[isalist] Re: [ISAserver.org Discussion List] FTP Servers

  • From: "John T (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 22 Mar 2006 12:17:13 -0800

Check the box Allow Upload?

 

John T

eServices For You

 

"Seek, and ye shall find!"

 

-----Original Message-----
From: Andrew English [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of
Andrew English
Sent: Wednesday, March 22, 2006 11:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: RE: [isalist] Re: [ISAserver.org Discussion List] FTP Servers

 

So then tell me why does it work behind this WatchGuard Firebox V60 but
doesn't work behind ISA 2004 Server?

 

Regards,

Andrew

 

  _____  

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
Sent: Wed 22/03/2006 2:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers

He would have to publish the external server to the Internal network users.
While this is appropriate in some well defined scenarios, I doubt he has the
sophistication to understand what these scenarios are, therefore there is
either a NAT editor problem with a front-end device, or a NAT editor problem
with the device in front of the destination FTP server, or some other really
off-label SNAFU.

 

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

 


  _____  


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Moffat
Sent: Wednesday, March 22, 2006 1:18 PM
To: ISA Mailing List
Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers

OK I'll bite.....using the FTP server protocol, which if I am mistaken, is
of the inbound direction, as opposed to the FTP protocol, which is of the
outbound direction, therefore unless his rule is back to front....

 


  _____  


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Thomas W Shinder
Sent: Wednesday, March 22, 2006 3:09 PM
To: ISA Mailing List
Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers

 

Dude,

'preciate ya, but I don't think that can happen. You can use Server PDs in
an Access Rule, so unless something is more whack than what meets the eye,
traces are still in order.

 

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

 


  _____  


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Moffat
Sent: Wednesday, March 22, 2006 1:02 PM
To: ISA Mailing List
Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers

That's OK...I'll keep you and Jim on the right track...:-)

 


  _____  


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Thomas W Shinder
Sent: Wednesday, March 22, 2006 3:02 PM
To: ISA Mailing List
Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers

 

LOL! I didn't even notice that, it got lost in the noise :))

 

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

 


  _____  


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Moffat
Sent: Wednesday, March 22, 2006 12:57 PM
To: ISA Mailing List
Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers

You are such a complete ass Andrew....the server protocol is for publishing
your own FTP servers. You want to allow the FTP protocol.

 

S

 


  _____  


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Andrew English
Sent: Wednesday, March 22, 2006 3:04 PM
To: ISA Mailing List
Subject: RE: [isalist] Re: [ISAserver.org Discussion List] FTP Servers

 

Jim,

 

None of the workstations use the web proxy, or firewall client software of
ISA 2004. They use Secure NAT, they are going out through ISA like if you
had a dummy Linksys cable DSL router.

 

Example:

 

ISA is on 192.168.1.1

 

GW: for all clients on the DHCP server is 192.168.1.1, again there is no web
proxy setup and no firewall client ware installed. 

 

Secondly what I meant in my other comment which you are so eager to twist
around is that I have not tampered with the default firewall settings of
ISA, yes I have added my own rules to the system, but if you look at the
default core settings for ICMP, etc they have all been left alone.

 

Now are you going to keep acting this way if I say, you know Jim I installed
a new ISA server that only had two rules in it, one for the FTP server to
the outside using the default FTP Server protocol, and the other which is
the default DENY rule that ISA creates? Are you going to blame it on the web
proxy or firewall client if neither are installed or being used?

 

Let's be realistic here, if you don't know the answer why ISA out of the box
with two rules in it won't connect to FTP servers that don't use passive
mode why make a fuss of it? Why not ask Bill to loan you one of his boxes,
install ISA 2004, email me for a couple test accounts and go to town, then
say geez you know there is a bug or maybe Microsoft doesn't care?  You have
the time and certainly the money to investigate it further, than I do yet
you keep hounding people to show you more evidence before you will get off
your dairy air and do something.. ;)

 

Regards,

Andrew

 


  _____  


From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
Sent: Wed 22/03/2006 12:33 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: [ISAserver.org Discussion List] FTP Servers

http://www.ISAserver.org
-------------------------------------------------------
 
No - you said:
"I seem to only be able to get access to FTP servers using PASV modem on my
workstations that are setup under secure NAT".
This leaves the failing case hanging somewhere between web proxy and
firewall clients.
You also stated:
"..I have had to reinstall ISA 2004.." and "Nothing on the ISA configuration
level has been modified or changed", which are just a bit contradictory.

You haven't given anyone anything to work from, like:
- client errors
- ISA logs
- captures

If the problem is important enough to involve an entire list, it's important
enough to provide something more than conjecture and contradiction.

There are a great many FTP servers that disallow active mode; and with good
reason.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
