Hi Alex,

Sorry about the Andre thing. My bad.

Good we agree on the evils of tunneling. One way to two way, it's all bad.

The RDP thing was a joke -- RDP does data encryption, but not tunneling.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
> Sent: Thursday, October 06, 2005 9:52 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Help - SFTP port 22
>
> http://www.ISAserver.org
>
> Oooh, argument mode *on*, raising shields :P
>
> >Hi Andre,
>
> It's Alexandre, but you may use "Alex"; the "andre" part usually confuses the heck out of English speakers, so they mangle it as "ander" anyways. Now let's not even get into the deformations my last name (Gauthier) can be seen under ;)
>
> >Agreed. Allowing outbound VPN connections of any kind from *my* network
> >from untrusted or low trust hosts is not allowed. It's a BIG security hole
> >and "rights to privacy" to d*mned.
>
> Here we agree. However, the security implications of allowing outbound access to SSH are not the same as, say, a PPtP VPN. And just so you know, an SSH tunnel doesn't go both ways; the "evil hosts" on the other side can't get back at you -- except maybe in a really unusual form of "you ran an evil thing and your client was vulnerable so a malicious SSH server overflowed it". It is single use only. It functions like telnet, but has broader uses :)
>
> >SSH is like a weak form of RDP :-)
>
> Uh-oh, here I take this as a personal insult :P
> But I know you're kidding, you wouldn't diss something you don't understand or have only seldom used, *would you*?
>
> I think RDP has more security implications than SSH, from the generic Network Analyst point of view.
> > -----Original Message-----
> > From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
> > Sent: Thursday, October 06, 2005 9:19 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help - SFTP port 22
> >
> > Well, basically, as I have stated, SCP and SFTP just execute commands on the remote side and pipe you the output through the established tunnel. (And SCP is a bit of an ugly hack, at base.)
> >
> > If you see an SSH tunnel as a horrible security issue from a firewall admin point of view, well then you might as well see IPSEC, PPtP and VPNs in general as a security issue as well.
> >
> > SSH is not Telnet on steroids, it's much more powerful, just keep that in mind. I do use it to "bypass" the firewall here to connect to my mail server at home by binding port 25 to my local machine here, then connecting to that.
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: 6 October 2005 09:43
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help - SFTP port 22
> >
> > Hi Alexander,
> >
> > If everything is sent and received over an encrypted tunnel (a horrible security issue from a firewall admin's point of view) over a single session, then there are no secondary protocols and it should just work allowing a primary connection outbound on TCP port 22.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> > > -----Original Message-----
> > > From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
> > > Sent: Thursday, October 06, 2005 8:34 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Help - SFTP port 22
> > >
> > > *shy cough from the Unix guy in background*
> > >
> > > Uhm, I do not mean to intrude, but they basically are the same: they go through an SSH tunnel.
> > >
> > > SFTP is not more secure than SCP or vice-versa, they are only as secure as SSH itself. (Which means, it's fine. Basically.)
> > >
> > > They just use different interfaces, but they "work" the same, which is inside an SSH tunnel. SFTP is just designed to "look and taste" like an FTP server to the end user, but it is not dual port or anything either, it is just a matter of what application you call on the other end of the SSH connection. ISA would see both protocols as the same, from its point of view.
> > >
> > > And in any case... WinSCP3 uses SFTP by default with fallback to SCP if that craps out. It's made like this because sometimes administrators will disable one or the other in /etc/ssh/sshd_config for various reasons.
> > >
> > > Basically all you need to do is allow SSH (which means an outgoing connection to port 22 on the destination machine(s) (or the internet)) and you are set. That's what I did here, and it works wonderfully, I can toss and fetch files from my Linux box at home in a really really strange fashion involving tunneling SSH inside SSH to reach a machine behind my NAT ;)
> > >
> > > Greg, I think you are confusing SFTP with FTPS, perhaps...
> > > SSH is such a great protocol, it is a shame the OpenSSH implementation doesn't work fully on Windows Server 2003 yet. (At least last time I checked.) With the venue of MSH, it will be even more useful...
> > >
> > > (And don't you love tunneling clear-text protocols through SSH? You can use it as a "poor man's VPN" also.)
> > >
> > > OH and FYI, ISA *does* support some amount of FTPS, it depends on whether it is implicit or explicit, I believe... (I.E. SSL on port 21 instead of on a dedicated port.)
> > >
> > > Now of course if you're talking about the FTP application filter... Seeing how braindead the FTP client in Windows is, I don't doubt it is not supported :)
> > >
> > > -----Original Message-----
> > > From: Greg Mulholland [mailto:gmulholland@xxxxxxxxxxxxxx]
> > > Sent: 6 October 2005 02:06
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Help - SFTP port 22
> > >
> > > Noel
> > >
> > > What are you trying to achieve? My guess is you are trying to dump files to a Linux box or a Windows box running an SSH server, behind the ISA firewall. Instead of using SFTP, try using SCP. It's a more secure protocol. See if that works the same.
> > >
> > > Greg
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Thursday, 6 October 2005 3:05 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Help - SFTP port 22
> > >
> > > SFTP uses TCP:989 & TCP:990; SSH uses TCP:22.
> > > Which is it that you think you're using?
> > >
> > > No; ISA does not support FTPS.
> > > -----Original Message-----
> > > From: Noel [mailto:noel.callander@xxxxxxx]
> > > Sent: Wednesday, October 05, 2005 5:19 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Help - SFTP port 22
> > >
> > > Question:
> > > Is SFTP supported by ISA2000EE? I can't seem to get it to work. I have opened port 22 on the ISA server but it still fails. Is there anything else that needs to be configured? I am using the winscp375 GUI on the XP workstation.
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
> > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > > All mail to and from this domain is GFI-scanned.
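The recurring point in the thread is that the firewall only ever sees one outbound TCP 22 session, while whether that session carries SFTP, SCP, a shell, or a port-forwarding "poor man's VPN" is decided only by the server's /etc/ssh/sshd_config. The example below is added here and is not code from anyone in the thread: it parses an sshd_config text (top-level directives only, Match blocks skipped) and reports which of those uses the server still permits, filling in OpenSSH's documented defaults for directives that are absent, and goes a little beyond the thread by also covering PermitTunnel and GatewayPorts. The two sample configurations are constructed for illustration.

```python
import re

# OpenSSH server defaults for the directives audited here (sshd_config(5)).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permittunnel": "no",
    "gatewayports": "no",
}

def parse_sshd_config(text):
    """Return {keyword_lower: first value} for top-level directives, plus
    'subsystems' -> {name: command}. OpenSSH keeps the FIRST occurrence of a
    keyword, and Match blocks apply only conditionally, so they are skipped."""
    cfg, subsystems, in_match = {}, {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                      # everything after is conditional
        if in_match:
            continue
        if key == "subsystem":
            name, _, cmd = value.partition(" ")
            subsystems.setdefault(name.lower(), cmd.strip())
        else:
            cfg.setdefault(key, value)
    cfg["subsystems"] = subsystems
    return cfg

def audit_port22_uses(text):
    """What can a client do once a single TCP/22 session is allowed outbound?"""
    cfg = parse_sshd_config(text)
    get = lambda k: cfg.get(k, DEFAULTS[k]).lower()
    forced = cfg.get("forcecommand", "").lower()
    return {
        "sftp": "sftp" in cfg["subsystems"] or forced == "internal-sftp",
        "scp_or_shell": forced == "",        # scp needs a real command channel
        "tcp_port_forwarding": get("allowtcpforwarding") != "no",
        "layer3_tunnel": get("permittunnel") != "no",
        "forward_exposed_to_network": get("gatewayports") != "no",
    }

# Constructed samples: a stock-looking config and a file-transfer-only one.
PERMISSIVE = "Port 22\nSubsystem sftp /usr/lib/openssh/sftp-server\n"
HARDENED = """Port 22
Subsystem sftp internal-sftp
ForceCommand internal-sftp    # file transfer only: no shell, no scp
AllowTcpForwarding no         # no tunnelling through this host
Match User backup
    AllowTcpForwarding yes    # conditional, so not counted by the audit
"""
```

Running `audit_port22_uses(PERMISSIVE)` shows that a plain default-style config leaves SCP, SFTP and local/remote port forwarding all available over that one port 22 rule, which is exactly the distinction the firewall cannot make.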