Solved

SFTP Behind ISA 2000

Posted on 2014-03-13
Last Modified: 2014-04-12
Hello.
Is there any way to connect to a secure FTP site from behind an ISA 2000 Server firewall? Using WinSCP client, connecting to FTP with TLS/SSL implicit encryption on port 990. I can make the connection, but can't make the secondary connections to port 3000-3200 to view the directory listing.
Thank you.
Question by:chantalcookware
22 Comments
 
LVL 38

Expert Comment

by:Philip Elder
ID: 39926944
You can set up a Server Publishing Rule that forwards 990 to your server.

It's been a while but there should be a second place in the rule set that allows for secondary inbound connections. Set up your rule with them.

If that fails then set up a new Server Publishing Rule that port forwards 3000-3200 to the SFTP server.

Philip
 

Author Comment

by:chantalcookware
ID: 39927097
I am connecting to the server from behind an ISA server. The server itself is not behind ISA, and is not in my control. Is my client connection the server that is published?
Thank you.
 
LVL 38

Expert Comment

by:Philip Elder
ID: 39927201
Okay, the first sentence reads like the SFTP server is _behind_ ISA.

If SFTP is outside ISA (Internet) then a set of Client Access publishing rules would fit the bill. That would allow 900 outbound and 3000-3200 outbound.

Philip
 

Author Comment

by:chantalcookware
ID: 39929591
Thank you. I have never set up client access publishing rules. Do I need to set something just for the computer that will access the SFTP, or will it affect all computers?
 
LVL 38

Expert Comment

by:Philip Elder
ID: 39929703
You can set up the scope of the rule to limit to the computer needing access.

DHCP Reserve an IP or statically set an IP and delimit the rule to that PC by IP.

Philip
 

Author Comment

by:chantalcookware
ID: 39929754
Thank you. I have set up a protocol definition for 990 inbound and secondary connections to 3000-3200 both inbound and outbound. I publish the client IP as a published server using that protocol definition. After this, the SFTP client still cannot get the directory listing from the remote site. Anything else I could be missing?

Thanks again
 
LVL 38

Expert Comment

by:Philip Elder
ID: 39929964
Outbound. You need Client Access rules for outbound. Not Server Rules for inbound.

Philip
 

Author Comment

by:chantalcookware
ID: 39929990
I don't see client access rules in the ISA management software. I added a protocol rule to use the protocol definitions for 990 in and out. Both 990 in and out use secondary connections of 3000-3200, both inbound and outbound. Same result. I am not able to retrieve the directory listing. The error is "could not build data connection to host". The initial connection does take place on 990, but the secondary connections are dropped.
Thanks again for your help.
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39931326
just a note: you're referring to ftps and not sftp in this thread.

sftp runs over ssh and only requires port 22 (which is much more firewall friendly than either of the above)

every decent firewall around can do ftp/sftp protocol inspection and open ports as required. i'd assume that feature should probably exist in isa as well. if not, it is probably both easier and safer to setup winsocks rather than opening whole port ranges
 

Author Comment

by:chantalcookware
ID: 39934804
Sorry. Using FTPS over port 990 to make initial connection. Then port 3000-3200 to retrieve directories and transfer. I am seeing that ISA 2000 has trouble with this, but was hoping someone may have a trick to work around it since this firewall will not be updated in the immediate future.

Thanks for your help.
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39936613
was hoping someone may have a trick to work around it since this firewall will not be updated in the immediate future.

i don't know if ISA can do protocol inspection. i thought you would. then winsock would be a neat trick.


I have setup a protocol definition for 990 inbound and secondary connections to 3000-3200 both in and out bound

if you did not instruct your client (for passive mode, same direction as ftp connection) and servers (for active mode, reverse way) to use the same ports, opening these won't help unless you get lucky

debug active and passive separately

as far as i understand you are allowing INCOMING ftp connections since you allowed 990 inbound

for passive mode :
- your server needs to be set to propose the same port range in answer to PASV command
- your firewall needs to NAT the range to the FTP server
- neither NAT rule (port 21/990 nor the range) should use source nat

for active mode
- you don't really need to setup a range
- you need to allow outgoing connections from the port 20 of your server to the world
- the NAT rule that allows port 21/990 should not use source nat
 

Author Comment

by:chantalcookware
ID: 39937200
Hello.
I opened 990 inbound only to ensure the connection to the remote server would communicate properly. I don't have control over the settings of the ftp server, but we are required to use passive mode. The port ranges 3000-3200 are specified by the server connection guidelines. All of our internal workstations use a NAT address. Only the ISA server itself uses an external IP.
I don't understand how to do this:
 - your firewall needs to NAT the range to the FTP server
 - neither NAT rule (port 21/990 nor the range) should use source nat


I believe I am doing this, as I have opened 990, and allow secondary connections in and outbound for the additional ports 3000-3200.
 - your server needs to be set to propose the same port range in answer to PASV command

Thanks for your help.
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39937438
forget the above if you're connecting internal clients to a remote FTP and not the reverse

- remove 990 inbound (and any other inbound stuff)
- you only need to allow and source NAT outgoing connections to ports 990 and 3000-3200 (same type of rule you use with port 80 for web browsing)
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39937462
btw, ISA server does have an ftp-aware proxy dissector. it probably will not handle FTPS if the control connection is encrypted, but it does exist
 

Author Comment

by:chantalcookware
ID: 39946418
I set up the outbound connections and still no luck. I am thinking the ISA server cannot handle the connection after the control connection is made.
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39947130
post the exact rules you created. you should have opened

LAN port > 1024 --> WAN port 21,3000-3200 (with source NAT)

also post the session transcript
 

Author Comment

by:chantalcookware
ID: 39950914
OK. That is not what I did. I opened the external IP on port 990 out with secondary connections to 3000-3200. I am not sure how to do what you suggest on ISA 2000. Can you advise the steps?
Thank you for your help.
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39953646
you don't have to open anything related to the external ip. passive ftp only requires OUTGOING connections

just allow outgoing connections to the ftps server on both port 990 and the 3000-3200 range.

of course, these connections need to be NATed in the same way as any other outgoing connections.

i'm unsure what are "secondary connections" in ISA but you don't really need them and it would be simpler to set things up without. it is fine if they allow the range only after there was a connection to the 990 port first.

if you are unsure,
- remove any rules you added so far
- look at your existing rule that allows web traffic, and just reproduce the same but change port 80 to the required ones.
- once this is done and the rules work, you can restrict them to the ftps server if you want.
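Added example, not from the thread or from either participant: the passive-mode flow described above means every data connection is opened by the client to whatever host and port the server announces in its 227 reply. This small checker reads a WinSCP-style session log (the constructed sample below is not a real transcript), extracts each PASV reply, and reports any announced port outside the 3000-3200 range from the server guidelines, or an announced host that differs from the control-connection host; both are reasons a data connection fails even when the firewall rule for 990 and 3000-3200 is correct. The control host 203.0.113.10 and the log lines are assumed values.

```python
import re

# Passive data-port range from the server's connection guidelines (from the
# thread); the outbound firewall rule must allow TCP to 990 and to this range.
DATA_PORT_RANGE = (3000, 3200)

# FTP reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2.
PASV_RE = re.compile(r"227\D*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed log excerpt in WinSCP's "<"/">" style; not a captured session.
SAMPLE_LOG = [
    "> 2014-03-13 09:00:01.000 PASV",
    "< 2014-03-13 09:00:01.050 227 Entering Passive Mode (203,0,113,10,11,184)",
    "> 2014-03-13 09:00:01.060 LIST",
    "> 2014-03-13 09:00:05.000 PASV",
    "< 2014-03-13 09:00:05.040 227 Entering Passive Mode (203,0,113,10,196,40)",
    "> 2014-03-13 09:00:09.000 PASV",
    "< 2014-03-13 09:00:09.030 227 Entering Passive Mode (10,0,0,5,12,0)",
]


def parse_pasv(line):
    """Return (host, port) announced by a 227 reply, or None for other lines."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_session(log_lines, control_host, port_range=DATA_PORT_RANGE):
    """Check each PASV reply; returns (port, host, problem) tuples, problem None if OK."""
    lo, hi = port_range
    findings = []
    for line in log_lines:
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        host, port = parsed
        problem = None
        if not lo <= port <= hi:
            problem = f"port {port} outside allowed range {lo}-{hi}"
        elif host != control_host:
            problem = f"data host {host} differs from control host {control_host}"
        findings.append((port, host, problem))
    return findings


if __name__ == "__main__":
    for port, host, problem in check_session(SAMPLE_LOG, "203.0.113.10"):
        print(f"{host}:{port} -> {problem or 'allowed by outbound rule'}")
```

A mismatching host in the 227 reply usually means the server sits behind its own NAT and advertises its private address; that is a server-side issue and no client firewall rule will fix it.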
 

Author Comment

by:chantalcookware
ID: 39989025
Hello.
I tried all of this, and still could not connect to SFTP. I do not believe it is possible in ISA 2000.
 
LVL 26

Accepted Solution

by:skullnobrains (earned 500 total points)
ID: 39990885
again, this is NOT sftp but regular ftps. it would be MUCH easier otherwise

post a screenshot or description of the rules you created. this is most definitely possible (and should be reasonably easy) on any firewall including ISA.

you may want to add a session transcript and a copy-paste of the instructions you were given. it seems fairly possible that you misread some of it.
 

Author Comment

by:chantalcookware
ID: 39994544
Hello.
Thanks for the help. I am going to implement a new firewall instead of further attempts on this older solution.
Thanks again.
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39995757
if you're interested in free firewalls, you may want to use pfsense. various vendors sell appliances with pfsense preinstalled, and they sell tiny appliances on their site as well.