[isalist] Re: [ISAserver.org Discussion List] FTP Servers

So then tell me what does it work behind this WatchGuard Firebox V60 but 
doesn't work behind ISA 2004 Server?
 
Regards,
Andrew

________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
Sent: Wed 22/03/2006 2:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers


He would have to publish the external server to the Internal network users. 
While this is appropriate in some well defined scenarios, I doubt he has the 
sophistication to understand what these scenarios are, therefore there is 
either a NAT editor problem with a front-end device, or a NAT editor problem 
with the device in front of the destination FTP server, or some other really 
off-label SNAFU.
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- ISA Firewalls

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: Wednesday, March 22, 2006 1:18 PM
        To: ISA Mailing List
        Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers
        
        

        OK I'll bite.....using the FTP server protocol, which if I am mistaken, 
is of the inbound direction, as opposed to the FTP protocol, which is of the 
outbound direction., therefore unless his rule is back to front....

         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Wednesday, March 22, 2006 3:09 PM
        To: ISA Mailing List
        Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers

         

        Dude,

        'preciate ya, but I don't think that can happen. You can use Server PDs 
in an Access Rule, so unless something is more whack than what meets the eye, 
traces are still in order.

         

        Thomas W Shinder, M.D.
        Site: www.isaserver.org <http://www.isaserver.org/> 
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7
        MVP -- ISA Firewalls

         

                 

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
                Sent: Wednesday, March 22, 2006 1:02 PM
                To: ISA Mailing List
                Subject: [isalist] Re: [ISAserver.org Discussion List] FTP 
Servers

                That's OK...I'll keep you and Jim on the right track...J

                 

________________________________

                From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                Sent: Wednesday, March 22, 2006 3:02 PM
                To: ISA Mailing List
                Subject: [isalist] Re: [ISAserver.org Discussion List] FTP 
Servers

                 

                LOL! I didn't even notice that, it got lost in the noise :))

                 

                Thomas W Shinder, M.D.
                Site: www.isaserver.org <http://www.isaserver.org/> 
                Blog: http://blogs.isaserver.org/shinder/
                Book: http://tinyurl.com/3xqb7
                MVP -- ISA Firewalls

                 

                         

________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
                        Sent: Wednesday, March 22, 2006 12:57 PM
                        To: ISA Mailing List
                        Subject: [isalist] Re: [ISAserver.org Discussion List] 
FTP Servers

                        You are such a complete ass Andrew....the server 
protocol is for publishing your own FTP servers. You want to allow the FTP 
protocol.

                         

                        S

                         

________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew English
                        Sent: Wednesday, March 22, 2006 3:04 PM
                        To: ISA Mailing List
                        Subject: RE: [isalist] Re: [ISAserver.org Discussion 
List] FTP Servers

                         

                        Jim,

                         

                        None of the workstations use the web proxy, or firewall 
client software of ISA 2004. They use Secure NAT, they are going out through 
ISA like if you had a dummy Linksys cable DSL router.

                         

                        Example:

                         

                        ISA is on 192.168.1.1

                         

                        GW: for all clients on the DHCP server is 192.168.1.1, 
again there is no web proxy setup and no firewall client ware installed. 

                         

                        Secondly what I meant in my other comment which you are 
so egger to twist around is that I have not tampered with the default firewall 
settings of ISA, yes I have added my own rules to the system, but if you look 
at the default core settings for ICMP, etc they have all been left alone.

                         

                        Now are you going to keep acting this way if I say, you 
know Jim I installed a new ISA server that only had two rules in it, one for 
the FTP server to the outside using the default FTP Server protocol, and the 
other which is the default DENY rule that ISA creates? Are you going to blame 
on the web proxy or firewall client if neither are installed or being used?

                         

                        Lets be realistic here, if you don't know the answer 
why ISA out of the box with two rules in it won't connect to FTP servers that 
don't use passive mode why make a fuss of it? Why not ask Bill to loan you one 
his boxes, install ISA 2004, email me for a couple test accounts and go to 
town, then say geez you know there is a bug or maybe Microsoft doesn't care?  
You have the time and certainly the money to investigate it further, than I do 
yet you keep hounding people to show you more evidence before you will get off 
your dairy air and do something.. ;)

                         

                        Regards,

                        Andrew

                         

________________________________

                        From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim 
Harrison
                        Sent: Wed 22/03/2006 12:33 PM
                        To: isalist@xxxxxxxxxxxxx
                        Subject: [isalist] Re: [ISAserver.org Discussion List] 
FTP Servers

                        http://www.ISAserver.org
                        -------------------------------------------------------
                         
                        No - you said:
                        "I seem to only be able to get access to FTP servers 
using PASV modem on my workstations that are setup under secure NAT".
                        This leaves the failing case hanging somewhere between 
web proxy and firewall clients.
                        You also stated:
                        "..I have had to reinstall ISA 2004.." and "Nothing on 
the ISA configuration level has been modified or changed", which are just a bit 
contradictory.
                        
                        You haven't given anyone anything to work from, like:
                        - client errors
                        - ISA logs
                        - captures
                        
                        If the problem is important enough to involve an entire 
list, its important enough to provide something more than conjecture and 
contradiction.
                        
                        There are a great many FTP servers that disallow active 
mode; and with good reason.
                        
                        -------------------------------------------------------
                           Jim Harrison
                           MCP(NT4, W2K), A+, Network+, PCG
                           http://isaserver.org/Jim_Harrison/
                           http://isatools.org
                           Read the help / books / articles!
                        -------------------------------------------------------

Other related posts: