pfpoulsen asked:
Publishing FTP through TMG 2010: the listener does not "hear" FTP packets

Hi All

I'm trying to publish an FTP site hosted on IIS 7.5 through TMG 2010.
I've configured the FTP site to run passive and I'm using port range 5000-5005.

I'm running a front-end / back-end firewall setup: ASA at the front <-> DMZ <-> TMG 2010.

I've allowed port 21 and port range 5000-5005 from the ASA to the TMG. So far so good.

On the TMG I've made a "publish non-web-server" rule to publish my internal FTP server. I'm listening for port 21 connections on my Perimeter network (connected to the ASA).

But the FTP traffic is not matching my publishing rule; instead it's matching my Default rule (deny any any) :-(

I'm sure that the FTP request is coming in on the Perimeter network, but why is it not matching my publishing rule??

Best Regards, Steffen
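As an added example that is not part of the original thread (and not the asker's, IIS's or TMG's code): a small Python check of what a passive-mode FTP server actually advertises in its 227 reply. Once the control channel on port 21 is reachable, published passive FTP usually breaks at exactly this point, because the server hands the client an IP or a port that the front and back firewalls never opened. The public address 203.0.113.10 and the three sample replies are constructed for the example; the 5000-5005 range is the one described in the question.

```python
import re
import socket
from ftplib import FTP

# Constructed values for this example (not from the original thread). The
# public address is a TEST-NET-3 placeholder standing in for the censored
# 77.xx.xx.xx in the post; the range is the one the asker configured.
PUBLIC_IP = "203.0.113.10"
PASSIVE_LOW, PASSIVE_HIGH = 5000, 5005

# Constructed 227 replies as an FTP server might send them.
SAMPLE_REPLIES = {
    # advertises the public IP and a port inside 5000-5005: client can connect
    "good": "227 Entering Passive Mode (203,0,113,10,19,136).",
    # advertises the server's private IP: the data connection goes nowhere
    "private_ip": "227 Entering Passive Mode (192,168,10,20,19,137).",
    # advertises an ephemeral port the firewalls never opened
    "out_of_range": "227 Entering Passive Mode (203,0,113,10,195,80).",
}

# RFC 959 format: 227 <text> (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or raise ValueError."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, public_ip=PUBLIC_IP, low=PASSIVE_LOW, high=PASSIVE_HIGH):
    """Check that a 227 reply points at an address and port the firewalls publish."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != public_ip:
        # Classic NAT failure: the server names its own private address.
        problems.append(
            "server advertises %s but clients must reach %s (set the external IP "
            "in IIS FTP Firewall Support, or let the firewall rewrite PASV)"
            % (ip, public_ip))
    if not low <= port <= high:
        # Port outside the range the ASA and TMG rules allow.
        problems.append(
            "data port %d is outside the published range %d-%d" % (port, low, high))
    return {"ip": ip, "port": port, "ok": not problems, "problems": problems}


def live_probe(host, user="anonymous", passwd="probe@example.invalid",
               port=21, timeout=10):
    """Log in to a real server, issue PASV and run the same check on its reply.
    Needs network access; not used by the offline sample run below."""
    ftp = FTP()
    ftp.connect(host, port, timeout)
    try:
        ftp.login(user, passwd)
        # The advertised address must equal the address the client connected to.
        return check_pasv(ftp.sendcmd("PASV"), public_ip=socket.gethostbyname(host))
    finally:
        ftp.close()


if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        result = check_pasv(reply)
        print(name, "OK" if result["ok"] else "FAIL", result["ip"], result["port"])
        for problem in result["problems"]:
            print("   -", problem)
```

Run it as-is to see the three constructed cases classified; call `live_probe("ftp.example.invalid")` against your own published server to see what real clients are being told. Only the "good" case passes: the private-IP case and the out-of-range case both produce a control channel that logs in fine and a data channel that hangs, which is what an "it connects but directory listings time out" report usually means behind a pair of firewalls.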
Keith Alabaster replied:
The TMG external NIC is called the External network rather than Perimeter. Perimeter is the default name given to a network created if you had a 3rd NIC in the TMG and were trying to create the DMZ on that interface, a sort of "DMZ on a stick" as we used to call it.

Can you post a screenshot of the deny messages you are seeing in the TMG real-time log as FTP requests are received?
Did you select the built-in FTP Server protocol and select the FTP filter, as in the attachment?
[attachment: ftp.JPG]
pfpoulsen (asker) replied:
Hi
In our setup the external NIC is called Perimeter, so it is not the wrong NIC. I can also see the public IP on the Perimeter NIC in TMG.

The deny message in the live log looks like this (I've censored the public IP :-))

Denied Connection TMG-1 13-02-2012 09:37:59
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (78.156.212.218:49334)
Destination: Local Host (77.xx.xx.xx1:21)
Protocol: FTP

And to the second question: yes, I use the built-in FTP protocol, and I selected the FTP access filter...

Any suggestions? :)
Just to confirm: FTP Server protocol, not FTP protocol?
Custom protocol. See attached. But I have tried the FTP Server protocol too. It's just port 21 that should match, right?

Denied Connection TMG-1 13-02-2012 09:37:59
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Perimeter (78.156.212.218:49334)
Destination: Local Host (77.xx.xx.xx1:21)
Protocol: FTP
[attachment: FTP.PNG]
Even if I make a normal access rule and allow port 21 inbound from any source port, from Perimeter to Local Host, I still get this in the live log .. :/ Damn Microsoft firewall ...

Denied Connection TMG-1 13-02-2012 12:54:24
Log type: Firewall service
Status: The policy rules do not allow the user request.  
Rule: Default rule
Source: Perimeter (78.156.212.218:49401)
Destination: Local Host (77.xx.xx.xx:21)
Protocol: FTP
ASKER CERTIFIED SOLUTION by pwindell (the solution text is only available to members and is not reproduced on this page)
Also tried to use the default protocol. I'm actually using it now; still the same.. :/
You also mentioned an access rule. You must use a non-web publishing rule, not an access rule?
Access rules are for outbound traffic scenarios, or for inbound traffic when there is a route relationship between the external and internal interfaces, which we know you do not have.
Also, get the TMG up to date. I think there may have been some FTP-related issues in the earlier stages of TMG, but I don't remember any real details... maybe Keith knows.

You need to apply SP1, then the SP1 Rollup, then SP2, if I remember that correctly.
That's correct in respect to the sequence, but FTP worked OK for TMG even in the RTM release.
It's not an access rule I use; it IS a "non-web server publishing rule". The access rule was just a try since it's not working.. :(

On the TMG I've made a "publish non-web-server" rule to publish my internal FTP server. I'm listening for port 21 connections on my Perimeter network (connected to the ASA).

I should be running the latest version: 7.0.9193.500

http://technet.microsoft.com/en-us/forefront/ff899332
Maybe this explains why it is not working for me?

http://fixmyitsystem.com/2011/05/tmg-non-web-server-protocol-does-not.html

"Non-web Server protocol publishing rules will not work on a Forefront 2010 TMG that was configured as a Back Firewall unless the Perimeter Network is removed"
Could be something to that. I never choose Back Firewall; I always choose Edge no matter what, unless it is a single-NIC box. A "back" firewall is not expected to have a perimeter (DMZ) because the DMZ is already the same as the External, which is between it and the front firewall. Having a 2nd, 3rd, or 4th network on the back firewall is probably fine as long as the "type" chosen during their config was "Internal".