SFTP Behind ISA 2000

Hello.
Is there any way to connect to a secure FTP site from behind an ISA 2000 Server firewall? Using WinSCP client, connecting to FTP with TLS/SSL implicit encryption on port 990. I can make the connection, but can't make the secondary connections to port 3000-3200 to view the directory listing.
Thank you.
chantalcookwareAsked:
skullnobrains Commented:
again, this is NOT sftp but regular ftps. it would be MUCH easier otherwise

post a screenshot or description of the rules you created. this is most definitely possible (and should be reasonably easy) on any firewall including ISA.

you may want to add a session transcript and a copy-paste of the instructions you were given. it seems fairly possible that you misread some of it.
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
You can set up a Server Publishing Rule that forwards 990 to your server.

It's been a while but there should be a second place in the rule set that allows for secondary inbound connections. Set up your rule with them.

If that fails then set up a new Server Publishing Rule that port forwards 3000-3200 to the SFTP server.

Philip
0
 
chantalcookwareAuthor Commented:
I am connecting to the server from behind an ISA server. The server itself is not behind ISA, and is not in my control. Is my client connection the server that is published?
Thank you.
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Okay, the first sentence reads like the SFTP server is _behind_ ISA.

If SFTP is outside ISA (Internet) then a set of Client Access publishing rules would fit the bill. That would allow 900 outbound and 3000-3200 outbound.

Philip
0
 
chantalcookwareAuthor Commented:
Thank you. I have never set up client access publishing rules. Do I need to set something just for the computer that will access the SFTP, or will it affect all computers?
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
You can set up the scope of the rule to limit to the computer needing access.

DHCP Reserve an IP or statically set an IP and delimit the rule to that PC by IP.

Philip
0
 
chantalcookwareAuthor Commented:
Thank you. I have set up a protocol definition for 990 inbound and secondary connections to 3000-3200 both inbound and outbound. I publish the client IP as a published server using that protocol definition. After this, the SFTP still cannot get the directory listing from the remote site. Anything else I could be missing?

Thanks again
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Outbound. You need Client Access rules for outbound. Not Server Rules for inbound.

Philip
0
 
chantalcookwareAuthor Commented:
I don't see client access rules in the ISA management software. I added a protocol rule to use the protocol definitions for 990 in and out. Both 990 in and out use secondary connections of 3000-3200, both inbound and outbound. Same result. I am not able to retrieve the directory listing. Error is "could not build data connection to host". The initial connection does take place on 990, but the secondary connections are dropped.
Thanks again for your help.
0
 
skullnobrainsCommented:
just a note : you're referring to ftps and not sftp in this thread.

sftp runs over ssh and only requires port 22 (which is much more firewall friendly than either of the above)

every decent firewall around can do ftp/sftp protocol inspection and open ports as required. i'd assume that feature should probably exist in isa as well. if not, it is probably both easier and safer to setup winsocks rather than opening whole port ranges
0
 
chantalcookwareAuthor Commented:
Sorry. Using FTPS over port 990 to make initial connection. Then port 3000-3200 to retrieve directories and transfer. I am seeing that ISA 2000 has trouble with this, but was hoping someone may have a trick to work around it since this firewall will not be updated in the immediate future.

Thanks for your help.
0
 
skullnobrainsCommented:
was hoping someone may have a trick to work around it since this firewall will not be updated in the immediate future.

i don't know if ISA can do protocol inspection. i thought you would. then winsock would be a neat trick.


I have setup a protocol definition for 990 inbound and secondary connections to 3000-3200 both in and out bound

if you did not instruct your client (for passive mode, same direction as ftp connection) and servers (for active mode, reverse way) to use the same ports, opening these won't help unless you get lucky

debug active and passive separately

as far as i understand you are allowing INCOMING ftp connections since you allowed 990 inbound

for passive mode :
- your server needs to be set to propose the same port range in answer to PASV command
- your firewall needs to NAT the range to the FTP server
- neither NAT rule (port 21/990 nor the range) should use source NAT

for active mode
- you don't really need to setup a range
- you need to allow outgoing connections from the port 20 of your server to the world
- the NAT rule that allows port 21/990 should not use source nat
0
 
chantalcookwareAuthor Commented:
Hello.
I opened 990 inbound only to ensure the connection to the remote server would communicate properly. I don't have control over the settings of the ftp server, but we are required to use passive mode. The port ranges 3000-3200 are specified by the server connection guidelines. All of our internal workstations use a NAT address. Only the ISA server itself uses an external IP.
I don't understand how to do this:
 - your firewall needs to NAT the range to the FTP server
 - neither NAT rule (port 21/990 nor the range) should use source NAT


I believe I am doing this, as I have opened 990, and allow secondary connections in and outbound for the additional ports 3000-3200.
 - your server needs to be set to propose the same port range in answer to PASV command

Thanks for your help.
0
 
skullnobrainsCommented:
forget the above if you're connecting internal clients to a remote FTP and not the reverse

- remove 990 inbound (and any other inbound stuff)
- you only need to allow and source NAT outgoing connections to ports 990 and 3000-3200 (same type of rule you use with port 80 for web browsing)
0
 
skullnobrainsCommented:
btw, ISA server does have an ftp-aware proxy dissector. it probably will not handle FTPS if the control connection is encrypted, but it does exist
0
 
chantalcookwareAuthor Commented:
I set up the outbound connections and still no luck. I am thinking the ISA server cannot handle the connection after the control connection is made.
0
 
skullnobrainsCommented:
post the exact rules you created. you should have opened

LAN port > 1024 --> WAN port 21,3000-3200 (with source NAT)

also post the session transcript
0
 
chantalcookwareAuthor Commented:
OK. That is not what I did. I opened the external IP on port 990 out with secondary connections to 3000-3200. I am not sure how to do what you suggest on ISA 2000. Can you advise the steps?
Thank you for your help.
0
 
skullnobrainsCommented:
you don't have to open anything related to the external ip. passive ftp only requires OUTGOING connections

just allow outgoing connections to the ftps server on both port 990 and the 3000-3200 range.

of course, these connections need to be NATed in the same way as any other outgoing connections.

i'm unsure what are "secondary connections" in ISA but you don't really need them and it would be simpler to set things up without. it is fine if they allow the range only after there was a connection to the 990 port first.

if you are unsure,
- remove any rules you added so far
- look at your existing rule that allows web traffic, and just reproduce the same but change port 80 to the required ones.
- once this is done and the rules work, you can restrict them to the ftps server if you want.
0
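The passive/active breakdown a few comments up and the "passive FTP only requires OUTGOING connections" point above both come down to which side opens the data connection, and therefore which firewall rule has to exist. The script below is an added example, not code from the thread or from ISA: it parses the 227 reply a server sends after PASV, builds the PORT argument a client would send in active mode, and evaluates each data connection against a small model of an egress firewall (a constructed `Policy` class with sets of permitted outbound and forwarded inbound ports; the 227 reply, the 203.0.113.10 address and the port numbers are constructed sample data). `probe_data_port` is the live check a client behind the firewall can run the moment a 227 reply arrives.

```python
"""Which firewall rule an FTP/FTPS data connection needs: passive vs active.

Added example; nothing here is ISA 2000 configuration. Policy, the 227 reply
and all addresses/ports are constructed for illustration.
"""
import re
import socket

# 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply):
    """Return (host, port) the server announces in a 227 reply.

    In passive mode the CLIENT must then connect out to this host:port,
    i.e. the same direction as the control connection on 21/990.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def port_command(client_host, client_port):
    """Build the PORT argument a client sends in active mode.

    The SERVER then connects from its port 20 back to client_host:client_port,
    which is an INBOUND connection the firewall/NAT must accept and forward.
    """
    return "PORT %s,%d,%d" % (
        client_host.replace(".", ","), client_port // 256, client_port % 256
    )


class Policy:
    """Constructed model of an egress firewall in front of internal clients.

    outbound: destination ports clients may connect to (source-NATed out).
    inbound:  ports forwarded from the outside to the client (usually none).
    """

    def __init__(self, outbound=(), inbound=()):
        self.outbound = set(outbound)
        self.inbound = set(inbound)


def check_data_connection(policy, mode, pasv_reply=None, client_port=None):
    """Return (allowed, description) for the data connection in the given mode."""
    if mode == "passive":
        host, port = parse_pasv_reply(pasv_reply)
        return port in policy.outbound, "client -> %s:%d (outbound)" % (host, port)
    if mode == "active":
        return client_port in policy.inbound, "server:20 -> client:%d (inbound)" % client_port
    raise ValueError("mode must be 'passive' or 'active'")


def probe_data_port(host, port, timeout=5.0):
    """Live check: attempt the outbound TCP connect a passive client would make.

    Run from behind the firewall right after receiving the 227 reply (the server
    only listens on that port briefly). A completed handshake means the egress
    rule for that port works; a timeout/refusal while 990 works points at the rule.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample reply: 11*256 + 184 = 3000, the bottom of the 3000-3200 range.
SAMPLE_PASV = "227 Entering Passive Mode (203,0,113,10,11,184)"

# Rule set that only allows the control connection (the symptom in the thread).
CONTROL_ONLY = Policy(outbound={990})
# Rule set with the passive range added as ordinary outbound traffic, like port 80.
FIXED = Policy(outbound={990, *range(3000, 3201)})

if __name__ == "__main__":
    for name, pol in (("control-only", CONTROL_ONLY), ("fixed", FIXED)):
        print(name, "passive:", check_data_connection(pol, "passive", SAMPLE_PASV))
    # Active mode from a NATed client with no inbound forwarding never works.
    print("fixed active:", check_data_connection(FIXED, "active", client_port=50000))
    print(port_command("192.168.1.50", 50000))
```

The two policies make the thread's point concrete: with only 990 allowed, the control connection succeeds but the PASV port is blocked, which is exactly "could not build data connection to host"; adding 3000-3200 as ordinary outbound (source-NATed) destinations fixes it without any inbound or "published server" rule. Active mode is shown only to explain why it is not an alternative from behind NAT.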
 
chantalcookwareAuthor Commented:
Hello.
I tried all of this, and still could not connect to SFTP. I do not believe it is possible in ISA 2000.
0
 
chantalcookwareAuthor Commented:
Hello.
Thanks for the help. I am going to implement a new firewall instead of further attempts on this older solution.
Thanks again.
0
 
skullnobrainsCommented:
if you're interested in free firewalls, you may want to use pfsense. various vendors sell appliances with pfsense preinstalled, and they sell tiny appliances on their site as well.
0