ISA 2004 won't allow FTP

I'm running ISA server 2004 on a Windows 2003 server. I don't have much experience with ISA 2004. I setup an ISA firewall rule as follows:

Name: Internet Access
Allow: FTP, HTTP, HTTPS
From: Internal
To: External
Condition: Allow Internet Access (AD group), System and Network Service

I'm not running the firewall client and have unchecked the Enable folder view for FTP sites.

I need to limit FTP, HTTP, and HTTPS access to only the permitted users in the AD group.

Internet is working correctly using this rule but FTP is not. I'm receiving an error on the client... Error code: 502 Proxy Error. When I look at the ISA monitoring the request is being blocked by the rule mentioned in this post, Internet Access.

Does anyone have a suggestion other than installing the firewall client or permitting all user access?


JimRothAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Azhrei1Commented:
After this rule there should be a rule which disallows everyone else I think. I had this problem, and messed around some with the rules until it worked, I did NOT use the client. I did however use the ISA server as proxy (in internet explorer settings). However, from what i've noticed it's not 100% reliable, sometimes people will still get out, sometimes they get stopped without reason. Which is probably why they made the client, but I didn't really agree with that and deleted ISA.

I can understand you really need this in your case though, so, make sure going through the settings of the ftp protocol in ISA as well. Configure proxy use on clients, and create a rule below this one that blocks unauthorized users.

you could also look for a tutorial on www.isaserver.org
JimRothAuthor Commented:
I already have the client setup to use the isa server as the proxy, local host on port 8080 for all protocals, and the rule after is the default deny all. According to the isa monitoring, the allow rule in the original post is the one blocking the FTP access not the deny rule after it. Do you have the url to the specific tutorial... I couldn't find one for this situation.
Azhrei1Commented:
Yes, when I configured my ISA server I used this article:

http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html

Also because I had an ftp server running on my network which had to be accessible by both local and external clients.

I wish it wasn't so long ago, or I'd have written down a quick guide for you, I just don't know the exact steps and problems I had back then anymore :(

Good luck man :) Fiddle with the settings, and make sure you let the server load the new rules each time. Also make sure the ftp server you try to visit is actually online (that was something I did wrong first time hehe....typical mistake).

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cloud as a Security Delivery Platform for MSSPs

Every Managed Security Service Provider (MSSP) needs a platform to deliver effective and efficient security-as-a-service to their customers. Scale, elasticity and profitability are a few of the many features that a Cloud platform offers. View our on-demand webinar to learn more!

Azhrei1Commented:
Oh, another question, can you connect to ftp sites with a specific ftp client? (like www.smartftp.com)

Don't forget ftp is port 21 instead of 8080 btw.
Azhrei1Commented:
I also reread your question (and it's morning this time, clear mind :)), since the rule is blocking your request, and the rule checks if clients are authorized, I fear it may also be possible your clients aren't authorized.

But let me know what you've done so far and if it worked :)
t_itaniumCommented:
try to create arule for ftp that allows all then...other rules that deny some....
Leon FesterSenior Solutions ArchitectCommented:
Can you confirm if your AD user group is accessing the HTTP traffic via the Rule mentioned above? It may be that your rule is not working correctly with the AD user groups.

Also, if I'm not mistaken, your problem could be that the ISA server is not picking up the AD username but instead is using the username/password provided in the FTP request.

Try running FTP from the command line and then see what it does. Make sure that you've identified the correct rule.

Another thing to consider, when do you get the error? When connecting to the FTP site? or when you try to upload/download? By default, ISA will only allow read-only FTP requests. No uploads are possible until you've changed the settings in the FTP protocol. Simply right-click your rule, then click on 'Configure FTP protocol' and clear the checkbox next to  "Read Only"
JimRothAuthor Commented:
Thanks for the comments. Azhrei1's link to isaserver.org was the most helpful. The issue is with logon to some ftp sites... some require the Enable folder View to get to the logon screen. All other ftp sites are working fine without the firewall client. It just happened to be the case that the 3 ftp sites we use most required this setting. The only way I found around this was to use the firewall client on the clients that actually use the sites. Thankfully this was only a handful.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.