Firewall method, eh? That must be true when talking about publishing an FTP server, but I am not trying to publish one in this case. Eventually we may, but we will not use PUTs in that instance. In this case, however, we need to put and it is my INTERNAL network going out to the DMZ. Machines in its LAT. No publishing involved there. Just plain IP packet filtering (I believe). A simple protocol rule to allow the port you need, then I imagined it would work, but this is not the case and all my troubleshooting attempts have failed, even allowing ALL protocols/packets through. What is up with that? I am really starting to believe it is the product, especially since I am hearing about a lot of people having difficulty as well.

With continued appreciation of intellectual conversation and field supported efforts,
Logan

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, February 05, 2002 10:39 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FTP Non-Standard Ports

http://www.ISAserver.org

Hi Logan,

You must use the FW client method of publishing FTP servers on non-standard ports.

HTH,
Tom
www.isaserver.org/shinder

-----Original Message-----
From: Logan Ramirez [mailto:LoganRamirez@xxxxxxxxxxxxxx]
Sent: Tuesday, February 05, 2002 10:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] FTP Non-Standard Ports

Does anyone know why it is so difficult to FTP to a non-standard port? Maybe it's just me...

Back to back private DMZ setup, and FTP in both directions (from internal network and external network into DMZ) works perfectly on standard port 21 in both active and passive modes. However, when I try to FTP to another port, I get either 500 INVALID PORT COMMAND or Operation Timed Out (depending on PORT or PASV mode, respectively). I am testing with IE 6.0 and also with command line ftp (Windows XP) from the internal network.
I dropped a sniffer on all 3 devices, internal host, internal ISA, and DMZ FTP server (IIS running on Windows 2000 DC) and watched the packets float across, and even in true passive mode, with an 'all ports allowed' packet filter enabled and an 'all protocol allowed' filter, only standard port 21 worked.

So strange though... same testing environment, from internal host into DMZ, and when in passive mode I see the packets generated as such for port 21 (numbers made up for convenience):

    client 2872 --> server 21
    server 21 ---> client 2872 (with PORT command informing client of its listening data port)
    client 3154 --> server 5156
    server 5156 --> client 3154

For FTP to a non-standard port, say 5153:

    client 2872 --> server 5153
    server 5153 ---> client 2872 (with PORT command informing client of its listening data port)
    client 3154 --> server 5156

No server response. Operation timed out. The packet is never seen on the FTP server, but what the heck is so different about a client making a second request to some random high port when its initial request was to standard FTP port 21 versus a client making a request to some random high port when its initial request was to non-standard FTP port 5153?

I tried SP1, firewall client software (may have done this incorrectly), making the client a SecureNAT client...

Sure could use some conversation to get more ideas flowing. Hope this finds all well.

Logan
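
Added example (not part of the original thread): the data port in the traces above is negotiated inside the control connection, so a filter has to read the PORT command or the 227 reply to PASV (RFC 959) to know which data connection to allow, whatever port the control connection uses. The Python sketch below decodes both; the function names and sample lines are constructed for illustration, with ports chosen to match the made-up 3154 and 5156 in the trace.

```python
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" is sent by the client in active mode.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
# RFC 959: the 227 reply to PASV carries the same six numbers from the server.
PASV_RE = re.compile(r"^227\b.*?(\d{1,3}(?:,\d{1,3}){5})")


def _decode(six):
    """Turn 'h1,h2,h3,h4,p1,p2' into (ip, port); None if a field exceeds 255."""
    nums = [int(n) for n in six.split(",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_endpoint(line):
    """Return (mode, ip, port) if a control-channel line names a data port."""
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        ep = _decode(m.group(1))
        return ("active", *ep) if ep else None
    m = PASV_RE.match(line)
    if m:
        ep = _decode(m.group(1))
        return ("passive", *ep) if ep else None
    return None


def pinholes(transcript):
    """List the data connections a packet filter would have to allow."""
    return [ep for ep in map(data_endpoint, transcript) if ep]


# Constructed control-channel lines (addresses and ports are made up).
SAMPLE = [
    "220 Microsoft FTP Service",
    "USER anonymous",
    "PASV",
    "227 Entering Passive Mode (10,0,1,5,20,36)",  # 20*256 + 36 = 5156
    "PORT 192,168,1,20,12,82",                     # 12*256 + 82 = 3154
    "PORT 192,168,1,20,999,1",                     # malformed: field > 255
]

if __name__ == "__main__":
    for mode, ip, port in pinholes(SAMPLE):
        print(f"{mode}: data connection to {ip}:{port}")
```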