• Status: Solved
  • Priority: Medium
  • Security: Public

FTP Server Configuration through TMG Edge Firewall

Hello Everyone,

I am having some issues allowing access to my ftp server from outside.
However, accessing from inside network works fine.

I have a Forefront 2010 edge firewall (my network layout is Internet -> TMG Forefront -> Windows Web Server 2008 R2; this server has two NICs, one connected to the inside LAN and another one connected to the TMG network). I ran through the setup wizard to create a new server publishing rule.

I am using the FTP Server protocol

My Firewall Policy (Non-Web Server Publish)

Traffic: FTP Server
From: External
To: Server IP (10.10.10.30)
Selected “Requests appear to come from the Forefront TMG computer”
Network: Perimeter

FTP Access Rule

Protocols: FTP
From: External
To: Server Name – (FTP Server IP Address 10.10.10.30)
Users: All Users

FTP Server: Windows Web Server 2008R2

When I try to ftp from the LAN it works. However, when I try to ftp from an external address I get the following log report in my TMG Logs Report screen:


Denied Connection TMGServer 4/11/20xx 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (xxx.xx.xxx.xx:2801)
Destination: Local Host (xxx.xx.xx.xx:21)
Protocol: FTP


I am using TMG Logs Reports to check traffic in TMG/Forefront. When I access FTP server from outside Network my TMG Log Report shows:

Denied Connection TMGServer 4/14/20xx 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (xxx.xx.xxx.xx:2801)
Destination: Local Host (xxx.xx.xx.xx:21)
Protocol: FTP


If you can help me figure out this problem, I would really appreciate it.


Thanks and regards,


AJ
send3045
Asked:
 
Keith Alabaster Commented:
I have already pointed out where you appear to be going wrong on your previous question.
 
send3045 (Author) Commented:
Keith,

I deleted the previous rules (non-publish rule and access rule), created a new network rule and a new Non-Web Server Publish rule - still getting the same msg. Any ideas?
 
Keith Alabaster Commented:
Only one rule is required to allow external access to the ftp service and this is a non-web publishing rule. This rule handles inbound traffic from the internet plus return traffic.
An allow ACCESS rule is required for outbound (to the internet) for traffic that is initiated from the ftp server (does not include reply traffic, just new connections).

Have you deployed the FTMG sp1 and all the updates yet?
 
send3045 (Author) Commented:
Thanks,

Yes - I recently deployed sp1 and all updates.

Question: Since my test rule (accessing the FTP server from TMG) worked, is there something that I should look into?
 
send3045 (Author) Commented:
Keith,

Do you have any suggestions for me?

Regards,

AJ
 
send3045 (Author) Commented:
Hello Everyone,

Thank you all for your help. We have resolved our issue.

We called Microsoft and Keith A. Abluton helped us to sort out our issue. Many thanks to Microsoft and full credit goes to Keith.

 
Solution

 

Non-web Server Protocol Publishing Rules will not work on a Forefront TMG 2010 that was installed as a Back Firewall unless the Perimeter Network is removed. The following step is required to remove the perimeter network:

On the Network Rules tab in Networking, remove the Perimeter Network rules (we had two rules, rule 4 and 5, listed as Perimeter Network Rules) and keep the External (built-in network) Network Rule.

To configure the Non-web Server Protocol Publishing FTP rule, please click this link: http://technet.microsoft.com/en-us/library/cc995163.aspx . For more information about how to create an FTP server, please refer to the following link:

http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-FTP-and-FTP-Server-publishing.html

You must also configure your FTP service on IIS for FTP with firewalls:

http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/
http://www.iis.net/ConfigReference/system.applicationHost/sites/siteDefaults/ftpServer/firewallSupport


Regards,
AJ
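
The denied entry quoted in the question classifies the outside client as Perimeter, while the publishing rule accepts traffic From: External, which is consistent with the fix of removing the Perimeter network. The following is an added example (not part of the original thread and not Microsoft tooling) that parses that detail-pane text and reports the mismatch; the rule dictionary, its name and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the detail-pane text quoted in the question (addresses masked as on the page).
SAMPLE_ENTRY = """\
Denied Connection TMGServer 4/14/20xx 10:26:28 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (xxx.xx.xxx.xx:2801)
Destination: Local Host (xxx.xx.xx.xx:21)
Protocol: FTP
"""

# Assumption: a hand-written summary of the publishing rule from the question, not a TMG export format.
PUBLISH_RULE = {"name": "FTP Server publish", "protocol": "FTP", "from": "External"}

# "Network name (address:port)" as shown in the Source and Destination fields.
ENDPOINT = re.compile(r"^(?P<network>.+?)\s*\((?P<addr>[^:()]+):(?P<port>\d+)\)$")


def parse_entry(text):
    """Parse one log entry into a dict; Source/Destination become network/addr/port dicts."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    entry = {"headline": lines[0]}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Key: value" line
        key, value = key.strip().lower(), value.strip()
        match = ENDPOINT.match(value) if key in ("source", "destination") else None
        entry[key] = match.groupdict() if match else value
    return entry


def diagnose(entry, rule):
    """List the reasons, visible in the entry itself, why the rule could not have matched."""
    if not entry["headline"].startswith("Denied") or entry.get("rule") != "Default rule":
        return []  # allowed, or denied by a specific rule: nothing to compare
    findings = []
    if entry.get("protocol") != rule["protocol"]:
        findings.append(f"protocol {entry.get('protocol')!r} is not {rule['protocol']!r}")
    src = entry.get("source")
    if isinstance(src, dict) and src["network"] != rule["from"]:
        findings.append(f"source network {src['network']!r} is not the rule's From network {rule['from']!r}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_entry(SAMPLE_ENTRY), PUBLISH_RULE):
        print(finding)
```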