Solved

ISA 2004 won't allow FTP

Posted on 2006-03-20
Last Modified: 2013-11-16
I'm running ISA server 2004 on a Windows 2003 server. I don't have much experience with ISA 2004. I set up an ISA firewall rule as follows:

Name: Internet Access
Allow: FTP, HTTP, HTTPS
From: Internal
To: External
Condition: Allow Internet Access (AD group), System and Network Service

I'm not running the firewall client and have unchecked the Enable folder view for FTP sites.

I need to limit FTP, HTTP, and HTTPS access to only the permitted users in the AD group.

Internet is working correctly using this rule but FTP is not. I'm receiving an error on the client... Error code: 502 Proxy Error. When I look at the ISA monitoring the request is being blocked by the rule mentioned in this post, Internet Access.

Does anyone have a suggestion other than installing the firewall client or permitting all user access?


Question by:JimRoth
8 Comments
 
LVL 6

Expert Comment

by:Azhrei1
ID: 16237462
After this rule there should be a rule which disallows everyone else I think. I had this problem, and messed around some with the rules until it worked, I did NOT use the client. I did however use the ISA server as proxy (in internet explorer settings). However, from what I've noticed it's not 100% reliable, sometimes people will still get out, sometimes they get stopped without reason. Which is probably why they made the client, but I didn't really agree with that and deleted ISA.

I can understand you really need this in your case though, so, make sure to go through the settings of the ftp protocol in ISA as well. Configure proxy use on clients, and create a rule below this one that blocks unauthorized users.

You could also look for a tutorial on www.isaserver.org
0
 

Author Comment

by:JimRoth
ID: 16239914
I already have the client setup to use the isa server as the proxy, local host on port 8080 for all protocols, and the rule after is the default deny all. According to the isa monitoring, the allow rule in the original post is the one blocking the FTP access not the deny rule after it. Do you have the url to the specific tutorial... I couldn't find one for this situation.
0
 
LVL 6

Accepted Solution

by:
Azhrei1 earned 1000 total points
ID: 16242258
Yes, when I configured my ISA server I used this article:

http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html

Also because I had an ftp server running on my network which had to be accessible by both local and external clients.

I wish it wasn't so long ago, or I'd have written down a quick guide for you, I just don't know the exact steps and problems I had back then anymore :(

Good luck man :) Fiddle with the settings, and make sure you let the server load the new rules each time. Also make sure the ftp server you try to visit is actually online (that was something I did wrong first time hehe....typical mistake).

0
 
LVL 6

Expert Comment

by:Azhrei1
ID: 16242284
Oh, another question, can you connect to ftp sites with a specific ftp client? (like www.smartftp.com)

Don't forget ftp is port 21 instead of 8080 btw.
0
 
LVL 6

Expert Comment

by:Azhrei1
ID: 16245918
I also reread your question (and it's morning this time, clear mind :)), since the rule is blocking your request, and the rule checks if clients are authorized, I fear it may also be possible your clients aren't authorized.

But let me know what you've done so far and if it worked :)
0
 
LVL 5

Expert Comment

by:t_itanium
ID: 16246217
Try to create a rule for ftp that allows all then...other rules that deny some....
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 1000 total points
ID: 16256401
Can you confirm if your AD user group is accessing the HTTP traffic via the Rule mentioned above? It may be that your rule is not working correctly with the AD user groups.

Also, if I'm not mistaken, your problem could be that the ISA server is not picking up the AD username but instead is using the username/password provided in the FTP request.

Try running FTP from the command line and then see what it does. Make sure that you've identified the correct rule.

Another thing to consider, when do you get the error? When connecting to the FTP site? Or when you try to upload/download? By default, ISA will only allow read-only FTP requests. No uploads are possible until you've changed the settings in the FTP protocol. Simply right-click your rule, then click on 'Configure FTP protocol' and clear the checkbox next to "Read Only"
0
 

Author Comment

by:JimRoth
ID: 16630327
Thanks for the comments. Azhrei1's link to isaserver.org was the most helpful. The issue is with logon to some ftp sites... some require the Enable folder View to get to the logon screen. All other ftp sites are working fine without the firewall client. It just happened to be the case that the 3 ftp sites we use most required this setting. The only way I found around this was to use the firewall client on the clients that actually use the sites. Thankfully this was only a handful.
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question