send3045
asked on
FTP Server Configuration through TMG Edge Firewall
Hello Everyone,
I am having some issues allowing access to my ftp server from outside.
However, accessing from inside network works fine.
I have a Forefront 2010 edge firewall. My network topology is Internet -------> TMG Forefront -------> Windows Web Server 2008 R2; this server has two NICs, one connected to the inside LAN and the other connected to the TMG network. I ran through the setup wizard and created a new server publishing rule.
I am using the FTP Server protocol
My Firewall Policy (Non-Web Server Publish)
Traffic: FTP Server
From: External
To: Server IP (10.10.10.30)
Selected “Requests appear to come from the Forefront TMG computer”
Network: Perimeter
FTP Access Rule
Protocols: FTP
From: External
To: Server Name – (FTP Server IP Address 10.10.10.30)
Users: All Users
FTP Server: Windows Web Server 2008R2
When I try to ftp from the LAN it works. However, when I try to ftp from an external address I get the following log entry in my TMG Logs Report screen:
Denied Connection TMGServer 4/11/20xx 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (xxx.xx.xxx.xx:2801)
Destination: Local Host (xxx.xx.xx.xx:21)
Protocol: FTP
I am using TMG Logs Reports to check traffic in TMG/Forefront. When I access the FTP server from outside the network my TMG Log Report shows:
Denied Connection TMGServer 4/14/20xx 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (xxx.xx.xxx.xx:2801)
Destination: Local Host (xxx.xx.xx.xx:21)
Protocol: FTP
If you can help me figure out this problem I would really appreciate it.
Thanks and regards,
AJ
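As an added example that is not part of the thread, a small Python parser for the TMG log viewer entry quoted above; it compares the denied connection against the publishing rule as listed in the question (the rule dict is an assumption drawn from that listing) and reports which conditions of that rule the connection does not satisfy, which is the first thing to check when the Default rule is the one that fires.

```python
import re

# Constructed copy of the "Denied Connection" entry quoted in the question.
TMG_LOG = """Denied Connection TMGServer 4/11/20xx 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (xxx.xx.xxx.xx:2801)
Destination: Local Host (xxx.xx.xx.xx:21)
Protocol: FTP"""

# The publishing rule as listed in the question (assumed to be the only allow rule).
PUBLISH_RULE = {"from_networks": {"External"}, "to_port": 21}

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.+)$")
ENDPOINT_RE = re.compile(r"^(.+?)\s*\(([^:()]+):(\d+)\)$")


def parse_tmg_entry(text):
    """Parse one TMG log viewer entry; Source/Destination become network/host/port dicts."""
    lines = text.strip().splitlines()
    entry = {"action": lines[0].split()[0]}  # "Denied" or "Allowed"
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower().replace(" ", "_"), m.group(2).strip()
        ep = ENDPOINT_RE.match(value)
        if ep:  # e.g. "Perimeter (xxx.xx.xxx.xx:2801)" -> network name, host, port
            entry[key] = {"network": ep.group(1), "host": ep.group(2), "port": int(ep.group(3))}
        else:
            entry[key] = value
    return entry


def diagnose(entry, rule):
    """List the conditions of the allow rule that this connection fails to meet."""
    findings = []
    if entry.get("rule") == "Default rule":
        findings.append("hit the Default rule: no allow rule matched this connection")
    src_net = entry["source"]["network"]
    if src_net not in rule["from_networks"]:
        findings.append(f"source network {src_net!r} not in rule From set {sorted(rule['from_networks'])}")
    if entry["destination"]["port"] != rule["to_port"]:
        findings.append(f"destination port {entry['destination']['port']} differs from rule port {rule['to_port']}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_tmg_entry(TMG_LOG), PUBLISH_RULE):
        print("-", finding)
```

An empty result from `diagnose` means the listed rule should have matched and the denial has another cause (rule order, network rule, or protocol definition).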
I have already pointed out where you appear to be going wrong on your previous question.
ASKER
Keith,
I deleted the previous rules (non-publish rule and access rule), created a new network rule and a new Non-Web Server Publish rule - still getting the same msg. Any ideas?
Only one rule is required to allow external access to the ftp service and this is a non-web publishing rule. This rule handles inbound traffic from the internet plus return traffic.
An allow ACCESS rule is required for outbound (to the internet) for traffic that is initiated from the ftp server (does not include reply traffic, just new connections).
Have you deployed the FTMG sp1 and all the updates yet?
ASKER
thanks,
Yes - I recently deployed sp1 and all updates.
Question: Since my test rule (accessing the FTP server from TMG) worked, is there something I should look into?
ASKER
Keith,
Do you have any suggestions for me?
Regards,
AJ