RE: FTP over VPN

  • From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 27 Feb 2006 16:51:43 -0500

I asked him about NAT-T and he didn't respond, but then after a while he
said try again. My server is NATed from the Comcast router. But we got a
little farther.

SBS2003 -               UDP     -                               Yes
-                               500     0       0       0
0x0     0x0     Firewall        204.90.187.158  Initiated Connection
Allow VPN site-to-site traffic from ISA Server  10.1.10.40
-       Local Host      IKE Client      500     GXS VPN -
2/27/2006 4:31:31 PM    0x0 
10.1.10.40

                                SBS2003 -               UDP     -
Yes             -                               500     124000  1260
68              0x0     0x0     Firewall        204.90.187.158  Closed
Connection      Allow VPN site-to-site traffic from ISA Server
10.1.10.40              -       Local Host      IKE Client      500
GXS VPN -       2/27/2006 4:18:54 PM    0x80074e20

I looked up the code; it means that the session closed normally. But he
gets this:

Information:              IKE: Main Mode Failed to match proposal: DES,
MD5, Pre-shared secret, Group 2 (1024 bit)

Since ISA only logs the beginning and end of the session, what do I need
to do to see the in-between stuff? Do I have to use Ethereal, or is there
a native log?

Amy
 


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Monday, February 27, 2006 4:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FTP over VPN

http://www.ISAserver.org

Hi Amy,

OK, if you're not getting the VPN gateway connection started, then the
FTP connection to the remote site connection isn't going to work.

If the remote site VPN gateway isn't receiving the IKE negotiation
connection, then something else is going on.

Is there a NAT device anywhere in the path? If so, do both sides support
RFC IPSec NAT-T (ISA does, don't know if the Check Point server does)?

Tom 


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Monday, February 27, 2006 2:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FTP over VPN

Sorry wrong log file...

0.0.0.0                         SBS2003 -               TCP     -
No              -                               36319   21032   0
0               0x0     0x0     Firewall        198.133.250.19  Failed
Connection Attempt      GXS FTP out Rule        10.1.10.40
-       Local Host      FTP     21      GXS VPN -       2/27/2006
4:00:39 PM      0x80072751


I've got the book in hand and am following along but still no luck. I
don't understand why he doesn't see an IKE connection but I do?

Amy
 

 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Monday, February 27, 2006 3:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FTP over VPN

Hi Amy,
Those logs show that the connections are not using direct access.
Also check our book on special issues re IPsec tunnel mode and Web proxy.
Tom


Sent via ISA firewall protected Exchange 2003 Windows Mobile


-----Original Message-----
From: "Amy Babinchak"<amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Sent: 2/27/06 2:07:26 PM
To: "[ISAserver.org Discussion List]"<isalist@xxxxxxxxxxxxx>
Subject: [isalist] RE: FTP over VPN

Tom,

When I try direct access I get an unreachable host error and ISA logs a
failed connection attempt. When I try to go through the proxy I get a
message that it's not allowed because it's read-only. I seem to be
spinning my wheels here.

When I try to make an FTP connection using direct access, which I've
specified in the browser, I see in the ISA logs this:

10.1.10.40                              SBS2003 -               UDP
-                               Yes             -
500     0       0       0               0x0     0x0     Firewall
198.133.250.19  Initiated Connection    Allow VPN site-to-site traffic
from ISA Server 10.1.10.40              -       Local Host      IKE
Client  500     GXS VPN -       2/27/2006 2:59:48 PM    0x0

I think that this looks good so far, although the guy on the other end
says he doesn't see a tunnel come up. He's on a Check Point firewall so I
might be wrong.

Then I see the FTP attempt. It looks like this:

0.0.0.0 Microsoft(r) Windows(tm) FTP Folder     No      Proxy   SBS2003
198.133.250.19  TCP             Internet        -       -
-               -       -       -       0       21000   4250    112
10065   0x0     0x40    Web Proxy Filter        198.133.250.19  Failed
Connection Attempt      GXS FTP out Rule        192.168.16.2
anonymous       ftp://198.133.250.19/   Local Host      ftp     21
GXS VPN GET     2/27/2006 3:01:43 PM
        
0.0.0.0                         SBS2003 -               TCP     -
No              -                               35324   20953   0
0               0x0     0x0     Firewall        198.133.250.19  Failed
Connection Attempt      GXS FTP out Rule        10.1.10.40
-       Local Host      FTP     21      GXS VPN -       2/27/2006
3:00:07 PM      0x80072751

I think this means that it's first trying to use anonymous, which will
fail, and then attempting to use the specified FTP username and password
and also failing.

Am I interpreting these log entries correctly?

Amy
 
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Monday, February 27, 2006 1:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FTP over VPN

Hi Amy,

The remote site should be set for Direct Access. Otherwise, the Web
proxy filter intercepts the request.

HTH,
Tom 


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Monday, February 27, 2006 12:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] FTP over VPN

I'm setting up my first VPN gateway. The client needs to send FTP over the
gateway to another company. I'm getting an error message that the proxy
is set for read-only. I've unchecked the read-only box on the VPN rule.
I'm still getting this message. Here's what the log says.

Original Client IP      Client Agent    Authenticated Client    Service
Server Name     Referring Server        Destination Host Name
Transport       MIME Type       Object Source   Source Proxy
Destination Proxy       Bidirectional   Client Host Name        Filter
Information     Network Interface       Raw IP Header   Raw Payload
Source Port     Processing Time Bytes Sent      Bytes Received  HTTP
Status Code     Cache Information       Error Information       Log
Record Type     Destination IP  Action  Rule    Client IP       Client
Username        URL     Source Network  Protocol        Destination Port
Destination Network     HTTP Method     Log Time        Result Code

0.0.0.0                         SBS2003 -               TCP     -
No              -                               33544   20922   0
0               0x0     0x0     Firewall        198.133.250.19  Failed
Connection Attempt      GXS FTP out Rule        10.1.10.40
-       Local Host      FTP     21      GXS VPN -       2/27/2006
1:34:45 PM      0x8007274c 

0.0.0.0 Microsoft(r) Windows(tm) FTP Folder     No      Proxy   SBS2003
198.133.250.19  TCP             Internet        -       -
-               -       -       -       0       21000   4496    112
10060   0x0     0x40    Web Proxy Filter        198.133.250.19  Failed
Connection Attempt      GXS FTP out Rule        192.168.16.2
anonymous       ftp://198.133.250.19/   Local Host      ftp     21
GXS VPN GET     2/27/2006 1:35:06 PM    

What am I missing? 

Thanks,

Amy
 
Harbor Computer Services
Small Business Computer Specialists

Client Blog: http://smalltechnotes.blogspot.com/
Tech Blog: http://isainsbs.blogspot.com/
Website: http://www.harborcomputerservices.net/
 

 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, February 16, 2006 10:50 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Wireless Access and ISA 2004

Hi Tom,
That's a pretty interesting question. Have you enabled all RPC outbound
to the user's Exchange Server? I'm assuming that you're talking about
Outlook MAPI connections. 


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Tom Rogers [mailto:trogers@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, February 16, 2006 9:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Wireless Access and ISA 2004

I have a guest on my network, who says that any wireless network he
connects to, at hotels for instance, can use Outlook to grab his email.
I set up guest Internet access for him today, but the mail servers cannot
be accessed through our ISA 2004 server. I tried to Telnet with no luck.
Now with my desktop PC that is part of my domain, I have no trouble. I
have the Firewall Client installed. I tried to install the FW Client on
the guest PC, but it still did not work. If the guest is able to connect
to the Internet, shouldn't we be able to telnet to the mail server?

I just upgraded to ISA 2004 yesterday, so I'm sure something is not set
right, but am not sure what it could be, because I am allowing all
protocols access at this point.

Any advice? TIA,

-Tom Rogers
 ISA 2004 Rookie

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
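
Added example, not part of the original thread or written by its participants: the hex "Result Code" values in the firewall records above are HRESULTs that wrap Win32/Winsock errors, and the Web Proxy Filter records in the thread carry the same errors in decimal (10060, 10065). The sketch below decodes them; the one-line "|"-separated record layout is a constructed simplification, and the meaning given for 0x80074e20 is the one stated in the thread.

```python
import re

FACILITY_WIN32 = 7  # HRESULTs that wrap a Win32/Winsock error use facility 7

# Winsock codes that appear in this thread's records (values from winsock2.h).
WINSOCK = {10060: "WSAETIMEDOUT", 10065: "WSAEHOSTUNREACH"}

# 20000 is not a Winsock code; the meaning below is the one stated in the thread.
THREAD_NOTES = {20000: "session closed normally (per the thread)"}

def decode_hresult(value):
    """Split a 32-bit HRESULT into (failure_bit, facility, code)."""
    return bool((value >> 31) & 1), (value >> 16) & 0x7FF, value & 0xFFFF

def explain(result_code):
    """Label an ISA 'Result Code' column value such as 0x80072751."""
    value = int(result_code, 16)
    if value == 0:
        return "0 (no error)"
    _failed, facility, code = decode_hresult(value)
    if facility != FACILITY_WIN32:
        return f"facility {facility}, code {code} (not a wrapped Win32 error)"
    name = WINSOCK.get(code) or THREAD_NOTES.get(code) or "unlisted Win32 code"
    return f"{code} {name}"

# Constructed sample: records flattened to one line each, using only the action,
# rule, timestamp and result-code values quoted in the thread.
SAMPLE = """\
Initiated Connection | Allow VPN site-to-site traffic from ISA Server | 2/27/2006 4:31:31 PM | 0x0
Closed Connection | Allow VPN site-to-site traffic from ISA Server | 2/27/2006 4:18:54 PM | 0x80074e20
Failed Connection Attempt | GXS FTP out Rule | 2/27/2006 1:34:45 PM | 0x8007274c
Failed Connection Attempt | GXS FTP out Rule | 2/27/2006 3:00:07 PM | 0x80072751
"""

def summarize(text):
    """Return (action, rule, explanation) for each record ending in a hex code."""
    rows = []
    for line in text.splitlines():
        m = re.search(r"(0x[0-9a-fA-F]+)\s*$", line)
        if not m:
            continue  # skip lines without a trailing result code
        action, rule = [field.strip() for field in line.split("|")[:2]]
        rows.append((action, rule, explain(m.group(1))))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(" | ".join(row))
```

The two FTP failures decode to a connect timeout and a host-unreachable error, which points at routing or tunnel establishment rather than FTP credentials.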


