Solved

ISA 2004 + FTP - need to know how to allow and allow folder view  ****Users Standing By****

Posted on 2007-11-20
Last Modified: 2013-12-02
Hey everyone,

I just started this new job about a month ago and I'm learning all of the crazy stuff that the manager has done while there wasn't enough help around.

ISA 2004 is the Proxy for the entire network...and I've got people in other states that need to be allowed FTP access.

On the ISA box, I've created a rule that states:

| Action | Protocols       | From / Listener | To           | Condition |
|--------|-----------------|-----------------|--------------|-----------|
| Allow  | FTP, FTP Server | All Networks    | All Networks | All Users |

It's at the top of the list in the Firewall Policy and I've "Unchecked" the "Allow Read Only" check box so people can drag and drop files on remote FTP servers.

Problem is that I still need to access the FTP servers via:
ftp://username:password@FQDN

and it won't allow me to switch to folder view from IE.

What might I be missing...I appreciate everyone's help in advance because everyone here is so great!!!

Thanks,
inverted
0
Comment
Question by:inverted_2000
18 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20322820
ISA does not control the view - it just controls the data flows.
What do you think ISA is blocking?

The folder view is normally set within the advanced options inside the browser.
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20322963
It's not just the view...I need to access FTP folder across the Public Internet:

check this out...if I go to a known public FTP server in my city across the public internet via:
ftp://69.xx.xxx.xxx

I Get:
Technical Information (for support personnel)
Error Code: 502 Proxy Error. The login request was denied. The logon account might have been disabled or logon information might have changed. Log on again to verify that the information was typed correctly. If the problem continues, report the problem to the administrator of the Internet server you are requesting. (12015)
IP Address: 69.xx.xxx.xx
Date: 11/20/2007 8:32:12 PM
Server: mydomain.com
Source: proxy


So the above states that anonymous access isn't allowed:

so I try:
ftp://username:password@69.xx.xxx.xx

with a known account on that server and it accesses the FTP list in list view.

If I try to switch to folder view it states that it isn't allowed.

Where else is ISA blocking folder viewing and anonymous access to FTP sites?

0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 20323035
Ah - So you are trying to pass the credentials with the command? Are you using ISA as a firewall also?

If yes, and you are getting that error, it suggests that you have not deployed the ISA firewall client. This is the utility that passes the credentials to ISA server.

If no, then add that specific url to the exceptions tab in the browser

0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20323062
I really don't want to have to pass the creds with a URL command...all I really want...as do my users...is to see the folder view so we can drag and drop folders in remote FTP locations.

do I need the ISA client?  I don't know if that was rolled out or not.  How might I see if it is?

Thanks a bunch (o;
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20323130
Oh sorry...I guess ISA is a firewall too...the firewall service is running on the ISA box...I was under the impression that it was just a proxy, but I have confirmed that it is also a firewall.
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20323243
I loaded Filezilla Client on my laptop too.

That doesn't even come close to connecting to the outside FTP source.  I guess once a client such as that connects, I'll know that everything is okay.

How might I go about this?
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20323424
Under the Application Filters...I disable the FTP Access Filter...will that resolve it after I restart the services?

0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20323587
I do what they say here...and it doesn't work:
http://www.microsoft.com/technet/isa/2000/maintain/isaftpci.mspx

I can folder view and write to public FTP folders from the ISA server itself...because the rules don't apply to itself...but none of the clients can use FileZilla or folder view FTP sites.

Please someone lay out the configuration for this FTP rule in ISA for me.

Thanks people,
inverted
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20324819
If it is deployed, you will see the icon in the bottom right corner of the client.

0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20327317
I don't see it...the XP and Vista firewalls are OFF via GPO's.

Do I push the package from ISA or can I install it from the install disc / download?

Thanks
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20327411
I got the client...gosh every time I come back to ISA I hate it a little more.  Other than SBS2003...where it's a nice thing to have included...what kind of manager do I have that uses it as a corporate proxy?

Let me see what this "client" does for me.

Thanks
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20327553
I can now ping the ISA server and view its shared folders.

How do I get the client to connect?  It fails to automatically find the server and when I direct it to the server name it also fails.

Almost there !!!  

(o:
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20330404
ISA Server is likely the best layer 3 firewall/layer 7 application gateway on the market. No offence but it is a specialist product - it is not an out-of-the-box solution. When it is configured correctly there is nothing to compare.

Open the ISA GUI, select configuration - networks - internal properties - Check the firewall client tab - have you configured this?
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20330984
No offense taken Keith...I know it's highly customizable, but it's still a MS product and a lot of code to make it look fancy and expensive...I'm a Cisco or Linux guy for any routing/firewalling stuff, though I have a lot more ISA experience than I might have led you to believe.  I've never needed the firewall client before, and it turns out I don't in this case either.  I personally don't like it because of its nature and I've never believed MS should control this stuff, though I loved it in SBS2003 which made me more money by reducing the rollout cost to my clients.  I am however excited for some reason to be a part of the IAG 2007 rollout that we're going to give a shot at.  I think I'll be a lot happier with the controls.

I do however have MS on the phone with my premier support agreement...and 6 hours later and he's just now seeing some corruption!!!  ISA isn't even picking up traffic on port 21...netmon is blank...ISA monitoring on 21 is empty...though it is producing logs on every other port???!!!???  So you can stick up for old ISA all you want, but I've got 500 users that lost most of the work day because of it.  I could have uninstalled it myself and done this in 2 hours if management would have let me without a 2nd opinion.  MS support said he's been with the ISA team and hasn't seen this since 2000, so EE would have been a long shot for me solving this one.

I'm just glad it's him rocking the ship today and not me...I'm ready to eat some turkey (o:

Thanks for trying anyway and have a great weekend!
inverted
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20331105
lol - I am a Cisco CCNP & CCDP as well as a Microsoft MVP for ISA server so I like both products equally. I'm also on the IAG2007 Advisory Team so maybe you will meet me when I present on the Live meetings for the product.

When all is said and done though, if the ISA team have found corruption after 6 hours and are talking to you over the phone then yes, I'd agree, our corresponding would have taken quite a time....

Glad it is approaching resolution for you either way.

Cheers
Keith Alabaster
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20340060
Ty sir...

I'm sure I'll cya around, and thanks again.

inverted
0
 
LVL 2

Author Closing Comment

by:inverted_2000
ID: 31410201
A reinstallation was what had to be done to complete the task.  It wasn't that the help at EE couldn't have found the issue, it was just too time consuming for anyone to work with.
0
 
LVL 2

Author Comment

by:inverted_2000
ID: 20395659
Oh yeah...and 1 last thing for anyone that might come across this article in the future.

Microsoft ISA engineers have confirmed that folder view and being able to write to external FTP sites is not supported in a "single" NIC configuration of the software.

Thanks everyone,
inverted
0
