Solved

ISA 2004 + FTP - need to know how to allow and allow folder view  ****Users Standing By****

Posted on 2007-11-20
18
1,042 Views
Last Modified: 2013-12-02
Hey everyone,

I just started this new job about a month ago and I'm learning all of the crazy stuff that the manager has done while there wasn't enough help around.

ISA 2004 is the Proxy for the entire network...and I've got people in other states that need to be allowed FTP access.

On the ISA box, I've created a rule that states:

|       Action        |  Protocols             |   From / Listener          |       To                  |     Condition      |
---------------------------------------------------------------------------------------------------------------------------
|       Allow          | FTP, FTP Server    |  All Networks               |   All Networks      |      All Users       |

It's at the top of the list in the Firewall Policy and I've "Unchecked" the "Allow Read Only" check box so people can drag and drop files on remote FTP servers.

Problem is that I still need to access the FTP servers via:
ftp://username:password@FQDN

and it won't allow me to switch to folder view from IE.

What might I be missing...I appreciate everyone's help in advance because everyone here is so great!!!

Thanks,
inverted
0
Comment
Question by:inverted_2000
  • 13
  • 5
18 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20322820
ISA does not control the view - it just controls the data flows.
What do you think ISA is blocking?

The folder view is normally set within the advanced options inside the browser.
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20322963
It's not just the view...I need to access FTP folder across the Public Internet:

check this out...if I go to a known public FTP server in my city across the public internet via:
ftp://69.xx.xxx.xxx

I Get:
Technical Information (for support personnel)
Error Code: 502 Proxy Error. The login request was denied. The logon account might have been disabled or logon information might have changed. Log on again to verify that the information was typed correctly. If the problem continues, report the problem to the administrator of the Internet server you are requesting. (12015)
IP Address: 69.xx.xxx.xx
Date: 11/20/2007 8:32:12 PM
Server: mydomain.com
Source: proxy


So the above states that anonymous access isn't allowed:

so I try:
ftp://username:password@69.xx.xxx.xx

with a known account on that server and it accesses the FTP list in list view.

If I try to switch to folder view it states that it isn't allowed.

Where else is ISA blocking folder viewing and anonymous access to FTP sites?

0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 20323035
Ah - So you are trying to pass the credentials with the command? Are you using ISA as a firewall also?

If yes, and you are getting that error, it suggests that you have not deployed the ISA firewall client. This is the utility that passes the credentials to ISA server.

If no, then add that specific url to the exceptions tab in the browser

0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20323062
I really don't won't to have to pass the creds with a URL command...all I really want...as do my users...is to see the folder view so we can drag and drop folders in remote FTP locations.

do I need the ISA client?  I don't know if that was rolled out or not.  How might I see if it is?

Thanks a bunch (o;
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20323130
Oh sorry...I guess ISA is a firewall too...the firewall service is running on the ISA box...I was under the impression that it was just a proxy, but I have confirmed that it is also a firewall.
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20323243
I loaded Filezilla Client on my laptop too.

That doesn't even come close to connecting to the outside FTP source.  I guess once a client such as that connects, I'll know that everything is okay.

How might I go about this?
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20323424
Under the Application Filters...I disable the FTP Access Filter...will that resolve it after I restart the services?

0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20323587
I do what they say here...and it doesn't work:
http://www.microsoft.com/technet/isa/2000/maintain/isaftpci.mspx

I can folder view and write to public FTP folders from the ISA server itself...because the rules don't apply to itself...but none of the clients can use FileZilla or folder view FTP sites.

Please someone layout the configuration for this FTP rule in ISA for me.

Thanks people,
inverted
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20324819
If it is deployed, you will see the icon in the bottom right corner of the client.

0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 2

Author Comment

by:inverted_2000
ID: 20327317
I don't see it...the XP and Vista firewalls are OFF via GPO's.

Do I push the package from ISA or can I install it from the install disc / download?

Thanks
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20327411
I got the client...gosh everytime I come back to ISA I hate it a little more.  Other then SBS2003...where it's a nice thing to have included...what kind of manager do I have that uses it as a corporate proxy.

Let me see what theis "client" does for me.

Thanks
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20327553
I can now ping the isa server and view it's shared folders.

How do I get the client to connect.  It fails to automatically find the server and when I direct it to the server name it also fails.

Almost there !!!  

(o:
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20330404
ISA Server is likely the best layer 3 firewall/layer 7 application gateway on the market. No offence but it is a specialist product - it is not an out-of-the-box-solution. When it is configured correctly 6there is nothing to compare.

Open the ISA GUI, select configuration - networks - internal properties - Check the firewall client tab - have you configured this?
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20330984
No offense taken keith...I know it's a highly customizable, but it's still a MS product and a lot of code to make it look fancy and expensive...I'm a Cisco or Linux guy for any routing/firewalling stuff, though I have a lot more ISA experience then I might had let to believe.  I've never needed the firewall client before, and it turns out I don't in this case either.  I personally don't like it because of its nature and I've never believed MS should control this stuff, though I loved it in SBS2003 which made me more money by reducing the rollout cost to my clients.  I am however excited for some reason to be a part of the IAG 2007 rollout that we're going to give a shot at.  I think I'll be a lot happier with the controls.

I do however have MS on the phone with my premire support agreement...and 6 hours later and he's just now seeing some corruption!!!  ISA isn't even picking up traffic on port 21...netmon is blank...ISA monitoring on 21 is empty...though it is producing logs on every other port???!!!???  So you can stick up for old ISA all you want, but I've got 500 users that lost most of the work day because of it.  I could have uninstalled it myself and done this in 2 hours if management would have let me without a 2nd opinion.  MS support said he's been with the ISA team and hasn't seen this since 2000, so EE would have been a long shot for me solving this one.

I'm just glad it's him rocking the ship today and not me...I'm ready to eat some turkey (o:

Thanks for trying anyway and have a great weekend!
inverted
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20331105
lol - I am a Cisco ccnp & ccdp as well as a Microsoft MVP for ISA server so I like both products equally. I'm also on the IAG2007 Advisory Team so maybe you will meet me when I present on the Live meetings for mthe product.

When all is said and done though, if the ISA team have found corruption after 6 hours and are talking to you over the phone then yes, I'd agree, our corresponding would have taken quite a time....

Glad it is approaching resolution for you either way.

Cheers
Keith Alabaster
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20340060
Ty sir...

I'm sure I'm cya around, and thanks again.

inverted
0
 
LVL 2

Author Closing Comment

by:inverted_2000
ID: 31410201
A reinstallation was what had to be done to complete the task.  It wasn't that the help at EE couldn't have found the issue, it was just too time consuming for anyone to work with.
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20395659
Oh yeah...and 1 last thing for anyone that might come across this article in the future.

Microsoft ISA engineers have confired that folder view and being able to write to external FTP sites is not supported in a "single" NIC configuration of the software.

Thanks everyone,
inverted
0

Featured Post

Are your corporate email signatures appalling?

Is it scary how unprofessional your email signatures look? Do users create their own terrible designs and give themselves stupid job titles? You can make this a lot easier for yourself by choosing an email signature management solution from Exclaimer today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Preface There are many applications where some computing systems need have their system clocks running synchronized within a small margin and eventually need to be in sync with the global time. There are different solutions for this, i.e. the W3…
Hello, As I have seen there a lot of requests regarding monitoring and reporting for exchange 2007 / 2010 / 2013 I have decided to post some thoughts together and link to articles that have helped me. Of course a lot of information you can get…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now