chantalcookware asked on

SFTP Behind ISA 2000

Hello.
Is there any way to connect to a secure FTP site from behind an ISA 2000 Server firewall? Using the WinSCP client, connecting to FTP with TLS/SSL implicit encryption on port 990. I can make the connection, but can't make the secondary connections to ports 3000-3200 to view the directory listing.
Thank you.
Tags: Software Firewalls, SBS, Microsoft Forefront ISA Server

Last comment: skullnobrains, 8/22/2022 - Mon
Philip Elder

You can set up a Server Publishing Rule that forwards 990 to your server.

It's been a while but there should be a second place in the rule set that allows for secondary inbound connections. Set up your rule with them.

If that fails then set up a new Server Publishing Rule that port forwards 3000-3200 to the SFTP server.

Philip
ASKER
chantalcookware

I am connecting to the server from behind an ISA server. The server itself is not behind ISA, and is not in my control. Is my client connection the server that is published?
Thank you.
Philip Elder

Okay, the first sentence reads like the SFTP server is _behind_ ISA.

If SFTP is outside ISA (Internet) then a set of Client Access publishing rules would fit the bill. That would allow 990 outbound and 3000-3200 outbound.

Philip
ASKER
chantalcookware

Thank you. I have never set up client access publishing rules. Do I need to set something up just for the computer that will access the SFTP, or will it affect all computers?
Philip Elder

You can set up the scope of the rule to limit to the computer needing access.

DHCP-reserve an IP or statically set an IP, and delimit the rule to that PC by IP.

Philip
ASKER
chantalcookware

Thank you. I have set up a protocol definition for 990 inbound and secondary connections to 3000-3200 both inbound and outbound. I publish the client IP as a published server using that protocol definition. After this, the SFTP client still cannot get the directory listing from the remote site. Anything else I could be missing?

Thanks again
Philip Elder

Outbound. You need Client Access rules for outbound. Not Server Rules for inbound.

Philip
ASKER
chantalcookware

I don't see client access rules in the ISA management software. I added a protocol rule to use the protocol definitions for 990 in and out. Both 990 in and out use secondary connections of 3000-3200, both inbound and outbound. Same result. I am not able to retrieve the directory listing. The error is "could not build data connection to host". The initial connection does take place on 990, but the secondary connections are dropped.
Thanks again for your help.
skullnobrains

Just a note: you're referring to FTPS and not SFTP in this thread.

SFTP runs over SSH and only requires port 22 (which is much more firewall friendly than either of the above).

Every decent firewall around can do FTP/SFTP protocol inspection and open ports as required. I'd assume that feature should probably exist in ISA as well. If not, it is probably both easier and safer to set up Winsock rather than opening whole port ranges.
ASKER
chantalcookware

Sorry. Using FTPS over port 990 to make the initial connection. Then ports 3000-3200 to retrieve directories and transfer. I am seeing that ISA 2000 has trouble with this, but was hoping someone may have a trick to work around it, since this firewall will not be updated in the immediate future.

Thanks for your help.
skullnobrains

"was hoping someone may have a trick to work around it since this firewall will not be updated in the immediate future."

I don't know if ISA can do protocol inspection. I thought you would. Then Winsock would be a neat trick.


"I have setup a protocol definition for 990 inbound and secondary connections to 3000-3200 both in and out bound"

If you did not instruct your client (for passive mode, same direction as the FTP connection) and server (for active mode, the reverse way) to use the same ports, opening these won't help unless you get lucky.

Debug active and passive separately.

As far as I understand, you are allowing INCOMING FTP connections, since you allowed 990 inbound.

For passive mode:
- your server needs to be set to propose the same port range in answer to the PASV command
- your firewall needs to NAT the range to the FTP server
- neither NAT rule (port 21/990 nor the range) should use source NAT

For active mode:
- you don't really need to set up a range
- you need to allow outgoing connections from port 20 of your server to the world
- the NAT rule that allows port 21/990 should not use source NAT
ASKER
chantalcookware

Hello.
I opened 990 inbound only to ensure the connection to the remote server would communicate properly. I don't have control over the settings of the FTP server, but we are required to use passive mode. The port range 3000-3200 is specified by the server connection guidelines. All of our internal workstations use a NAT address. Only the ISA server itself uses an external IP.
I don't understand how to do this:
 - your firewall needs to NAT the range to the FTP server
 - neither NAT rule (port 21/990 nor the range) should use source NAT


I believe I am doing this, as I have opened 990, and allow secondary connections inbound and outbound for the additional ports 3000-3200:
 - your server needs to be set to propose the same port range in answer to the PASV command

Thanks for your help.
skullnobrains

Forget the above if you're connecting internal clients to a remote FTP and not the reverse.

- remove 990 inbound (and any other inbound stuff)
- you only need to allow and source-NAT outgoing connections to ports 990 and 3000-3200 (the same type of rule you use with port 80 for web browsing)
skullnobrains

BTW, ISA Server does have an FTP-aware proxy dissector. It probably will not handle FTPS if the control connection is encrypted, but it does exist.
ASKER
chantalcookware

I set up the outbound connections and still no luck. I am thinking the ISA server cannot handle the connection after the control connection is made.
skullnobrains

Post the exact rules you created. You should have opened:

LAN port > 1024 --> WAN port 21,3000-3200 (with source NAT)

Also post the session transcript.
ASKER
chantalcookware

OK. That is not what I did. I opened the external IP on port 990 out with secondary connections to 3000-3200. I am not sure how to do what you suggest on ISA 2000. Can you advise the steps?
Thank you for your help.
skullnobrains

You don't have to open anything related to the external IP. Passive FTP only requires OUTGOING connections.

Just allow outgoing connections to the FTPS server on both port 990 and the 3000-3200 range.

Of course, these connections need to be NATed in the same way as any other outgoing connections.

I'm unsure what "secondary connections" are in ISA, but you don't really need them and it would be simpler to set things up without. It is fine if they allow the range only after there was a connection to port 990 first.

If you are unsure:
- remove any rules you added so far
- look at your existing rule that allows web traffic, and just reproduce the same but change port 80 to the required ones
- once this is done and the rules work, you can restrict them to the FTPS server if you want
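The passive-mode exchange and outbound rule described in the two posts above, as an added example that is not part of the original thread: it parses the server's 227 (PASV) reply the way an FTPS client does, lists the connections the client then opens (both outbound), and checks them against an outbound policy of the form "LAN port > 1024 --> WAN 990, 3000-3200". The server address 203.0.113.10, the source ports and the 227 replies are constructed for illustration, not captured traffic.

```python
# Added example, not code from the original thread.
# Walks through the passive-mode FTPS exchange discussed above, parses the
# server's 227 reply, and checks the resulting control and data connections
# against an outbound firewall policy of the kind skullnobrains describes:
#   LAN port > 1024 --> WAN port 990, 3000-3200 (source-NATed)
# Everything here is constructed for illustration: the server address
# 203.0.113.10 and the replies are hypothetical, not captured traffic.
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Extract (host, port) from an RFC 959 '227 Entering Passive Mode' reply.

    The port is encoded as two decimal bytes: port = p1 * 256 + p2.
    With implicit TLS (port 990) this reply travels inside the TLS session,
    which is why an FTP-aware firewall proxy cannot read it and open the
    data port dynamically; the whole range has to be allowed outright.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if p1 > 255 or p2 > 255:
        raise ValueError(f"port bytes out of range in {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Flow:
    """One TCP connection as the firewall sees it, from the LAN's point of view."""
    direction: str      # "out": LAN client -> WAN server; "in": WAN -> LAN
    src_port: int
    dst_host: str
    dst_port: int
    purpose: str


@dataclass(frozen=True)
class Rule:
    direction: str
    dst_ports: range          # e.g. range(990, 991) or range(3000, 3201)
    min_src_port: int = 1024  # ephemeral source ports only

    def matches(self, flow: Flow) -> bool:
        return (flow.direction == self.direction
                and flow.dst_port in self.dst_ports
                and flow.src_port >= self.min_src_port)


def passive_session_flows(server: str, pasv_reply: str,
                          control_src: int = 49152, data_src: int = 49153) -> List[Flow]:
    """Connections a passive-mode FTPS client makes, in order.

    Both are OUTBOUND from the LAN: the control channel to 990 and the data
    channel to whatever host:port the server proposed in its 227 reply.
    No inbound rule is involved, which is the point made in the thread.
    """
    data_host, data_port = parse_pasv(pasv_reply)
    return [
        Flow("out", control_src, server, 990, "control (implicit TLS)"),
        Flow("out", data_src, data_host, data_port, "data (directory listing / transfer)"),
    ]


def blocked_flows(flows: Iterable[Flow], policy: Iterable[Rule]) -> List[Flow]:
    """Flows that no rule in the policy permits (any-match-allows semantics)."""
    rules = list(policy)
    return [f for f in flows if not any(r.matches(f) for r in rules)]


# Policy skullnobrains recommends: outbound only, control port plus the
# server-documented passive range 3000-3200.
RECOMMENDED_POLICY = [
    Rule("out", range(990, 991)),
    Rule("out", range(3000, 3201)),
]

# A policy that lets the control connection through but has no rule for the
# data range: the control channel works, the listing fails.
CONTROL_ONLY_POLICY = [Rule("out", range(990, 991))]


if __name__ == "__main__":
    server = "203.0.113.10"  # hypothetical FTPS server
    # Constructed 227 reply: (11 * 256) + 184 = 3000, inside the documented range.
    good = passive_session_flows(server, "227 Entering Passive Mode (203,0,113,10,11,184)")
    # Constructed reply proposing (13 * 256) + 172 = 3500, outside the range.
    stray = passive_session_flows(server, "227 Entering Passive Mode (203,0,113,10,13,172)")
    for label, flows in (("in-range", good), ("out-of-range", stray)):
        for f in blocked_flows(flows, RECOMMENDED_POLICY):
            print(f"{label}: would fail with 'could not build data connection': {f}")
    for f in blocked_flows(good, CONTROL_ONLY_POLICY):
        print(f"control-only policy blocks: {f.purpose} to {f.dst_host}:{f.dst_port}")
```

Running the block shows the two failure modes the thread circles around: a server that proposes a port outside the documented 3000-3200 range is blocked even under the recommended policy (the "unless you get lucky" case), and a policy that only covers 990 lets the login succeed but drops the data connection, which is exactly the "could not build data connection to host" symptom. Real WinSCP sessions are TLS-wrapped, so the 227 reply is only visible to the client, not to the firewall.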
ASKER
chantalcookware

Hello.
I tried all of this, and still could not connect to SFTP. I do not believe it is possible in ISA 2000.
ASKER CERTIFIED SOLUTION
skullnobrains

ASKER
chantalcookware

Hello.
Thanks for the help. I am going to implement a new firewall instead of further attempts on this older solution.
Thanks again.
skullnobrains

If you're interested in free firewalls, you may want to use pfSense. Various vendors sell appliances with pfSense preinstalled, and they sell tiny appliances on their site as well.