Re: FTP through ISA 2004



Jim

I did that and here are the two log entries that I get

1:
Denied Connection VEC-DCX 2/18/2009 10:30:31 AM
Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request.
Access to the Web Proxy service is denied.
Rule:
Source: ( 192.168.2.181:0)
Destination: ( 192.168.2.233:21)
Request: GET ftp://ftp.hsilaser.com/
Filter information: Req ID: 07e4d47e
Protocol: ftp
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Object source: Processing time: 1
Cache info: 0x0 MIME type:

2:
Failed Connection Attempt VEC-DCX 2/18/2009 10:30:32 AM
Log type: Web Proxy (Forward)
Status:
Rule: SBS Internet Access Rule
Source: Internal ( 192.168.2.181:0)
Destination: External ( 209.44.48.153:21)
Request: GET ftp://ftp.hsilaser.com/
Filter information: Req ID: 07e4d47f
Protocol: ftp
User: VICEC\janiep
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Object source: Internet Processing time: 297
Cache info: 0x4 MIME type:

It seems to be failing while trying to connect at first to the localhost
with anonymous.

"Jim Behning SBS MVP" wrote:

Disable any rules you made. Now do the right click SBS Internet Access
Rule to remove read only checkbox. Apply and test. I like to use real
FTP clients. I have Whiz FTP on my box and it works well for the price
of free. It has some logging stuff so you can see if or why things are
failing. You can also use Wireshark to look at the workstation network
conversation. Workstation has to have the firewall client installed.

I start with using www.opendns.com to restrict the sites that
everyone can go to. At practically every site I work with there are
categories of web sites people do not need to go to do their jobs.

In ISA you can use two rules to get your network under control. One
rule that applies to some staff (make a group) that denies them
internet access except to certain web sites. Note that rules get
applied from lowest number to highest. If you put one of your own
rules down low it may trash your network so I put my Ban MP3 and M4a
rule just above the SBS Internet Access Rule. Same for the other rules
I may use.

I have had CAD programs that needed some silly anonymous access to
work. It would go out and look for updates before it fully started. I
had to make a rule to let the workstations go to that specific site.

Start with the basics and a real ftp client. Post back results.

On Wed, 18 Feb 2009 04:33:01 -0800, chris landman
<chrislandman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

That is really not an option because we also want to limit certain people to
certain sites. I also tried what you said and it did not allow them out.

Do you have any idea of what would be stopping them from FTP'ing out?

"Jim Behning SBS MVP" wrote:

If you want to restrict internet access just yank people out of the
group.

On Tue, 17 Feb 2009 15:45:00 -0800, chris landman
<chrislandman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

We have that rule disabled. We are trying to limit internet access. This
ftp site pops up a login screen, could it be something with that? I think it
might either be sending anonymous or the user credentials. I see some issues
that talk about this online, but have not found anything that fixes it. The
site is ftp://ftp.hsilaser.com



"Jim Behning SBS MVP" wrote:

All I ever do is right click the next to last rule which is something
like SBS internet rule or something like that. Configure FTP. Uncheck
the read only box and apply.

On Tue, 17 Feb 2009 12:57:02 -0800, chris landman
<chrislandman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:


Yes. The machine has the firewall client installed on it and it is trying to
FTP out to a site that is not located inside the network. So it is passing
through the ISA (inside to outside).


"Ain'tSoBad" wrote:

OK let me see if I understand this. You are trying to FTP out from a client
site that has SBS 2003 and ISA 2004 running on their network? Clear the air
please.


"chris landman" <chrislandman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:41574F44-4A04-461E-A030-87FB3C0A6520@xxxxxxxxxxxxxxxx
I am trying to FTP out from a firewall client inside a SBS2003 with ISA2004
network. Normally the user would type the ftp address in IE and it would
then prompt for a user and password. It will not work now that ISA has been
put into place. I get the following error on the client:

Error Code: 502 Proxy Error. The login request was denied. The logon
account might have been disabled or logon information might have changed.
Log on again to verify that the information was typed correctly. If the
problem continues, report the problem to the administrator of the Internet
server you are requesting. (12015)

I have a rule set up to allow FTP to that site and I have unchecked the
read only in configure FTP when I right click the rule. I have even added
FTP Server protocol and tried the ftp://user:password@fqdn.

Please help.



See what SBS support is working on
http://blogs.technet.com/sbs/default.aspx
Check your SBS with the SBS Best Practices Analyzer
http://blogs.technet.com/sbs/archive/tags/BPA/default.aspx
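
As an added example (not part of the thread and not Microsoft tooling), the sketch below parses log details pasted in the format shown in the post and, for each anonymous request denied with status 12209, returns the next entry from the same client for the same request that carries a named user, so the rule and destination of that follow-up attempt can be checked. The function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: the two entries from the post, cut down to the fields
# used below (empty fields dropped).
SAMPLE = r"""
1:
Denied Connection VEC-DCX 2/18/2009 10:30:31 AM
Status: 12209 The ISA Server requires authorization to fulfill the request.
Source: ( 192.168.2.181:0)
Destination: ( 192.168.2.233:21)
Request: GET ftp://ftp.hsilaser.com/
User: anonymous
2:
Failed Connection Attempt VEC-DCX 2/18/2009 10:30:32 AM
Rule: SBS Internet Access Rule
Source: Internal ( 192.168.2.181:0)
Destination: External ( 209.44.48.153:21)
Request: GET ftp://ftp.hsilaser.com/
User: VICEC\janiep
"""
IP = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+")

def parse_entries(text):
    """Split pasted log details on the 'N:' markers and read the 'Key: value' lines."""
    entries = []
    for chunk in re.split(r"(?m)^\d+:[ \t]*$", text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        head = re.match(r"(.+?) \S+ \d+/\d+/\d+ ", lines[0]) if lines else None
        if not head:
            continue  # not an entry headline ("<action> <server> <date> <time>")
        f = {k.strip(): v.strip() for k, v in
             (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
        code = re.match(r"\d+", f.get("Status", ""))
        src, dst = IP.search(f.get("Source", "")), IP.search(f.get("Destination", ""))
        entries.append({"action": head.group(1), "status": int(code.group()) if code else None,
                        "rule": f.get("Rule", ""), "user": f.get("User", ""),
                        "request": f.get("Request", ""),
                        "client": src.group(1) if src else "", "dest": dst.group(1) if dst else ""})
    return entries

def retries_after_challenge(entries):
    """Return the named-user entry following each anonymous 12209 denial (same client, same request)."""
    out = []
    for i, e in enumerate(entries):
        if e["status"] == 12209 and e["user"].lower() == "anonymous":
            nxt = next((x for x in entries[i + 1:] if x["user"].lower() != "anonymous"
                        and (x["client"], x["request"]) == (e["client"], e["request"])), None)
            if nxt:
                out.append(nxt)
    return out
```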
