ISA 2004 + FTP - need to know how to allow and allow folder view ****Users Standing By****
Hey everyone,
I just started this new job about a month ago and I'm learning all of the crazy stuff that the manager has done while there wasn't enough help around.
ISA 2004 is the Proxy for the entire network...and I've got people in other states that need to be allowed FTP access.
On the ISA box, I've created a rule that states:
| Action | Protocols | From / Listener | To | Condition |
--------------------------
| Allow | FTP, FTP Server | All Networks | All Networks | All Users |
It's at the top of the list in the Firewall Policy and I've "Unchecked" the "Allow Read Only" check box so people can drag and drop files on remote FTP servers.
Problem is that I still need to access the FTP servers via:
ftp://username:password@FQDN
and it won't allow me to switch to folder view from IE.
What might I be missing...I appreciate everyone's help in advance because everyone here is so great!!!
Thanks,
inverted
I just started this new job about a month ago and I'm learning all of the crazy stuff that the manager has done while there wasn't enough help around.
ISA 2004 is the Proxy for the entire network...and I've got people in other states that need to be allowed FTP access.
On the ISA box, I've created a rule that states:
| Action | Protocols | From / Listener | To | Condition |
--------------------------
| Allow | FTP, FTP Server | All Networks | All Networks | All Users |
It's at the top of the list in the Firewall Policy and I've "Unchecked" the "Allow Read Only" check box so people can drag and drop files on remote FTP servers.
Problem is that I still need to access the FTP servers via:
ftp://username:password@FQDN
and it won't allow me to switch to folder view from IE.
What might I be missing...I appreciate everyone's help in advance because everyone here is so great!!!
Thanks,
inverted
ASKER
It's not just the view...I need to access FTP folder across the Public Internet:
check this out...if I go to a known public FTP server in my city across the public internet via:
ftp://69.xx.xxx.xxx
I Get:
Technical Information (for support personnel)
Error Code: 502 Proxy Error. The login request was denied. The logon account might have been disabled or logon information might have changed. Log on again to verify that the information was typed correctly. If the problem continues, report the problem to the administrator of the Internet server you are requesting. (12015)
IP Address: 69.xx.xxx.xx
Date: 11/20/2007 8:32:12 PM
Server: mydomain.com
Source: proxy
So the above states that anonymous access isn't allowed:
so I try:
ftp://username:password@69.xx.xxx.xx
with a known account on that server and it accesses the FTP list in list view.
If I try to switch to folder view it states that it isn't allowed.
Where else is ISA blocking folder viewing and anonymous access to FTP sites?
check this out...if I go to a known public FTP server in my city across the public internet via:
ftp://69.xx.xxx.xxx
I Get:
Technical Information (for support personnel)
Error Code: 502 Proxy Error. The login request was denied. The logon account might have been disabled or logon information might have changed. Log on again to verify that the information was typed correctly. If the problem continues, report the problem to the administrator of the Internet server you are requesting. (12015)
IP Address: 69.xx.xxx.xx
Date: 11/20/2007 8:32:12 PM
Server: mydomain.com
Source: proxy
So the above states that anonymous access isn't allowed:
so I try:
ftp://username:password@69.xx.xxx.xx
with a known account on that server and it accesses the FTP list in list view.
If I try to switch to folder view it states that it isn't allowed.
Where else is ISA blocking folder viewing and anonymous access to FTP sites?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I really don't won't to have to pass the creds with a URL command...all I really want...as do my users...is to see the folder view so we can drag and drop folders in remote FTP locations.
do I need the ISA client? I don't know if that was rolled out or not. How might I see if it is?
Thanks a bunch (o;
do I need the ISA client? I don't know if that was rolled out or not. How might I see if it is?
Thanks a bunch (o;
ASKER
Oh sorry...I guess ISA is a firewall too...the firewall service is running on the ISA box...I was under the impression that it was just a proxy, but I have confirmed that it is also a firewall.
ASKER
I loaded Filezilla Client on my laptop too.
That doesn't even come close to connecting to the outside FTP source. I guess once a client such as that connects, I'll know that everything is okay.
How might I go about this?
That doesn't even come close to connecting to the outside FTP source. I guess once a client such as that connects, I'll know that everything is okay.
How might I go about this?
ASKER
Under the Application Filters...I disable the FTP Access Filter...will that resolve it after I restart the services?
ASKER
I do what they say here...and it doesn't work:
http://www.microsoft.com/technet/isa/2000/maintain/isaftpci.mspx
I can folder view and write to public FTP folders from the ISA server itself...because the rules don't apply to itself...but none of the clients can use FileZilla or folder view FTP sites.
Please someone layout the configuration for this FTP rule in ISA for me.
Thanks people,
inverted
http://www.microsoft.com/technet/isa/2000/maintain/isaftpci.mspx
I can folder view and write to public FTP folders from the ISA server itself...because the rules don't apply to itself...but none of the clients can use FileZilla or folder view FTP sites.
Please someone layout the configuration for this FTP rule in ISA for me.
Thanks people,
inverted
If it is deployed, you will see the icon in the bottom right corner of the client.
ASKER
I don't see it...the XP and Vista firewalls are OFF via GPO's.
Do I push the package from ISA or can I install it from the install disc / download?
Thanks
Do I push the package from ISA or can I install it from the install disc / download?
Thanks
ASKER
I got the client...gosh everytime I come back to ISA I hate it a little more. Other then SBS2003...where it's a nice thing to have included...what kind of manager do I have that uses it as a corporate proxy.
Let me see what theis "client" does for me.
Thanks
Let me see what theis "client" does for me.
Thanks
ASKER
I can now ping the isa server and view it's shared folders.
How do I get the client to connect. It fails to automatically find the server and when I direct it to the server name it also fails.
Almost there !!!
(o:
How do I get the client to connect. It fails to automatically find the server and when I direct it to the server name it also fails.
Almost there !!!
(o:
ISA Server is likely the best layer 3 firewall/layer 7 application gateway on the market. No offence but it is a specialist product - it is not an out-of-the-box-solution. When it is configured correctly 6there is nothing to compare.
Open the ISA GUI, select configuration - networks - internal properties - Check the firewall client tab - have you configured this?
Open the ISA GUI, select configuration - networks - internal properties - Check the firewall client tab - have you configured this?
ASKER
No offense taken keith...I know it's a highly customizable, but it's still a MS product and a lot of code to make it look fancy and expensive...I'm a Cisco or Linux guy for any routing/firewalling stuff, though I have a lot more ISA experience then I might had let to believe. I've never needed the firewall client before, and it turns out I don't in this case either. I personally don't like it because of its nature and I've never believed MS should control this stuff, though I loved it in SBS2003 which made me more money by reducing the rollout cost to my clients. I am however excited for some reason to be a part of the IAG 2007 rollout that we're going to give a shot at. I think I'll be a lot happier with the controls.
I do however have MS on the phone with my premire support agreement...and 6 hours later and he's just now seeing some corruption!!! ISA isn't even picking up traffic on port 21...netmon is blank...ISA monitoring on 21 is empty...though it is producing logs on every other port???!!!??? So you can stick up for old ISA all you want, but I've got 500 users that lost most of the work day because of it. I could have uninstalled it myself and done this in 2 hours if management would have let me without a 2nd opinion. MS support said he's been with the ISA team and hasn't seen this since 2000, so EE would have been a long shot for me solving this one.
I'm just glad it's him rocking the ship today and not me...I'm ready to eat some turkey (o:
Thanks for trying anyway and have a great weekend!
inverted
I do however have MS on the phone with my premire support agreement...and 6 hours later and he's just now seeing some corruption!!! ISA isn't even picking up traffic on port 21...netmon is blank...ISA monitoring on 21 is empty...though it is producing logs on every other port???!!!??? So you can stick up for old ISA all you want, but I've got 500 users that lost most of the work day because of it. I could have uninstalled it myself and done this in 2 hours if management would have let me without a 2nd opinion. MS support said he's been with the ISA team and hasn't seen this since 2000, so EE would have been a long shot for me solving this one.
I'm just glad it's him rocking the ship today and not me...I'm ready to eat some turkey (o:
Thanks for trying anyway and have a great weekend!
inverted
lol - I am a Cisco ccnp & ccdp as well as a Microsoft MVP for ISA server so I like both products equally. I'm also on the IAG2007 Advisory Team so maybe you will meet me when I present on the Live meetings for mthe product.
When all is said and done though, if the ISA team have found corruption after 6 hours and are talking to you over the phone then yes, I'd agree, our corresponding would have taken quite a time....
Glad it is approaching resolution for you either way.
Cheers
Keith Alabaster
When all is said and done though, if the ISA team have found corruption after 6 hours and are talking to you over the phone then yes, I'd agree, our corresponding would have taken quite a time....
Glad it is approaching resolution for you either way.
Cheers
Keith Alabaster
ASKER
Ty sir...
I'm sure I'm cya around, and thanks again.
inverted
I'm sure I'm cya around, and thanks again.
inverted
ASKER
A reinstallation was what had to be done to complete the task. It wasn't that the help at EE couldn't have found the issue, it was just too time consuming for anyone to work with.
ASKER
Oh yeah...and 1 last thing for anyone that might come across this article in the future.
Microsoft ISA engineers have confired that folder view and being able to write to external FTP sites is not supported in a "single" NIC configuration of the software.
Thanks everyone,
inverted
Microsoft ISA engineers have confired that folder view and being able to write to external FTP sites is not supported in a "single" NIC configuration of the software.
Thanks everyone,
inverted
What do you think ISA is blocking?
The folder view is normally set within the advanced options inside the browser.