[isalist] Re: [ISAserver.org Discussion List] FTP Servers

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 22 Mar 2006 13:25:59 -0600

He would have to publish the external server to the Internal network
users. While this is appropriate in some well-defined scenarios, I doubt
he has the sophistication to understand what these scenarios are,
therefore there is either a NAT editor problem with a front-end device,
or a NAT editor problem with the device in front of the destination FTP
server, or some other really off-label SNAFU.
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: Wednesday, March 22, 2006 1:18 PM
        To: ISA Mailing List
        Subject: [isalist] Re: [ISAserver.org Discussion List] FTP
Servers
        
        

        OK I'll bite.....using the FTP server protocol, which if I am
mistaken, is of the inbound direction, as opposed to the FTP protocol,
which is of the outbound direction, therefore unless his rule is back
to front....

         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Wednesday, March 22, 2006 3:09 PM
        To: ISA Mailing List
        Subject: [isalist] Re: [ISAserver.org Discussion List] FTP
Servers

         

        Dude,

        'preciate ya, but I don't think that can happen. You can use
Server PDs in an Access Rule, so unless something is more whack than
what meets the eye, traces are still in order.

         

        Thomas W Shinder, M.D.
        Site: www.isaserver.org <http://www.isaserver.org/> 
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7
        MVP -- ISA Firewalls

         

                 

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
                Sent: Wednesday, March 22, 2006 1:02 PM
                To: ISA Mailing List
                Subject: [isalist] Re: [ISAserver.org Discussion List]
FTP Servers

                That's OK...I'll keep you and Jim on the right track... :)

                 

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                Sent: Wednesday, March 22, 2006 3:02 PM
                To: ISA Mailing List
                Subject: [isalist] Re: [ISAserver.org Discussion List]
FTP Servers

                 

                LOL! I didn't even notice that, it got lost in the noise
:))

                 

                Thomas W Shinder, M.D.
                Site: www.isaserver.org <http://www.isaserver.org/> 
                Blog: http://blogs.isaserver.org/shinder/
                Book: http://tinyurl.com/3xqb7
                MVP -- ISA Firewalls

                 

                         

________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
                        Sent: Wednesday, March 22, 2006 12:57 PM
                        To: ISA Mailing List
                        Subject: [isalist] Re: [ISAserver.org Discussion
List] FTP Servers

                        You are such a complete ass Andrew....the server
protocol is for publishing your own FTP servers. You want to allow the
FTP protocol.

                         

                        S

                         

________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew English
                        Sent: Wednesday, March 22, 2006 3:04 PM
                        To: ISA Mailing List
                        Subject: RE: [isalist] Re: [ISAserver.org
Discussion List] FTP Servers

                         

                        Jim,

                         

                        None of the workstations use the web proxy, or
firewall client software of ISA 2004. They use Secure NAT, they are
going out through ISA like if you had a dummy Linksys cable DSL router.

                         

                        Example:

                         

                        ISA is on 192.168.1.1

                         

                        GW: for all clients on the DHCP server is
192.168.1.1, again there is no web proxy setup and no firewall client
ware installed. 

                         

                        Secondly what I meant in my other comment which
you are so eager to twist around is that I have not tampered with the
default firewall settings of ISA, yes I have added my own rules to the
system, but if you look at the default core settings for ICMP, etc they
have all been left alone.

                         

                        Now are you going to keep acting this way if I
say, you know Jim I installed a new ISA server that only had two rules
in it, one for the FTP server to the outside using the default FTP
Server protocol, and the other which is the default DENY rule that ISA
creates? Are you going to blame it on the web proxy or firewall client if
neither are installed or being used?

                         

                        Let's be realistic here, if you don't know the
answer why ISA out of the box with two rules in it won't connect to FTP
servers that don't use passive mode why make a fuss of it? Why not ask
Bill to loan you one of his boxes, install ISA 2004, email me for a couple
test accounts and go to town, then say geez you know there is a bug or
maybe Microsoft doesn't care?  You have the time and certainly the money
to investigate it further than I do, yet you keep hounding people to
show you more evidence before you will get off your dairy air and do
something.. ;)

                         

                        Regards,

                        Andrew

                         

________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx on behalf of
Jim Harrison
                        Sent: Wed 22/03/2006 12:33 PM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] Re: [ISAserver.org Discussion
List] FTP Servers

                        http://www.ISAserver.org
        
-------------------------------------------------------
                         
                        No - you said:
                        "I seem to only be able to get access to FTP
servers using PASV mode on my workstations that are setup under secure
NAT".
                        This leaves the failing case hanging somewhere
between web proxy and firewall clients.
                        You also stated:
                        "..I have had to reinstall ISA 2004.." and
"Nothing on the ISA configuration level has been modified or changed",
which are just a bit contradictory.
                        
                        You haven't given anyone anything to work from,
like:
                        - client errors
                        - ISA logs
                        - captures
                        
                        If the problem is important enough to involve an
entire list, it's important enough to provide something more than
conjecture and contradiction.
                        
                        There are a great many FTP servers that disallow
active mode; and with good reason.
                        
        
-------------------------------------------------------
                           Jim Harrison
                           MCP(NT4, W2K), A+, Network+, PCG
                           http://isaserver.org/Jim_Harrison/
                           http://isatools.org
                           Read the help / books / articles!
        
-------------------------------------------------------
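
Added example, not part of the original thread or written by any of its participants: a small Python check for the "NAT editor problem" and the "captures" the thread asks for. It reads client commands from an FTP control-channel capture taken on the external side of the NAT device and flags active-mode PORT commands whose payload address was not rewritten. The function names, the record format and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_port(line):
    """Return (IPv4Address, port) advertised by a PORT command, else None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2

def audit_capture(records):
    """records: (source IP seen on the wire, client command) pairs.
    Returns (command, reason) for each PORT the NAT editor left unfixed."""
    findings = []
    for src, line in records:
        parsed = parse_port(line)
        if parsed is None:
            continue  # USER, PASV, LIST ... carry no client address
        ip, port = parsed
        if any(ip in net for net in RFC1918):
            findings.append((line.strip(),
                             f"private address {ip}:{port} left in payload"))
        elif ip != ipaddress.IPv4Address(src):
            findings.append((line.strip(),
                             f"payload says {ip}:{port}, packet source is {src}"))
    return findings

# Constructed sample, not taken from the thread: 203.0.113.10 stands in for
# the firewall's external address, 192.168.1.50 for a SecureNAT client.
SAMPLE = [
    ("203.0.113.10", "USER anonymous"),
    ("203.0.113.10", "PORT 192,168,1,50,19,137"),  # payload not rewritten
    ("203.0.113.10", "PORT 203,0,113,10,195,80"),  # rewritten correctly
    ("203.0.113.10", "PASV"),
]

if __name__ == "__main__":
    for cmd, why in audit_capture(SAMPLE):
        print(f"{cmd}: {why}")
```

A finding here means the FTP server was told to open the data connection to an address it cannot reach, which matches the symptom of passive mode working while active mode fails.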
