RE: FTP Non-Standard Ports

  • From: Logan Ramirez <LoganRamirez@xxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 6 Feb 2002 14:51:46 -0600

So, does anyone know why this does not work with ISA?  Allowing an internal
client to FTP to a non-standard port to an IIS FTP server located in the
Windows 2000 AD DMZ zone in a back to back configuration?

Also, I did some more packet sniffing, and it seems when you uncheck the box
'Enable folder view for FTP sites' and uncheck the 'Use Passive mode...',
that IE (6.0) uses the HTTP protocol to transfer data.  Weird...

Enabling both boxes gives an error time out, but the packets are seen on
ISA, just not allowed.

Logan


-----Original Message-----
From: Scott Sandeman [mailto:sandeman@xxxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, February 06, 2002 1:56 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FTP Non-Standard Ports


http://www.ISAserver.org


Thomas,

    can you tell me where I can get your book in Canada.. I would dearly
love to be able to get my hands on it today...and not have to wait for a
couple of days for delivery....


-- Scott

> Hi Logan,
> 
> You must use the FW client method of publishing FTP servers on 
> non-standard ports.
> 
> HTH,
> Tom
> www.isaserver.org/shinder <http://www.isaserver.org/shinder>
> 
> 
> -----Original Message-----
> From: Logan Ramirez [mailto:LoganRamirez@xxxxxxxxxxxxxx]
> Sent: Tuesday, February 05, 2002 10:35 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] FTP Non-Standard Ports
> 
> Does anyone know why it is so difficult to ftp to a non-standard port?
> 
> Maybe it's just me...
> 
> Back to back private DMZ setup, and FTP in both directions (from 
> internal network and external network into DMZ) work perfectly on 
> standard port 21 in both active and passive modes, however, when I try 
> to FTP to another port, I get either 500 INVALID PORT COMMAND or 
> Operation Timed Out (depending on PORT or PASV mode, respectively).
> 
> I am testing with IE 6.0 and also with command line ftp (windows XP) 
> from internal network.
> 
> I dropped a sniffer on all 3 devices, internal host, internal ISA, and 
> DMZ ftp server (IIS running on windows 2000 DC) and watched the 
> packets float across, and even in true passive mode, with an 'all 
> ports allowed' packet filter enabled and a 'all protocol allowed' 
> filter, only standard port 21 worked.
> 
> So strange though...same testing environment, from internal host into 
> DMZ, and when in passive mode I see the packets generated as such for 
> port 21: (numbers made up for convenience)
> 
> client 2872 -->  server 21
> server 21 ---> client 2872 (with PORT command informing client of its listening data port)
> client 3154 --> server 5156
> server 5156 --> client 3154
> 
> for ftp to non-standard port, say 5153:
> client 2872 -->  server 5153
> server 5153 ---> client 2872 (with PORT command informing client of its listening data port)
> client 3154 --> server 5156
> No server response.  Operation timed out.
> 
> The packet is never seen on the FTP server, but what the heck is so 
> different about a client making a second request to some random high 
> port when its initial request was to standard FTP port 21 versus a 
> client making a request to some random high port when its initial 
> request was to non-standard FTP port 5153?
> 
> I tried SP1, firewall client software (may have done this 
> incorrectly), making the client a secureNAT client...
> 
> Sure could use some conversation to get more ideas flowing.
> 
> Hope this finds all well.
> 
> Logan
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: 
> tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to 
> $subst('Email.Unsub')
> 
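
The passive-mode exchange described in the quoted message, modelled as an added example that is not part of the original thread and is not ISA Server's code: the data port is announced only inside the control-channel reply, so a filter that parses FTP only on its configured control ports never learns which data connection to expect. The addresses, the `FtpHelper` class and the assumption that the helper is bound to port 21 alone are illustrative.

```python
import re

# Constructed control-channel reply (not captured traffic): 20*256 + 36 = 5156
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,20,36)"

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply, else None."""
    verb = line.split(" ", 1)[0].upper()
    if verb not in ("PORT", "227"):
        return None
    m = _TUPLE.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed h1,h2,h3,h4,p1,p2 tuple
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class FtpHelper:
    """Hypothetical stateful filter: opens data pinholes only for the
    control ports it is configured to inspect (assumption: 21 only)."""
    def __init__(self, control_ports=(21,)):
        self.control_ports = set(control_ports)
        self.pinholes = set()  # (ip, port) data connections currently expected

    def control_line(self, server_port, line):
        # A session on an uninspected port is never parsed as FTP,
        # so the announced data port goes unnoticed.
        if server_port not in self.control_ports:
            return
        endpoint = parse_endpoint(line)
        if endpoint:
            self.pinholes.add(endpoint)

    def allow_data(self, ip, port):
        # One-shot pinhole: consumed by the first matching connection.
        if (ip, port) in self.pinholes:
            self.pinholes.remove((ip, port))
            return True
        return False

def simulate(control_port, helper_ports=(21,)):
    """True if the data connection to 10.0.0.5:5156 would be let through."""
    fw = FtpHelper(helper_ports)
    fw.control_line(control_port, PASV_REPLY)
    return fw.allow_data("10.0.0.5", 5156)
```

With the defaults, `simulate(21)` admits the data connection and `simulate(5153)` does not, which matches the timeout seen in the thread's second flow.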




