Re: FTP access via ISA(proxy)

From: David Barnes (david_at_nospam-bitsolve.com)
Date: 07/28/04


Date: Wed, 28 Jul 2021 20:23:50 GMT

I agree.. It is odd..
The funny thing is I personally have Proxy 2.0 and can FTP via that.. it
works beautifully (once I'd sorted out the packet filters).
I never have really got my head round ISA, Read the book, done the course,
still don't understand it..

My understanding was that IE was port mode unless you set the PASV setting
in advanced.
This would give you

    Client                              Server
    >1023    --------control------>     21
    >1023    <-------data---------      20

Note: I'm only representing the 'initial connect' here, and hence what goes
in the 'filter'

For PASV mode:
Port 20 is not used and the local client has to be able to connect a local
dynamic port to a remote dynamic port (well, the proxy has to do this).

    Client                              Server
    >1023    --------control------>     21
    >1023    -------data--------->      >1023

Note: I'm only representing the 'initial connect' here, and hence what goes
in the 'filter'

"Tony Su" <anonymous@discussions.microsoft.com> wrote in message
news:5d9701c474c8$a85cc5f0$a601280a@phx.gbl...
> David,
>
> First, regarding the fix you discovered...
> When you're configuring access for an application running
> on the ISA box itself, the application will naturally
> attempt to use Network Properties settings and connect
> through the WAN interface. Since Packet Filtering is the
> only barrier blocking on the WAN interface, your solution
> works but bypasses all other ISA functionality.
>
> If your application is Proxy aware, then you can point the
> application to your LAN interface instead where the
> application will be seen by ISA like any other LAN Host
> client and utilize the Web Proxy Service, applying a
> number of filters and better protection.
>
> Note though that the IE browser FTP (and similar
> applications) is PASV FTP, not "Active" (PORT) FTP and the
> mode and ports used can be important. If you want to test
> PORT FTP, you would do this by using FTP from the command
> line.
>
> So, this is a good lead into why your Domain Host clients
> aren't able to FTP.
>
> From your description, the FTP Server works using PORT FTP
> (that's what you configured with your Packet Filters) but
> you're configuring your clients to use PASV FTP when
> configured as Web Proxy clients... Then, when you pointed
> your IE browsers as SNAT clients which ironically disabled
> support for PASV FTP in one sense is consistent with what
> you had done earlier... but is still surprising to me
> because I've read (and not personally confirmed) that IE
> supported only PASV FTP (could not fall back to PORT FTP).
>
> Tony Su
>
>
>
>
>
>
> >-----Original Message-----
> >Hi David,
> >
> >First of all, the gateway on the clients should be set to the server-IP
> >when the server has (the preferred) 2 nics.
> >
> >When Isa is installed, the clients should have the Firewall Client
> >installed.
> >
> >You don't want FTP inbound open on your server. Have a look in the Win2000
> >newsgroups for a few days and find people who did setup their server with
> >FTP-server. It sometimes just takes hours before all kinds of funny files
> >are appearing on the server and you are locked out!
> >FTP uses clear text when sending passwords over the internet.
> >
> >--
> >Regards,
> >
> >Marina
> >Microsoft SBS-MVP
> >
> >"David Barnes" <david@nospam-bitsolve.com> wrote in message
> >news:qKENc.9793$R45.98682994@news-text.cableinet.net...
> >> I'm stuck..
> >>
> >> SBS2003 (premium)
> >> 2 NICs
> >> 'out of the tin' default settings
> >> SBS's 'CEICW' run and selected 'directly connected' and 'enable firewall'
> >> Server's connection to the internet is via a NAT/PAT firewall/router
> >> (FireBrick to be precise)
> >>
> >> From the SBS server itself I couldn't do any FTP access to any site at
> >> all, from IE or the 'CMD> FTP' until I enabled the outbound port 21 and
> >> inbound port 20 filters that were there but disabled (why?) and created
> >> an additional filter 'outbound, tcp, local=dynamic, remote=any'.
> >> Why didn't this 'work out of the tin'?
> >>
> >> At least I can get the server to ftp download the virus updates now..
> >>
> >> HOWEVER...
> >>
> >> Client PC's (all 35 of them)
> >> No DG specified (security choice)
> >> NOT got the 'proxy firewall client' installed.
> >> IE has ISA (SBS) as proxy for HTTP, HTTPS & FTP, and has 'directory view'
> >> disabled
> >> goto ftp://ftp.hp.com .. fails and I get:
> >> ISA Server: Extended error message:
> >> 200 type set to A.
> >> 500 Invalid PORT Command.
> >>
> >> Has anyone managed to get FTP access working via the ISA proxy?
> >> Am I getting this because the firewall is also enabled?
> >> I notice that there is an 'FTP access filter'. It seems not to make a jot
> >> if this is enabled or disabled.!
> >> Being SBS this 'should' work 'out of the tin', but well.. I spose they
> >> have to leave something to challenge us techies..
> >>
> >>
> >> And yes, if I give the client PC a DG (a separate firewall/router to the
> >> ISA server) and take off the proxy setting for FTP the client (IE) can do
> >> FTP fine.
> >>
> >> The rules, filtersets and settings are all 'preconfigured' by the SBS
> >> CEICW and get reset whenever this is run.
> >> Ultimately I'm looking for some sort of setting that can get the SBS CEICW
> >> to do its job properly, but then that might be just too much to ask!
> >>
> >> I apologise for the cross posting, but this is both an SBS and an ISA
> >> issue..
> >>
> >> David
> >>
> >>
> >>
> >>
> >
> >
> >.
> >
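
Added example, not part of any post in this thread: a short Python sketch of how the PORT command and the 227 (PASV) reply discussed above encode the data-connection endpoint, and which side makes the 'initial connect' that a packet filter has to allow. The function names, the filter description strings and the sample addresses are assumptions made for illustration; the sample control-channel lines are constructed.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT (RFC 959) and by the 227 PASV reply.
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(line):
    """Return (ip, port) advertised in a PORT command or 227 reply, else None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connection(line, client_ip, server_ip):
    """Describe the initial data connection that one control-channel line sets up.

    client_ip / server_ip are the control connection's endpoints as the
    observer sees them (assumed known, e.g. from a firewall log).
    """
    words = line.split()
    verb = words[0].upper() if words else ""
    endpoint = parse_hostport(line)
    if endpoint is None or verb not in ("PORT", "227"):
        return None
    ip, port = endpoint
    if verb == "PORT":
        # Active: the server opens the data connection from port 20 to the client.
        return {"mode": "active", "initiator": "server", "dst": (ip, port),
                "filter": "inbound, tcp, local=dynamic, remote=20",
                "addr_matches_peer": ip == client_ip}
    # Passive: the client opens the data connection to the port the server chose.
    return {"mode": "passive", "initiator": "client", "dst": (ip, port),
            "filter": "outbound, tcp, local=dynamic, remote=any",
            "addr_matches_peer": ip == server_ip}

# Constructed control-channel lines (private and documentation addresses).
SAMPLES = [
    ("PORT 192,168,16,5,4,1", "198.51.100.7", "203.0.113.10"),
    ("227 Entering Passive Mode (203,0,113,10,195,80)", "198.51.100.7", "203.0.113.10"),
]

if __name__ == "__main__":
    for line, client, server in SAMPLES:
        print(line, "->", data_connection(line, client, server))
```

In the first sample the PORT command advertises a private address that differs from the control connection's source as seen from outside a NAT device, which is why a proxy or firewall relaying active FTP has to rewrite that command rather than pass it through unchanged.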


