Solved

Publish an FTP Server on Forefront TMG not working

Posted on 2012-03-22
Last Modified: 2012-08-20
Hi,

I published my FTP server on TMG but for some reason it doesn't work. I don't receive any errors and I'm lost already.

Here is what I have and did:

I have an FTP server on 192.168.1.243 with IIS 7. I created the FTP site with the following features:
- using a self-signed SSL certificate that I created in IIS Server Certificates.
- Basic authentication enabled
- Authorization rules: Allow all users read/write
- FTP Firewall support: Data channel ports 0-0, Firewall's External IP address (I assumed it is the public IP on the external NIC on Forefront). I did this just as a last resort.

I tested on the LAN and it works.

I have a Forefront TMG server on 192.168.1.248 and public IP 190.12.83.19. It is a perimeter firewall. The External NIC doesn't have a DNS server set.

I have three policies that I'll describe in order:
I created an access rule called Resend DNS to ISP
- Allow
- Protocol DNS
- From: DNS server
- To External

Web Access access rule:
- Allow
- Protocol FTP, FTP through HTTP, HTTP, HTTPS, Live Messenger, FTP Server, HTTPS Server
- From Internal
- To All networks (and local host). I also put External.

I published a non-web server protocol called Acceso FTP with the following features:
- Traffic: FTP Server. Removed the Read only check, the FTP Access filter is checked, the port is 21
- From: anywhere. I also put External, just in case.
- To: 192.168.1.243 (FTP server IP). The requests seem to come from the Forefront TMG machine.
- Networks: External and Internal

Then, on my external computer I open CMD and run ftp 190.12.83.19. After some time the ftp> prompt appears but I am not connected. What should happen is that it asks me for my user and password.
Question by: AxlTrauts
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37754008
Define perimeter firewall - in TMG terms they are either frontend, backend or proxy only - which did you select? It matters due to the relationship between the TMG and other networks, i.e. route or NAT.

The ONLY thing you should have needed to do was run the non-web publishing rule, selected FTP Server and assigned it on the external interface. Oh, and the FTP server needs to have TMG either as the default gateway or on the default route path back to the Internet.

Author Comment

by:AxlTrauts
ID: 37754367
Hi,

Perimeter Firewall is what I chose on my network template. The topology is shown in this order:
Internal network - Local host - External network - VPN clients network. I am translating because my Windows is in Spanish.

I set the default gateway on the FTP server NIC as the Internal NIC of my TMG server. Still nothing... should I reset the server?

Author Comment

by:AxlTrauts
ID: 37754465
I read an English Forefront template; it's not literally "perimeter firewall", it is "Edge Firewall".
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37755037
OK - so the network relationship between the internal and external TMG NICs will be NAT - good.

Change your web access rule and remove external. You REALLY do not want that!! :)
DNS rule is fine

I am still bothered about the FTP publishing rule though. The read-only check is for access rules, not publishing rules. The network should be just external.

Run up the TMG best practice analyser - what does it report?
What do you see in the TMG real-time log monitor when an external ftp attempt is made?

Author Comment

by:AxlTrauts
ID: 37757147
I read there is an error that seems to be related to there not being a valid network listener. It also says that there needs to be a network relationship between the selected network listeners and the published server.
Error location 325.958.7.0.9027.400

I'm investigating about this.

20/03/2012 11:43:01 a.m. - Error en la regla de publicación de servidor Acceso FTP debido a que no existe una escucha de red válida. Para que las solicitudes alcancen el servidor publicado, debe existir una relación de redes entre las redes de la escucha seleccionada y el servidor publicado. Ubicación del error: 325.958.7.0.9027.400.
 El error se debe a lo siguiente: Datos no válidos.
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 37757244
In the TMG GUI, select networking, network rules. There should be a relationship between internal --> external set to NAT, not route.

When you made the non-web publishing rule you will have entered in the private, internal ip address of the FTP server, selected FTP Server and selected only the external interface.

Author Comment

by:AxlTrauts
ID: 37757594
There is one network rule called Internet Access:
From: VPN clients, quarantine VPN clients, Internal
To: External
NAT relationship
Use the default IP address.

Still nothing; if I execute ftp 190.12.83.19 (public IP for the TMG server) nothing happens...

Author Comment

by:AxlTrauts
ID: 37763244
The logs show me this when I try (translated):

Connection denied VMSRVSEC 25/03/2012 01:52:55 p.m.
Tipo de registro: firewall service
Status: the action cannot be performed because the session not authenticated.  
Rule: Web access
from: Internal (190.239.86.157:52376)
to: Host local (190.12.83.19:21)
Protocol: FTP
 Información adicional
Número de bytes enviados: 0 Número de bytes recibidos: 0
Tiempo de procesamiento: 0ms IP del cliente original: 190.239.86.157
 

Author Comment

by:AxlTrauts
ID: 37777567
Please? Any help?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37779137
If nothing happens then the FTP traffic cannot be reaching the TMG server, can it?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37779152
Look at your error message. FROM Internal TO localhost - what is that all about? If you are publishing the FTP server then it should be FROM external.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37779160
The TO box should be the internal IP address of the FTP server

Author Comment

by:AxlTrauts
ID: 37779244
The non-web publishing rule called FTP Access goes from External to the server IP address.

There is an access rule called Internet Access, which goes from Internal to External... I guess that has nothing to do with this.

-----------------------------------------------------------
I have two errors (translating again)
Description: The server publishing rule FTP failed because there was no valid network listener. For requests to reach the published server there must be a network relationship between the selected listener networks and the published server. Error location: 325.958.7.0.9027.400.
The error is because of the following: Invalid data.

Now I KNOW there is a network relationship fail... but still can't see it.
The Network relationship is NAT, from Internal to External..
-----------------------------------------------------------
The second error is when I run the real-time logging, each time I execute "ftp 190.12.83.19" on an external network:
Connection denied VMSRVSEC 25/03/2012 01:52:55 p.m.
Tipo de registro: firewall service
Status: the action cannot be performed because the session not authenticated.  
Rule: Web access
from: Internal (190.239.86.157:52376)
to: Host local (190.12.83.19:21)
Protocol: FTP
 Información adicional
Número de bytes enviados: 0 Número de bytes recibidos: 0
Tiempo de procesamiento: 0ms IP del cliente original: 190.239.86.157


- I read there is an error that seems to be related to there not being a valid network listener. It also says that there needs to be a network relationship between the selected network listeners and the published server.
Error location 325.958.7.0.9027.400
LVL 51

Expert Comment

by:Keith Alabaster
ID: 37779256
I hear what you are saying - but that is NOT what your message above shows, is it? It is showing that the Web Access rule is FROM internal TO host local.

Author Comment

by:AxlTrauts
ID: 37779396
Yes! that was it.
I was definitely not reading AT ALL.

So I did the following:

I moved the FTP Access rule (the non-web rule that has From External To FTP Server IP) "above and below" the Web Access rule (the rule that has From Internal To All networks and Local Host). The FTP Access rule is ignored and the Web Access rule (that has the FTP Server and FTP protocol on it) denies it.

By the way, I did what you asked on Web Access rule, but it bypasses both rules, FTP access and Web Access and goes to default rule, that ignores everything... So I changed it back.
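A worked illustration of the first-match evaluation Keith is pointing at, added here as example code (it is not from the thread and not TMG code): it models the thread's networks and its two rules and shows that the "FTP Access" publishing rule can only fire when TMG classes the client as External, whatever the rule order. The Internal address ranges and the rule internals are assumptions.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model of the policy in this thread; this is not TMG code. The
# Internal network's address ranges are an assumption (the thread shows hosts only).
TMG_EXTERNAL_IP = "190.12.83.19"
FTP_SERVER_IP = "192.168.1.243"

def classify(addr, internal_ranges):
    """Map an address to a TMG network name: Local Host, Internal or External."""
    if addr in (TMG_EXTERNAL_IP, "192.168.1.248"):
        return "Local Host"          # the TMG server's own addresses
    ip = ipaddress.ip_address(addr)
    if any(ip in ipaddress.ip_network(r) for r in internal_ranges):
        return "Internal"
    return "External"                # anything not in a defined network

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                # "access" rule or server "publish" rule
    protocols: frozenset
    src: frozenset           # networks the rule applies from
    dst: frozenset           # networks it applies to; the listener for publish
    requires_auth: bool = False
    forward_to: str = ""     # published server for a publish rule

def evaluate(rules, internal_ranges, src_ip, dst_ip, proto, authenticated=False):
    """First match wins, top to bottom, as the TMG firewall policy is evaluated."""
    s, d = classify(src_ip, internal_ranges), classify(dst_ip, internal_ranges)
    for r in rules:
        if proto not in r.protocols or s not in r.src or d not in r.dst:
            continue
        if r.requires_auth and not authenticated:  # the log's "session not authenticated"
            return r.name, "Denied: session not authenticated"
        if r.kind == "publish":
            return r.name, f"Forwarded to {r.forward_to}:21"
        return r.name, "Allowed"
    return "Default rule", "Denied"

POLICY = [  # order as in the thread: the access rule sits above the publishing rule
    Rule("Web Access", "access", frozenset({"FTP", "HTTP", "HTTPS"}),
         frozenset({"Internal"}), frozenset({"Internal", "External", "Local Host"}),
         requires_auth=True),
    Rule("FTP Access", "publish", frozenset({"FTP"}), frozenset({"External"}),
         frozenset({"Local Host"}), forward_to=FTP_SERVER_IP),
]

def external_ftp_attempt(internal_ranges, client="190.239.86.157"):
    # Anonymous FTP connection from the thread's client to the TMG external IP.
    return evaluate(POLICY, internal_ranges, client, TMG_EXTERNAL_IP, "FTP")
```

Calling `external_ftp_attempt(["192.168.1.0/24", "190.239.0.0/16"])` (an Internal definition that covers the client) reproduces the log line's denial by "Web Access"; with `["192.168.1.0/24"]` the client is External and "FTP Access" forwards the connection to 192.168.1.243.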

Author Comment

by:AxlTrauts
ID: 37779415
Now the "Web Access" access rule is set from Internal to External.
The "FTP Access" non-web access rule is still ignored... that should be the one...

Author Comment

by:AxlTrauts
ID: 37852399
So, any other help? I'm planning to start from zero with Forefront and see what happens.