[isalist] Re: FTP Delete
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Wed, 31 May 2006 16:23:30 -0700
http://www.ISAserver.org
-------------------------------------------------------
Can't RDP into the ISA & clients?
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Amy Babinchak
Sent: Wednesday, May 31, 2006 15:33
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FTP Delete
http://www.ISAserver.org
-------------------------------------------------------
Tomorrow...
Amy
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Wednesday, May 31, 2006 5:42 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FTP Delete
http://www.ISAserver.org
-------------------------------------------------------
When the ISA FTP filter rejects a command, it also sends a 550 "access denied"
response.
This is why we need a simultaneously-nsiffed steaming pile of packets from both
ends of ISA.
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Young, Gerald G
Sent: Wednesday, May 31, 2006 13:48
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FTP Delete
http://www.ISAserver.org
-------------------------------------------------------
If ISA will return an FTP 550 access denied error, then you're right, the OS of
the FTP server doesn't matter. But I didn't think ISA would return a protocol
error on behalf of a protected server. Does it really do that?
In past experience - pre-ISA - a 550 error usually meant one of the following
(which is why I asked about platform):
The initial FTP directory is not set.
The 550 error means that the client is being told by the server that the user
who logged on does not have permission to perform the action being attempted -
in this case delete. This could either be the specific file or the directory
in which the file resides.
And, if I recall correctly, in the *nix world you can configure FTP to grant
permissions based on source IP - even IIS can do this.
From the description of your problem, it sounds like you can delete files just
fine on the FTP server when connecting from a client local to the FTP server's
subnet but can't from outside of that subnet. If that's the scope, I'd start
by looking closer at home - the configuration of the FTP server - before
jumping into ISA, unless, of course, ISA does return FTP protocol error codes.
Cordially yours,
Jerry G. Young II
MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
ECNS Microsoft Engineering
Unisys
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Wednesday, May 31, 2006 4:22 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FTP Delete
http://www.ISAserver.org
-------------------------------------------------------
By server, I meant one of the local servers on site, not the FTP server.
Sorry for not being clear.
I don't know that OS the FTP server runs. I don't think it matters for this
issue.
Amy
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Young, Gerald G
Sent: Wednesday, May 31, 2006 4:11 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FTP Delete
http://www.ISAserver.org
-------------------------------------------------------
What platform is it?
And I didn't quite understand what you meant when you said:
"If administrator logs into the workstation, no delete. If administrator logs
into the server, then delete works."
Do you mean to say that if a delete is attempted remotely it doesn't work but
if it's attempted on the server it works fine?
You say that it's the same FTP login credentials for all users.
If it works for you but not someone else, might the restriction be based off of
source IP?
Cordially yours,
Jerry G. Young II
MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
ECNS Microsoft Engineering
Unisys
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Wednesday, May 31, 2006 4:05 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FTP Delete
http://www.ISAserver.org
-------------------------------------------------------
The FTP site is not a Windows 2003 server.
Amy
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Young, Gerald G
Sent: Wednesday, May 31, 2006 3:50 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FTP Delete
http://www.ISAserver.org
-------------------------------------------------------
Amy,
If the users are getting a 550 access denied error that indicates to me that
traffic is passing between the client and server just fine. I'd look at the
permissions on the particular file that they are attempting to delete.
If the server is Windows 2003, you can open up properties on the file in
question, flip over to the security tab, hit the advanced button, then flip to
the effective permissions tab, plug in the user in question and see what their
effective permissions are for that file.
A lot of people will miss specific deny permissions on files, which will take
precedence over any allow permissions.
Cordially yours,
Jerry G. Young II
MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
ECNS Microsoft Engineering
Unisys
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Wednesday, May 31, 2006 3:14 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] FTP Delete
http://www.ISAserver.org
-------------------------------------------------------
I have a client whose FTP site is hosted by SBC. Local users are unable to
delete files on the FTP site. They get a 550 access denied error.
We've tried various FTP clients and IE with the same results. All local PC's
are XP SP2 running the firewall client. SBC insists this is a local firewall
issue. I'm not seeing it. Anyone think SBC's diagnosis has any merit? The only
thing that has me questioning myself is that if I log onto the server as
administrator and attempt to delete from the FTP site, I can.
I have loads of successful FTP connections and only 2 denied packets in the
last 24 hours. They look like this:
Original Client IP Client Agent Authenticated Client Service
Server Name Referring Server Destination Host Name
Transport MIME Type Object Source Source Proxy
Destination Proxy Bidirectional Client Host Name Filter
Information Network Interface Raw IP Header Raw Payload
Source Port Processing Time Bytes Sent Bytes Received Result
Code Cache Information Log Record Type Log Time
Destination IP Destination Port Protocol Action Rule
Client IP Client Username Source Network Destination Network
HTTP Method URL Error Information HTTP Status Code
70.229.250.114 - SVCTAG-H442T91 -
TCP - - - -
- - 1540 0 0 0 0xc0040017
FWX_E_TCP_NOT_SYN_PACKET_DROPPED 0x0 Firewall
5/31/2006 9:25:26 AM 68.142.234.92 21 FTP Denied
Connection - 70.229.250.114 - Local Host External
0x0
Amy
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
