Solved

DOS FTP via ISA Server 2000 with 2 NIC's

Posted on 2006-05-12
Last Modified: 2008-01-09
Hi there,

This may be a little hard to explain so please bear with me.

I have a Windows 2003 Server which I need to connect to an external FTP server through DOS due to scripts. First thing I did was install the FWC... now;

a) If the 2003 Server is logged in as Local Admin;
        - I can connect with IE but cannot see any files or folders. (the ftp server has been added to trusted sites)
        - I can connect with DOS but receive an error when performing a LS or DIR command
Error: ftp: bind :Can't assign requested address

b) If the 2003 Server is logged in as a domain user or even Domain Admin;
        - I can connect with IE. I can see all files and folders and I can download, but I cannot upload!
Error: An error occured copying a file to the FTP Server. Make sure you have permission to put files on the server. Details: The connection to the server was reset.
        - I can connect with DOS but receive the same error when using DIR or LS.
Error: ftp: bind :Can't assign requested address

c) If I log on from an XP Pro machine with a Domain Account (FWC installed);
        - I can connect with IE and I have FULL access. Download and upload. I am using the same ftp account for all attempts listed above also.
        - HOWEVER, there is no change to DOS. I receive the same results as above.

As far as I can think, the fact that IE on the XP Pro machine can perform all requests means that my FTP Protocol Rules and IP Packet Filters are A-OK. (Yes, Active FTP is enabled also)

Now, I have tried setting the Internal IP of the ISA Server as the default GW for the W2003 Server. This blocked everything and denied me access unless I enabled the FWC. I would then receive the same results as a) & b).

To configure the W2k3 Server as a SecureNAT Client, Is that all I need to do? Change the Default GW?... Because it seems that doing so would solve my issue (after doing some research), although it only makes it worse.

Please help! I need this to work... OR ... can I somehow bypass the ISA server for FTP requests?

This is very urgent now. Your prompt assistance will be greatly appreciated.
Question by:Fernando
31 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16668197
From your list above.

Scenario 1. Local admin is not a member of authenticated users so traffic will flow but stop as soon as authentication occurs.
Scenario 2. Have you edited the ftp rule to enable the upload option? By default it is download only.

Yes, secureNAT means that the default gateway of a client machine points to the internal NIC on the ISA. That's it.

I'll make the assumption that you have installed ALL of the Microsoft updates, ISA service packs and ISA updates.

When you make these various connections, what are you seeing in the ISA log?
http://www.microsoft.com/technet/prodtechnol/isa/2000/maintain/isaftpci.mspx

This is the ftp client walkthrough for ISA 2000.

Keith
ISA MCT
0
 

Author Comment

by:Fernando
ID: 16669366
Thank you for your reply,

How do I check what version I am running... stupid question but all I know is that it's running SP1 because it's in Add/Remove Programs...

Is SP2 the latest version of ISA 2000?

1. How do I make Local Admin a member of authenticated users?

2. If I am able to upload from the XP client, wouldn't that mean that my FTP Upload rule is OK?

Last thing I did was this: http://support.microsoft.com/default.aspx?scid=kb;[LN];294679

Thank you for your help.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16669504
1. Simplest way - In the Gui, click help along the top - select about MS ISA server - Will show the version number.
2. Yes, SP2 is the latest version but for both isa2000 & isa2004 there were updates after the service packs.
3. You do not make local admin a member of authenticated users. Authenticated users are users that have authenticated on a domain. The local admin is not authenticated ergo that account is not included in authenticated users.
4. Yes, that would suggest so.

XP handles its authentication approach a little differently to previous operating systems. You need to look in the ISA logs as this is what will tell you the failing element. With the info so far, it sounds like authentication issues. I need to confirm the flavour os ISA before continuing.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16669610
PS. The link you gave me was for external clients coming in to your FTP server. Is this what you want as this is the opposite of your question? My link is for internal clients going out to an external ftp server.
0
 

Author Comment

by:Fernando
ID: 16669904
No, you are right! Should I add the filters or replace them?

Help along the top takes me to Help for MMC. If I right click on ISA at the top of the tree and click help it takes me to ISA Help with Contents, Index and Search. A pretty ISA 2000 logo is all I can see there...

>I need to confirm the flavour os ISA before continuing. (???)

Do you mean what OS is it running on? W2k SP4
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16670189
If it's ISA 2000, then I would follow the link I gave you. Personally I would take out the filters then use the link line by line.

PS That last line was a typing error sorry. It should have read 'of' not 'os'....
0
 

Author Comment

by:Fernando
ID: 16670355
I have e-mailed a log file to your EE email account.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16670363
OK. :) It's just arrived.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16670408
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16670455
Looks like you are only logging the successful connections. In configuration, (general I think), you can enable dropped packet logging as well.

Have you now followed the link I sent you? The firewall log you sent me looks fairly clean. Interesting it switches to get host by name (GHBN) but not unique.
0
 

Author Comment

by:Fernando
ID: 16672131
Not yet... I will have to leave this for a while as I have had a small issue installing SP2. I need to duck back into the office and insert the W2k Server CD in to resolve this. I will post back tomorrow. (Sunday)

I am in Sydney Australia.

Cheers
0
 

Author Comment

by:Fernando
ID: 16678002
Ok...

I have updated the ISA with SP2 and other updates.
I have also created the FTP filters as per the link you gave me and disabled the ones I created re: the link I posted above.

I can now Download and Upload when logged on as a Domain User...

However. I still receive the same error when using the DOS FTP client...

I have set the Default GW as the internal IP for the W2k3 Server. So it should now be a SecureNAT. If I disable the FWC I am not able to do anything. Even if I use straight IP addresses. (Not a DNS issue)

I can't even access websites...

Where to from here? Thank you for your help thus far.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16678029
OK. So we are making progress.....

Have you created an outgoing rule for port 21?
If so, who have you allowed to use the rule? Check your logs; are you seeing authentication issues now when you try the ftp client (shows as anonymous maybe?)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16678035
PS What are you doing up at this time? One of my EE colleagues is in Sydney and he went to bed hours ago !!
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 1500 total points
ID: 16678062
0
 

Author Comment

by:Fernando
ID: 16678074
From what I gather, I need to confirm what mode ISA was setup in. The fact that nothing happens with my SecureNAT client (W2k3 Server) indicates that it may be setup in cache mode.

Are there any known issues with changing the mode?

Are there any disadvantages with using Integrated mode?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16678083
Integrated mode needs 2 NIC's. Integrated means it will act as a firewall as well as a proxy. If you change mode, you will need to change most of your rules.
0
 

Author Comment

by:Fernando
ID: 16678101
I currently have two NIC's. I don't have many rules setup to be honest. I'm blocking everything bar standard protocols...

PS I really need to get this working. I wanted to send some info out to you before I went to bed... I'm a hard, yet slightly crazy worker!

PPS You forgot to paste the link mentioned above...

0
 

Author Comment

by:Fernando
ID: 16678121
Ok.. I'm off to bed now. I have an early start... (in 4 hrs to be exact!) I will reply tomorrow.

Cheers
Fernando
0
 

Author Comment

by:Fernando
ID: 16679396
OK...

The ISA Server has been re-configured in Integrated mode. But I can still not access anything with the SecureNAT Client. What else do I need to do?

The Routing and Remote access service is not running. Should it be?
When I enabled it, it stopped all Web Proxy Clients from working...
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16680093
<<<
PPS

A good link for the dos client.
http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html
>>>>

<<< Have you created an outgoing rule for port 21?
If so, who have you allowed to use the rule? Check your logs; are you seeing authentication issues now when you try the ftp client (shows as anonymous maybe?) >>>>
0
 

Author Comment

by:Fernando
ID: 16680208
Yes, the outgoing rule is created. The rule is for all requests...

The question now, I guess, is why doesn't the W2k3 Server work as a SecureNAT client?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16680217
Sorry BurkerT, for me it's still 'what are you seeing in the log files?'

0
 

Author Comment

by:Fernando
ID: 16680259
I can't see anywhere in the Log file settings to add failed packets.

Under 'Monitoring Configuration' I have Alerts, Logs and Report Jobs. Neither of these have this setting...

Cheers
Fernando
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16680477
Let's take this a different way.
Are you setting your ftp client into PASV mode? Which ftp client are you using?
0
 

Author Comment

by:Fernando
ID: 16680500
I am using DOS.

Ie; command prompt.

ftp <ftpsite.com>
ls

etc...

I believe it uses Active FTP
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16680603
This may be your problem. Can we switch your ftp client into Passive mode?

In your IE browser, you said that FTP now works OK? IE sends a port command but the dos ftp client does not (in active mode).
In PASV mode, no port command is required as the ftp client initiates all of the traffic.

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16680615
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16723733
Any update?
0
 

Author Comment

by:Fernando
ID: 16892810
I have by-passed the ISA Server. The Server is now directly connected to the Internet Gateway (SonicWall). I have blocked all ports bar the bare minimum and FTP. All is fine... therefore the problem has not really been solved, only avoided... but I appreciate your time. My apologies for not getting back to you sooner.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16896151
Thanks :)
0

Question has a verified solution.