Hi guys I have been struggling with this issue for quite some time now, but I am damned if I know what is wrong. If you don't mind, I'm just going to rattle on about my problem in order to clarify it for myself, and hopefully someone can maybe shed a little light as well. The setup: I am running ISA 2000 w/ SP1 and FP1. I have 2 hotfixes installed (the only ISA HFixes available I think). I have 1 WEB Filter installed called Surfcontrol WEB Filter. My ISA server is on the Internal side of a PIX Firewall. The Rules: I have the following FTP Rules: - Allow protocol FTP (Outbound TCP port 21) to specific user group Internet Surfers - Allow all sites to specific user group Internet Surfers This is the way that these rules have always been, and nothing has changed here. There are also no DENY rules in place, anywhere. The problem: About 1-2 weeks ago, I discovered that I was unable to browse FTP sites at all. If I try to open an FTP site via a WEB Browser (clients are setup as WEB Proxy clients) then I get this error: ISA Server: extended error message : 200 Type set to A. 200 PORT command successful. 425 Can't build data connection: Connection refused If I try to connect to an FTP site (e.g. ftp.tacteam.net) via the command line (which also always used to work), I get prompted for a username and password. When I connect as anonymous, I can successfully login, but as soon as I try to perform any commands such as DIR etc, on ftp.tacteam I just get no response. It is as if the connection is hanging. If I try to connect to another website, I actually then get the same "connection refused" error as mentioned above. Tom, can you perhaps explain why I "hang" on your site, but get denied errors on other sites? The other problem is that on my ISA Server, I am able to see FTP traffic going through, I can also see the FTP traffic going through the PIX Firewall, so this means that I am definitely getting out of my network on the FTP control channel, but I cannot seem to get back on the FTP Data Channel. The only other FTP stuff I have on my ISA Server is a Server Publishing Rule for the following: Publish "FTP Server" protocol on ISA's external interface and map it through to my internal FTP Server. Now you would think that this is most probably the problem (I know I did), but even after disabling this publishing rule, it still doesn't work. Now I thought I would get clever and do a "netstat -an" on my ISA Server to see what was happening, and all I found was this: TCP <ISA's External Interface>:21 0.0.0.0:0 LISTENING Now that doesn't look too worrying (I think) so now I really don't know what to do. Would someone perhaps have any comments on all of my ramblings, something that makes sense of all this madness? Thanks for your time, Cheers William R. -----Original Message----- From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] Sent: 10 January 2003 15:45 PM To: [ISAserver.org Discussion List] Subject: [isalist] Cannot access FTP sites... http://www.ISAserver.org Hi there I have just discovered that I can no longer browse any FTP site. I have for example tried connecting to the following within my IE Web Browser: ftp://ftp.microsoft.com ftp://ftp.europe.datafellows.com (our anti-virus application) ftp://ftp.is.co.za (our ISP) and all of them return the following error: ISA Server: extended error message : 200 Type set to A. 200 PORT command successful. 425 Can't build data connection: Connection refused I have also tried connecting from the cmdline but I get the exact same error as above. All clients are set up as WEB Proxy, Firewall and SNat clients. I used to be able to access FTP Sites quite alright, but I cannot for the life of me think what has changed. My S&C Rules and Protocol Rules do allow FTP Outbound Access, along with HTTP & HTTPS. Any ideas would be most appreciated... Cheers William R. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: robertson.william@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')