Solved

TMG 2010 will not accept user credentials when connecting to external FTP Sites

Posted on 2014-01-21
901 Views
Last Modified: 2014-06-15
I am having an issue connecting to external FTP sites that require a username and password through TMG 2010. I am able to connect to any anonymous FTP site, and I can connect to the authenticating FTP servers, but it just keeps prompting for credentials over and over even though the password is correct. This was working fine until Century Link changed out our DSL modem and it has not worked since. You would think, of course it's the DSL modem, but when I connect directly to the back of the modem and bypass the TMG server, I can authenticate and login to any FTP server that I want. This TMG server is running SP2 hotfix 4 and I have the FTP policy created, I have made sure that none of the policies have the read only flag checked on the FTP configuration for each policy (even the non-FTP ones), I have active FTP enabled, but still cannot authenticate. The firewall logs show the traffic as "allowed" when I run a test, but if I try to access the FTP site through Windows Explorer from the TMG server, it tells me that read only mode is active. All workstations behind the TMG server exhibit the same behavior. I have also tried using the firewall client but get the same results with that, and Filezilla also says the user name and pw are incorrect even though they are not. I have tried just about every fix that I can find but I can't seem to find any articles describing this exact issue. Any help is greatly appreciated.

Scott
Question by:scottyvanman
10 Comments
 
LVL 16

Expert Comment

by:AlexPace
Filezilla automatically sends some commands after the user is authenticated to get a list of features supported by the server and a directory listing from the remote working folder.  

I'd bet what is happening is that the username and password are accepted but the directory listing is failing.  I further suspect that the difference you see between external FTP sites has more to do with if the directory listing is sent via passive or active mode.

While I'm speculating, I'll guess that the firewall snoops the FTP control channel looking for the PORT command sent from the client when it wants to do an active mode data channel.  It modifies the command so that the private IP address of the workstation is replaced by the public IP address of the firewall and then it replaces the last 2 numbers with an available port.  The server will receive the modified port command and attempt to open an outgoing connection back to the replaced address and port which is actually the address of the firewall.  The firewall will then automatically forward (NAT) the connection attempt back to the workstation.  

Obviously that is complicated and prone to error so, when you plug in on the other side of the firewall, none of that happens and the thing just works.  

It would be great if you could get your hands on a copy of the FTP server's log showing what happened on the protocol level from its point of view.
0
 
LVL 3

Author Comment

by:scottyvanman
Hi Alex, thanks for responding. I might think it was failing the directory listing except I can hit any anonymous FTP site like ftp.microsoft.com and I see all the files with no problem. I noticed last night that I am getting this error in the logs when the FTP Filter is applied

21      FTP OUT      Initiated Connection      Unrestricted Internet access      0x0 SUCCESS      Local Host      External      -      1/21/2014 23:52

21      FTP OUT      Closed Connection      Unrestricted Internet access      0x80074e24 FWX_E_CONNECTION_KILLED      Local Host      External      -      1/21/2014 23:52


and this one when the FTP filter is not applied


21      FTP OUT      Initiated Connection      Unrestricted Internet access      0x0 SUCCESS      Internal      External      -      1/22/2014 0:13

21      FTP OUT      Closed Connection      Unrestricted Internet access      0x80074e20 FWX_E_GRACEFUL_SHUTDOWN      Internal      External      -      1/22/2014 0:13

I still have the same problem whether the filter is applied or not. I am still researching...
0
 
LVL 16

Expert Comment

by:AlexPace
There is a comment on this other thread that discusses a resolution for a very similar issue that involved unexpected interference from a different anonymous access rule: http://social.technet.microsoft.com/Forums/forefront/en-US/95cf87c4-f7be-4911-807a-9e6153244388/ftp-upload-issue-with-tmg-2010-sp1?forum=Forefrontedgegeneral
0
 
LVL 3

Author Comment

by:scottyvanman
Thanks, I had seen that article but I don't have that same issue. I still can't figure it out. I swear if I could figure out how to make Outlook Anywhere work without TMG I would take TMG out and just use a firewall appliance. I'll keep working on it but thanks for trying to help!
0
 
LVL 16

Expert Comment

by:AlexPace
What happens when you do an FTPS connection with a secured control channel?  The firewall wouldn't be able to snoop it after it goes into protected mode so it literally wouldn't know the difference between an anonymous connection and one where the PASS verb was used... of course it also wouldn't be able to snoop the PORT command so you'd have to use PASV mode or clear the control channel after authentication.
0
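To make the PORT-rewriting behaviour Alex describes concrete (and the point in the FTPS comment that an encrypted control channel cannot be rewritten), here is an added example, not code from this thread or from TMG, of a minimal FTP application-level gateway: it parses an outbound PORT verb, substitutes the firewall's public address and a free port, and records the NAT mapping used to forward the server's data connection back to the workstation. The public address 203.0.113.5, the port range and the sample commands are constructed.

```python
import re
from dataclasses import dataclass, field

# PORT h1,h2,h3,h4,p1,p2 -> data-channel IP h1.h2.h3.h4, port p1*256+p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


def parse_port(cmd):
    """Parse an FTP PORT verb into (ip, port); return None if malformed."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def format_port(ip, port):
    """Encode (ip, port) back into PORT syntax with CRLF terminator."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


@dataclass
class FtpAlg:
    """Toy FTP ALG (constructed): public_ip is the firewall's external address."""
    public_ip: str
    next_port: int = 40000
    nat_table: dict = field(default_factory=dict)  # public port -> (client ip, client port)

    def rewrite_client_command(self, cmd, control_channel_encrypted=False):
        """Rewrite an outbound PORT so the server connects back to the firewall.
        Other verbs (USER, PASS, LIST ...) pass through untouched. Returns
        (command to forward, allocated public port or None)."""
        if control_channel_encrypted:
            # After AUTH TLS the ALG cannot read or rewrite PORT: pass it through.
            return cmd, None
        parsed = parse_port(cmd)
        if parsed is None:
            return cmd, None
        client_ip, client_port = parsed
        public_port = self.next_port
        self.next_port += 1
        self.nat_table[public_port] = (client_ip, client_port)
        return format_port(self.public_ip, public_port), public_port

    def inbound_data_target(self, dst_port):
        """Map the server's inbound data connection (by destination port)
        to the waiting workstation, or None if no PORT was seen for it."""
        return self.nat_table.get(dst_port)
```

With an encrypted control channel the server still receives the workstation's private address, which is why active mode then fails and PASV (or clearing the control channel after login) is needed.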
 
LVL 3

Author Comment

by:scottyvanman
Let me try that and I will let you know. Thanks for the suggestion!
0
 
LVL 3

Author Comment

by:scottyvanman
Ok, I tried that and I get the same error. Not sure where to run on this one....

Command:      open "xxxxt@ftp.xxxxxx.com" 2222
Command:      Trust new Hostkey: Yes
Command:      Pass: *********
Error:      Authentication failed.
Error:      Critical error
Error:      Could not connect to server
0
 

Expert Comment

by:vanquisbank
Hi,

Have you tried adding the username and password to the URL?

e.g. ftp://domain/username:password@ftp.com

I had a similar problem a couple of months ago and this was the only way round it
0
 
LVL 3

Accepted Solution

by:
scottyvanman earned 0 total points
I had tried that. This has been resolved and what it turned out to be was the FTP Host was blocking the static public IP that we had. They denied it at 1st, but after multiple requests they finally found the issue and unblocked it and we had access again. Ouch!!
0
 
LVL 3

Author Closing Comment

by:scottyvanman
Solved it myself.
0