Solved

Publish a FTP Server on Forefront TMG not working

Posted on 2012-03-22
Last Modified: 2012-08-20
Hi,

I published my FTP server on TMG but for some reason it doesn't work. I don't receive any errors and I'm lost already.

Here is what I have and did:

I have an FTP server on 192.168.1.243 with IIS 7. I created the FTP site with the following features:
- using a self-signed SSL certificate that I created in IIS Server Certificates.
- Basic authentication enabled
- Authorization rules: Allow all users read/write
- FTP Firewall support: Data channel ports 0-0, Firewall's External IP address (I assumed it is the public IP on the external NIC on Forefront). I did this just as my last resort.

I tested on the LAN and it works.

I have a Forefront TMG server on 192.168.1.248 and public IP 190.12.83.19. It is a perimeter firewall. The external NIC doesn't have a DNS set.

I have three policies that I'll describe in order.
I created an access rule called Resend DNS to ISP
- Allow
- Protocol DNS
- From: DNS server
- To External

Web Access access rule:
- Allow
- Protocol FTP, FTP through HTTP, HTTP, HTTPS, Live Messenger, FTP Server, HTTPS Server
- From Internal
- To All networks (and local host). I also put External.

I published a non web server protocol called Acceso FTP with the following features:
- Traffic: FTP Server. Removed the Read only check, the FTP Access filter is checked, the port is 21
- From: anywhere. I also put External, just in case.
- To: 192.168.1.243 (FTP server IP). The requests seem to come from the Forefront TMG machine.
- Networks: External and Internal

Then, on my external computer I open CMD and run ftp 190.12.83.19. After some time the ftp> prompt appears but I am not connected. What should happen is that it asks me for my user and password.
Question by: AxlTrauts
17 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37754008
Define perimeter firewall - in TMG terms they are either frontend, backend or proxy only - which did you select? It matters due to the relationship between the TMG and other networks, i.e. route or NAT.

The ONLY thing you should have needed to do was run the non-web publishing rule, selected FTP Server and assigned it on the external interface. Oh, and the FTP server needs to have TMG either as the default gateway or on the default route path back to the Internet.
 

Author Comment

by:AxlTrauts
ID: 37754367
Hi,

Perimeter Firewall is what I chose on my network template. The topology shows, in this order:
Internal network - Local host - External network - VPN clients network. I am translating because my Windows is in Spanish.

I set the default gateway on the FTP server NIC as the internal NIC of my TMG server. Still nothing... should I reset the server?
 

Author Comment

by:AxlTrauts
ID: 37754465
I read an English Forefront template; it's not literally perimeter firewall, it is Edge Firewall.

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37755037
OK - so the network relationship between the internal and external TMG nics will be NAT - good.

Change your web access rule and remove external. You REALLY do not want that!! :)
DNS rule is fine

I am still bothered about the FTP publishing rule though. The read-only check is for access rules, not publishing rules. The network should be just external.

Run up the TMG best practice analyser - what does it report?
What do you see in the TMG real-time log monitor when an external FTP attempt is made?
 

Author Comment

by:AxlTrauts
ID: 37757147
I read there is an error that seems to be related to there not being a valid network listener. It also says that there needs to be a network relationship between the selected network listeners and the published server.
Error location 325.958.7.0.9027.400

I'm investigating about this.

20/03/2012 11:43:01 a.m. - Error en la regla de publicación de servidor Acceso FTP debido a que no existe una escucha de red válida. Para que las solicitudes alcancen el servidor publicado, debe existir una relación de redes entre las redes de la escucha seleccionada y el servidor publicado. Ubicación del error: 325.958.7.0.9027.400.
 El error se debe a lo siguiente: Datos no válidos.
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 37757244
In the TMG GUI, select networking, network rules. There should be a relationship between internal --> external set to NAT, not route.

When you made the non-web publishing rule you will have entered the private, internal IP address of the FTP server, selected FTP Server and selected only the external interface.
 

Author Comment

by:AxlTrauts
ID: 37757594
There is one network rule called Internet Access:
From: VPN clients, quarantine VPN clients, Internal
To: External
Nat relationship
Use the default IP address.

Still, nothing, if I execute FTP 190.12.83.19 (public IP for the TMG server) nothing happens...
 

Author Comment

by:AxlTrauts
ID: 37763244
The logs show me this when I try (translated):

Connection denied VMSRVSEC 25/03/2012 01:52:55 p.m.
Tipo de registro: firewall service
Status: the action cannot be performed because the session not authenticated.  
Rule: Web access
from: Internal (190.239.86.157:52376)
to: Host local (190.12.83.19:21)
Protocol: FTP
 Información adicional
Número de bytes enviados: 0 Número de bytes recibidos: 0
Tiempo de procesamiento: 0ms IP del cliente original: 190.239.86.157
 

Author Comment

by:AxlTrauts
ID: 37777567
Please? Any help?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37779137
If nothing happens then the FTP traffic cannot be reaching the TMG server, can it?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37779152
Look at your error message. FROM Internal TO localhost - what is that all about? If you are publishing the FTP server then it should be FROM external.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37779160
The TO box should be the internal IP address of the FTP server.
 

Author Comment

by:AxlTrauts
ID: 37779244
The non-web publishing rule called FTP Access goes from External to the server IP address.

There is an access rule called Internet Access, which goes from Internal to External... I guess that has nothing to do with this.

-----------------------------------------------------------
I have two errors (translating again)
Description: The server publishing rule FTP failed because there was no valid network listener. For requests to reach the published server there must be a network relationship between the selected listener networks and the published server. Error location: 325.958.7.0.9027.400.
The error is because of the following: Invalid data.

Now I KNOW there is a network relationship fail... but still can't see it.
The Network relationship is NAT, from Internal to External..
-----------------------------------------------------------
The second error is when I run the real time logging and each Time I execute "ftp 190.12.83.19" on an external network:
Connection denied VMSRVSEC 25/03/2012 01:52:55 p.m.
Tipo de registro: firewall service
Status: the action cannot be performed because the session not authenticated.  
Rule: Web access
from: Internal (190.239.86.157:52376)
to: Host local (190.12.83.19:21)
Protocol: FTP
 Información adicional
Número de bytes enviados: 0 Número de bytes recibidos: 0
Tiempo de procesamiento: 0ms IP del cliente original: 190.239.86.157


- I read there is an error that seems to be related to there not being a valid network listener. It also says that there needs to be a network relationship between the selected network listeners and the published server.
Error location 325.958.7.0.9027.400
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37779256
I hear what you are saying - but that is NOT what your message above shows, is it. It is showing that the Web Access rule is FROM internal TO host local.
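The log line Keith points at is the key clue: TMG places a source in a network by configured address range, and then walks the policy top-down, first match wins, so a public client logged as "from Internal" will never reach a publishing rule whose From is External. As an added example (not from the thread, and not TMG's own code), here is a small Python model of that classification and first-match evaluation over the asker's rule set; the address ranges, the rule shapes and the oversized-Internal variant are assumptions constructed for the demonstration.

```python
# Added example: model of TMG source-network classification (by address range)
# followed by first-match policy evaluation over the rules described in the thread.
# All ranges and rule shapes are constructed assumptions, not values from TMG.
import re
from ipaddress import ip_address, ip_network

# Local Host is listed first because TMG's own LAN address sits inside 192.168.1.0/24.
LAN_ONLY = {
    "Local Host": ["192.168.1.248/32", "190.12.83.19/32"],
    "Internal": ["192.168.1.0/24"],
}
# Assumed misconfiguration: the Internal range swallows public address space too.
OVERSIZED = {
    "Local Host": ["192.168.1.248/32", "190.12.83.19/32"],
    "Internal": ["0.0.0.0/0"],
}

def classify(ip: str, networks: dict) -> str:
    """Return the TMG network that owns ip; External is everything left over."""
    addr = ip_address(ip)
    for name, ranges in networks.items():
        if any(addr in ip_network(r) for r in ranges):
            return name
    return "External"

# Policy in the order the asker described it. A server publishing rule is modelled
# as matching traffic aimed at its listener address from the listed network.
RULES = [
    {"name": "Resend DNS to ISP", "from": {"DNS server"}, "to": {"External"}, "protos": {"DNS"}},
    {"name": "Acceso FTP", "from": {"External"}, "listener": "190.12.83.19", "protos": {"FTP"}},
    {"name": "Web Access", "from": {"Internal"}, "to": {"All Networks", "Local Host"},
     "protos": {"FTP", "HTTP", "HTTPS"}},
]

def first_match(src: str, dst: str, proto: str, networks: dict) -> str:
    """Name of the first rule that matches, or the default deny rule."""
    src_net, dst_net = classify(src, networks), classify(dst, networks)
    for r in RULES:
        if proto not in r["protos"] or src_net not in r["from"]:
            continue
        if "listener" in r and dst == r["listener"]:
            return r["name"]
        if "to" in r and ("All Networks" in r["to"] or dst_net in r["to"]):
            return r["name"]
    return "Default rule (deny)"

LOG_FROM = re.compile(r"from:\s*(?P<net>[^(]+?)\s*\((?P<ip>[\d.]+):\d+\)")

def check_log_line(line: str, networks: dict) -> tuple:
    """Parse a 'from: Network (ip:port)' log line and compare the network TMG
    logged with the one the configured ranges would assign to that ip."""
    m = LOG_FROM.search(line)
    logged, ip = m.group("net"), m.group("ip")
    expected = classify(ip, networks)
    return logged, expected, logged == expected
```

Running check_log_line on the asker's log line against a LAN-only Internal definition reports a mismatch, which is the check to make in the Networks node before touching rule order.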
 

Author Comment

by:AxlTrauts
ID: 37779396
Yes! that was it.
I was definitely not reading AT ALL.

So I did the following:

I moved the FTP Access rule (the non-web rule that has From External To FTP Server IP) "above and below" the Web Access rule (the rule that has From Internal To All networks and Local Host). The FTP Access rule is ignored and the Web Access rule (which has the FTP Server and FTP protocols on it) denies the connection.

By the way, I did what you asked on the Web Access rule, but it bypasses both rules, FTP Access and Web Access, and goes to the default rule, which ignores everything... So I changed it back.
 

Author Comment

by:AxlTrauts
ID: 37779415
Now the "Web Access" access rule is set from Internal to External.
The "FTP Access" non-web publishing rule is still ignored... that should be the one...
 

Author Comment

by:AxlTrauts
ID: 37852399
So, any other help? I'm planning to start from zero with Forefront and see what happens.
