Solved

Publishing an FTP Server on Forefront TMG not working

Posted on 2012-03-22
17
2,022 Views
Last Modified: 2012-08-20
Hi,

I published my FTP server on TMG but for some reason it doesn't work. I don't receive any errors and I'm lost already.

Here is what I have and did:

I have an FTP server on 192.168.1.243 with IIS 7. I created the FTP site with the following features:
- using a self-signed SSL certificate that I created under IIS Server Certificates.
- Basic authentication enabled
- Authorization rules: Allow all users read/write
- FTP Firewall support: Data channel ports 0-0, Firewall's External IP address (I assumed it is the public IP on the external NIC on Forefront). I did this just as my last resort.

I tested on the LAN and it works.

I have a Forefront TMG server on 192.168.1.248 and public IP 190.12.83.19. It is a perimeter firewall. The external NIC doesn't have a DNS set.

I have three policies that I'll describe in order.
I created an access rule called Resend DNS to ISP
- Allow
- Protocol DNS
- From: DNS server
- To External

Web Access access rule:
- Allow
- Protocol FTP, FTP through HTTP, HTTP, HTTPS, Live Messenger, FTP Server, HTTPS Server
- From Internal
- To All networks (and local host). I also put External.

I published a non-web server protocol called Acceso FTP with the following features:
- Traffic: FTP Server. Removed the Read only check, the FTP Access filter is checked, the port is 21
- From: anywhere. I also put External, just in case.
- To: 192.168.1.243 (FTP server IP). The requests seem to come from the Forefront TMG machine.
- Networks: External and Internal

Then, on my external computer I open CMD and run ftp 190.12.83.19. After some time the ftp> prompt appears but I am not connected. What should happen is that it asks me for my user and password.
0
Question by:AxlTrauts
17 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37754008
Define perimeter firewall - in TMG terms they are either frontend, backend or proxy only - which did you select? It matters due to the relationship between the TMG and other networks, i.e. route or NAT.

The ONLY thing you should have needed to do was run the non-web publishing rule, select FTP Server and assign it on the external interface. Oh, and the FTP server needs to have TMG either as the default gateway or on the default route path back to the Internet.
0
 

Author Comment

by:AxlTrauts
ID: 37754367
Hi,

Perimeter Firewall is what I chose on my network template. The topology is shown in this order:
Internal network - Local host - External network - VPN clients network. I am translating because my Windows is in Spanish.

I set the default gateway on the FTP server NIC as the Internal NIC of my TMG server. Still nothing... should I reset the server?
0
 

Author Comment

by:AxlTrauts
ID: 37754465
I read an English Forefront template; it's not literally "perimeter firewall", it is "Edge Firewall".
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37755037
OK - so the network relationship between the internal and external TMG NICs will be NAT - good.

Change your web access rule and remove external. You REALLY do not want that!! :)
DNS rule is fine

I am still bothered about the FTP publishing rule though. The read-only check is for access rules, not publishing rules. The network should be just external.

Run up the TMG best practice analyser - what does it report?
What do you see in the TMG real-time log monitor when an external FTP attempt is made?
0
 

Author Comment

by:AxlTrauts
ID: 37757147
I read there is an error that seems to be related to there not being a valid network listener. It also says that there needs to be a network relationship between the selected network listeners and the published server.
Error location: 325.958.7.0.9027.400

I'm investigating about this.

20/03/2012 11:43:01 a.m. - Error en la regla de publicación de servidor Acceso FTP debido a que no existe una escucha de red válida. Para que las solicitudes alcancen el servidor publicado, debe existir una relación de redes entre las redes de la escucha seleccionada y el servidor publicado. Ubicación del error: 325.958.7.0.9027.400.
 El error se debe a lo siguiente: Datos no válidos.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 37757244
In the TMG GUI, select Networking, Network Rules. There should be a relationship between internal --> external set to NAT, not route.

When you made the non-web publishing rule you will have entered in the private, internal ip address of the FTP server, selected FTP Server and selected only the external interface.
0
 

Author Comment

by:AxlTrauts
ID: 37757594
There is one network rule called Internet Access:
From: VPN clients, Quarantined VPN clients, Internal
To: External
NAT relationship
Use the default IP address.

Still, nothing, if I execute FTP 190.12.83.19 (public IP for the TMG server) nothing happens...
0
 

Author Comment

by:AxlTrauts
ID: 37763244
The logs show me this when I try (translated):

Connection denied VMSRVSEC 25/03/2012 01:52:55 p.m.
Tipo de registro: firewall service
Status: the action cannot be performed because the session not authenticated.  
Rule: Web access
from: Internal (190.239.86.157:52376)
to: Host local (190.12.83.19:21)
Protocol: FTP
 Información adicional
Número de bytes enviados: 0 Número de bytes recibidos: 0
Tiempo de procesamiento: 0ms IP del cliente original: 190.239.86.157
0

Author Comment

by:AxlTrauts
ID: 37777567
Please? Any help?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37779137
If nothing happens then the FTP traffic cannot be reaching the TMG server, can it?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37779152
Look at your error message. FROM Internal TO localhost - what is that all about? If you are publishing the FTP server then it should be FROM External.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37779160
The TO box should be the internal IP address of the FTP server.
0
 

Author Comment

by:AxlTrauts
ID: 37779244
The non-web publishing rule called FTP Access goes from External to the server's IP address.

There is an access rule called Internet Access, which goes from Internal to External... I guess that has nothing to do with this.

-----------------------------------------------------------
I have two errors (translating again)
Description: The server publishing rule FTP failed because there was no valid network listener. For requests to reach the published server there must be a network relationship between the selected listener networks and the published server. Error location: 325.958.7.0.9027.400.
The error is because of the following: Invalid data.

Now I KNOW there is a network relationship failure... but I still can't see it.
The network relationship is NAT, from Internal to External.
-----------------------------------------------------------
The second error is what I see when I run the real-time logging, each time I execute "ftp 190.12.83.19" from an external network:
Connection denied VMSRVSEC 25/03/2012 01:52:55 p.m.
Tipo de registro: firewall service
Status: the action cannot be performed because the session not authenticated.  
Rule: Web access
from: Internal (190.239.86.157:52376)
to: Host local (190.12.83.19:21)
Protocol: FTP
 Información adicional
Número de bytes enviados: 0 Número de bytes recibidos: 0
Tiempo de procesamiento: 0ms IP del cliente original: 190.239.86.157


- I read there is an error that seems to be related to there not being a valid network listener. It also says that there needs to be a network relationship between the selected network listeners and the published server.
Error location: 325.958.7.0.9027.400
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37779256
I hear what you are saying - but that is NOT what your message above shows, is it? It is showing that the Web Access rule is FROM Internal TO Local Host.
0
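The diagnostic step Keith is applying above is to read three fields of the denied-connection entry: which rule matched, which network TMG classified the source into, and what the destination was. The following is an added example, not code from the thread or from Microsoft, that parses entries in the translated key: value layout quoted in the thread and flags an FTP publishing test whose hit does not look like a publishing-rule match. The first sample entry is the one quoted above; the second (rule "Acceso FTP" from External to 192.168.1.243:21) is constructed and assumes that a successful server-publishing hit logs the published server's internal address as the destination, as Keith's "TO box" comment suggests.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log, modelled on the translated TMG real-time log entry
# quoted in the thread. Entry 1 is the denied hit from the thread; entry 2 is
# an assumed healthy publishing-rule hit, invented here for contrast.
SAMPLE_LOG = """\
Connection denied VMSRVSEC 25/03/2012 01:52:55 p.m.
Status: the action cannot be performed because the session not authenticated.
Rule: Web access
from: Internal (190.239.86.157:52376)
to: Host local (190.12.83.19:21)
Protocol: FTP

Connection initiated VMSRVSEC 25/03/2012 02:10:12 p.m.
Rule: Acceso FTP
from: External (190.239.86.157:52401)
to: 192.168.1.243:21
Protocol: FTP Server
"""


@dataclass
class LogEntry:
    result: str                       # "denied" / "initiated" from the header line
    rule: Optional[str] = None
    src_network: Optional[str] = None
    src_ip: Optional[str] = None
    dst_network: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None


HEADER_RE = re.compile(r"^Connection\s+(\w+)")
# Matches both "Internal (190.239.86.157:52376)" and a bare "192.168.1.243:21".
ENDPOINT_RE = re.compile(
    r"^(?:(?P<net>[^()]+?)\s*\()?(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\)?$"
)


def parse_endpoint(value: str) -> Tuple[Optional[str], Optional[str], Optional[int]]:
    """Split a from/to field into (network name, IP, port)."""
    m = ENDPOINT_RE.match(value.strip())
    if not m:
        return None, None, None
    net = m.group("net").strip() if m.group("net") else None
    return net, m.group("ip"), int(m.group("port"))


def parse_log(text: str) -> List[LogEntry]:
    """Parse blank-line separated entries; the first line of each is the header."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])  # header holds a time, so do not split it on ':'
        entry = LogEntry(result=m.group(1).lower() if m else "unknown")
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if not sep:
                continue
            key, value = key.strip().lower(), value.strip()
            if key == "rule":
                entry.rule = value
            elif key == "from":
                entry.src_network, entry.src_ip, _ = parse_endpoint(value)
            elif key == "to":
                entry.dst_network, entry.dst_ip, entry.dst_port = parse_endpoint(value)
            elif key == "protocol":
                entry.protocol = value
        entries.append(entry)
    return entries


def triage(entry: LogEntry, publishing_rule: str, published_ip: str, port: int = 21) -> List[str]:
    """Findings for one hit on the FTP control port; empty list means it looks like a publishing match."""
    findings = []
    if entry.dst_port != port:
        return findings  # not an FTP control-channel hit, nothing to say
    if entry.rule != publishing_rule:
        findings.append(f"matched rule '{entry.rule}', not the publishing rule '{publishing_rule}'")
    if entry.src_network != "External":
        findings.append(f"source classified into the '{entry.src_network}' network; a publishing listener expects External")
    if entry.dst_ip != published_ip:
        findings.append(f"destination is {entry.dst_ip} ({entry.dst_network or 'no network name'}), not the published server {published_ip}")
    return findings


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        problems = triage(e, publishing_rule="Acceso FTP", published_ip="192.168.1.243")
        print(f"{e.result:>9} via '{e.rule}': " + ("; ".join(problems) if problems else "looks like a publishing-rule hit"))
```

Run against the thread's entry, the script reports all three findings: the hit landed on "Web access" rather than "Acceso FTP", the 190.239.86.157 client was classified as Internal, and the destination was Local Host on the external address instead of the published server. Any one of those is enough to tell you the server publishing rule never matched, which is the point Keith makes above.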
 

Author Comment

by:AxlTrauts
ID: 37779396
Yes! That was it.
I was definitely not reading AT ALL.

So I did the following:

I moved the FTP Access rule (the non-web one that has From External To FTP Server IP) "above and below" the Web Access rule (the rule that has From Internal To All networks and Local Host). The FTP Access rule is ignored and the Web Access rule (which has the FTP Server and FTP protocols on it) denies it.

By the way, I did what you asked on the Web Access rule, but then it bypasses both rules, FTP Access and Web Access, and goes to the default rule, which ignores everything... So I changed it back.
0
 

Author Comment

by:AxlTrauts
ID: 37779415
Now the "Web Access" access rule is set from Internal to External.
The "FTP Access" non-web access rule is still ignored... that should be the one...
0
 

Author Comment

by:AxlTrauts
ID: 37852399
So, any other help? I'm planning to start from zero with Forefront and see what happens.
0
