Publish a FTP Server on Forefront TMG not working

Hi,

I published my FTP server on TMG but for some reason it doesn't work. I don't receive any errors and I'm lost already.

Here is what I have and did:

I have an FTP server on 192.168.1.243 with IIS 7. I created the FTP site with the following features:
- using a self-signed SSL certificate that I created on IIS Server Certificates.
- Basic authentication enabled
- Authorization rules: Allow all users read/write
- FTP Firewall support: Data channel ports 0-0, Firewall's External IP address (I assumed it is the public IP on the external NIC on Forefront). I did this just as my last resort.

I tested on the LAN and it works.

I have a Forefront TMG server on 192.168.1.248 and public IP 190.12.83.19. It is a perimeter firewall. The External NIC doesn't have a DNS set.

I have three policies that I'll describe in order.
I created an access rule called Resend DNS to ISP:
- Allow
- Protocol DNS
- From: DNS server
- To External

Web Access access rule:
- Allow
- Protocol FTP, FTP through HTTP, HTTP, HTTPS, Live Messenger, FTP Server, HTTPS Server
- From Internal
- To All networks (and local host). I also put External.

I published a non web server protocol called Acceso FTP with the following features:
- Traffic: FTP Server. Removed the Read only check, the FTP Access filter is checked, the port is 21
- From: anywhere. I also put External, just in case.
- To: 192.168.1.243 (FTP server IP). The requests seem to come from the Forefront TMG machine.
- Networks: External and Internal

Then, on my external computer I open CMD and run ftp 190.12.83.19. After some time the ftp> cursor appears but I am not connected. What should happen is that it asks me for my user and pass.
Asked by: AxlTrauts

1 Solution
Keith Alabaster commented:
Define perimeter firewall - in TMG terms they are either frontend, backend or proxy only - which did you select? It matters due to the relationship between the TMG and other networks, i.e. route or NAT.

The ONLY thing you should have needed to do was run the non-web publishing rule, selected FTP Server and assigned it on the external interface. Oh, and the FTP server needs to have TMG either as the default gateway or on the default route path back to the Internet.
 
AxlTrauts (Author) commented:
Hi,

Perimeter Firewall is what I chose on my network template. The topology shows, in this order:
Internal network - Local host - External network - VPN clients network
I am translating because my Windows is in Spanish.

I set the default gateway on the FTP server NIC as the Internal NIC of my TMG server. Still nothing... should I reset the server?
 
AxlTrauts (Author) commented:
I read an English Forefront template; it's not literally perimeter firewall, it is Edge Firewall.
 
Keith Alabaster commented:
OK - so the network relationship between the internal and external TMG nics will be NAT - good.

Change your web access rule and remove external. You REALLY do not want that!! :)
DNS rule is fine

I am still bothered about the FTP publishing rule though. The read-only check is for access rules, not publishing rules. The network should be just external.

Run up the TMG best practice analyser - what does it report?
What do you see in the TMG realtime log monitor when an external ftp attempt is made?
 
AxlTrauts (Author) commented:
I read there is an error that seems to be related to there not being a valid network listener. It also says that there needs to be a network relationship between the selected network listeners and the published server.
Error location 325.958.7.0.9027.400

I'm investigating about this.

20/03/2012 11:43:01 a.m. - Error en la regla de publicación de servidor Acceso FTP debido a que no existe una escucha de red válida. Para que las solicitudes alcancen el servidor publicado, debe existir una relación de redes entre las redes de la escucha seleccionada y el servidor publicado. Ubicación del error: 325.958.7.0.9027.400.
 El error se debe a lo siguiente: Datos no válidos.
 
Keith Alabaster commented:
In the TMG GUI, select networking, network rules. There should be a relationship between internal --> external set to NAT, not route.

When you made the non-web publishing rule you will have entered the private, internal IP address of the FTP server, selected FTP Server and selected only the external interface.
 
AxlTrauts (Author) commented:
There is one network rule called Internet Access:
From: VPN clients, quarantine VPN clients, Internal
To: External
NAT relationship
Use the default IP address.

Still, nothing; if I execute FTP 190.12.83.19 (public IP for the TMG server) nothing happens...
 
AxlTrauts (Author) commented:
The logs show me this when I try (translated):

Connection denied VMSRVSEC 25/03/2012 01:52:55 p.m.
Tipo de registro: firewall service
Status: the action cannot be performed because the session not authenticated.  
Rule: Web access
from: Internal (190.239.86.157:52376)
to: Host local (190.12.83.19:21)
Protocol: FTP
 Información adicional
Número de bytes enviados: 0 Número de bytes recibidos: 0
Tiempo de procesamiento: 0ms IP del cliente original: 190.239.86.157

AxlTrauts (Author) commented:
Please? Any help?
 
Keith Alabaster commented:
If nothing happens then the FTP traffic cannot be reaching the TMG server, can it?
 
Keith Alabaster commented:
Look at your error message. FROM Internal TO localhost - what is that all about? If you are publishing the FTP server then it should be FROM external.
 
Keith Alabaster commented:
The TO box should be the internal IP address of the FTP server.
 
AxlTrauts (Author) commented:
The non-web publishing rule called FTP Access goes from External to the server IP address.

There is an access rule called Internet Access, which goes from Internal to External... I guess that has nothing to do with this.

-----------------------------------------------------------
I have two errors (translating again)
Description: The server publishing rule FTP failed because there was no valid network listener. For requests to reach the published server there must be a network relationship between the selected listener networks and the published server. Error location: 325.958.7.0.9027.400.
The error is because of the following: Invalid data.

Now I KNOW there is a network relationship fail... but still can't see it.
The Network relationship is NAT, from Internal to External..
-----------------------------------------------------------
The second error is when I run the real time logging and each Time I execute "ftp 190.12.83.19" on an external network:
Connection denied VMSRVSEC 25/03/2012 01:52:55 p.m.
Tipo de registro: firewall service
Status: the action cannot be performed because the session not authenticated.  
Rule: Web access
from: Internal (190.239.86.157:52376)
to: Host local (190.12.83.19:21)
Protocol: FTP
 Información adicional
Número de bytes enviados: 0 Número de bytes recibidos: 0
Tiempo de procesamiento: 0ms IP del cliente original: 190.239.86.157


- I read there is an error that seems to be related to there not being a valid network listener. It also says that there needs to be a network relationship between the selected network listeners and the published server.
Error location 325.958.7.0.9027.400
 
Keith Alabaster commented:
I hear what you are saying - but that is NOT what your message above shows, is it? It is showing that the Web Access rule is FROM internal TO host local.
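As an added illustration (not code from the thread, TMG, or either participant), a small Python checker that reads the translated denial entry quoted above and reports the things Keith points at: the connection matched the "Web access" access rule rather than the publishing rule, and it was delivered to Local Host rather than to the published server. The sample entry is constructed from the thread's translation, the rule and server names are the ones given in the thread, and the private-range test for a public client logged as Internal is my own heuristic, not a TMG rule.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the denied-connection entry quoted in the thread, as the
# real-time log monitor shows it after translation (not TMG's export format).
SAMPLE_ENTRY = """\
Connection denied VMSRVSEC 25/03/2012 01:52:55 p.m.
Status: the action cannot be performed because the session is not authenticated.
Rule: Web access
from: Internal (190.239.86.157:52376)
to: Host local (190.12.83.19:21)
Protocol: FTP
"""

FIELD_RE = re.compile(r"^(Rule|from|to|Protocol):\s*(.+?)\s*$", re.I | re.M)
ENDPOINT_RE = re.compile(r"^(?P<net>.+?)\s*\((?P<ip>[\d.]+):(?P<port>\d+)\)$")
# Assumption (heuristic): the Internal network consists of RFC 1918 ranges only.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_entry(text):
    """Pull rule, protocol and both endpoints (network, ip, port) out of one entry."""
    fields = {k.lower(): v for k, v in FIELD_RE.findall(text)}
    entry = {"rule": fields.get("rule"), "protocol": fields.get("protocol")}
    for side in ("from", "to"):
        m = ENDPOINT_RE.match(fields.get(side, ""))
        entry[side] = {"net": m["net"], "ip": m["ip"], "port": int(m["port"])} if m else None
    return entry


def check_publish(entry, publish_rule, server_ip, port=21):
    """Explain why a connection to the published port never reached the server."""
    findings = []
    if not entry["from"] or not entry["to"] or entry["to"]["port"] != port:
        return findings  # not traffic for the published service
    if entry["rule"] != publish_rule:
        findings.append(f"matched '{entry['rule']}' instead of publishing rule "
                        f"'{publish_rule}': an access rule above it is taking the traffic")
    src = ip_address(entry["from"]["ip"])
    if entry["from"]["net"].lower() == "internal" and not any(src in n for n in PRIVATE):
        findings.append(f"public client {src} logged as Internal: check the Internal "
                        f"network's address ranges and which NIC received it")
    if entry["to"]["ip"] != server_ip:
        findings.append(f"destination is {entry['to']['net']} {entry['to']['ip']}, not "
                        f"{server_ip}: the publishing rule's NAT to the server never applied")
    return findings


if __name__ == "__main__":
    print(*check_publish(parse_entry(SAMPLE_ENTRY), "FTP access", "192.168.1.243"), sep="\n")
```

Running it on the sample prints three findings; an entry that names the publishing rule, comes from External and lands on 192.168.1.243:21 produces none.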
 
AxlTrauts (Author) commented:
Yes! that was it.
I was definitely not reading AT ALL.

So I did the following:

I moved the FTP Access rule (the non-web rule that has From External To the FTP server IP) "above and below" the Web Access rule (the rule that has From Internal To All networks and Local Host). The FTP Access rule is ignored and the Web Access rule (which has the FTP Server and FTP protocols on it) denies it.

By the way, I did what you asked on the Web Access rule, but it bypasses both rules, FTP Access and Web Access, and goes to the default rule, which ignores everything... So I changed it back.
 
AxlTrauts (Author) commented:
Now the "Web Access" access rule is set from Internal to External.
The "FTP Access" non-web access rule is still ignored... that should be the one...
 
AxlTrauts (Author) commented:
So, any other help? I'm planning to start from zero with Forefront and see what happens.