Hi Thomas,

I have read the article you suggested to me, "How the FTP Protocol Challenges Firewall Security" by Stefaan Pouseele, and I have more elements to give you about my problem with FTP access from SecureNAT clients. I am sending you a file with the information I have compiled from my log and a comparison with the logs from the article I read. Is there any way to access FTP sites from a SecureNAT client to download and upload files without installing the Firewall Client application?

Thanks very much for your time,
Tom
RULES APPLIED TO ANY REQUEST

In the case where the protocol rule "PR A FTP Out" and the site and content rule "S&C A Sitios ONAT" are applied to "Any request" or to IP addresses, I have access to FTP sites and I can upload and download fine from SecureNAT clients. Below are the logs for a client in ACTIVE mode and in PASSIVE mode, with a comparison against the SecureNAT client logs from Stefaan Pouseele's article.

#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2003-02-22 07:08:59

------------------------------------------------------------
ACTIVE, PORT MODE
------------------------------------------------------------

My results, FTP client access active:

#Fields: c-ip time r-ip r-port cs-protocol s-operation sc-status rule#1 rule#2 sessionid connectionid
192.168.60.2 17:15:41 169.158.1.20 21 21 TCP Connect 0 PR A FTP Out S&C A Sitios ONAT 2 1
192.168.60.2 17:15:43 - - 0 TCP Bind 0 PR A FTP Out - 2 2
192.168.60.2 17:15:43 - 6511 0 TCP Listen 0 - - 2 2
192.168.60.2 17:15:44 169.158.1.20 20 0 TCP Accept 0 PR A FTP Out - 2 2
192.168.60.2 17:15:44 - - 0 TCP Bind 20000 PR A FTP Out - 2 2
192.168.60.2 17:15:49 169.158.1.20 20 0 TCP Accept 20000 PR A FTP Out - 2 2
192.168.60.2 17:15:55 169.158.1.20 21 21 TCP Connect 20000 PR A FTP Out S&C A Sitios ONAT 2 1

From Stefaan Pouseele's article, FTP client access active:

c-ip time r-ip r-port cs-prot s-oper sc-stat rule#1 rule#2 sessid connid
172.16.16.2 14:41:0 64.90.59.34 21 21 TCP Connect 0 SPECIAL INTERNT 6556 20504
172.16.16.2 14:41:0 64.90.59.34 20 0 TCP Accept 0 SPECIAL - 6556 20505
172.16.16.2 14:41:0 64.90.59.34 20 0 TCP Accept 20000 SPECIAL - 6556 20505
172.16.16.2 14:43:4 64.90.59.34 21 21 TCP Connect 20000 SPECIAL INTERNT 6556 20504
------------------------------------------------------------
PASSIVE, PASV MODE
------------------------------------------------------------

My results, FTP client access passive:

#Fields: c-ip time r-ip r-port cs-protocol s-operation sc-status rule#1 rule#2 sessionid connectionid
192.168.60.2 17:10:46 169.158.1.20 21 21 TCP Connect 0 PR A FTP Out S&C A Sitios ONAT 2 1
192.168.60.2 17:10:48 169.158.1.20 2328 2328 TCP Connect 0 - - 2 2
192.168.60.2 17:10:49 169.158.1.20 2328 2328 TCP Connect 20000 - - 2 2
192.168.60.2 17:11:30 169.158.1.20 21 21 TCP Connect 20000 PR A FTP Out S&C A Sitios ONAT 2 1

From Stefaan Pouseele's article, FTP client access passive:

c-ip time r-ip r-port cs-prot s-oper sc-stat rule#1 rule#2 sessid connid
172.16.16.2 14:44:5 64.90.59.34 21 21 TCP Connect 0 SPECIAL INTERNT 6557 20506
172.16.16.2 14:44:5 64.90.59.34 61659 61659 TCP Connect 0 SPECIAL INTERNT 6557 20507
172.16.16.2 14:45:2 64.90.59.34 61659 61659 TCP Connect 20000 SPECIAL INTERNT 6557 20507
172.16.16.2 14:46:2 64.90.59.34 21 21 TCP Connect 20000 SPECIAL INTERNT 6557 20506

------------------------------------------------------------
RULES APPLIED TO A SPECIFIC GROUP OF USERS
------------------------------------------------------------

In the case where the protocol rule "PR A FTP Out" is applied to "A specific group of users", I receive two different messages depending on whether the SecureNAT client's browser uses PASV or PORT mode.
------------------------------------------------------------

FROM THE CLIENT SIDE (IE 5.0, 5.01, 6.0, English and Spanish) with PASV MODE and "Enable folder view for FTP sites" NOT checked, I receive the message:

ISA Server: extended error message:
200 Type set to I.
200 PORT Command successful.
550 Permission denied.

THE "PROXY LOG" REPORTS THE FOLLOWING:

#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2003-02-22 18:52:05
#Fields: c-ip cs-username c-agent time r-ip r-port cs-protocol cs-transport s-operation sc-status rule#1 rule#2 sessionid connectionid
192.168.60.254 anonymous 19:11:44 ftp.onat.gov.cu - 21 ftp GET - 407 - -
192.168.60.254 anonymous 19:11:45 ftp.onat.gov.cu - 21 ftp GET - 407 - -
192.168.60.254 anonymous 19:11:45 ftp.onat.gov.cu - 21 ftp GET - 407 - -
192.168.60.254 anonymous 19:11:46 ftp.onat.gov.cu - 21 ftp GET - 407 - -
192.168.60.254 anonymous 19:11:47 ftp.onat.gov.cu - 21 ftp GET - 407 - -
192.168.60.254 anonymous 19:11:47 ftp.onat.gov.cu - 21 ftp GET - 407 - -
192.168.60.254 ONATCFG\Leskyam 19:11:49 ftp.onat.gov.cu 169.158.1.20 21 ftp GET Inet 200 PR A FTP Out S&C A Sitios ONAT

------------------------------------------------------------
------------------------------------------------------------

FROM THE CLIENT SIDE (IE 5.0, 5.01, 6.0, English and Spanish) with PASV MODE and "Enable folder view for FTP sites" checked, I receive a popup window with the text:

Windows cannot access this folder. Make sure you typed the file name correctly and that you have permission to access the folder.
Details: The FTP session was terminated

THE "FIREWALL LOG" REPORTS THE FOLLOWING:

#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2003-02-22 18:52:05
#Fields: c-ip cs-username c-agent time r-ip r-port cs-protocol cs-transport s-operation sc-status rule#1 rule#2 sessionid connectionid
192.168.60.2 - - 19:36:14 169.158.1.20 21 21 TCP Connect 13301 - S&C FTP Server 6 37
192.168.60.2 - - 19:36:14 169.158.1.20 21 21 TCP Connect 13301 - S&C FTP Server 6 38

------------------------------------------------------------
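The three firewall-log captures in the message above have recognisably different shapes: the active (PORT) session produces TCP Bind, TCP Listen and TCP Accept rows with the server connecting from port 20; the passive (PASV) session produces a second TCP Connect to the ephemeral port the server announced (2328); and the failing session shows only the control connection to port 21, with sc-status 13301 and a "-" in the protocol-rule column. The following Python script, an added example that is not part of the message or of Stefaan Pouseele's article, parses rows in the eleven-field layout of the message's #Fields header and classifies each session by those shapes. The sample rows are re-typed from the excerpts above as tab-separated fields (an assumption about the delimiter of the exported log; the real export may differ), and the passive capture is renumbered to sessionid 3 because the message's two successful extracts both carry sessionid 2. The failing capture is reduced to the same eleven fields and keeps its sessionid 6.

```python
"""Classify FTP sessions in ISA Server 2000 firewall-log rows.

Added example, not code from the original message or the referenced article.
Field order follows the #Fields header quoted in the message:
c-ip time r-ip r-port cs-protocol s-operation sc-status rule#1 rule#2
sessionid connectionid. Rows are assumed to be tab-separated; change DELIM
if your exported log uses a different delimiter.
"""
from collections import defaultdict

DELIM = "\t"
FIELDS = ["c-ip", "time", "r-ip", "r-port", "cs-protocol", "s-operation",
          "sc-status", "rule1", "rule2", "sessionid", "connectionid"]

# Statuses the successful captures show on the control connection:
# 0 when it opens and 20000 when it closes. Anything else counts as a failure.
OK_STATUSES = {"0", "20000"}

# Constructed sample, re-typed from the log excerpts in the message. The
# passive capture is renumbered to sessionid 3 (both successful extracts in
# the message show sessionid 2); the failing capture keeps sessionid 6.
SAMPLE_ROWS = [
    # active (PORT) mode, sessionid 2
    ("192.168.60.2", "17:15:41", "169.158.1.20", "21", "21", "TCP Connect", "0", "PR A FTP Out", "S&C A Sitios ONAT", "2", "1"),
    ("192.168.60.2", "17:15:43", "-", "-", "0", "TCP Bind", "0", "PR A FTP Out", "-", "2", "2"),
    ("192.168.60.2", "17:15:43", "-", "6511", "0", "TCP Listen", "0", "-", "-", "2", "2"),
    ("192.168.60.2", "17:15:44", "169.158.1.20", "20", "0", "TCP Accept", "0", "PR A FTP Out", "-", "2", "2"),
    ("192.168.60.2", "17:15:44", "-", "-", "0", "TCP Bind", "20000", "PR A FTP Out", "-", "2", "2"),
    ("192.168.60.2", "17:15:49", "169.158.1.20", "20", "0", "TCP Accept", "20000", "PR A FTP Out", "-", "2", "2"),
    ("192.168.60.2", "17:15:55", "169.158.1.20", "21", "21", "TCP Connect", "20000", "PR A FTP Out", "S&C A Sitios ONAT", "2", "1"),
    # passive (PASV) mode, renumbered to sessionid 3
    ("192.168.60.2", "17:10:46", "169.158.1.20", "21", "21", "TCP Connect", "0", "PR A FTP Out", "S&C A Sitios ONAT", "3", "1"),
    ("192.168.60.2", "17:10:48", "169.158.1.20", "2328", "2328", "TCP Connect", "0", "-", "-", "3", "2"),
    ("192.168.60.2", "17:10:49", "169.158.1.20", "2328", "2328", "TCP Connect", "20000", "-", "-", "3", "2"),
    ("192.168.60.2", "17:11:30", "169.158.1.20", "21", "21", "TCP Connect", "20000", "PR A FTP Out", "S&C A Sitios ONAT", "3", "1"),
    # protocol rule restricted to a user group, sessionid 6 (control channel only)
    ("192.168.60.2", "19:36:14", "169.158.1.20", "21", "21", "TCP Connect", "13301", "-", "S&C FTP Server", "6", "37"),
    ("192.168.60.2", "19:36:14", "169.158.1.20", "21", "21", "TCP Connect", "13301", "-", "S&C FTP Server", "6", "38"),
]

SAMPLE_LOG = ("#Fields: " + " ".join(FIELDS) + "\n"
              + "\n".join(DELIM.join(r) for r in SAMPLE_ROWS) + "\n")


def parse_log(text, delim=DELIM):
    """Return one dict per data row; '#' directive lines and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(delim)
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def classify_sessions(rows):
    """Group rows by sessionid and decide, per session, how the data channel was set up."""
    by_session = defaultdict(list)
    for r in rows:
        by_session[r["sessionid"]].append(r)

    report = {}
    for sid, rs in by_session.items():
        control = [r for r in rs if r["s-operation"] == "TCP Connect" and r["r-port"] == "21"]
        # Active mode: ISA listens on the client's behalf and accepts the
        # server's inbound data connection, which arrives from port 20.
        accepted = [r for r in rs if r["s-operation"] in ("TCP Listen", "TCP Accept")]
        # Passive mode: a second outbound TCP Connect to the ephemeral port
        # the server announced, never to port 21.
        outbound = [r for r in rs if r["s-operation"] == "TCP Connect" and r["r-port"] not in ("21", "-")]
        if accepted:
            mode = "active"
        elif outbound:
            mode = "passive"
        else:
            mode = "none"  # control channel only; no data channel was ever set up
        bad = sorted({r["sc-status"] for r in control} - OK_STATUSES)
        report[sid] = {
            "mode": mode,
            "control_ok": bool(control) and not bad,
            "failure_status": bad,
            # "-" in rule#1 means no protocol rule matched the control connection
            "protocol_rule_missing": any(r["rule1"] == "-" for r in control),
            "data_ports": sorted({r["r-port"] for r in accepted + outbound if r["r-port"] != "-"}),
        }
    return report


if __name__ == "__main__":
    for sid, info in sorted(classify_sessions(parse_log(SAMPLE_LOG)).items()):
        print(f"session {sid}: {info}")
```

Run against a real export, `parse_log` raises on any row that does not have exactly eleven fields, so a log written with a different field selection or delimiter fails loudly instead of being misclassified; the per-session report then shows at a glance which sessions never got a data channel and whether the control connection matched a protocol rule at all.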