RE: Publishing FTP server

  • From: Alexandre Gauthier <gauthiera@xxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 15 Sep 2005 10:38:05 -0400

For the heck of it, could you try

1) Accessing the ftp server from the internet using PASV (passive) mode?
(The basic built-in ftp client in windows is braindead, and does not support
this. Try a GUI client; make sure it is in passive mode.)

2) Ensuring you have checked the "FTP Access Filter" on the FTP Server
protocol of any Filtering Policy you might have in place

------- Some uncalled-for explanations on the FTP protocol below. You shut
up and read if you're interested :P -------------

FTP is a rather hard-to-work-with protocol; I'll give you some explanations
- although you probably already know this ;)

First, two connections are used, basically - port 20 and port 21. Port 21 is
the control session, which is what you use to login and issue commands. 20
is used as the data port, which is any file transfer, or file listings.
Apparently, you can talk on port 21 without problems, but fail to establish
a data connection on port 20.

In default PORT mode, you (the client) are in fact acting as the server,
from a TCP point of view at least. You connect to the FTP server on port 21,
authenticate, then request a directory listing.

*The Server* will then open a connection to *the client machine* on port 20
to send files. That was done as a design decision because back then, putting
the TCP/IP connection load on the client rather than the server would
prevent the server from melting when, say, id software released their doom
demo. (Which happened anyway. But you know the drill.)

This doesn't work very well with NATs (which were probably nonexistent at the
time) - so there are two things which were brought up for this very purpose.

PASV mode restores the behaviour you'd expect from a client/server TCP
connection and the client is asked to connect to the server on port 20 when
a directory listing is issued.

While this will work great when the user is behind a NAT, and fix all issues
of the NAT not opening port 20 because it sees no reason to, it will
sometimes be problematic in a situation where you have:

    Client Computer ------- NAT ------ [The internet] -------- NAT --------- FTP Server

The client computer cannot use PORT for it is behind a NAT. So PASV must be
used. However, the FTP server will acknowledge the request for passive
connections, and return its IP address to the client for it to connect to.
In the case of many FTP servers, the server will return its
*private RFC address* (e.g. 172.16.12.8 - substitute your favorite
private subnet), which the client computer obviously cannot connect to.

Any firewall/gateway/proxy worth its salt will handle this by farting around
with the FTP datagrams (both hands deep in Layer 3, beyotch!) and substituting
the address, or using other arcane magic to make it work.

ISA has this, and it is that very "FTP Access Filter" option, apparently.
Cisco PIXes possess the "fixup protocol ftp 21" configuration line, which
works like ass right now, at least in my home setup (it works if the client
is behind a NAT and fails if the client is directly on the internet. Search
me.)

As Jim suggested, running some kind of packet dump will tell you the answer
quite clearly. But your client hanging on "ls" is proof that something is up
with the data connection.

Hope this helps,

--
Alexandre Gauthier
Analyste Réseau / Network Analyst
gauthiera@xxxxxxxxxxxxxxxxx
Québec Loisirs - http://www.quebecloisirs.com/

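The PASV failure described above (a server behind a NAT advertising its private address in the 227 reply, which an FTP access filter or "fixup" is supposed to rewrite), as an added diagnostic example that is not part of the original post. The sample replies and the 203.0.113.10 control-peer address are constructed; the RFC 1918 ranges are the standard private blocks.

```python
import ipaddress
import re

# Both the PORT command and the 227 reply to PASV carry the data endpoint as
# six decimal bytes: h1,h2,h3,h4,p1,p2 -> IPv4 address h1.h2.h3.h4, port p1*256+p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# The "private RFC address" case from the post: RFC 1918 space leaking through a NAT.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(line):
    """Decode the h1,h2,h3,h4,p1,p2 tuple from a PORT command or a 227 reply.
    Returns (ip_string, port); raises ValueError if no valid tuple is present.
    """
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in %r" % line)
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def check_pasv_reply(reply, control_peer):
    """Compare the address a server advertises in its 227 reply with the address
    the client actually reached on the control connection (port 21).
    Returns (status, ip, port) with status one of:
      "PRIVATE"  - RFC 1918 address advertised; an internet client cannot connect
                   to it unless the firewall's FTP filter rewrites the reply
      "MISMATCH" - non-private address, but not the one the control session went to
      "OK"       - the data endpoint is the server the client already talks to
    """
    ip, port = parse_hostport(reply)
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in _RFC1918):
        status = "PRIVATE"
    elif ip != control_peer:
        status = "MISMATCH"
    else:
        status = "OK"
    return status, ip, port


if __name__ == "__main__":
    # Constructed replies; 203.0.113.10 stands in for the published server's public address.
    for reply in ("227 Entering Passive Mode (172,16,12,8,19,136)",
                  "227 Entering Passive Mode (203,0,113,10,19,137)"):
        print(reply, "->", check_pasv_reply(reply, "203.0.113.10"))
```

A "PRIVATE" verdict against the reply seen by a client on the internet means the filter on the publishing firewall did not rewrite the address, which matches an "ls" that hangs after a successful login.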
  _____  

From: adam.staub@xxxxxxxxxxxxxxxx [mailto:adam.staub@xxxxxxxxxxxxxxxx]
Sent: 14 September 2005 16:21
To: [ISAserver.org Discussion List]
Subject: [isalist] Publishing FTP server

I've got the following scenario: ISA Server 2000 SP2 with rollup patch
running on Windows 2000 Server, fully patched. I'm trying to publish a Windows
2003 FTP server. I run through the server publishing rule and configure my
system. However, when I attach using a machine located on the internet I
can log in successfully but can't list files. Basically, LS and DIR hang.
The FTP server does show a connection to the client. Not sure what is
causing this. I did set up a site and content rule referring to the 2003 FTP
server but that didn't help. Any help would be appreciated.
Adam 
