Fernando asked:

DOS FTP via ISA Server 2000 with 2 NIC's

Hi there,

This may be a little hard to explain so please bear with me.

I have a Windows 2003 Server which I need to connect to an external FTP server through DOS due to scripts. First thing I did was install the FWC... now;

a) If the 2003 Server is logged in as Local Admin;
        - I can connect with IE but cannot see any files or folders. (the ftp server has been added to trusted sites)
        - I can connect with DOS but receive an error when performing a LS or DIR command
Error: ftp: bind :Can't assign requested address

b) If the 2003 Server is logged in as a domain user or even Domain Admin;
        - I can connect with IE. I can see all files and folders and I can download, but I cannot upload!
Error: An error occured copying a file to the FTP Server. Make sure you have permission to put files on the server. Details: The connection to the server was reset.
        - I can connect with DOS but receive the same error when using DIR or LS.
Error: ftp: bind :Can't assign requested address

c) If I log on from an XP Pro machine with a Domain Account (FWC installed);
        - I can connect with IE and I have FULL access. Download and upload. I am using the same ftp account for all attempts listed above also.
        - HOWEVER, there is no change to DOS. I receive the same results as above.

As far as I can think, the fact that IE on the XP Pro machine can perform all requests means that my FTP Protocol Rules and IP Packet Filters are A-OK. (Yes, Active FTP is enabled also)

Now, I have tried setting the Internal IP of the ISA Server as the default GW for the W2003 Server. This blocked everything and denied me access unless I enabled the FWC. I would then receive the same results as a) & b).

To configure the W2k3 Server as a SecureNAT Client, Is that all I need to do? Change the Default GW?... Because it seems that doing so would solve my issue (after doing some research), although it only makes it worse.

Please help! I need this to work... OR ... can I somehow bypass the ISA server for FTP requests?

This is very urgent now. Your prompt assistance will be greatly appreciated.
Keith Alabaster:

From your list above.

Scenario 1. Local admin is not a member of authenticated users so traffic will flow but stop as soon as authentication occurs.
Scenario 2. Have you edited the ftp rule to enable the upload option? By default it is download only.

Yes, secureNAT means that the default gateway of a client machine points to the internal NIC on the ISA. That's it.

I'll make the assumption that you have installed ALL of the Microsoft updates, ISA service packs and ISA updates.

When you make these various connections, what are you seeing in the ISA log?
http://www.microsoft.com/technet/prodtechnol/isa/2000/maintain/isaftpci.mspx

This is the ftp client walkthrough for ISA 2000.

Keith
ISA MCT
Fernando (ASKER):

Thank you for your reply,

How do I check what version I am running... stupid question but all I know is that it's running SP1 because it's in Add/Remove Programs...

Is SP2 the latest version of ISA 2000?

1. How do I make Local Admin a member of authenticated users?

2. If I am able to upload from the XP client, wouldn't that mean that my FTP Upload rule is OK?

Last thing I did was this: http://support.microsoft.com/default.aspx?scid=kb;[LN];294679

Thank you for your help.
1. Simplest way - In the Gui, click help along the top - select about MS ISA server - Will show the version number.
2. Yes, SP2 is the latest version but for both isa2000 & isa2004 there were updates after the service packs.
3. You do not make local admin a member of authenticated users. Authenticated users are users that have authenticated on a domain. The local admin is not authenticated ergo that account is not included in authenticated users.
4. Yes, that would suggest so.

XP handles its authentication approach a little differently to previous operating systems. You need to look in the ISA logs as this is what will tell you the failing element. With the info so far, it sounds like authentication issues. I need to confirm the flavour os ISA before continuing.
PS. The link you gave me was for external clients coming in to your FTP server. Is this what you want as this is the opposite of your question? My link is for internal clients going out to an external ftp server.
No, you are right! Should I add the filters or replace them?

Help along the top takes me to Help for MMC. If I right click on ISA at the top of the tree and click help it takes me to ISA Help with Contents, Index and Search. A pretty ISA 2000 logo is all I can see there...

>I need to confirm the flavour os ISA before continuing. (???)

Do you mean what OS is it running on? W2k SP4
If it's ISA 2000, then I would follow the link I gave you. Personally I would take out the filters then use the link line by line.

PS That last line was a typing error sorry. It should have read 'of' not 'os'....
I have e-mailed a log file to your EE email account.
OK. :) It's just arrived.
Looks like you are only logging the successful connections. In configuration, (general I think), you can enable dropped packet logging as well.

Have you now followed the link I sent you? The firewall log you sent me looks fairly clean. Interesting it switches to get host by name (GHBN) but not unique.
Not yet... I will have to leave this for a while as I have had a small issue installing SP2. I need to duck back into the office and insert the W2k Server CD in to resolve this. I will post back tomorrow. (Sunday)

I am in Sydney Australia.

Cheers
Ok...

I have updated the ISA with SP2 and other updates.
I have also created the FTP filters as per the link you gave me and disabled the ones I created re; the link I posted above.

I can now Download and Upload when logged on as a Domain User...

However. I still receive the same error when using the DOS FTP client...

I have set the Default GW as the internal IP for the W2k3 Server. So it should now be a SecureNAT. If I disable the FWC I am not able to do anything. Even if I use straight IP addresses. (Not a DNS issue)

I can't even access websites...

Where to from here? Thank you for your help thus far.
OK. So we are making progress.....

Have you created an outgoing rule for port 21?
If so, who have you allowed to use the rule? Check your logs; are you seeing authentication issues now when you try the ftp client (shows as anonymous maybe?)
PS What are you doing up at this time? One of my EE colleagues is in Sydney and he went to bed hours ago !!
ASKER CERTIFIED SOLUTION (Keith Alabaster): This solution is only available to members.
From what I gather, I need to confirm what mode ISA was setup in. The fact that nothing happens with my SecureNAT client (W2k3 Server) indicates that it may be setup in cache mode.

Are there any known issues with changing the mode?

Are there any disadvantages with using Integrated mode?
Integrated mode needs 2 NIC's. Integrated means it will act as a firewall as well as a proxy. If you change mode, you will need to change most of your rules.
I currently have two NIC's. I don't have many rules setup to be honest. I'm blocking everything bar standard protocols...

PS I really need to get this working. I wanted to send some info out to you before I went to bed... I'm a hard, yet slightly crazy worker!

PPS You forgot to paste the link mentioned above...

Ok.. I'm off to bed now. I have an early start... (in 4 hrs to be exact!) I will reply tomorrow.

Cheers
Fernando
OK...

The ISA Server has been re-configured in Integrated mode. But I can still not access anything with the SecureNAT Client. What else do I need to do?

The Routing and Remote access service is not running. Should it be?
When I enabled it, it stopped all Web Proxy Clients from working...
<<<
PPS

A good link for the dos client.
http://www.isaserver.org/articles/How_the_FTP_protocol_Challenges_Firewall_Security.html
>>>>

<<< Have you created an outgoing rule for port 21?
If so, who have you allowed to use the rule? Check your logs; are you seeing authentication issues now when you try the ftp client (shows as anonymous maybe?) >>>>
Yes, the outgoing rule is created. The rule is for all requests...

The question now, I guess, is why doesn't the W2k3 Server work as a SecureNAT client?
Sorry BurkerT, for me it's still 'what are you seeing in the log files?'

I can't see anywhere in the Log file settings to add failed packets.

Under 'Monitoring Configuration' I have Alerts, Logs and Report Jobs. Neither of these have this setting...

Cheers
Fernando
Let's take this a different way.
Are you setting your ftp client into PASV mode? Which ftp client are you using?
I am using DOS.

Ie; command prompt.

ftp <ftpsite.com>
ls

etc...

I believe it uses Active FTP
This may be your problem. Can we switch your ftp client into Passive mode?

In your IE browser, you said that FTP now works OK? IE sends a port command but the dos ftp client does not (in active mode).
In PASV mode, no port command is required as the ftp client initiates all of the traffic.

Any update?
I have by-passed the ISA Server. The Server is now directly connected to the Internet Gateway (SonicWall). I have blocked all ports bar the bare minimum and FTP. All is fine... therefore the problem has not really been solved, only avoided... but I appreciate your time. My apologies for not getting back to you sooner.
Thanks :)
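
Added example, not part of the original thread: a Python sketch of the active versus passive FTP distinction discussed above. It parses the `PORT` command and the `227` reply from a control channel and reports which side opens the data connection and whether the advertised listener is a private address a firewall would have to translate; the sample lines and addresses are constructed.

```python
import ipaddress
import re

# Both the PORT command and the 227 reply carry "h1,h2,h3,h4,p1,p2" (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(line):
    """Return (IPv4Address, port) from a PORT command or a 227 reply."""
    match = HOSTPORT.search(line)
    if not match:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {line!r}")
    nums = [int(n) for n in match.groups()]
    if max(nums) > 255:
        raise ValueError(f"field out of range in {line!r}")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def data_channel(line):
    """Describe the data connection a control-channel line sets up, or None."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode, initiator = "active", "server"    # server connects back to client
    elif text.startswith("227"):
        mode, initiator = "passive", "client"   # client connects out again
    else:
        return None
    ip, port = parse_hostport(text)
    return {
        "mode": mode,
        "initiator": initiator,
        "listener": f"{ip}:{port}",
        # A private listener address is unreachable from outside unless the
        # firewall rewrites it and admits the resulting connection.
        "listener_is_rfc1918": any(ip in net for net in RFC1918),
    }


# Constructed control-channel lines (addresses are made up for illustration).
SAMPLE = [
    "USER demo",
    "PORT 192,168,1,20,19,137",
    "227 Entering Passive Mode (203,0,113,10,195,80)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", data_channel(line))
```
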