[isalist] Re: FTP Oddity over TMG

  • From: Rob Moore <RMoore@xxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 14 May 2010 12:42:38 -0400

That makes sense. Thanks.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Friday, May 14, 2010 12:06 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FTP Oddity over TMG

Rob,

That second error you see (502 Active FTP not allowed) is because the TMG FTP 
filter has been changed to disallow active FTP.
This was done to prevent malware creating an inbound connection to non-FTP 
listeners such as RPC (port 135), SMB (port 445), etc.

The difference between active and passive FTP is that when the FTP server sends 
data (other than status messages) to the client, the FTP server must:
  Active: create a connection to the client on the port specified by the client.
  Passive: accept a connection from the client on a port specified by the FTP 
server.

Scenario: a vulnerability exists in component "x".  This component listens on 
TCP:666. A new chunk of malware wants to exploit this vulnerability and uses 
active FTP to communicate with its "master" and create connections to the 
client on TCP:666, opening the vulnerable component to attack from the 
malicious server through your firewall.

To prevent this scenario, TMG requires passive FTP, which requires that any 
connection between the client and remote server occur outbound only.  Yuri 
Diogenes discussed this in 
http://blogs.technet.com/yuridiogenes/archive/2010/03/16/error-502-active-ftp-not-allowed-when-trying-to-list-files-in-a-ftp-session-behind-forefront-tmg-2010.aspx

Jim.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Friday, May 14, 2010 05:33
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] FTP Oddity over TMG

OK, here's an odd one for you.

I've almost completed my transition from ISA 2006 to TMG. Yesterday I 
reconfigured DHCP so that all my clients started using TMG as their default 
gateway. We then discovered a problem. One of the users needed to FTP a file to 
someplace offsite. Something he does regularly to this site. (I hadn't 
discovered this problem because those of us testing the firewall don't use FTP 
much.) His FTP failed when using Windows Explorer to do the FTPing. I tried 
replicating the problem from the command line, while monitoring the activity 
from TMG. My FTP also failed. The command line returned this error:
502 Active FTP not allowed.
550 Access is denied.

However, TMG returned no errors at all.

After a while, I hit upon the FTP filter. It has a checkbox that is checked by 
default that is labeled "Read Only" and says "When Read Only is selected, FTP 
uploads will be blocked." I unchecked that box and tried again. The upload from 
the command line failed again, with a slightly different error:
502 Active FTP not allowed.
550 No port specified.

Again, no errors reported by TMG.

However, the FTP now works from Windows Explorer.

So, a couple of oddities come to mind.

 1.  Why is it that the default in an "allow" rule is to have the filter block 
the traffic you just allowed? Seems weird to me.
 2.  Why does FTP work from Windows Explorer but not from the command line?

Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC
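The two error sequences Rob saw (502 followed by 550 Access is denied, then 502 followed by 550 No port specified after unchecking Read Only) and Jim's explanation of why a firewall refuses active mode can be walked through with a small model of an FTP application filter. The following is an added example, not code from the thread and not TMG's filter; it is a constructed Python model with a hypothetical policy object (FtpFilterPolicy) and constructed control-channel transcripts. It parses each command, tracks whether the client negotiated an active (PORT/EPRT) or passive (PASV/EPSV) data channel, refuses PORT with the 502 reply, blocks uploads while read-only, and decodes the PORT argument to show which client port the remote server would be asked to connect to (the constructed PORT line names TCP 666, matching Jim's scenario).

```python
"""Toy model of a firewall FTP application filter (constructed example).

It parses FTP control-channel commands, tracks the negotiated data-channel
mode, and decides per command whether to forward it or answer on the
server's behalf with the replies quoted in the thread.
"""
from dataclasses import dataclass, field
from typing import Optional

ACTIVE_CMDS = {"PORT", "EPRT"}            # server connects back to the client
PASSIVE_CMDS = {"PASV", "EPSV"}           # client connects out to the server
UPLOAD_CMDS = {"STOR", "STOU", "APPE"}    # commands that write to the server
DATA_CMDS = UPLOAD_CMDS | {"RETR", "LIST", "NLST", "MLSD"}

REPLY_ACTIVE_DENIED = "502 Active FTP not allowed."
REPLY_READ_ONLY = "550 Access is denied."
REPLY_NO_PORT = "550 No port specified."


@dataclass
class FtpFilterPolicy:           # hypothetical policy object, not a TMG API
    allow_active: bool = False   # active-mode data channels refused by default
    read_only: bool = True       # models the filter's "Read Only" checkbox


@dataclass
class FtpSession:
    data_mode: Optional[str] = None   # None, "active" or "passive"
    log: list = field(default_factory=list)


def parse_port_arg(arg: str):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port); ValueError if malformed."""
    fields = arg.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("PORT fields must be 0..255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PORT must name a non-zero TCP port")
    return ip, port


def filter_command(line: str, policy: FtpFilterPolicy, session: FtpSession):
    """Return (forward, reply): forward=True passes the command to the server;
    otherwise 'reply' is what the filter sends back to the client instead."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()

    if verb in ACTIVE_CMDS:
        if verb == "PORT":                 # EPRT's |proto|ip|port| form is not decoded here
            try:
                ip, port = parse_port_arg(arg)
                session.log.append(f"PORT would have the server connect to {ip}:{port}")
            except ValueError as exc:
                return False, f"501 {exc}"
        if not policy.allow_active:
            return False, REPLY_ACTIVE_DENIED
        session.data_mode = "active"
        return True, None

    if verb in PASSIVE_CMDS:
        session.data_mode = "passive"
        return True, None

    if verb in UPLOAD_CMDS and policy.read_only:
        return False, REPLY_READ_ONLY

    if verb in DATA_CMDS and session.data_mode is None:
        # models the server-side reply seen in the thread when STOR follows
        # a refused PORT: no data channel was ever negotiated
        return False, REPLY_NO_PORT

    return True, None


def run_session(lines, policy):
    """Run a whole control-channel transcript; return (command, forwarded, reply) tuples."""
    session = FtpSession()
    return [(line, *filter_command(line, policy, session)) for line in lines]


def replies_for(lines, policy):
    """Only the replies the filter generated itself, in order."""
    return [reply for _, fwd, reply in run_session(lines, policy) if not fwd]


# Constructed transcripts mirroring the two client behaviours in the thread.
ACTIVE_UPLOAD = ["USER rob", "PASS secret", "TYPE I",
                 "PORT 10,0,0,5,2,154", "STOR report.txt", "QUIT"]
PASSIVE_UPLOAD = ["USER rob", "PASS secret", "TYPE I",
                  "PASV", "STOR report.txt", "QUIT"]

if __name__ == "__main__":
    cases = [("active client, Read Only default", ACTIVE_UPLOAD, FtpFilterPolicy()),
             ("active client, Read Only unchecked", ACTIVE_UPLOAD, FtpFilterPolicy(read_only=False)),
             ("passive client, Read Only unchecked", PASSIVE_UPLOAD, FtpFilterPolicy(read_only=False))]
    for label, transcript, policy in cases:
        print(f"--- {label}")
        for cmd, fwd, reply in run_session(transcript, policy):
            print(f"{cmd:<22} {'forwarded' if fwd else reply}")
```

Running the three cases shows why the passive client succeeds while the active one fails twice with different 550 replies: the filter only ever intervenes on PORT (the request for an inbound connection) and on uploads while read-only, so a client that sends PASV never triggers a filter reply at all. The decoded PORT argument is the part worth logging in a real filter, since it is exactly the client-chosen port that the remote server would be allowed to reach through the firewall.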