access an external SFTP site from behind SBS 2003 R2/ISA 2004! HELP!!!
| Date: 4 Apr 2007 16:29:06 -0700
|
| On Apr 4, 2:15 am, v-ter...@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
| wrote:
| > Hello CaSsIe,
| >
| > Thank you for your kind update. And thanks for Merv's input.
| >
| > By default, ISA 2004 only allows SSL ports 443 and 563 to go through it.
| > As far as I know, sFTP usually uses SSL port 22. Of course, the port number
| > depends on the configuration of your FTP server. If you want ISA to allow
| > other SSL ports to go through it, please run the following VBScript on the
| > ISA 2004 server:
| >
| > To add a tunnel port range with Microsoft Internet Security and
| > Acceleration (ISA) Server 2004, this VBScript script will add port 22:
| >
| > ' Add port 22 to the ISA 2004 Web Proxy tunnel port ranges
| > Dim root
| > Dim tpRanges
| > Dim newRange
| > Set root = CreateObject("FPC.Root")
| > Set tpRanges = root.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges
| > Set newRange = tpRanges.AddRange("SSL 22", 22, 22)
| > ' Save the new range to the ISA configuration
| > tpRanges.Save
| >
| > There is a KB article that gives details about adding an SSL port on ISA by
| > running VBScripts:
| >
| > Blank page or page cannot be displayed when you view SSL sites through ISA
| > Server
| > http://support.microsoft.com/kb/283284/en-us
| >
| > If you do not want to run the VBScripts on the above page, there are some
| > third-party software tools that will meet your requirement.
| >
| > Please download ISA Trpe from the following link; it is a small GUI tool.
| > Install it, then run it on your ISA server. It makes it easy to add an
| > SSL port.
| >
| > http://www.isatools.org/tools/ISAtrpe.zip
| >
| > Note: there is a readme.txt file in the package; please read it first.
| >
| > ================================
| > Warning: This response contains a reference to a third party World Wide
| > Web site. Microsoft is providing this information as a convenience to you.
| > Microsoft does not control these sites and has not tested any software or
| > information found on these sites; therefore, Microsoft cannot make any
| > representations regarding the quality, safety, or suitability of any
| > software or information found there. There are inherent dangers in the
| > use of any software found on the Internet, and Microsoft cautions you to
| > make sure that you completely understand the risk before retrieving any
| > software from the Internet.
| > ================================
| >
| > Hope info above will give you some help.
| >
| > Thank you and have a nice day.
| >
| > Best regards,
| >
| > Terence Liu(MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | From: "cassandramil...@xxxxxxxxxx" <cassandramil...@xxxxxxxxxx>
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | Subject: Re: Cannot access an external SFTP site from behind SBS 2003
| > R2/ISA 2004! HELP!!!
| > | Date: 3 Apr 2007 20:01:10 -0700
| > |
| > | Hi Merv,
| > |
| > | Thanks for the post. However, I've already unchecked the read only
| > | settings in ISA. The problem is not with accessing FTP sites, but
| > | rather with SFTP sites. ISA seems to block access and I don't know how
| > | to allow access from an internal workstation to an external SFTP
| > | site.
| > |
| > | Any further ideas?
| > |
| > | **H&K**
| > |
| > | ~CaSsIe~
| > |
| > | Merv Porter [SBS-MVP] wrote:
| > | > Any help here?
| > | >
| > | > FTP and ISA 2004
| > | > http://msmvps.com/blogs/kwsupport/archive/2005/06/02/50299.aspx
| > | >
| > | > --
| > | > Merv Porter [SBS-MVP]
| > | > ============================
| > | >
| > | > <cassandramil...@xxxxxxxxxx> wrote in message
| > | > news:1175643688.617392.10370@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| > | > > Hi all,
| > | > >
| > | > > I am having serious trouble getting access to an external SFTP site
| > | > > from behind SBS 2003 R2 running ISA 2004. I have set up CuteFTP on the
| > | > > workstation, entered the proper SFTP information for the external sftp
| > | > > site, but it cannot establish a connection. I suspect it has to do
| > | > > with ISA 2004, but I have no idea where to troubleshoot. I have no
| > | > > problem establishing a connection to regular FTP sites from the
| > | > > workstation, it's just with SFTP sites. If anyone has any suggestions
| > | > > it would be greatly appreciated!
| > | > >
| > | > > Help!!!
| > | > >
| > | > > **H&K**
| > | > >
| > | > > ~CaSsIe~
| > | > >
| > |
| > |
| Hi Terence,
| Thank you for the reply! I followed your instructions and it still
| didn't work. Whenever I try to use CuteFTP to connect to the external
| SFTP website, I get an error message in ISA 2004 that says the
| following:
| Destination Port: 22
| Protocol: SSH
| Action: Denied Connection
| Rule: SBS Internet Access Rule
| I checked the SBS Internet Access Rule and it appears to allow
| everything to pass through. But obviously not SSH through Port 22. Any
| idea how to fix this?
| **H&K**
| ~CaSsIe~
|
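
The ISA log quoted above reports SSH on port 22, while the rules in this thread treat FTP and port 22 separately. As an added example (not part of the original posts), this Python script reads a server's greeting and classifies it, so the right rule or filter can be checked. The function names, the `ADVICE` wording and the sample greetings are assumptions made for illustration.

```python
import socket
import sys

# What each greeting implies for the ISA rules discussed in this thread
# (wording is this example's own, not ISA output).
ADVICE = {
    "ssh": "SSH (SFTP runs inside it): needs an outbound TCP rule for this port",
    "ftp": "FTP control channel: subject to the FTP protocol's FTP Access Filter",
    "unknown": "unrecognised greeting: inspect the raw bytes",
}

def classify_banner(banner: bytes) -> str:
    """Classify the first bytes a server sends as 'ssh', 'ftp' or 'unknown'."""
    lines = [ln.strip() for ln in banner.splitlines()]
    # RFC 4253 lets a server send other lines before its "SSH-" identification.
    if any(ln.startswith(b"SSH-") for ln in lines):
        return "ssh"
    # FTP greets with reply code 220 (SMTP does too; an FTP port is assumed here).
    if lines and lines[0][:3] == b"220":
        return "ftp"
    return "unknown"

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect outbound and classify the greeting, or report why none was read."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes timeouts
        return "no-connection"
    with sock:
        try:
            return classify_banner(sock.recv(256))
        except OSError:
            return "connected-no-banner"

if __name__ == "__main__":
    if len(sys.argv) == 3:
        result = probe(sys.argv[1], int(sys.argv[2]))
        print(result, "-", ADVICE.get(result, "no greeting was read"))
    else:
        # Constructed sample greetings, so the script also runs offline.
        for sample in (b"SSH-2.0-ExampleServer_1.0\r\n", b"220 Example FTP ready\r\n"):
            kind = classify_banner(sample)
            print(sample, "->", kind, "-", ADVICE[kind])
```

Run it from a workstation behind ISA with the remote host and port as arguments; run without arguments it classifies the two constructed greetings only.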