ISA 2004 won't allow FTP

I'm running ISA Server 2004 on a Windows 2003 server. I don't have much experience with ISA 2004. I set up an ISA firewall rule as follows:

Name: Internet Access
Allow: FTP, HTTP, HTTPS
From: Internal
To: External
Condition: Allow Internet Access (AD group), System and Network Service

I'm not running the firewall client and have unchecked the Enable folder view for FTP sites.

I need to limit FTP, HTTP, and HTTPS access to only the permitted users in the AD group.

Internet is working correctly using this rule but FTP is not. I'm receiving an error on the client... Error code: 502 Proxy Error. When I look at the ISA monitoring, the request is being blocked by the rule mentioned in this post, Internet Access.

Does anyone have a suggestion other than installing the firewall client or permitting all user access?


JimRoth Asked:
 
Azhrei1 Commented:
Yes, when I configured my ISA server I used this article:

http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html

Also because I had an ftp server running on my network which had to be accessible by both local and external clients.

I wish it wasn't so long ago, or I'd have written down a quick guide for you, I just don't know the exact steps and problems I had back then anymore :(

Good luck man :) Fiddle with the settings, and make sure you let the server load the new rules each time. Also make sure the ftp server you try to visit is actually online (that was something I did wrong first time hehe....typical mistake).

 
Azhrei1 Commented:
After this rule there should be a rule which disallows everyone else, I think. I had this problem, and messed around some with the rules until it worked. I did NOT use the client. I did however use the ISA server as proxy (in Internet Explorer settings). However, from what I've noticed it's not 100% reliable; sometimes people will still get out, sometimes they get stopped without reason. Which is probably why they made the client, but I didn't really agree with that and deleted ISA.

I can understand you really need this in your case though, so make sure to go through the settings of the FTP protocol in ISA as well. Configure proxy use on clients, and create a rule below this one that blocks unauthorized users.

You could also look for a tutorial on www.isaserver.org
 
JimRoth (Author) Commented:
I already have the client set up to use the ISA server as the proxy, local host on port 8080 for all protocols, and the rule after is the default deny all. According to the ISA monitoring, the allow rule in the original post is the one blocking the FTP access, not the deny rule after it. Do you have the URL to the specific tutorial... I couldn't find one for this situation.
 
Azhrei1 Commented:
Oh, another question, can you connect to FTP sites with a specific FTP client? (like www.smartftp.com)

Don't forget FTP is port 21 instead of 8080 btw.
 
Azhrei1 Commented:
I also reread your question (and it's morning this time, clear mind :)), since the rule is blocking your request, and the rule checks if clients are authorized, I fear it may also be possible your clients aren't authorized.

But let me know what you've done so far and if it worked :)
 
t_itanium Commented:
Try to create a rule for FTP that allows all, then... other rules that deny some...
 
Leon Fester (Senior Solutions Architect) Commented:
Can you confirm if your AD user group is accessing the HTTP traffic via the Rule mentioned above? It may be that your rule is not working correctly with the AD user groups.

Also, if I'm not mistaken, your problem could be that the ISA server is not picking up the AD username but instead is using the username/password provided in the FTP request.

Try running FTP from the command line and then see what it does. Make sure that you've identified the correct rule.

Another thing to consider: when do you get the error? When connecting to the FTP site, or when you try to upload/download? By default, ISA will only allow read-only FTP requests. No uploads are possible until you've changed the settings in the FTP protocol. Simply right-click your rule, then click on 'Configure FTP protocol' and clear the checkbox next to "Read Only".
 
JimRoth (Author) Commented:
Thanks for the comments. Azhrei1's link to isaserver.org was the most helpful. The issue is with logon to some FTP sites... some require the Enable folder view setting to get to the logon screen. All other FTP sites are working fine without the firewall client. It just happened to be the case that the 3 FTP sites we use most required this setting. The only way I found around this was to use the firewall client on the clients that actually use the sites. Thankfully this was only a handful.
Question has a verified solution.
