Solved

ISA Server 2006 seems to be doing odd things to outbound FTP connections

Posted on 2009-04-07
Last Modified: 2012-05-06
I have an unrestricted traffic rule set for all protocols; however, any PC inside my network cannot make properly successful outbound FTP connections.

They authenticate to the external server, but when they issue LS, they get the message "connection closed by remote host".

This doesn't make sense: I have another ISA 2006 server on another site configured with the same rules, and all outbound FTP connections work fine from that site.

I have checked the logging on the ISA server and it is very unhelpful, simply showing an FTP connection open; then the next message is FTP connection closed.

Any ideas?
Question by:HHRSS2008
18 Comments
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24088420
1. Is it standard FTP or FTPS or SFTP?
2. Are you using IE to test FTP access?
3. Do you have any ISA add-ons installed (GFi, Websense etc)?
0
 
LVL 1

Author Comment

by:HHRSS2008
ID: 24088497
1. It's just FTP for the moment, but FTPS and SFTP would be great if I can get that working too.
2. No, I am using the DOS command line to test. Oddly, FileZilla seems to work OK, but I have an automated process that has to use DOS to perform FTP functions.
3. No, no add-ons at the moment.

thank you
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24088719
There's your problem: DOS ftp is not proxy-aware, meaning you have to create an allow rule to allow All Users access to FTP. Make sure this rule is above your internet access rule and report back.

Also, try using a test FTP site to rule out any permission issues at the destination. I use ftp.microsoft.com - user: anonymous password: email


Thanks,
Raj
0
 
LVL 1

Author Comment

by:HHRSS2008
ID: 24088818
I had a rule in for this, so I deleted it and created another rule as per your suggestion.

No difference.

My rule basically says: FTP protocol from internal hosts, allow external, and it is the first one on my list.
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24088893
Is this rule allowing "All Users" or "Authenticated Users" access to FTP?
0
 
LVL 1

Author Comment

by:HHRSS2008
ID: 24088916
All Users,

I am not configured for anybody to authenticate to ISA at the moment
0
 
LVL 14

Accepted Solution

by:
Raj-GT earned 500 total points
ID: 24088996
You had similar issues with HTTPS recently, which were attributed to the Websense filter in the end; are you sure there are no filters in place? Also, can you check whether the FTP protocol has "FTP Access Filter" applied and whether the FTP Access Filter is enabled in ISA Add-ins?
0
 
LVL 1

Author Comment

by:HHRSS2008
ID: 24089039
This is a different ISA server than the one that had the HTTPS access problem; this server has never had Websense installed.

The FTP Access Filter is checked for this connection and is enabled in my add-ins.

Thanks
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24089101
Can you copy the ISA log entries for the client PC please? Do not restrict the log to FTP only; I want to see everything going out from the PC to outside.

Thanks.
0
 
LVL 1

Author Comment

by:HHRSS2008
ID: 24089238
From the PC, or the ISA server?

I'm not sure what you mean by the PC log, so I am pasting the ISA server log here.

Actually, it appears that if I enable all logging for all protocols, it refuses to log anything at all. :(

So I am not sure what to do now :(

However, the logs show nothing helpful at all except a connection closed message, which it does under normal circumstances as well, doesn't it?
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24089293
Looks like your ISA has other problems than just FTP. Perhaps a re-install is the only option?!
0
 
LVL 1

Author Comment

by:HHRSS2008
ID: 24089343
I am not sure I agree with that, and it really isn't an option, as FTP really is the only thing not operating properly at the moment. I did get the log entries in the end; it was just taking some time as there are a lot of connections going via our ISA.

Here are the log entries:

Original Client IP      Client Agent      Authenticated Client      Service      Server Name      Referring Server      Destination Host Name      Transport      MIME Type      Object Source      Source Proxy      Destination Proxy      Bidirectional      Client Host Name      Filter Information      Network Interface      Raw IP Header      Raw Payload      GMT Log Time      Source Port      Processing Time      Bytes Sent      Bytes Received      Result Code      HTTP Status Code      Cache Information      Error Information      Log Record Type      Authentication Server      Log Time      Destination IP      Destination Port      Protocol      Action      Rule      Client IP      Client Username      Source Network      Destination Network      HTTP Method      URL
10.99.0.120                        NJR2-ISA1      -            TCP      -                                    -                        4/7/2009 4:44:24 PM      2865      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -      4/7/2009 12:44:24 PM      207.46.236.102      21      FTP      Initiated Connection      Unrestricted Internet access      10.99.0.120            Internal      External      -      -
10.99.0.120                        NJR2-ISA1      -            TCP      -                                    -                        4/7/2009 4:45:07 PM      2865      43000      643      709      0x80074e21 FWX_E_ABORTIVE_SHUTDOWN            0x0      0x0      Firewall      -      4/7/2009 12:45:07 PM      207.46.236.102      21      FTP      Closed Connection      Unrestricted Internet access      10.99.0.120            Internal      External      -      -
10.99.0.120                        NJR2-ISA1      -            TCP      -                                    -                        4/7/2009 4:45:47 PM      2881      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -      4/7/2009 12:45:47 PM      207.46.236.102      21      FTP      Initiated Connection      Unrestricted Internet access      10.99.0.120            Internal      External      -      -
10.99.0.120                        NJR2-ISA1      -            TCP      -                                    -                        4/7/2009 4:46:05 PM      2881      18000      591      566      0x80074e21 FWX_E_ABORTIVE_SHUTDOWN            0x0      0x0      Firewall      -      4/7/2009 12:46:05 PM      207.46.236.102      21      FTP      Closed Connection      Unrestricted Internet access      10.99.0.120            Internal      External      -      -

0
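One way to pull the failing sessions out of a firewall log export like the one posted above, as an added example that is not part of the original thread: it pairs each Closed Connection record with its Initiated Connection and reports FTP control sessions that ended with FWX_E_ABORTIVE_SHUTDOWN. The reduced column set, the tab-separated layout and the 10.99.0.121 control records are assumptions constructed for the example.

```python
import csv
import io

# Constructed sample: a reduced, tab-separated export using a subset of the
# column names in the posted log. The 10.99.0.120 records repeat the posted
# values; the 10.99.0.121 records are invented as a cleanly closed control.
COLUMNS = ["Log Time", "Client IP", "Source Port", "Destination IP",
           "Destination Port", "Protocol", "Action", "Processing Time",
           "Bytes Sent", "Bytes Received", "Result Code"]
RECORDS = [
    ["4/7/2009 12:44:24 PM", "10.99.0.120", "2865", "207.46.236.102", "21", "FTP", "Initiated Connection", "0", "0", "0", "0x0 ERROR_SUCCESS"],
    ["4/7/2009 12:45:07 PM", "10.99.0.120", "2865", "207.46.236.102", "21", "FTP", "Closed Connection", "43000", "643", "709", "0x80074e21 FWX_E_ABORTIVE_SHUTDOWN"],
    ["4/7/2009 12:45:10 PM", "10.99.0.121", "3001", "207.46.236.102", "21", "FTP", "Initiated Connection", "0", "0", "0", "0x0 ERROR_SUCCESS"],
    ["4/7/2009 12:45:40 PM", "10.99.0.121", "3001", "207.46.236.102", "21", "FTP", "Closed Connection", "30000", "900", "4200", "0x80074e20 FWX_E_GRACEFUL_SHUTDOWN"],
    ["4/7/2009 12:45:47 PM", "10.99.0.120", "2881", "207.46.236.102", "21", "FTP", "Initiated Connection", "0", "0", "0", "0x0 ERROR_SUCCESS"],
    ["4/7/2009 12:46:05 PM", "10.99.0.120", "2881", "207.46.236.102", "21", "FTP", "Closed Connection", "18000", "591", "566", "0x80074e21 FWX_E_ABORTIVE_SHUTDOWN"],
]
SAMPLE = "\n".join("\t".join(row) for row in [COLUMNS] + RECORDS)

def parse(text):
    """Read the tab-separated export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))

def abortive_ftp_sessions(rows):
    """Return FTP sessions whose close record reports an abortive shutdown."""
    opened, findings = {}, []
    for r in rows:
        # A flow is identified by client address/port and server address/port.
        key = (r["Client IP"], r["Source Port"], r["Destination IP"], r["Destination Port"])
        if r["Action"] == "Initiated Connection":
            opened[key] = r["Log Time"]
        elif r["Action"] == "Closed Connection":
            start = opened.pop(key, None)  # None if the open fell outside the export
            if r["Protocol"] == "FTP" and "FWX_E_ABORTIVE_SHUTDOWN" in r["Result Code"]:
                findings.append({
                    "client": key[0], "source_port": int(key[1]), "server": key[2],
                    "opened": start, "closed": r["Log Time"],
                    "seconds": int(r["Processing Time"]) / 1000,  # logged in ms
                    "bytes_sent": int(r["Bytes Sent"]),
                    "bytes_received": int(r["Bytes Received"])})
    return findings

if __name__ == "__main__":
    for f in abortive_ftp_sessions(parse(SAMPLE)):
        print(f)
```

The time window and byte counts of each flagged session give a range to search for other records from the same client in the full log.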
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24089545
Are you able to access ftp.microsoft.com or some other FTP site using ftp.exe?
0
 
LVL 1

Author Comment

by:HHRSS2008
ID: 24089987
Yes, I can open the FTP connection, but as soon as I issue the "LS" command, the connection closes.
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24092449
To be honest, I am running out of ideas! Since you mentioned that FileZilla is working, I don't think ISA is the culprit here.

Command-line FTP only works with active mode FTP servers; can you confirm the FTP server you are using is configured in active mode?
Do you have all the updates installed for ISA 2006?
Do you have multiple IPs assigned to the external interface of ISA by any chance?
0
 
LVL 1

Author Comment

by:HHRSS2008
ID: 24093036
It turned out to be a fault of the FTP proxy filter. I ended up needing a hotfix from Microsoft to cure the problem, but you were on the right track!
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24095175
Glad you got it working! Could you provide a link for the hotfix here so anyone else experiencing the issue can also benefit?
0
 
LVL 1

Author Comment

by:HHRSS2008
ID: 24095974
I will check to see if it is OK to do that, as the hotfix was provided by MS directly and was not publicly downloadable as of yesterday.
0