Solved

SFTP Behind ISA 2000

Posted on 2014-03-13
Last Modified: 2014-04-12
Hello.
Is there any way to connect to a secure FTP site from behind an ISA 2000 Server firewall? Using WinSCP client, connecting to FTP with TLS/SSL implicit encryption on port 990. I can make the connection, but can't make the secondary connections to port 3000-3200 to view the directory listing.
Thank you.
Question by:chantalcookware
22 Comments
 
LVL 39

Expert Comment

by:Philip Elder
ID: 39926944
You can set up a Server Publishing Rule that forwards 990 to your server.

It's been a while but there should be a second place in the rule set that allows for secondary inbound connections. Set up your rule with them.

If that fails then set up a new Server Publishing Rule that port forwards 3000-3200 to the SFTP server.

Philip
 

Author Comment

by:chantalcookware
ID: 39927097
I am connecting to the server from behind an ISA server. The server itself is not behind ISA, and is not in my control. Is my client connection the server that is published?
Thank you.
 
LVL 39

Expert Comment

by:Philip Elder
ID: 39927201
Okay, the first sentence reads like the SFTP server is _behind_ ISA.

If SFTP is outside ISA (Internet) then a set of Client Access publishing rules would fit the bill. That would allow 900 outbound and 3000-3200 outbound.

Philip
 

Author Comment

by:chantalcookware
ID: 39929591
Thank you. I have never set up client access publishing rules. Do I need to set something just for the computer that will access the SFTP, or will it affect all computers?
 
LVL 39

Expert Comment

by:Philip Elder
ID: 39929703
You can set up the scope of the rule to limit to the computer needing access.

DHCP Reserve an IP or statically set an IP and delimit the rule to that PC by IP.

Philip
 

Author Comment

by:chantalcookware
ID: 39929754
Thank you. I have set up a protocol definition for 990 inbound and secondary connections to 3000-3200 both inbound and outbound. I publish the client IP as a published server using that protocol definition. After this, the SFTP client still cannot get the directory listing from the remote site. Anything else I could be missing?

Thanks again
 
LVL 39

Expert Comment

by:Philip Elder
ID: 39929964
Outbound. You need Client Access rules for outbound. Not Server Rules for inbound.

Philip
 

Author Comment

by:chantalcookware
ID: 39929990
I don't see client access rules in the ISA management software. I added a protocol rule to use the protocol definitions for 990 in and out. Both 990 in and out use secondary connections of 3000-3200, both inbound and outbound. Same result. I am not able to retrieve the directory listing. The error is "could not build data connection to host". The initial connection does take place on 990, but the secondary connections are dropped.
Thanks again for your help.
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39931326
just a note : you're referring to ftps and not sftp in this thread.

sftp runs over ssh and only requires port 22 (which is much more firewall friendly than either of the above)

every decent firewall around can do ftp/sftp protocol inspection and open ports as required. i'd assume that feature should probably exist in isa as well. if not, it is probably both easier and safer to setup winsocks rather than opening whole port ranges
 

Author Comment

by:chantalcookware
ID: 39934804
Sorry. Using FTPS over port 990 to make initial connection. Then port 3000-3200 to retrieve directories and transfer. I am seeing that ISA 2000 has trouble with this, but was hoping someone may have a trick to work around it since this firewall will not be updated in the immediate future.

Thanks for your help.
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39936613
"was hoping someone may have a trick to work around it since this firewall will not be updated in the immediate future."

i don't know if ISA can do protocol inspection. i thought you would. then winsock would be a neat trick.


"I have setup a protocol definition for 990 inbound and secondary connections to 3000-3200 both in and out bound"

if you did not instruct your client (for passive mode, same direction as ftp connection) and servers (for active mode, reverse way) to use the same ports, opening these won't help unless you get lucky

debug active and passive separately

as far as i understand you are allowing INCOMING ftp connections since you allowed 990 inbound

for passive mode :
- your server needs to be set to propose the same port range in answer to PASV command
- your firewall needs to NAT the range to the FTP server
- neither NAT rule (port 21/990 nor the range) should use source nat

for active mode
- you don't really need to setup a range
- you need to allow outgoing connections from the port 20 of your server to the world
- the NAT rule that allows port 21/990 should not use source nat
 

Author Comment

by:chantalcookware
ID: 39937200
Hello.
I opened 990 inbound only to ensure the connection to the remote server would communicate properly. I don't have control over the settings of the ftp server, but we are required to use passive mode. The port ranges 3000-3200 are specified by the server connection guidelines. All of our internal workstations use a NAT address. Only the ISA server itself uses an external IP.
I don't understand how to do this:
 - your firewall needs to NAT the range to the FTP server
 - neither NAT rule (port 21/990 nor the range) should use source nat


I believe I am doing this, as I have opened 990, and allow secondary connections in and outbound for the additional ports 3000-3200.
 - your server needs to be set to propose the same port range in answer to PASV command

Thanks for your help.
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39937438
forget the above if you're connecting internal clients to a remote FTP and not the reverse

- remove 990 inbound (and any other inbound stuff)
- you only need to allow and source NAT outgoing connections to ports 990 and 3000-3200 (same type of rule you use with port 80 for web browsing)
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39937462
btw, ISA server does have an ftp-aware proxy dissector. it probably will not handle FTPS if the control connection is encrypted, but it does exist
 

Author Comment

by:chantalcookware
ID: 39946418
I set up the outbound connections and still no luck. I am thinking the ISA server cannot handle the connection after the control connection is made.
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39947130
post the exact rules you created. you should have opened

LAN port > 1024 --> WAN port 21,3000-3200 (with source NAT)

also post the session transcript
 

Author Comment

by:chantalcookware
ID: 39950914
OK. That is not what I did. I opened the external IP on port 990 out with secondary connections to 3000-3200. I am not sure how to do what you suggest on ISA 2000. Can you advise the steps?
Thank you for your help.
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39953646
you don't have to open anything related to the external ip. passive ftp only requires OUTGOING connections

just allow outgoing connections to the ftps server on both port 990 and the 3000-3200 range.

of course, these connections need to be NATed in the same way as any other outgoing connections.

i'm unsure what "secondary connections" are in ISA, but you don't really need them and it would be simpler to set things up without. it is fine if they allow the range only after there was a connection to the 990 port first.

if you are unsure,
- remove any rules you added so far
- look at your existing rule that allows web traffic, and just reproduce the same but change port 80 to the required ones.
- once this is done and the rules work, you can restrict them to the ftps server if you want.
 
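The passive-mode mechanics skullnobrains lays out in the two posts above (the PASV reply, the 3000-3200 data port range, and an outbound rule that is source-NATed like web traffic) as an added diagnostic, not code from this thread or from WinSCP: it parses the 227 reply the client receives on the port-990 control connection and reports why the data connection would fail under such a rule. The server address 203.0.113.10 and the sample replies are constructed.

```python
"""Passive-mode FTPS data-connection check.

Parses the 227 reply received on the port-990 control connection after PASV and
checks it against the outbound rule described in the thread (TCP to the FTPS
server on 990 and 3000-3200, source-NATed like web traffic).  All addresses and
replies here are constructed samples; 203.0.113.10 is a documentation address.
"""
import re
from ipaddress import ip_address, ip_network

FTPS_SERVER = "203.0.113.10"                 # assumed address of the remote FTPS server
ALLOWED_PORTS = {990, *range(3000, 3201)}    # ports the outbound rule must permit
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_data_connection(reply: str, control_host: str = FTPS_SERVER) -> list[str]:
    """Return the reasons the data connection would fail; empty means the rule suffices."""
    host, port = parse_pasv(reply)
    problems = []
    if port not in ALLOWED_PORTS:
        problems.append(f"data port {port} is outside the allowed 3000-3200 range")
    if any(ip_address(host) in net for net in RFC1918):
        # Server behind NAT advertising its inside address: the client has to reuse
        # the control-connection address instead (WinSCP has such an option).
        problems.append(f"server advertised private address {host}; reuse {control_host}")
    elif host != control_host:
        problems.append(f"data host {host} differs from control host {control_host}")
    return problems


if __name__ == "__main__":
    for sample in (
        "227 Entering Passive Mode (203,0,113,10,11,184)",  # 11*256+184 = 3000, allowed
        "227 Entering Passive Mode (203,0,113,10,195,88)",  # 50008, outside the range
        "227 Entering Passive Mode (192,168,1,5,12,100)",   # 3172, but a private address
    ):
        print(sample, "->", check_data_connection(sample) or ["ok"])
```

Paste the 227 line from the WinSCP session log in place of the samples; a non-empty result names the rule or server setting to look at.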

Author Comment

by:chantalcookware
ID: 39989025
Hello.
I tried all of this, and still could not connect to SFTP. I do not believe it is possible in ISA 2000.
 
LVL 27

Accepted Solution

by:skullnobrains (earned 500 total points)
ID: 39990885
again, this is NOT sftp but regular ftps. it would be MUCH easier otherwise

post a screenshot or description of the rules you created. this is most definitely possible (and should be reasonably easy) on any firewall including ISA.

you may want to add a session transcript and a copy-paste of the instructions you were given. it seems fairly possible that you misread some of it.
 

Author Comment

by:chantalcookware
ID: 39994544
Hello.
Thanks for the help. I am going to implement a new firewall instead of further attempts on this older solution.
Thanks again.
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39995757
if you're interested in free firewalls, you may want to use pfsense. various vendors sell appliances with pfsense preinstalled, and they sell tiny appliances on their site as well.
