RE: Cannot access FTP sites...

  • From: "William Robertson" <william.robertson@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 21 Jan 2003 07:49:11 +0200

Hi there

I have now done the following:
- Disable all Server Publishing Rules
- Create Protocol Rule allowing ANY IP TRAFFIC ALWAYS for ANYONE
- Create Site & Content Rule allowing ANY SITE ALWAYS for ANYONE
- Restart all ISA Services regularly

Even after doing the above, I still get:
200 Type set to A.
200 PORT command successful.
425 Can't build data connection: Connection refused

I even tried stopping the Firewall Service on ISA Server and disabling
the FW Client on my workstation but still I get this error. When I check
my WEB Proxy logs, this is all I find: (My Firewall & Packet Filter logs
show nothing)
<My IP Address>, <Domain\UserName>, Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1), Y, 1/21/2003, 7:03:29, w3proxy, <ISA Server>, -,
ftp.europe.datafellows.com, 193.110.109.52,21,8843,425,350, ftp, TCP,
GET, ftp://ftp.europe.datafellows.com/, -, Inet,200, 0x0, pAny, scAny,,

As you can see, I get status code 200 which means that the connection
was successful, but I still cannot get my data channel to work.

Could someone please try and connect to an FTP site and perform some
commands E.g. DIR, and then copy the necessary information from their
WEB Proxy logs and mail them to me? At least I can then see what I
should be seeing in my logs and maybe the answer will be in there
somewhere.

Cheers
William R.

-----Original Message-----
From: William Robertson [mailto:william.robertson@xxxxxxxxx] 
Sent: 20 January 2003 14:48 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cannot access FTP sites...

http://www.ISAserver.org


Yeah ok, but I have never had to do this in the past, and as far as I
know, having the FTP Application Filter caters for the secondary FTP
Data Channel on port 20, or am I mistaken?

Anyway, if I were to follow your advice, do you imply that I create a
Packet Filter for port 20 to allow the return data channel in, because
surely that is quite a huge security risk?

Cheers
William R.


-----Original Message-----
From: Quillman Shawn (RBNA/CIT1.1) [mailto:Shawn.Quillman@xxxxxxxxxxxx] 
Sent: 20 January 2003 14:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cannot access FTP sites...


You need to open port 20 as well.  FTP uses 20 and 21, 20 for a data
pipe and 21 for session control.

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI  48331
(248) 553-1164 (P)     (248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx


-----Original Message-----
From: William Robertson [mailto:william.robertson@xxxxxxxxx]
Sent: Friday, January 17, 2003 11:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cannot access FTP sites...



Hi guys

I have been struggling with this issue for quite some time now, but I am
damned if I know what is wrong. If you don't mind, I'm just going to
rattle on about my problem in order to clarify it for myself, and
hopefully someone can maybe shed a little light as well.

The setup:
I am running ISA 2000 w/ SP1 and FP1. I have 2 hotfixes installed (the
only ISA HFixes available I think). I have 1 WEB Filter installed called
Surfcontrol WEB Filter. My ISA server is on the Internal side of a PIX
Firewall.

The Rules:
I have the following FTP Rules:
 - Allow protocol FTP (Outbound TCP port 21) to specific user group
Internet Surfers
 - Allow all sites to specific user group Internet Surfers
This is the way that these rules have always been, and nothing has
changed here. There are also no DENY rules in place, anywhere.

The problem:
About 1-2 weeks ago, I discovered that I was unable to browse FTP sites
at all. If I try to open an FTP site via a WEB Browser (clients are
setup as WEB Proxy clients) then I get this error:
ISA Server: extended error message : 
200 Type set to A.
200 PORT command successful.
425 Can't build data connection: Connection refused

If I try to connect to an FTP site (e.g. ftp.tacteam.net) via the
command line (which also always used to work), I get prompted for a
username and password. When I connect as anonymous, I can successfully
login, but as soon as I try to perform any commands such as DIR etc, on
ftp.tacteam I just get no response. It is as if the connection is
hanging.

If I try to connect to another website, I actually then get the same
"connection refused" error as mentioned above. Tom, can you perhaps
explain why I "hang" on your site, but get denied errors on other sites?

The other problem is that on my ISA Server, I am able to see FTP traffic
going through, I can also see the FTP traffic going through the PIX
Firewall, so this means that I am definitely getting out of my network
on the FTP control channel, but I cannot seem to get back on the FTP
Data Channel.

The only other FTP stuff I have on my ISA Server is a Server Publishing
Rule for the following:
Publish "FTP Server" protocol on ISA's external interface and map it
through to my internal FTP Server.
Now you would think that this is most probably the problem (I know I
did), but even after disabling this publishing rule, it still doesn't
work.

Now I thought I would get clever and do a "netstat -an" on my ISA Server
to see what was happening, and all I found was this:
  TCP    <ISA's External Interface>:21      0.0.0.0:0      LISTENING

Now that doesn't look too worrying (I think) so now I really don't know
what to do.

Would someone perhaps have any comments on all of my ramblings,
something that makes sense of all this madness?

Thanks for your time,
Cheers
William R.




-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
Sent: 10 January 2003 15:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Cannot access FTP sites...


Hi there

I have just discovered that I can no longer browse any FTP site. I have
for example tried connecting to the following within my IE Web Browser:
ftp://ftp.microsoft.com
ftp://ftp.europe.datafellows.com (our anti-virus application)
ftp://ftp.is.co.za (our ISP)

and all of them return the following error:
ISA Server: extended error message : 
200 Type set to A.
200 PORT command successful.
425 Can't build data connection: Connection refused

I have also tried connecting from the cmdline but I get the exact same
error as above.

All clients are set up as WEB Proxy, Firewall and SNat clients. I used
to be able to access FTP Sites quite alright, but I cannot for the life
of me think what has changed.

My S&C Rules and Protocol Rules do allow FTP Outbound Access, along with
HTTP & HTTPS.

Any ideas would be most appreciated...

Cheers
William R.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
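
Added example, not written by any poster in this thread: a small Python checker that reads an FTP control-channel transcript, decodes the RFC 959 `PORT` argument or `227` passive reply, and reports which side has to open the data connection, which is the connection that ends in the `425` reply quoted above. The function names and both sample transcripts are constructed for illustration; only the reply texts and the server address 193.110.109.52 come from the thread.

```python
import ipaddress
import re

# RFC 959: address and port travel as six decimal bytes h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def decode_hostport(fields):
    """Turn the six byte fields into (dotted address, TCP port)."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of byte range: %r" % (fields,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def diagnose(transcript):
    """Return one finding per data-channel negotiation in the transcript."""
    findings, current = [], None
    for raw in transcript:
        line = raw.strip()
        active, passive = PORT_RE.match(line), PASV_RE.match(line)
        if active or passive:
            host, port = decode_hostport((active or passive).groups())
            current = {
                "mode": "active" if active else "passive",
                # active: server connects back in; passive: client connects out
                "initiator": "server" if active else "client",
                "endpoint": (host, port),
                "status": "unknown",
                "note": "",
            }
            if active and ipaddress.ip_address(host).is_private:
                current["note"] = ("PORT advertises a private address; an "
                                   "FTP-aware NAT/firewall must rewrite it and "
                                   "admit the inbound data connection")
            findings.append(current)
        elif current and line.startswith("425"):
            current["status"] = "data connection failed"
        elif current and line[:3] in ("125", "150", "226"):
            if current["status"] == "unknown":
                current["status"] = "data connection ok"
    return findings

# Constructed transcripts (not captured from the poster's network)
ACTIVE = ["PORT 192,168,1,10,19,137", "200 PORT command successful.",
          "LIST", "425 Can't build data connection: Connection refused"]
PASSIVE = ["PASV", "227 Entering Passive Mode (193,110,109,52,19,138)",
           "LIST", "150 Opening ASCII mode data connection.",
           "226 Transfer complete."]

if __name__ == "__main__":
    for f in diagnose(ACTIVE) + diagnose(PASSIVE):
        print(f)
```

In active mode the inbound data connection targets the port the client advertised (5001 in the constructed sample), not a fixed port on the client side, so the rule that matters is a stateful, FTP-aware one tied to the control session rather than a static inbound filter.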

