Solved

TMG 2010 will not accept user credentials when connecting to external FTP Sites

Posted on 2014-01-21
Last Modified: 2014-06-15
I am having an issue connecting to external FTP sites that require a username and password through TMG 2010. I am able to connect to any anonymous FTP site, and I can connect to the authenticating FTP servers, but it just keeps prompting for credentials over and over even though the password is correct. This was working fine until CenturyLink changed out our DSL modem and it has not worked since. You would think, of course it's the DSL modem, but when I connect directly to the back of the modem and bypass the TMG server, I can authenticate and log in to any FTP server that I want.

This TMG server is running SP2 hotfix 4 and I have the FTP policy created. I have made sure that none of the policies have the read-only flag checked on the FTP configuration for each policy (even the non-FTP ones), and I have active FTP enabled, but I still cannot authenticate. The firewall logs show the traffic as "allowed" when I run a test, but if I try to access the FTP site through Windows Explorer from the TMG server, it tells me that read-only mode is active. All workstations behind the TMG server exhibit the same behavior. I have also tried using the Firewall Client but get the same results with that, and FileZilla also says the username and password are incorrect even though they are not. I have tried just about every fix that I can find, but I can't seem to find any articles describing this exact issue. Any help is greatly appreciated.

Scott
Question by:scottyvanman
10 Comments
 
LVL 16

Expert Comment

by:AlexPace
ID: 39800317
Filezilla automatically sends some commands after the user is authenticated to get a list of features supported by the server and a directory listing from the remote working folder.  

I'd bet what is happening is that the username and password are accepted but the directory listing is failing.  I further suspect that the difference you see between external FTP sites has more to do with whether the directory listing is sent via passive or active mode.

While I'm speculating, I'll guess that the firewall snoops the FTP control channel looking for the PORT command sent from the client when it wants to do an active mode data channel.  It modifies the command so that the private IP address of the workstation is replaced by the public IP address of the firewall and then it replaces the last 2 numbers with an available port.  The server will receive the modified port command and attempt to open an outgoing connection back to the replaced address and port which is actually the address of the firewall.  The firewall will then automatically forward (NAT) the connection attempt back to the workstation.  

Obviously that is complicated and prone to error so, when you plug in on the other side of the firewall, none of that happens and the thing just works.  

It would be great if you could get your hands on a copy of the FTP server's log showing what happened on the protocol level from its point of view.
LVL 3

Author Comment

by:scottyvanman
ID: 39800774
Hi Alex, thanks for responding. I might think it was failing the directory listing, except I can hit any anonymous FTP site like ftp.microsoft.com and see all the files with no problem. I noticed last night that I am getting this error in the logs when the FTP filter is applied:

21      FTP OUT      Initiated Connection      Unrestricted Internet access      0x0 SUCCESS      Local Host      External      -      1/21/2014 23:52
21      FTP OUT      Closed Connection      Unrestricted Internet access      0x80074e24 FWX_E_CONNECTION_KILLED      Local Host      External      -      1/21/2014 23:52

and this one when the FTP filter is not applied:

21      FTP OUT      Initiated Connection      Unrestricted Internet access      0x0 SUCCESS      Internal      External      -      1/22/2014 0:13
21      FTP OUT      Closed Connection      Unrestricted Internet access      0x80074e20 FWX_E_GRACEFUL_SHUTDOWN      Internal      External      -      1/22/2014 0:13

I still have the same problem whether the filter is applied or not. I am still researching...
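The four log rows posted above illustrate a point worth automating when reading TMG firewall logs: an "Initiated Connection" row with 0x0 SUCCESS only says the rule allowed the connection, and the interesting information is the result code on the matching "Closed Connection" row (FWX_E_CONNECTION_KILLED versus FWX_E_GRACEFUL_SHUTDOWN). The following Python is an added example, not code from the thread or from Microsoft; it embeds a constructed copy of the four rows (tab-separated columns and the column names are assumptions about the log viewer's export format), pairs each open with its close for the same source/destination/rule, and lists the sessions whose close result name says the firewall killed them.

```python
# Added example: pair TMG "Initiated Connection" / "Closed Connection" rows and
# report how each FTP session ended. Not TMG's own tooling.

# Constructed sample reproducing the four rows posted in the thread. Tab-separated
# columns and the FIELDS names below are assumptions; the values are the thread's own.
SAMPLE_LOG = (
    "21\tFTP OUT\tInitiated Connection\tUnrestricted Internet access\t0x0 SUCCESS\tLocal Host\tExternal\t-\t1/21/2014 23:52\n"
    "21\tFTP OUT\tClosed Connection\tUnrestricted Internet access\t0x80074e24 FWX_E_CONNECTION_KILLED\tLocal Host\tExternal\t-\t1/21/2014 23:52\n"
    "21\tFTP OUT\tInitiated Connection\tUnrestricted Internet access\t0x0 SUCCESS\tInternal\tExternal\t-\t1/22/2014 0:13\n"
    "21\tFTP OUT\tClosed Connection\tUnrestricted Internet access\t0x80074e20 FWX_E_GRACEFUL_SHUTDOWN\tInternal\tExternal\t-\t1/22/2014 0:13\n"
)

# Assumed column layout (destination port, protocol, action, rule name, result,
# source network, destination network, unused, timestamp).
FIELDS = ("dst_port", "protocol", "action", "rule", "result",
          "source", "destination", "extra", "time")


def parse_tmg_log(text):
    """Split exported rows into dicts and decode the 'code NAME' result column."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected column count {len(parts)}: {line!r}")
        row = dict(zip(FIELDS, parts))
        code, _, name = row["result"].partition(" ")
        row["result_code"] = int(code, 16)      # e.g. 0x80074e24 -> 2148028964
        row["result_name"] = name or "SUCCESS"  # 0x0 rows carry the word SUCCESS
        rows.append(row)
    return rows


def pair_sessions(rows):
    """Match each Initiated Connection with the next Closed Connection for the same
    (source, destination, protocol, rule) tuple and record how the session ended."""
    open_by_key = {}
    sessions = []
    for row in rows:
        key = (row["source"], row["destination"], row["protocol"], row["rule"])
        if row["action"] == "Initiated Connection":
            open_by_key[key] = row
        elif row["action"] == "Closed Connection":
            opened = open_by_key.pop(key, None)
            sessions.append({
                "source": row["source"],          # 'Local Host' = test run on the TMG box itself
                "opened": opened["time"] if opened else None,
                "closed": row["time"],
                "close_code": row["result_code"],
                "close_result": row["result_name"],
            })
    return sessions


def killed_sessions(rows):
    """Sessions whose close result, by its name, says the firewall terminated the
    connection rather than the endpoints closing it normally."""
    return [s for s in pair_sessions(rows)
            if s["close_result"] == "FWX_E_CONNECTION_KILLED"]


if __name__ == "__main__":
    for s in pair_sessions(parse_tmg_log(SAMPLE_LOG)):
        print(f"{s['source']:<10} opened {s['opened']} closed {s['closed']} -> {s['close_result']}")
```

Run over a real export, the filtered view separates "rule allowed it, then the filter killed it" from ordinary closes, which is the distinction the two pairs of rows above show between the FTP filter being applied and not applied.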
LVL 16

Expert Comment

by:AlexPace
ID: 39801044
There is a comment on this other thread that discusses a resolution for a very similar issue that involved unexpected interference from a different anonymous access rule: http://social.technet.microsoft.com/Forums/forefront/en-US/95cf87c4-f7be-4911-807a-9e6153244388/ftp-upload-issue-with-tmg-2010-sp1?forum=Forefrontedgegeneral
LVL 3

Author Comment

by:scottyvanman
ID: 39805697
Thanks, I had seen that article but I don't have that same issue. I still can't figure it out. I swear if I could figure out how to make Outlook Anywhere work without TMG I would take TMG out and just use a firewall appliance. I'll keep working on it but thanks for trying to help!
LVL 16

Expert Comment

by:AlexPace
ID: 39806006
What happens when you do an FTPS connection with a secured control channel?  The firewall wouldn't be able to snoop it after it goes into protected mode, so it literally wouldn't know the difference between an anonymous connection and one where the PASS verb was used... of course it also wouldn't be able to snoop the PORT command, so you'd have to use PASV mode or clear the control channel after authentication.
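The two mechanisms AlexPace describes in this thread (comment 39800317: the firewall rewriting the client's PORT command with its own public address and a spare port, then NATing the server's data connection back; and this comment: a TLS-protected control channel leaving the firewall unable to see PASS or PORT at all) can be shown together in a small model. The Python below is an added example, not TMG's FTP filter or any code from the thread; it is a toy application-layer gateway with constructed addresses (203.0.113.7 as the firewall's public IP, 192.168.10.0/24 as the internal network) that rewrites PORT while the channel is cleartext, records the mapping for the inbound data connection, and passes everything through unchanged once an AUTH TLS exchange succeeds.

```python
# Added example: toy FTP application-layer gateway (ALG) for active mode behind NAT,
# plus what happens to it once the control channel is protected with TLS.
# Not TMG's implementation; addresses and port pool are constructed.
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (each 0..255), port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$")


def parse_port(line):
    """Decode a PORT command into ('a.b.c.d', port), or None if it is malformed."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None  # out-of-range octet: refuse rather than guess
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip, port):
    """Encode ('a.b.c.d', port) back into PORT syntax with a CRLF ending."""
    return "PORT " + ip.replace(".", ",") + f",{port // 256},{port % 256}\r\n"


class FtpAlg:
    """Toy model of a NAT firewall's FTP filter (an ALG), as assumed in this example.

    It watches the cleartext control channel for PORT commands from a private client,
    substitutes its own public address and a free port, and remembers the mapping so
    the server's inbound data connection can be forwarded (DNAT) to the real client.
    """

    def __init__(self, public_ip, private_net, port_pool=range(50000, 50010)):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self.free_ports = list(port_pool)
        self.dnat = {}            # public data port -> (client ip, client port)
        self.tls_pending = False  # client sent AUTH TLS, waiting for the server's 234
        self.secured = False      # control channel is now ciphertext to the firewall
        self.log = []             # what the filter could observe, for the demo

    def client_to_server(self, line):
        """Process one client->server control line; return what the server will see."""
        if self.secured:
            self.log.append("opaque: cannot inspect encrypted control channel")
            return line
        verb = line.split(" ", 1)[0].rstrip("\r\n").upper()
        if verb == "AUTH" and "TLS" in line.upper():
            self.tls_pending = True
        elif verb == "PASS":
            self.log.append("saw PASS: this is an authenticated session")
        parsed = parse_port(line)
        if parsed is None:
            return line
        ip, port = parsed
        if ipaddress.ip_address(ip) not in self.private_net:
            return line  # not one of our clients; nothing to translate
        if not self.free_ports:
            raise RuntimeError("ALG port pool exhausted; active-mode data channel will fail")
        pub_port = self.free_ports.pop(0)
        self.dnat[pub_port] = (ip, port)
        self.log.append(f"rewrote PORT {ip}:{port} -> {self.public_ip}:{pub_port}")
        return format_port(self.public_ip, pub_port)

    def server_to_client(self, line):
        """Process one server->client reply; a 234 after AUTH TLS switches to ciphertext."""
        if self.tls_pending and line.startswith("234"):
            self.secured = True
            self.tls_pending = False
        return line

    def inbound_data_connection(self, dst_port):
        """Server connects to public_ip:dst_port; return the client to forward it to."""
        return self.dnat.get(dst_port)


def demo():
    """Walk an active-mode login through the ALG, then repeat PORT after AUTH TLS."""
    alg = FtpAlg("203.0.113.7", "192.168.10.0/24")  # constructed (TEST-NET-3 / RFC 1918)
    alg.client_to_server("USER scott\r\n")
    alg.client_to_server("PASS example-only\r\n")
    rewritten = alg.client_to_server("PORT 192,168,10,25,19,136\r\n")  # client 192.168.10.25:5000
    forward_to = alg.inbound_data_connection(50000)
    # Client now protects the control channel; from here the filter is blind, so a
    # later PORT is neither rewritten nor NATed (which is why PASV is needed instead).
    alg.client_to_server("AUTH TLS\r\n")
    alg.server_to_client("234 AUTH TLS successful\r\n")
    untouched = alg.client_to_server("PORT 192,168,10,25,19,137\r\n")
    return rewritten, forward_to, untouched, alg.log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The last PORT in `demo()` comes back unchanged because the model can no longer read it; on a real link the server would receive ciphertext, never see the private address, and the active-mode data connection would not come back through the firewall at all. That is the trade-off the comment above describes: protecting the control channel hides PASS from the filter, but it also hides PORT, so passive mode (or clearing the control channel after login) is required.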
LVL 3

Author Comment

by:scottyvanman
ID: 39811039
Let me try that and I will let you know. Thanks for the suggestion!
LVL 3

Author Comment

by:scottyvanman
ID: 39822857
Ok, I tried that and I get the same error. Not sure where to run on this one....

Command:      open "xxxxt@ftp.xxxxxx.com" 2222
Command:      Trust new Hostkey: Yes
Command:      Pass: *********
Error:      Authentication failed.
Error:      Critical error
Error:      Could not connect to server
Expert Comment

by:vanquisbank
ID: 40124645
Hi,

Have you tried adding the username and password to the URL?

e.g. ftp://domain/username:password@ftp.com

I had a similar problem a couple of months ago and this was the only way round it
LVL 3

Accepted Solution

by:scottyvanman (earned 0 total points)
ID: 40124990
I had tried that. This has been resolved, and what it turned out to be was that the FTP host was blocking the static public IP that we had. They denied it at first, but after multiple requests they finally found the issue and unblocked it, and we had access again. Ouch!!
LVL 3

Author Closing Comment

by:scottyvanman
ID: 40134946
Solved it myself.