Solved

SFTP Behind ISA 2000

Posted on 2014-03-13
559 Views
Last Modified: 2014-04-12
Hello.
Is there any way to connect to a secure FTP site from behind an ISA 2000 Server firewall? Using the WinSCP client, connecting to FTP with TLS/SSL implicit encryption on port 990. I can make the connection, but can't make the secondary connections to ports 3000-3200 to view the directory listing.
Thank you.
Question by: chantalcookware
22 Comments
 
Expert Comment by: Philip Elder (LVL 38)
You can set up a Server Publishing Rule that forwards 990 to your server.

It's been a while but there should be a second place in the rule set that allows for secondary inbound connections. Set up your rule with them.

If that fails then set up a new Server Publishing Rule that port forwards 3000-3200 to the SFTP server.

Philip

Author Comment by: chantalcookware
I am connecting to the server from behind an ISA server. The server itself is not behind ISA, and is not in my control. Is my client connection the server that is published?
Thank you.

Expert Comment by: Philip Elder (LVL 38)
Okay, the first sentence reads like the SFTP server is _behind_ ISA.

If SFTP is outside ISA (Internet) then a set of Client Access publishing rules would fit the bill. That would allow 990 outbound and 3000-3200 outbound.

Philip

Author Comment by: chantalcookware
Thank you. I have never set up client access publishing rules. Do I need to set something just for the computer that will access the SFTP, or will it affect all computers?

Expert Comment by: Philip Elder (LVL 38)
You can set up the scope of the rule to limit to the computer needing access.

DHCP Reserve an IP or statically set an IP and delimit the rule to that PC by IP.

Philip

Author Comment by: chantalcookware
Thank you. I have set up a protocol definition for 990 inbound and secondary connections to 3000-3200 both inbound and outbound. I publish the client IP as a published server using that protocol definition. After this, the SFTP still cannot get the directory listing from the remote site. Anything else I could be missing?

Thanks again

Expert Comment by: Philip Elder (LVL 38)
Outbound. You need Client Access rules for outbound. Not Server Rules for inbound.

Philip

Author Comment by: chantalcookware
I don't see client access rules in the ISA management software. I added a protocol rule to use the protocol definitions for 990 in and out. Both 990 in and out use secondary connections of 3000-3200 both inbound and outbound. Same result. I am not able to retrieve the directory listing. Error is "could not build data connection to host". Initial connection does take place on 990 but secondary connections are dropped.
Thanks again for your help.

Expert Comment by: skullnobrains (LVL 26)
Just a note: you're referring to FTPS and not SFTP in this thread.

SFTP runs over SSH and only requires port 22 (which is much more firewall friendly than either of the above).

Every decent firewall around can do FTP/SFTP protocol inspection and open ports as required. I'd assume that feature should probably exist in ISA as well. If not, it is probably both easier and safer to set up winsocks rather than opening whole port ranges.

Author Comment by: chantalcookware
Sorry. Using FTPS over port 990 to make initial connection. Then port 3000-3200 to retrieve directories and transfer. I am seeing that ISA 2000 has trouble with this, but was hoping someone may have a trick to work around it since this firewall will not be updated in the immediate future.

Thanks for your help.

Expert Comment by: skullnobrains (LVL 26)
"was hoping someone may have a trick to work around it since this firewall will not be updated in the immediate future."

I don't know if ISA can do protocol inspection. I thought you would. Then winsock would be a neat trick.


"I have setup a protocol definition for 990 inbound and secondary connections to 3000-3200 both in and out bound"

If you did not instruct your client (for passive mode, same direction as the FTP connection) and servers (for active mode, reverse way) to use the same ports, opening these won't help unless you get lucky.

Debug active and passive separately.

As far as I understand you are allowing INCOMING FTP connections since you allowed 990 inbound.

For passive mode:
- your server needs to be set to propose the same port range in answer to the PASV command
- your firewall needs to NAT the range to the FTP server
- neither NAT rule (port 21/990 and the range) should use source NAT

For active mode:
- you don't really need to set up a range
- you need to allow outgoing connections from port 20 of your server to the world
- the NAT rule that allows port 21/990 should not use source NAT
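The passive-mode flow described in the comment above, as an added example that is not part of the original thread: a small Python 3 check that parses the server's PASV (227) reply, or an EPSV (229) reply, into the host and port the client will connect to, lists the outbound flows the firewall has to permit, and reports whether the advertised data endpoint actually fits a policy of "client to server on 990 and 3000-3200, outbound only". The server address 203.0.113.10, the port range 3000-3200 taken from the thread, and the sample replies are all constructed for illustration; EPSV handling goes beyond the thread, which only mentions PASV.

```python
"""Passive-mode FTPS data-connection check.

Added example, not code from the original thread. Assumed setup: the
client sits on a NATed LAN behind the firewall, the FTPS server is on the
Internet, the control connection is implicit TLS on tcp/990, and the
server's guidelines (as in the thread) say PASV data ports are 3000-3200.
The server address and the sample replies below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

CONTROL_PORT = 990                 # implicit-TLS FTPS control port
PASV_RANGE = (3000, 3200)          # data ports the server is documented to offer

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> host h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# "229 Entering Extended Passive Mode (|||port|)" (RFC 2428) -> same host as the control connection
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int


def parse_passive_reply(reply: str, control_host: str) -> DataEndpoint:
    """Turn the server's 227/229 reply into the endpoint the CLIENT connects to.

    In passive mode the client opens the data connection, so from the
    firewall's point of view it is an outbound flow, just like the control
    connection.
    """
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return DataEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.match(reply)
    if m:
        return DataEndpoint(control_host, int(m.group(1)))
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def required_flows(server: str) -> List[Tuple[str, int, int]]:
    """Outbound flows (dst_host, first_port, last_port) the firewall must allow.

    Both entries are LAN client -> Internet server, source-NATed like web
    browsing. No inbound rule or server publishing rule is involved.
    """
    return [(server, CONTROL_PORT, CONTROL_PORT), (server, PASV_RANGE[0], PASV_RANGE[1])]


def check_data_connection(reply: str, control_host: str) -> List[str]:
    """Return the reasons the data connection would NOT match required_flows().

    An empty list means the advertised endpoint is inside the documented
    range and on the same host as the control connection.
    """
    ep = parse_passive_reply(reply, control_host)
    problems: List[str] = []
    if not PASV_RANGE[0] <= ep.port <= PASV_RANGE[1]:
        problems.append(
            f"server offered port {ep.port}, outside the documented "
            f"{PASV_RANGE[0]}-{PASV_RANGE[1]} range"
        )
    if ep.host != control_host:
        if ipaddress.ip_address(ep.host).is_private:
            # Classic symptom of a server behind NAT advertising its own
            # internal address; no client-side firewall rule can fix that.
            problems.append(f"server advertised private address {ep.host}")
        else:
            problems.append(f"data host {ep.host} differs from control host {control_host}")
    return problems


if __name__ == "__main__":
    server = "203.0.113.10"  # constructed example address
    for dst, lo, hi in required_flows(server):
        print(f"allow LAN -> {dst} tcp/{lo}-{hi} (outbound, source NAT)")
    for reply in (
        "227 Entering Passive Mode (203,0,113,10,11,184)",   # port 3000: in range
        "227 Entering Passive Mode (203,0,113,10,12,129)",   # port 3201: just outside
        "227 Entering Passive Mode (192,168,1,5,11,200)",    # private address leak
        "229 Entering Extended Passive Mode (|||3100|)",
    ):
        print(reply, "->", check_data_connection(reply, server) or "OK")
```

Feed it the 227 line from the client's session log: if the port lands outside 3000-3200 or the host is a private address, the failure is on the server side and widening the outbound rule on the client's firewall will not help.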
 

Author Comment by: chantalcookware
Hello.
I opened 990 inbound only to ensure the connection to the remote server would communicate properly. I don't have control over the settings of the ftp server, but we are required to use passive mode. The port ranges 3000-3200 are specified by the server connection guidelines. All of our internal workstations use a NAT address. Only the ISA server itself uses an external IP.
I don't understand how to do this:
"- your firewall needs to NAT the range to the FTP server"
"- neither NAT rule (port 21/990 and the range) should use source NAT"

I believe I am doing this, as I have opened 990, and allow secondary connections in and outbound for the additional ports 3000-3200:
"- your server needs to be set to propose the same port range in answer to the PASV command"

Thanks for your help.

Expert Comment by: skullnobrains (LVL 26)
forget the above if you're connecting internal clients to a remote FTP and not the reverse

- remove 990 inbound (and any other inbound stuff)
- you only need to allow and source NAT outgoing connections to ports 990 and 3000-3200 (same type of rule you use with port 80 for web browsing)

Expert Comment by: skullnobrains (LVL 26)
BTW, ISA Server does have an FTP-aware proxy dissector. It probably will not handle FTPS if the control connection is encrypted, but it does exist.

Author Comment by: chantalcookware
I set up the outbound connections and still no luck. I am thinking the ISA server cannot handle the connection after the control connection is made.

Expert Comment by: skullnobrains (LVL 26)
post the exact rules you created. you should have opened

LAN port > 1024 --> WAN port 21,3000-3200 (with source NAT)

also post the session transcript

Author Comment by: chantalcookware
OK. That is not what I did. I opened the external IP on port 990 out with secondary connections to 3000-3200. I am not sure how to do what you suggest on ISA 2000. Can you advise the steps?
Thank you for your help.

Expert Comment by: skullnobrains (LVL 26)
you don't have to open anything related to the external ip. passive ftp only requires OUTGOING connections

just allow outgoing connections to the ftps server on both port 990 and the 3000-3200 range.

of course, these connections need to be NATed in the same way as any other outgoing connections.

I'm unsure what "secondary connections" are in ISA, but you don't really need them and it would be simpler to set things up without. It is fine if they allow the range only after there was a connection to the 990 port first.

if you are unsure,
- remove any rules you added so far
- look at your existing rule that allows web traffic, and just reproduce the same but change port 80 to the required ones.
- once this is done and the rules work, you can restrict them to the ftps server if you want.

Author Comment by: chantalcookware
Hello.
I tried all of this, and still could not connect to SFTP. I do not believe it is possible in ISA 2000.

Accepted Solution by: skullnobrains (LVL 26, earned 500 total points)
again, this is NOT sftp but regular ftps. it would be MUCH easier otherwise

post a screenshot or description of the rules you created. this is most definitely possible (and should be reasonably easy) on any firewall including ISA.

you may want to add a session transcript and a copy-paste of the instructions you were given. it seems fairly possible that you misread some of it.

Author Comment by: chantalcookware
Hello.
Thanks for the help. I am going to implement a new firewall instead of further attempts on this older solution.
Thanks again.

Expert Comment by: skullnobrains (LVL 26)
if you're interested in free firewalls, you may want to use pfsense. various vendors sell appliances with pfsense preinstalled, and they sell tiny appliances on their site as well.