Authentication on outbound FTP traffic

  • From: "Michael Bertelsen" <mbe@xxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 5 Jan 2005 16:49:56 -0700

I have a somewhat strange problem with one of my ISA2004 installations.

It is a pretty simple setup.

Only the default rule and one Access Rule called "My Rule":

Allow outbound FTP and HTTP for all Authenticated users.

Client setup as secure NAT, but with proxy settings enabled.
Now HTTP traffic flows through the ISA with no problems, and the ISA
correctly logs the username of the user.

FTP traffic is blocked, and according to the logs, by the My Rule, and not
by the default rule, which it should be if the Internet Explorer did not
authenticate to the ISA.

Using a packet sniffer I can see that for HTTP the traffic is sent to the
ISA on TCP 8080, but for FTP the traffic is sent on TCP 21 as SYNs only
(no SYN-ACK).

When installing the Firewall Client and trying FTP using the command-line
FTP util, the connection is successful and allowed by My Rule. Using the
packet sniffer I can see the client connect on TCP 1745 (which I believe
to be the FW Client communication on the ISA server).
When trying FTP from Internet Explorer (both with and without proxy
settings), the connection is denied by My Rule, and with the packet
sniffer I see traffic on TCP 21.

I have tried several clients, and all with the same problem.

Has anybody seen this kind of behavior from an ISA 2004 server before?

/Michael

