ISA 2004 + FTP - need to know how to allow and allow folder view ****Users Standing By****

Hey everyone,

I just started this new job about a month ago and I'm learning all of the crazy stuff that the manager has done while there wasn't enough help around.

ISA 2004 is the Proxy for the entire network...and I've got people in other states that need to be allowed FTP access.

On the ISA box, I've created a rule that states:

|       Action        |  Protocols             |   From / Listener          |       To                  |     Condition      |
---------------------------------------------------------------------------------------------------------------------------
|       Allow          | FTP, FTP Server    |  All Networks               |   All Networks      |      All Users       |

It's at the top of the list in the Firewall Policy and I've "Unchecked" the "Allow Read Only" check box so people can drag and drop files on remote FTP servers.

Problem is that I still need to access the FTP servers via:
ftp://username:password@FQDN

and it won't allow me to switch to folder view from IE.

What might I be missing...I appreciate everyone's help in advance because everyone here is so great!!!

Thanks,
inverted
LVL 2
inverted_2000Asked:
Who is Participating?
 
Keith AlabasterConnect With a Mentor Enterprise ArchitectCommented:
Ah - So you are trying to pass the credentials with the command? Are you using ISA as a firewall also?

If yes, and you are getting that error, it suggests that you have not deployed the ISA firewall client. This is the utility that passes the credentials to ISA server.

If no, then add that specific url to the exceptions tab in the browser

0
 
Keith AlabasterEnterprise ArchitectCommented:
ISA does not control the view - it just controls the data flows.
What do you think ISA is blocking?

The folder view is normally set within the advanced options inside the browser.
0
 
inverted_2000Author Commented:
It's not just the view...I need to access FTP folder across the Public Internet:

check this out...if I go to a known public FTP server in my city across the public internet via:
ftp://69.xx.xxx.xxx

I Get:
Technical Information (for support personnel)
Error Code: 502 Proxy Error. The login request was denied. The logon account might have been disabled or logon information might have changed. Log on again to verify that the information was typed correctly. If the problem continues, report the problem to the administrator of the Internet server you are requesting. (12015)
IP Address: 69.xx.xxx.xx
Date: 11/20/2007 8:32:12 PM
Server: mydomain.com
Source: proxy


So the above states that anonymous access isn't allowed:

so I try:
ftp://username:password@69.xx.xxx.xx

with a known account on that server and it accesses the FTP list in list view.

If I try to switch to folder view it states that it isn't allowed.

Where else is ISA blocking folder viewing and anonymous access to FTP sites?

0
Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

 
inverted_2000Author Commented:
I really don't won't to have to pass the creds with a URL command...all I really want...as do my users...is to see the folder view so we can drag and drop folders in remote FTP locations.

do I need the ISA client?  I don't know if that was rolled out or not.  How might I see if it is?

Thanks a bunch (o;
0
 
inverted_2000Author Commented:
Oh sorry...I guess ISA is a firewall too...the firewall service is running on the ISA box...I was under the impression that it was just a proxy, but I have confirmed that it is also a firewall.
0
 
inverted_2000Author Commented:
I loaded Filezilla Client on my laptop too.

That doesn't even come close to connecting to the outside FTP source.  I guess once a client such as that connects, I'll know that everything is okay.

How might I go about this?
0
 
inverted_2000Author Commented:
Under the Application Filters...I disable the FTP Access Filter...will that resolve it after I restart the services?

0
 
inverted_2000Author Commented:
I do what they say here...and it doesn't work:
http://www.microsoft.com/technet/isa/2000/maintain/isaftpci.mspx

I can folder view and write to public FTP folders from the ISA server itself...because the rules don't apply to itself...but none of the clients can use FileZilla or folder view FTP sites.

Please someone layout the configuration for this FTP rule in ISA for me.

Thanks people,
inverted
0
 
Keith AlabasterEnterprise ArchitectCommented:
If it is deployed, you will see the icon in the bottom right corner of the client.

0
 
inverted_2000Author Commented:
I don't see it...the XP and Vista firewalls are OFF via GPO's.

Do I push the package from ISA or can I install it from the install disc / download?

Thanks
0
 
inverted_2000Author Commented:
I got the client...gosh everytime I come back to ISA I hate it a little more.  Other then SBS2003...where it's a nice thing to have included...what kind of manager do I have that uses it as a corporate proxy.

Let me see what theis "client" does for me.

Thanks
0
 
inverted_2000Author Commented:
I can now ping the isa server and view it's shared folders.

How do I get the client to connect.  It fails to automatically find the server and when I direct it to the server name it also fails.

Almost there !!!  

(o:
0
 
Keith AlabasterEnterprise ArchitectCommented:
ISA Server is likely the best layer 3 firewall/layer 7 application gateway on the market. No offence but it is a specialist product - it is not an out-of-the-box-solution. When it is configured correctly 6there is nothing to compare.

Open the ISA GUI, select configuration - networks - internal properties - Check the firewall client tab - have you configured this?
0
 
inverted_2000Author Commented:
No offense taken keith...I know it's a highly customizable, but it's still a MS product and a lot of code to make it look fancy and expensive...I'm a Cisco or Linux guy for any routing/firewalling stuff, though I have a lot more ISA experience then I might had let to believe.  I've never needed the firewall client before, and it turns out I don't in this case either.  I personally don't like it because of its nature and I've never believed MS should control this stuff, though I loved it in SBS2003 which made me more money by reducing the rollout cost to my clients.  I am however excited for some reason to be a part of the IAG 2007 rollout that we're going to give a shot at.  I think I'll be a lot happier with the controls.

I do however have MS on the phone with my premire support agreement...and 6 hours later and he's just now seeing some corruption!!!  ISA isn't even picking up traffic on port 21...netmon is blank...ISA monitoring on 21 is empty...though it is producing logs on every other port???!!!???  So you can stick up for old ISA all you want, but I've got 500 users that lost most of the work day because of it.  I could have uninstalled it myself and done this in 2 hours if management would have let me without a 2nd opinion.  MS support said he's been with the ISA team and hasn't seen this since 2000, so EE would have been a long shot for me solving this one.

I'm just glad it's him rocking the ship today and not me...I'm ready to eat some turkey (o:

Thanks for trying anyway and have a great weekend!
inverted
0
 
Keith AlabasterEnterprise ArchitectCommented:
lol - I am a Cisco ccnp & ccdp as well as a Microsoft MVP for ISA server so I like both products equally. I'm also on the IAG2007 Advisory Team so maybe you will meet me when I present on the Live meetings for mthe product.

When all is said and done though, if the ISA team have found corruption after 6 hours and are talking to you over the phone then yes, I'd agree, our corresponding would have taken quite a time....

Glad it is approaching resolution for you either way.

Cheers
Keith Alabaster
0
 
inverted_2000Author Commented:
Ty sir...

I'm sure I'm cya around, and thanks again.

inverted
0
 
inverted_2000Author Commented:
A reinstallation was what had to be done to complete the task.  It wasn't that the help at EE couldn't have found the issue, it was just too time consuming for anyone to work with.
0
 
inverted_2000Author Commented:
Oh yeah...and 1 last thing for anyone that might come across this article in the future.

Microsoft ISA engineers have confired that folder view and being able to write to external FTP sites is not supported in a "single" NIC configuration of the software.

Thanks everyone,
inverted
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.