send3045

asked on

FTP Server Configuration through TMG Edge Firewall

Hello Everyone,

I am having some issues allowing access to my ftp server from outside.
However, accessing from inside network works fine.

I have a Forefront TMG 2010 edge firewall. My network layout is Internet -------> TMG Forefront -------> Windows Web Server 2008 R2 (this server has two NICs: one is connected to the inside LAN and the other is connected to the TMG network). I ran through the setup wizard to create a new server publishing rule.

I am using the FTP Server protocol

My Firewall Policy (Non-Web Server Publish)

Traffic: FTP Server
From: External
To: Server IP (10.10.10.30)
Selected “Requests appear to come from the Forefront TMG computer”
Network: Perimeter

FTP Access Rule

Protocols: FTP
From: External
To: Server Name – (FTP Server IP Address 10.10.10.30)
Users: All Users

FTP Server: Windows Web Server 2008R2

When I try to FTP from the LAN it works. However, when I try to FTP from an external address I get the following log report in my TMG Logs Report screen:

Denied Connection TMGServer 4/11/20xx 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (xxx.xx.xxx.xx:2801)
Destination: Local Host (xxx.xx.xx.xx:21)
Protocol: FTP
I am using TMG Logs Reports to check traffic in TMG/Forefront. When I access the FTP server from the outside network, my TMG Log Report shows:

Denied Connection TMGServer 4/14/20xx 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (xxx.xx.xxx.xx:2801)
Destination: Local Host (xxx.xx.xx.xx:21)
Protocol: FTP

If you can help me to figure out this problem I would really appreciate it.

Thanks and regards,

AJ
Aaron Tomosky

In your FTP software you need to enter the port range for passive connections, and forward those ports. Also there is a place for the external IP, but I've always had to use the domain name since it will resolve when either internal or external.
send3045 (ASKER)

Hello,

I tried your solution; it did not work.

Is there a complete solution (step by step) that you can email/send me?


Thanks,

AJ
Forefront isn't my thing. I'll find something generic, though, unless another expert comes by.
I was able to access the FTP server from TMG using a different rule. This indicates that my FTP server is working. However, accessing from outside is the problem.

Thanks,

AJ
You are using passthrough (FTMG is not involved in any authentication) and I would have expected to see the rule set to 'traffic set to appear from client' rather than coming from the tmg server.

Keith,

To access from TMG to FTP server I am using Non-Web Server Publish - No Access Rule (this is for testing purpose only)

To access the FTP server from outside, I have set up an access rule and selected “Requests appear to come from the Forefront TMG computer”.

Regards,

Ramjee
Which is wrong unless you have a 'route' relationship between the external FTMG interface and the internal. Access rules are NOT used for publishing services.
This person contacted me via other means (not involving EE). The problem was in the Pub Rule: the Network = Perimeter should have been Network = External, and the Access Rule should have been deleted. I listed these in my reply to him. Not clearly shown in the original post was another problem: they had an incorrect Network Rule for Internal<-->Perimeter that simply needed to be deleted.

Before I noticed I had the message the OP had already contacted MS Support and resolved the issue, but he reported back to me that PSS told him exactly the same thing and the problem was resolved just as I had indicated in my reply to him.
ASKER CERTIFIED SOLUTION
pwindell