ISA 2004 and uploading to FTP
We run ISA 2004 and behind that, out teachers use a web-based application named RenWEB for classroom mgt, etc. One of our users is trying to upload a picture to the parent's part of the RenWEB site and it's not working. NO PC from behind ISA can do this. When I monitor her IP, the trafic comes in as SecureNAT and then dies.
There is a tool on RenWEB's web site that you can run to check if all required ports are open and both of the FTP tests fail, so I'm assuming I don't have ISA configured correctly for this specific outbound FTP. I say this specific outbound FTP because outbound FTP from Explorer works and other users FTP videos, etc to our web host.
Any thoughts on where to start in resolving this issue?
Thanks
Cliff
There is a tool on RenWEB's web site that you can run to check if all required ports are open and both of the FTP tests fail, so I'm assuming I don't have ISA configured correctly for this specific outbound FTP. I say this specific outbound FTP because outbound FTP from Explorer works and other users FTP videos, etc to our web host.
Any thoughts on where to start in resolving this issue?
Thanks
Cliff
Secondly,
The renweb tool checks if you allow access from the Internet into your internal network; it does not (read as can not) check if you have the ports open to allow ftp traffic to leave your network to the Internt.
Open the ISA gui,
select monitoring - logging - click on start query.
Do you see any deny messages in the log when you try to ftp out?
You do not mention whether you are using isa as a proxy server or as a firewall server?
The renweb tool checks if you allow access from the Internet into your internal network; it does not (read as can not) check if you have the ports open to allow ftp traffic to leave your network to the Internt.
Open the ISA gui,
select monitoring - logging - click on start query.
Do you see any deny messages in the log when you try to ftp out?
You do not mention whether you are using isa as a proxy server or as a firewall server?
ASKER
Check mark is already removed. Read Only is not enabled.
I have tried to monitor the PC (we've tried it onn several with the same result) and it pretty much dies with no more traffic after the error pops up on the screen that the connection has failed. Thing is, this USE to work. I cannot determine what we've changed or if RenWEB has changed something on their side.
I have tried to monitor the PC (we've tried it onn several with the same result) and it pretty much dies with no more traffic after the error pops up on the screen that the connection has failed. Thing is, this USE to work. I cannot determine what we've changed or if RenWEB has changed something on their side.
ASKER
our ISA server is our proxy server and our firewall server.
I need the full details of the error message please that you see in the log.
ASKER
12/6/1006 12:06:40 PM SecureNAT 10.0.1.6 Internal client username is blank 10.0.1.6
ASKER
i tlooks like the FTP is not authenticating. There is no Client Username
Would have expected more in the error message, that looks only a partial output.
Open the gui, select configuration - networks - double click internal.
How have you set the firewall client entry?
Open the gui, select configuration - networks - double click internal.
How have you set the firewall client entry?
ASKER
Enable Firewall client is checked. server.domain.local is entered and auto detect is checked and use web proxy is checked.
OK. So how have you set the ftp rule in the policy?
ASKER
all users
Please.
I need the details of the rule. There is no such capability in any ISA version to simply enter all users.
I need the details of the rule. There is no such capability in any ISA version to simply enter all users.
Oh, and by the way, if you have set 'All Users' within the rule itself, this switches off the authentication process. As far as ISA anfd the ISA client are concverned you have said that all users are allowed to use the rule so whats the point of asking/checking authentication/authorisati
Any update?
ASKER
I'll be back on-site at this location in about three hours. more then and thank you for the followup.
ASKER
sent you an e-mail.
ASKER
Keith, this worked prior to our last support call to Surf Control. They logged in and installed ISA SP2 and it has not worked since then.
Penny drops. Have you installed the ISA rollup patches that were added post sp2?
http://support.microsoft.com/kb/916106/en-us?spid=2108&sid=global
http://support.microsoft.com/kb/916106/en-us?spid=2108&sid=global
ASKER
Keith, we have all of the rollup patches, etc. We're now thinking of doing a direct connect cos we can't figure this out.
Can you try this from the msdos ftp command rather than from the browser? Any difference in the log or in the results?
PS. Haven't received your email by the way.
ASKER
send me your e-mail address again.
we did try to FTP to the site directly from explorer. we get a username/password prompt so we're assuming we can get there. i have not logged that. I will try it in the AM. also, your thoughts on the direct connect?
we did try to FTP to the site directly from explorer. we get a username/password prompt so we're assuming we can get there. i have not logged that. I will try it in the AM. also, your thoughts on the direct connect?
ASKER
I will resend screen caps today so you can see the log. I agree, this approach should work. I'll be back on this in a couple of hours and let you know what I find. It seems the software vendor has an ISA guru on staf but he has not called us back yet.
ASKER
Keith, Keith, Keith...
Talked to RenWEB today. The last update they sent out had the wrong FTP site in the code. We pulled down the lastest update (that contained the fix) and we're back in business. Turns out it was nothing on our end at all.
Talked to RenWEB today. The last update they sent out had the wrong FTP site in the code. We pulled down the lastest update (that contained the fix) and we're back in business. Turns out it was nothing on our end at all.
Ah, yes. I could see that would be a problem :)
Happy with a PAQ Darth. The actions I suggested are the correct ones although I am unsure that I would have ever got round to asking' Hey, do you happen to have had a recent, unmentioned update from an external supplier that has the wrong IP address in it'?
Regards
Keith :)
Regards
Keith :)
PS Regarding your comment, thats fine also.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Uncheck the tick box so it is not read-only.
By default ISA sets ftp to download only, not upload.
PS, this setting is set for that rule only. If you have more than one ftp rule, each can be set independently.