Solved

Publishing FTP site on ISA 2006 on alternate port

Posted on 2009-07-07
10
1,151 Views
Last Modified: 2012-05-07
I have ISA 2006 going to a win2k3 server.  I was able to setup an ftp site quite easily on port 21.  But, I need to have additional ftp sites on the same IP.  I setup the second ftp server on the win2k3 server easily and got it running.  I have different welcome messages for each ftp site, so I know for sure which one I'm hitting.  I tried to publish the second ftp site on alternate port (currently using 99).  In ISA, it's listening on port 99 and forwarding the requests to port 99 on the win2k3 server.  In viewing the log file on my ftp client, I'm able to see that it's hitting the ftp site on port 99 for login and gets past that.  When the ftp client tries to run the port command, I get "invalid port command", which is coming from the ISA server, not the win2k3 server.  I checked the ftp logs on the server and can see the authentication requests getting through, but nothing about the invalid port command, which seems to be coming directly from ISA 2006 server.  

Any ideas on what I need to do to allow this second ftp server on ISA 2006 to get past the invalid port command error?
0
Comment
Question by:andersjj_IL
  • 5
  • 3
10 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 24794990
You would have had to crate a new protocol for TCP, 99-99, Inbound in order to do this,...but you probably forgot about the FTP Access Filter that is a requirement.

Contrary to what many believe FTP is not a simple protocol,..it is fact a very complex protocol. Hence without the Application Filter "FTP Access Filter" the ISA cannot keep up with and maintain all the port juggling that happens within the protocol.

Go to the Publsihing Rule properties
Go to the Traffic Tab
With the Protocol showing in the dropdown, select the Properties button
Select the Parameters Tab
Down in the Application Filters section enable the FTP Access Filter by checking the checkbox.
0
 

Author Comment

by:andersjj_IL
ID: 24796645
Did that, still getting error.

But, when I'm in the paramters tab off the properties button where I checked off the FTP Access filter, the "Primary connections" box is showing port 21, even though I'm trying to do this one on 99.  There are three buttons to Add Remote or Edit, but they are all greyed out.  Seems like I should be putting the 99 in there also, but it doesn't seem to be any way of doing that with the buttons.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24796954
Please tell me that you did not do this to the original FTP Protocol packaged with ISA.
Never touch the original Protocols.
Create "new" protocols and work with them for special situations like this.
Create this:
Name:  "FTP-99 Server"
Port Range: 99-99
Type: TCP
Direction: Inbound
Secondary Connections:  None
Application Filters:  FTP Access Filter
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24797045
Ok, wait let's just start over.  Delete the Publishig Rule and delete the protocol if you created one.
 Do these,..in this order:
1. Create a new protocol
     Name:  "FTP-99 Server"
     Port Range: 99-99
     Type: TCP
     Direction: Inbound
     Secondary Connections:  None
     Application Filters:  FTP Access Filter
2. Create a new Non-Web Server Publishing Rule
     Name: "Publishing, FTP-99"
     IP#:  (the IP# of the FTP Server)
     Protocol: "FTP-99 Server"  (do not touch the Ports Button)
     Listerner: External, Selected IP (IP# you want to use)

0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:andersjj_IL
ID: 24799597
hmmm....did that, still getting the same thing.  The original ftp server works fine.  I can hit the second ftp server internally fine, so it works without ISA.  I looked in the alerts tab and got this...

Description: The server publishing rule FTP-99, which maps 192.168.5.98:99:TCP to 63.xx.xx.xx:99 for the protocol TCP-99, was unable to bind a socket for the server. The server publishing rule cannot be applied.
 The failure is due to error: You were not connected because a duplicate name exists on the network. Go to System in Control Panel to change the computer name and try again.

I know all the servers on the network have a unique IP address, so not sure where the duplication would be.   The original ftp site is on this server as well, so I would think I would get an alert for both ftp publishing rules or they would both work....
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24803450
I'd say that the Rule and the Protocol are fine.  I think you have some kind of issue that is not related to ISA.
0
 

Author Comment

by:andersjj_IL
ID: 24831215
Oh well, not sure what I"m doing wrong.  I just put up a new public IP address on the ISA, put another private IP address on the ftp server, and just did it that way.  I can use another public IP on the ISA anyway, so it's not such a big deal.  That way I can just leave it on port 21 on the second public IP address...
0
 
LVL 29

Expert Comment

by:pwindell
ID: 24839317
Ok, sounds good.
 
0
 

Accepted Solution

by:
ee_auto earned 0 total points
ID: 25503158
Question PAQ'd, 500 points refunded, and stored in the solution database.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
FOPE 1 day Quarantine Notifications 4 260
Spam Email 2 238
Exchange OWA UAG question running on VMware 6 150
ISA 2004 site to site VPN 1 69
Forefront is the brand name for Microsoft's major security product. Forefront covers a number of specific security areas and has 'swallowed' a number of applications under this umbrella including Antigen, ISA Server, the Integrated Access Gateway (t…
Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now