
FTP Server Configuration through TMG Edge Firewall

Last Modified: 2013-11-16
Hello Everyone,

I am having some issues allowing access to my ftp server from outside.
However, accessing from inside network works fine.

I have Forefront 2010 edge firewall (My network layout is Internet -------> TMG ForeFront -------> Windows Web Server 2008R2 - This server has two NICs - one is connected to the inside LAN and another one is connected to the TMG network) Network Topology. I ran through the setup wizard to create a new server publishing rule.

I am using the FTP Server protocol

My Firewall Policy (Non-Web Server Publish)

Traffic: FTP Server
From: External
To: Server IP (10.10.10.30)
Selected “Requests appear to come from the Forefront TMG computer”
Network: Perimeter

FTP Access Rule

Protocols: FTP
From: External
To: Server Name – (FTP Server IP Address 10.10.10.30)
Users: All Users

FTP Server: Windows Web Server 2008R2

When I try to ftp from the LAN it works. However, when I try to ftp from an external address I get the following log report in my TMG Logs Report screen:


Denied Connection TMGServer 4/11/20xx 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (xxx.xx.xxx.xx:2801)
Destination: Local Host (xxx.xx.xx.xx:21)
Protocol: FTP


I am using TMG Logs Reports to check traffic in TMG/Forefront. When I access FTP server from outside Network my TMG Log Report shows:

Denied Connection TMGServer 4/14/20xx 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (xxx.xx.xxx.xx:2801)
Destination: Local Host (xxx.xx.xx.xx:21)
Protocol: FTP


If you can help me figure out this problem I would really appreciate it.


Thanks and regards,


AJ

Aaron Tomosky, Director, SD-WAN Solutions
CERTIFIED EXPERT

Commented:
In your FTP software you need to enter the port range for passive connections, and forward those ports. Also there is a place for the external IP, but I've always had to use the domain name since it will resolve when either internal or external.

Author

Commented:
Hello,

I tried your solution - it did not work.

Is there a complete solution (step by step) that you can email/send me?


Thanks,

AJ
Aaron Tomosky, Director, SD-WAN Solutions
CERTIFIED EXPERT

Commented:
Forefront isn't my thing. I'll find something generic though, unless another expert comes by.
Author

Commented:
I was able to access the ftp server from TMG using a different rule. This indicates that my FTP server is working. However, accessing from outside is the problem.

Thanks,

AJ
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
You are using passthrough (FTMG is not involved in any authentication) and I would have expected to see the rule set to 'traffic set to appear from client' rather than coming from the tmg server.

Author

Commented:
Keith,

To access from TMG to the FTP server I am using Non-Web Server Publish - No Access Rule (this is for testing purposes only)

To access the FTP server from outside, I have set up an access rule and "Requests appear to come from the Forefront TMG computer"

Regards,

Ramjee
Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Which is wrong unless you have a 'route' relationship between the external FTMG interface and the internal. Access rules are NOT used for publishing services.
Most Valuable Expert 2011

Commented:
This person contacted me via other means (not involving EE). The problem was in the Pub Rule: the Network = Perimeter should have been Network = External and the Access Rule should have been deleted. I listed these in my reply to him. Not clearly shown in the original post was another problem in that they had an incorrect Network Rule for Internal<-->Perimeter that just simply needed to be deleted.

Before I noticed I had the message the OP had already contacted MS Support and resolved the issue, but he reported back to me that PSS told him exactly the same thing and the problem was resolved just as I had indicated in my reply to him.
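As an added illustration (not part of this thread, and not a TMG tool), the following Python checker parses a denied-connection record in the layout the question shows and compares the policy against the two fixes the thread arrives at: the publishing rule's listener network set to External, and no access rule used for publishing. The sample log record, its addresses and the policy dictionary layout are constructed for this example.

```python
import re

# Constructed sample of a TMG "Denied Connection" record in the layout shown in the question.
SAMPLE_LOG = """Denied Connection TMGServer 4/14/20xx 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (203.0.113.10:2801)
Destination: Local Host (198.51.100.5:21)
Protocol: FTP"""

# The policy as the question describes it (this dictionary layout is an assumption of the example).
POLICY = {
    "publishing_rules": [{"name": "FTP pub", "traffic": "FTP Server", "network": "Perimeter"}],
    "access_rules": [{"name": "FTP Access Rule", "protocols": ["FTP"], "from": "External"}],
}

def parse_tmg_record(text):
    """Turn the 'Key: value' lines into a dict; split 'Network (ip:port)' fields into parts."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$", line)
        if m:
            rec[m.group(1).lower()] = m.group(2).strip()
        else:
            rec["header"] = line.strip()   # the 'Denied Connection ...' line has no key
    for field in ("source", "destination"):
        m = re.match(r"^(.*?)\s*\((\S+?):(\d+)\)$", rec.get(field, ""))
        if m:
            rec[field] = {"network": m.group(1), "ip": m.group(2), "port": int(m.group(3))}
    return rec

def diagnose(rec, policy):
    """Return findings that tie the denied record to the misconfigurations the thread resolved."""
    findings = []
    src, dst = rec["source"], rec["destination"]
    if rec.get("rule") == "Default rule" and dst["network"] == "Local Host" and dst["port"] == 21:
        findings.append(f"FTP request from {src['network']} reached TMG itself and hit the Default rule: "
                        "no server publishing listener matched it")
    for pr in policy["publishing_rules"]:
        if pr["traffic"] == "FTP Server" and pr["network"] != "External":
            findings.append(f"publishing rule '{pr['name']}' listens on {pr['network']}; "
                            "Internet-facing publishing listens on External")
    for ar in policy["access_rules"]:
        if "FTP" in ar["protocols"] and ar["from"] == "External":
            findings.append(f"access rule '{ar['name']}' allows FTP from External; "
                            "access rules are not used for publishing, delete it")
    return findings
```

Running `diagnose(parse_tmg_record(SAMPLE_LOG), POLICY)` yields three findings; after the publishing rule's network is changed to External and the access rule removed, only the note about the logged denial itself remains.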