FTP Passive Access ISA2000

Posted on 2008-06-18
Last Modified: 2008-06-20
Hi,
SBS 2003 Premium:
I have set up an FTP site within IIS on our SBS box. I can access it externally if I use the PORT method. However, since IE uses the PASSIVE method by default, I want to allow this. I have followed the instructions in this article http://www.microsoft.com/technet/archive/isa/2000/maintain/isaftpci.mspx?mfr=true but it still won't let me through using IE's FTP folder view if using the passive method.

Interestingly though, I can access the FTP site from an internal source using the passive method.

Question: Does the fact that I can access it fine with the PORT method mean that I have the ports and packet filters set up correctly in ISA 2000?

Rick
Question by:realtec

Accepted Solution by: EricTViking (earned 500 total points)
Since PASSIVE FTP uses random data ports, it might be the firewall at the external client's end that is preventing PASSIVE mode from working rather than your ISA server. Passive mode is a complex protocol, as your communications go out on port 21 but your data comes back on a random port; this is difficult to set up securely on a client's firewall.

Also passive mode doesn't work well with some NAT routers, if your client is behind a NAT router you may have trouble using passive FTP.

The fact you have ISA working with PORT (Active) FTP only proves PORT mode is working. However, if you have followed the steps in the KB article you mentioned, passive should be working too.

Just remember that the client firewall has to be setup properly too.

Expert Comment by: Nyah247
Are there any firewalls between ISA and the internet? Also, have you tried using the firewall client?

Author Comment by: realtec
Thank you for your comments Eric; they have reinforced some of the understanding I hold on FTP stuff. In answer to Nyah's comment, my understanding is that there are no firewalls between ISA and the internet. The SBS box has two NICs; the second NIC (internet facing) has been set up via the internet connection wizard in SBS and NAT is running on that interface. I don't believe the firewall client can be run on an external client PC, especially one from another company? The SBS box replaces an older SBS Premium box which was a bit flaky. On the old box I set up an FTP site with no problems regarding passive connections from outside. However, the old box was on 2k3 SP1 whereas the new box is SP2. I've read about some problems on SBS boxes after installing SP2 but they seem a bit deep. I could just tell my client to tell its FTP users to untick USE PASSIVE FTP in IE, but when I mentioned that as a solution there was lots of air being sucked in through teeth; they just want it to be 'the same as it was before' - oh the joys of IT...

Expert Comment by: EricTViking
Yes, the tooth-suckers - at least they keep us in business ;-)

Here's another good article that may be a bit more focused than the MS one you mentioned; it talks plenty about PASV mode, so it might help to eliminate any issues at the ISA server end: http://www.isaserver.org/tutorials/Publishing-Secure-FTP-Servers.html

Don't like to just post links here - but this article looks like it can explain far better than I.

BTW, I've seen 2k3 SP2 knock out a few ISA Servers (mainly ISA 2006). Nothing specific, but bits of ISA Server just stopped working with it installed. This was some time ago, so there's probably a whole load of hotfixes and patches that solve the issues caused. But SP2 definitely did bad things at the time.

Expert Comment by: EricTViking
Forgot to add: always worth going to the Monitoring -> Logging section of ISA server and starting a log query running. Make sure you enable logging on your firewall rules and see what appears when you try to FTP in PASV mode. If something is blocking your data channels it should become apparent.

Author Comment by: realtec
OK, I think I now know the reason PASV is not fully working. I refer to this article http://support.microsoft.com/kb/283679, particularly the common problems with PASV FTP. This describes exactly my situation, i.e. I can log on and CWD \ OK, but the LIST command gets blocked on its way out from the server (?) back to me by ISA; either that, or the firewall on my router or Windows Firewall is blocking it back in. The thing I've been searching for is a standard set of packet filters for ISA Server which allow PASV mode. There doesn't seem to be any; maybe there's the clue. Regarding the logging, I can see the ISA logs but can't seem to create a log that tracks the rules; how do I do that?

Expert Comment by: EricTViking
In theory, with ISA you enable the FTP application filter and it will do all the magic of port shifting and mapping for you.

To allow a firewall rule to show in the logs, open the properties for the rule and tick the "log requests matching this rule" checkbox on the "Actions" tab.

Then select Monitoring, go to the logging tab and select "Start Query".

Author Comment by: realtec
Hi again,

Listen, I have read through quite a lot of stuff now about FTP and have landed at a conclusion. Rather than explain it, I will paste below the contents of the email I sent to my client. Oh, by the way, I will credit Eric with the points as he has been the most helpful.

Morning Tracy,

After 3 weeks of looking at the FTP site situation I finally understand how and why. I'll try to keep the tech blurb down here as I explain things. Firstly, as I may have stated earlier, there are two types of access for FTP sites, Active and Passive; we know that the Active method works fine on your server. The Active method uses designated ports on the server, namely ports 20 and 21. These are easily set up on the ISA firewall that your server runs. The Passive method is a little more complex in that it uses ports 20 and 21 but also uses random ports anywhere between 1000-60000. There lies the problem: it is impossible for the server's firewall to guess which port has been randomly chosen for the user's FTP session at that time. The reason the old server worked with this method is because, rightly or wrongly, I'd put a big hole in the firewall to allow these connections to get through. As time goes by and experience is gained, I am not really happy about putting such a hole in customers' firewalls anymore, primarily because it leaves the door open for hacking attempts. At the end of the day the firewall (and ISA Server is one of the best around) is there to protect you from malicious attempts at breaking in to your system, and whacking a big hole in it just so that FTP passive mode works isn't such a great idea. OK, that being said, what can we do next? Well, there are two straightforward solutions for your clients:
1) For customers that prefer to use Internet Explorer to FTP, they will have to untick "Use Passive Method for FTP" in Internet Options > Advanced.
2) For other users, including Mac, download a free FTP program such as this one http://www.coffeecup.com/free-ftp/download.php?getFile (taking care to untick "use passive mode" during the setup).

It can be explained to your customers that this is due to tightened security. I'm sure most of them are competent computer users and that this shouldn't create a problem for them. In any case they can always call me with any initial problems. Let me know your thoughts as always.
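The exchange that the accepted answer and the e-mail above both describe, as an added example that is not part of the original thread: a self-contained Python 3.8+ script with a constructed loopback server that speaks just enough FTP (PASV, PORT, LIST, QUIT) for a client to fetch a directory listing in each mode and record which side opened the data connection. Per RFC 959 the control connection is always client to server (port 21 on a real server); in PORT (active) mode the client names a port of its own and the server connects out to it (from port 20 on a real server), while in PASV mode the server listens on an ephemeral port, reports it in the 227 reply, and the client connects in. That inbound connection to a server-chosen port is what a server-side firewall such as ISA has to admit for a passive client, and reading the 227 reply to open exactly that port is the "port shifting" the FTP application filter is there to do. Nothing below is real FTP server or ISA code: the server, the listing text and the loopback addresses are all constructed for the demonstration.

```python
# Added example, not code from the original thread: a constructed loopback
# FTP-like server (PASV, PORT, LIST, QUIT only) to show which side opens the
# data connection in each mode. No real FTP server or ISA Server involved.
import re
import socket
import threading

LISTING = b"drwxr-xr-x 1 ftp ftp 0 Jun 18 2008 pub\r\n"   # constructed sample
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _hostport(fields):
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_pasv_reply(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, p1*256+p2)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    return _hostport(m.groups())

def build_port_command(host, port):
    """PORT command the client sends in active mode to name its own data port."""
    return "PORT %s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)

def _serve_one(ctrl):
    # Server side of one control connection.
    rd = ctrl.makefile("rb")
    data_listener = None   # set by PASV: server listens, client connects in
    active_target = None   # set by PORT: server connects out to the client
    try:
        ctrl.sendall(b"220 demo ready\r\n")
        while True:
            line = rd.readline().decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb == "PASV":
                data_listener = socket.create_server(("127.0.0.1", 0))  # ephemeral port
                p = data_listener.getsockname()[1]
                ctrl.sendall(b"227 Entering Passive Mode (127,0,0,1,%d,%d)\r\n" % (p // 256, p % 256))
            elif verb == "PORT":
                active_target = _hostport(line.split(None, 1)[1].split(","))
                ctrl.sendall(b"200 PORT command successful\r\n")
            elif verb == "LIST":
                ctrl.sendall(b"150 Opening data connection\r\n")
                if data_listener is not None:
                    data, _ = data_listener.accept()      # PASV: inbound to server
                    data_listener.close()
                    data_listener = None
                else:   # PORT: outbound from server (real servers use source port 20)
                    data = socket.create_connection(active_target)
                data.sendall(LISTING)
                data.close()
                ctrl.sendall(b"226 Transfer complete\r\n")
            else:                                         # QUIT, or peer went away
                ctrl.sendall(b"221 Goodbye\r\n")
                break
    except OSError:
        pass
    ctrl.close()

def start_demo_server():
    # Accept control connections in a daemon thread; return the (host, port).
    srv = socket.create_server(("127.0.0.1", 0))
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()

def fetch_listing(server_addr, passive):
    """Client side: fetch the listing and record who opened the data channel."""
    ctrl = socket.create_connection(server_addr)   # control: always client -> server
    rd = ctrl.makefile("rb")
    rd.readline()                                   # 220
    if passive:
        ctrl.sendall(b"PASV\r\n")
        host, port = parse_pasv_reply(rd.readline().decode("ascii", "replace"))
        data = socket.create_connection((host, port))   # client -> server:ephemeral
    else:
        listener = socket.create_server(("127.0.0.1", 0))
        host, port = listener.getsockname()
        ctrl.sendall((build_port_command(host, port) + "\r\n").encode())
        rd.readline()                               # 200
    ctrl.sendall(b"LIST\r\n")
    rd.readline()                                   # 150
    if not passive:
        data, _ = listener.accept()                 # server -> client:ephemeral
        listener.close()
    listing = data.makefile("rb").read()            # until the server closes
    data.close()
    rd.readline()                                   # 226
    ctrl.sendall(b"QUIT\r\n")
    ctrl.close()
    return {"mode": "PASV" if passive else "PORT", "data_port": port,
            "data_initiator": "client" if passive else "server", "listing": listing}

def demo():
    addr = start_demo_server()
    return [fetch_listing(addr, passive=True), fetch_listing(addr, passive=False)]
```

Calling demo() returns two dicts, one per mode. In the PASV result data_initiator is "client" and data_port is the server-chosen ephemeral port the client had to reach; on a real deployment that is the port the server-side firewall must let in, which is why the thread's question turns on whether ISA's FTP filter tracks the 227 reply rather than on a static packet filter. In the PORT result data_initiator is "server", which is the direction that a client behind its own NAT or firewall struggles with.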