Hi Andre,

Agreed. Allowing outbound VPN connections of any kind from *my* network
from untrusted or low trust hosts is not allowed. It's a BIG security
hole and "rights to privacy" be d*mned.

SSH is like a weak form of RDP :-)

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
> Sent: Thursday, October 06, 2005 9:19 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Help - SFTP port 22
>
> http://www.ISAserver.org
>
> Well, basically, as I have stated, SCP and SFTP just execute commands
> on the remote side and pipe you the output through the established
> tunnel. (And SCP is a bit of an ugly hack, at base).
>
> If you see an SSH tunnel as a horrible security issue from a firewall
> admin point of view, well then you might as well see IPSEC, PPTP and
> VPNs in general as a security issue as well.
>
> SSH is not Telnet on steroids, it's much more powerful, just keep that
> in mind. I do use it to "bypass" the firewall here to connect to my
> mail server at home by binding port 25 to my local machine here, then
> connecting to that.
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: October 6, 2005 09:43
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Help - SFTP port 22
>
> Hi Alexander,
>
> If everything is sent and received over an encrypted tunnel (a horrible
> security issue from a firewall admin's point of view) over a single
> session, then there are no secondary protocols and it should just work
> allowing a primary connection outbound on TCP port 22.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> > -----Original Message-----
> > From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
> > Sent: Thursday, October 06, 2005 8:34 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help - SFTP port 22
> >
> > *shy cough from the Unix guy in background*
> >
> > Uhm, I do not mean to intrude but they basically are the same, they
> > go through an SSH tunnel.
> >
> > SFTP is not more secure than SCP or vice-versa, they are only as
> > secure as SSH itself. (Which means, it's fine. Basically.)
> >
> > They just use different interfaces, but they "work" the same, which
> > is inside an SSH tunnel. SFTP is just designed to "look and taste"
> > like an FTP server to the end user, but it is not dual port or
> > anything either, it is just a matter of what application you call on
> > the other end of the SSH connection. ISA would see both protocols as
> > the same, from its point of view.
> >
> > And in any case... winSCP3 uses SFTP by default with fallback to SCP
> > if that craps out. It's made like this because sometimes
> > administrators will disable one or the other in /etc/ssh/sshd_config
> > for various reasons.
> >
> > Basically all you need to do is allow SSH (which means outgoing
> > connection to port 22 on destination machine(s) (or the internet))
> > and you are set. That's what I did here, and it works wonderfully, I
> > can toss and fetch files from my Linux box at home in a really really
> > strange fashion involving tunneling SSH inside SSH to reach a machine
> > behind my NAT ;)
> >
> > Greg, I think you are confusing SFTP with FTPS, perhaps...
> >
> > SSH is such a great protocol, it is a shame the OpenSSH
> > implementation doesn't work fully on Windows Server 2003 yet. (At
> > least last time I checked).
> > With the venue of MSH, it will be even more useful...
> >
> > (And don't you love tunneling clear-text protocols through SSH? You
> > can use it as a "poor man's VPN" also.)
> >
> > OH and FYI, ISA *does* support some amount of FTPS, it depends on
> > whether it is implicit or explicit, I believe... (I.E. SSL on port 21
> > instead of on a dedicated port).
> >
> > Now of course if you're talking about the FTP application filter ...
> > Seeing how braindead the FTP client in windows is, I don't doubt it
> > is not supported :)
> >
> > -----Original Message-----
> > From: Greg Mulholland [mailto:gmulholland@xxxxxxxxxxxxxx]
> > Sent: October 6, 2005 02:06
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help - SFTP port 22
> >
> > Noel
> >
> > What are you trying to achieve? My guess is you are trying to dump
> > files to a linux box or a windows box running an ssh server, behind
> > the ISA firewall. Instead of using SFTP, try using SCP. It's a more
> > secure protocol. See if that works the same.
> >
> > Greg
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Thursday, 6 October 2005 3:05 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Help - SFTP port 22
> >
> > SFTP uses TCP:989 & TCP:990; SSH uses TCP:22.
> > Which is it that you think you're using?
> >
> > No; ISA does not support FTPS.
> >
> > -----Original Message-----
> > From: Noel [mailto:noel.callander@xxxxxxx]
> > Sent: Wednesday, October 05, 2005 5:19 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Help - SFTP port 22
> >
> > Question: is SFTP supported by ISA2000EE? I can't seem to get it to
> > work. I have opened port 22 on the ISA server but it still fails.
> > Is there anything else that needs to be configured? I am using the
> > winscp375 GUI on the XP workstation.
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > jim@xxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
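
What a filtering device can still see of a session like the ones discussed in this thread, as an added example that is not part of any poster's message: each side sends an RFC 4253 identification line before key exchange, so SSH can be recognised on any port, while the sftp, scp and port-forward requests travel inside the encrypted transport. The function names, labels and sample byte strings are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF",
# at most 255 bytes including CR LF. A server may send other text lines first.
IDENT_RE = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: ([^\r\n]*))?$")


def parse_ssh_ident(first_bytes: bytes):
    """Return (protoversion, softwareversion, comments) or None if no valid banner."""
    for raw in first_bytes.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # pre-banner line, permitted by the RFC
        if len(raw) + 1 > 255:  # +1 for the LF removed by split()
            return None
        m = IDENT_RE.match(line)
        if m is None:
            return None
        proto, software, comments = m.groups()
        return (proto.decode("ascii"), software.decode("ascii"),
                (comments or b"").decode("ascii", "replace"))
    return None


def classify_flow(dst_port: int, first_bytes: bytes) -> str:
    """Label a new TCP flow from its destination port and first payload bytes."""
    ident = parse_ssh_ident(first_bytes)
    if ident is None:
        return "not-ssh"
    if ident[0] not in ("2.0", "1.99"):
        return "ssh-legacy-protocol"
    # Past this point the filter cannot tell SFTP, SCP or a forwarded port apart.
    return "ssh" if dst_port == 22 else "ssh-on-unexpected-port"


# Constructed samples: (destination port, first bytes seen on the flow).
SAMPLES = [
    (22, b"SSH-2.0-OpenSSH_4.2\r\n"),
    (443, b"SSH-2.0-ExampleClient_1.0 test build\r\n"),
    (22, b"220 ftp.example.test FTP ready\r\n"),
    (22, b"Welcome\r\nSSH-1.5-OldServer\r\n"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, classify_flow(port, data), parse_ssh_ident(data))
```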