Solved

Publish an FTP Server on Forefront TMG not working

Posted on 2012-03-22
Last Modified: 2012-08-20
Hi,

I published my FTP server on TMG but for some reason it doesn't work. I don't receive any errors and I'm lost already.

Here is what I have and did:

I have an FTP server on 192.168.1.243 with IIS 7. I created the FTP site with the following features:
- using a self-signed SSL certificate that I created in IIS Server Certificates.
- Basic authentication enabled
- Authorization rules: Allow all users read/write
- FTP Firewall Support: Data channel ports 0-0, Firewall's External IP address (I assumed it is the public IP on the external NIC on Forefront). I did this only as a last resort.

I tested on the LAN and it works.

I have a Forefront TMG server on 192.168.1.248 and public IP 190.12.83.19. It is a perimeter firewall. The external NIC doesn't have a DNS set.

I have three policies that I'll describe in order.
I created an access rule called Resend DNS to ISP:
- Allow
- Protocol: DNS
- From: DNS server
- To: External

Web Access access rule:
- Allow
- Protocols: FTP, FTP through HTTP, HTTP, HTTPS, Live Messenger, FTP Server, HTTPS Server
- From: Internal
- To: All Networks (and Local Host). I also put External.

I published a non-web server protocol with a rule called Acceso FTP with the following features:
- Traffic: FTP Server. Removed the Read Only check, the FTP Access filter is checked, the port is 21
- From: Anywhere. I also put External, just in case.
- To: 192.168.1.243 (FTP server IP). The requests seem to come from the Forefront TMG machine.
- Networks: External and Internal

Then, on my external computer I open CMD and run ftp 190.12.83.19. After some time the ftp> prompt appears but I am not connected. What should happen is that it asks me for my user and password.
Question by: AxlTrauts

17 Comments

Expert Comment

by: Keith Alabaster
ID: 37754008
Define perimeter firewall - in TMG terms they are either front-end, back-end or proxy only - which did you select? It matters due to the relationship between the TMG and other networks, i.e. route or NAT.

The ONLY thing you should have needed to do was run the non-web publishing rule, select FTP Server and assign it to the external interface. Oh, and the FTP server needs to have TMG either as the default gateway or on the default route path back to the Internet.
 

Author Comment

by: AxlTrauts
ID: 37754367
Hi,

Perimeter Firewall is what I chose on my network template. The topology shows, in this order:
Internal network - Local Host - External network - VPN clients network. I am translating because my Windows is in Spanish.

I set the default gateway on the FTP server NIC as the internal NIC of my TMG server. Still nothing... should I reset the server?
 

Author Comment

by: AxlTrauts
ID: 37754465
I read an English Forefront template; it's not literally Perimeter Firewall, it is Edge Firewall.
Expert Comment

by: Keith Alabaster
ID: 37755037
OK - so the network relationship between the internal and external TMG NICs will be NAT - good.

Change your web access rule and remove External. You REALLY do not want that!! :)
DNS rule is fine.

I am still bothered about the FTP publishing rule though. The read-only check is for access rules, not publishing rules. The network should be just External.

Run the TMG Best Practices Analyzer - what does it report?
What do you see in the TMG real-time log monitor when an external FTP attempt is made?
 

Author Comment

by: AxlTrauts
ID: 37757147
I read there is an error that seems to be related to there not being a valid network listener. It also says that there needs to be a network relationship between the selected network listeners and the published server.
Error location 325.958.7.0.9027.400

I'm investigating this.

(translated from Spanish)
20/03/2012 11:43:01 a.m. - The server publishing rule Acceso FTP failed because there is no valid network listener. For requests to reach the published server, there must be a network relationship between the networks of the selected listener and the published server. Error location: 325.958.7.0.9027.400.
The error is due to the following: Invalid data.
 
Accepted Solution

by: Keith Alabaster (earned 500 total points)
ID: 37757244
In the TMG GUI, select Networking, Network Rules. There should be a relationship between Internal --> External set to NAT, not Route.

When you made the non-web publishing rule you will have entered the private, internal IP address of the FTP server, selected FTP Server and selected only the external interface.
 

Author Comment

by: AxlTrauts
ID: 37757594
There is one network rule called Internet Access:
From: VPN Clients, Quarantined VPN Clients, Internal
To: External
NAT relationship
Use the default IP address.

Still nothing; if I execute ftp 190.12.83.19 (public IP for the TMG server) nothing happens...
 

Author Comment

by: AxlTrauts
ID: 37763244
The logs show me this when I try (translated):

Connection denied VMSRVSEC 25/03/2012 01:52:55 p.m.
Log type: Firewall service
Status: The action cannot be performed because the session is not authenticated.
Rule: Web access
From: Internal (190.239.86.157:52376)
To: Local Host (190.12.83.19:21)
Protocol: FTP
Additional information
Bytes sent: 0 Bytes received: 0
Processing time: 0ms Original client IP: 190.239.86.157
 

Author Comment

by: AxlTrauts
ID: 37777567
Please? Any help?
 
Expert Comment

by: Keith Alabaster
ID: 37779137
If nothing happens then the FTP traffic cannot be reaching the TMG server, can it?
 
Expert Comment

by: Keith Alabaster
ID: 37779152
Look at your error message. FROM Internal TO Local Host - what is that all about? If you are publishing the FTP server then it should be FROM External.
 
Expert Comment

by: Keith Alabaster
ID: 37779160
The TO box should be the internal IP address of the FTP server.
 

Author Comment

by: AxlTrauts
ID: 37779244
The non-web publishing rule called FTP Access goes from External to the server IP address.

There is an access rule called Internet Access, which goes from Internal to External... I guess that has nothing to do with this.

-----------------------------------------------------------
I have two errors (translating again):
Description: The server publishing rule FTP failed because there was no valid network listener. For requests to reach the published server there must be a network relationship between the selected listener networks and the published server. Error location: 325.958.7.0.9027.400.
The error is due to the following: Invalid data.

Now I KNOW there is a network relationship failure... but I still can't see it.
The network relationship is NAT, from Internal to External.
-----------------------------------------------------------
The second error is when I run the real-time logging, each time I execute "ftp 190.12.83.19" from an external network:
Connection denied VMSRVSEC 25/03/2012 01:52:55 p.m.
Log type: Firewall service
Status: The action cannot be performed because the session is not authenticated.
Rule: Web access
From: Internal (190.239.86.157:52376)
To: Local Host (190.12.83.19:21)
Protocol: FTP
Additional information
Bytes sent: 0 Bytes received: 0
Processing time: 0ms Original client IP: 190.239.86.157


- I read there is an error that seems to be related to there not being a valid network listener. It also says that there needs to be a network relationship between the selected network listeners and the published server.
Error location 325.958.7.0.9027.400
 
Expert Comment

by: Keith Alabaster
ID: 37779256
I hear what you are saying - but that is NOT what your message above shows, is it? It is showing that the Web Access rule is FROM Internal TO Local Host.
 

Author Comment

by: AxlTrauts
ID: 37779396
Yes! That was it.
I was definitely not reading AT ALL.

So I did the following:

I moved the FTP Access rule (the non-web rule that has From External To FTP Server IP) "above and below" the Web Access rule (the rule that has From Internal To All Networks and Local Host). The FTP Access rule is ignored and the Web Access rule (that has the FTP Server and FTP protocols on it) denies it.

By the way, I did what you asked on the Web Access rule, but then it bypasses both rules, FTP Access and Web Access, and goes to the default rule, which ignores everything... So I changed it back.
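The exchange above turns on two things: which network TMG assigns to the connection's source address, and which rule is the first to match it. The following is an added example written for this page, not code from the original post or from TMG itself: a small Python model of that source-network classification and first-match rule walk, applied to the log entry quoted above ("From: Internal (190.239.86.157:52376)", "To: Local Host (190.12.83.19:21)", "Rule: Web access"). Everything beyond the IPs and rule names in the thread is constructed: the network address ranges, the assumption that TMG classifies a source by the address ranges defining each network object (anything unmatched is External), the assumption that the Web access rule applies to authenticated users only (suggested by the "session is not authenticated" status), and the sample log record.

```python
"""Added example (not TMG's own logic or API): first-match rule walk plus a
check over a TMG-style log record. Network ranges, the authenticated-only
Web access rule and the sample record are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

INTENDED_NETWORKS = {
    # TMG's own addresses: internal NIC and public IP from the post.
    "Local Host": [ipaddress.ip_network("192.168.1.248/32"),
                   ipaddress.ip_network("190.12.83.19/32")],
    # The LAN the FTP server (192.168.1.243) lives on.
    "Internal": [ipaddress.ip_network("192.168.1.0/24")],
}

# Same networks, but with an Internal range widened (constructed) until it
# also covers the remote client's public address.
BROAD_INTERNAL_NETWORKS = {
    "Local Host": INTENDED_NETWORKS["Local Host"],
    "Internal": INTENDED_NETWORKS["Internal"] + [ipaddress.ip_network("190.0.0.0/8")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    protocols: frozenset
    from_nets: frozenset
    to_nets: frozenset
    requires_auth: bool = False   # assumption: "All Authenticated Users" style rule


RULES = [
    # Non-web server publishing rule: FTP Server protocol, listener on External.
    Rule("Acceso FTP", frozenset({"FTP"}), frozenset({"External"}), frozenset({"Local Host"})),
    # Access rule from the post: FTP among others, from Internal to All Networks + Local Host.
    Rule("Web access", frozenset({"FTP", "HTTP", "HTTPS"}), frozenset({"Internal"}),
         frozenset({"Internal", "External", "Local Host"}), requires_auth=True),
]
PUBLISHING_RULES = {"Acceso FTP"}


def classify(ip, networks):
    """Name of the first network whose ranges contain ip; External otherwise."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in networks.items():
        if any(addr in net for net in ranges):
            return name
    return "External"


def evaluate(client_ip, dest_ip, proto, networks, rules=RULES, authenticated=False):
    """Top-to-bottom walk; the first matching rule decides, else the default rule denies."""
    src_net, dst_net = classify(client_ip, networks), classify(dest_ip, networks)
    for rule in rules:
        if proto in rule.protocols and src_net in rule.from_nets and dst_net in rule.to_nets:
            if rule.requires_auth and not authenticated:
                return rule.name, "denied: session not authenticated"
            return rule.name, "allowed"
    return "Default rule", "denied"


ENDPOINT_RE = re.compile(r"^(?P<net>.+?)\s*\((?P<ip>[\d.]+):(?P<port>\d+)\)$")


def parse_record(text):
    """Pull rule, protocol and both endpoints out of a 'key: value' log record."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    src, dst = ENDPOINT_RE.match(fields["from"]), ENDPOINT_RE.match(fields["to"])
    return {"rule": fields["rule"], "protocol": fields["protocol"],
            "src_net": src["net"], "src_ip": src["ip"],
            "dst_net": dst["net"], "dst_ip": dst["ip"], "dst_port": int(dst["port"])}


def check_record(rec, intended_networks, published_ports=(21,)):
    """Findings an admin wants from one denied-connection record."""
    findings = []
    expected = classify(rec["src_ip"], intended_networks)
    if rec["src_net"] != expected:   # TMG's network definition disagrees with the intended one
        findings.append(f"{rec['src_ip']} logged as {rec['src_net']} but belongs to "
                        f"{expected}: check the Internal network's address ranges")
    if rec["dst_port"] in published_ports and rec["rule"] not in PUBLISHING_RULES:
        findings.append(f"port {rec['dst_port']} was matched by access rule "
                        f"'{rec['rule']}', so the publishing rule never saw it")
    return findings


# Constructed record in the shape of the poster's translated log entry.
SAMPLE_RECORD = """\
Connection denied VMSRVSEC 25/03/2012 01:52:55 p.m.
Log type: Firewall service
Status: The action cannot be performed because the session is not authenticated.
Rule: Web access
from: Internal (190.239.86.157:52376)
to: Local Host (190.12.83.19:21)
Protocol: FTP
"""

if __name__ == "__main__":
    for label, nets in (("intended", INTENDED_NETWORKS), ("broad Internal", BROAD_INTERNAL_NETWORKS)):
        print(label, evaluate("190.239.86.157", "190.12.83.19", "FTP", nets))
    for finding in check_record(parse_record(SAMPLE_RECORD), INTENDED_NETWORKS):
        print("-", finding)
```

With the intended ranges the external client is classified External and the publishing rule is the first match; with the widened Internal range the same client is Internal, the publishing rule (From: External) can never match, and the Web access rule is the one that denies, which is the shape of the poster's log line. Reordering rules does not change that outcome, because the publishing rule's source network never matches at all.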
 

Author Comment

by: AxlTrauts
ID: 37779415
Now the "Web Access" access rule is set from Internal to External.
The "FTP Access" non-web rule is still ignored... that should be the one...
 

Author Comment

by: AxlTrauts
ID: 37852399
So, any other help? I'm planning to start from zero with Forefront and see what happens.
