RE: TFTP from external interface?

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 7 Sep 2004 18:52:37 -0500

Hi William,

That's correct. If the TFTP server is on the ISA firewall, then go with
Tim's packet filter rec's. If the TFTP server is on a protected network
behind the ISA firewall, then you'll need to use the Firewall client
method of Server Publishing or create a TFTP application filter to
manage the secondary connections.

HTH,
Tom 

-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
Sent: Tuesday, September 07, 2004 6:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TFTP from external interface?

http://www.ISAserver.org

Thanks Tom, but surely a FWClient on the ISA server itself would not be
a recommended practice?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: 08 September 2004 12:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TFTP from external interface?

http://www.ISAserver.org

Hi William,

It won't work unless the TFTP server is on the ISA firewall itself. The
reason is that TFTP is a complex protocol, which requires either an
application filter or the Firewall client to be installed on the
published server (for 2000 only; the 2004 ISA firewall do NOT support
Firewall client publishing scenarios).

HTH,

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
Sent: Tuesday, September 07, 2004 4:53 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TFTP from external interface?


http://www.ISAserver.org

Thanks Thor, will set it up and let you know.

Cheers
William R.

-----Original Message-----
From: Thor [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: 07 September 2004 10:12 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TFTP from external interface?

http://www.ISAserver.org

I have not been able to get tft working from an external client to a ISA

server hosting TFTP services with a single UDP packet filter.  Even with

local 69 and all remote ports, as well as "Receive Send" and/or "Both" 
directions set up, it required 2 different filters- one "Receive Send"
local

69 remote all, and one "Send Receive" local all/remote 69.  You would 
obviously limit the remote address to the single client you wish to
support,

and ensure that your permissions on the TFTP server you are using are
set 
properly.

t

----- Original Message ----- 
From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, September 07, 2004 11:27 AM
Subject: [isalist] RE: TFTP from external interface?


> http://www.ISAserver.org
>
> <light bulb on>
> Aaaahhhh
> <light bulb off>
>
> Thanks Tom, forgot that Packet Filters were for explicit access to ISA
> alone... Would that imply that if I recreate my packet filters, and
then 
> try
> to connect from the ISA itself with a TFTP server it may in fact work?
>
> Regarding Secondary connections... I dunno actually. There is a TFTP
> protocol definition within ISA, and I see it does have a secondary
> connection... does that imply I would need to setup a 2nd Packet
Filter
> maybe? (I cannot see that I can setup secondary connections within the

> same
> Packet Filter rule)
>
> Thanks
> William R.
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: 07 September 2004 07:38 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TFTP from external interface?
>
> http://www.ISAserver.org
>
> Hi William,
>
> Packet filters don't control inbound access except to the ISA firewall
> itself.
>
> You'll need to use Server Publishing Rules. I haven't studied the TFTP
> protocol lately (mainly because I always explicitly block it as it's a
> favorite of blended worm writers), but IIRC, doesn't it require
> secondary connections?
>
> HTH,
>
> Tom
> www.isaserver.org/shinder
> Get the book!
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>
> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> Sent: Tuesday, September 07, 2004 12:28 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TFTP from external interface?
>
>
> http://www.ISAserver.org
>
> PFilter:
> Allow custom protocol
> UDP-Receive Send
> Local Port=Dynamic
> Remote Port=FixedPort 69
> Applied to this isa's ext interface
> For only 1 remote computer (IP address of external device)
>
> I allowed logging of ALLOW rules on Packet Filter, but still all I got
> was
> the following:
> 9/7/2004, 19:22:58, <External Device>, <Internal Workstation>, Udp,
> 12345,
> 69, -, BLOCKED, <ISA External NIC>, -, -
>
> Your comments/thoughts?
>
> Thanks
> William R.
>
> -----Original Message-----
> From: Quillman Shawn (RBNA/CSA1) *
[mailto:Shawn.Quillman@xxxxxxxxxxxx]
> Sent: 07 September 2004 04:48 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TFTP from external interface?
>
> http://www.ISAserver.org
>
>
> Yeah, you're right.  My bad (only one cup of coffee so far this
> morning...)  How did you create the packet filter?
>
> -Shawn
>
> -----
> Shawn R. Quillman
> Robert Bosch Corporation RBNA/CSA1
> 38000 Hills Tech Drive
> Farmington Hills, MI 48331
> (248) 553-1164 (P) (248) 848-6969 (F)
> shawn.quillman@xxxxxxxxxxxx
>
> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> Sent: Tuesday, September 07, 2004 10:36 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TFTP from external interface?
>
> http://www.ISAserver.org
>
> No, just did UDP 'cause as I understand it TFTP is a UDP protocol???
>
> -----Original Message-----
> From: Quillman Shawn (RBNA/CSA1) *
[mailto:Shawn.Quillman@xxxxxxxxxxxx]
> Sent: 07 September 2004 04:14 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TFTP from external interface?
>
> http://www.ISAserver.org
>
>
> Did you also create one for tcp/69?
>
> -Shawn
>
>
> -----
> Shawn R. Quillman
> Robert Bosch Corporation RBNA/CSA1
> 38000 Hills Tech Drive
> Farmington Hills, MI 48331
> (248) 553-1164 (P) (248) 848-6969 (F)
> shawn.quillman@xxxxxxxxxxxx
>
> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> Sent: Tuesday, September 07, 2004 10:08 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TFTP from external interface?
>
> http://www.ISAserver.org
>
> Hi Tom,
>
> I know, that's why I'm struggling... hehe Don't you just love it that
it
> is now possible to ask the question: "What version of ISA are you
> running...?" - it's beautiful I tell you.
>
> Anyway, I'm sorry to say that I am still running ISA 2000 :(
>
> I want to basically dump the config's of my external routers to the
TFTP
> server running on my internal workstation, so I somehow need to let
ISA
> know how to authenticate the inbound request so I though a Packet
Filter
> would be required, but that didn't work (to say the least...)
>
> Thanks
> William R.
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: 07 September 2004 02:44 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: TFTP from external interface?
>
> http://www.ISAserver.org
>
> Hi William,
>
> The ISA firewall isn't a simple packet filter firewall like so-called
> 'hardware firewalls'.
>
> What version of the ISA firewall are you using?
>
>>From your ISA firewall configuration experience, do you ever recall
> creating a simple packet filter to allow inbound access?
>
> Thanks!
>
> Tom
> www.isaserver.org/shinder
> Get the book!
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>
> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> Sent: Tuesday, September 07, 2004 6:40 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] TFTP from external interface?
>
>
> http://www.ISAserver.org
>
> Hi there
>
> Anyone know how I can allow TFTP access from an outside router to a
TFTP
> Server sitting inside my corporate network?
>
> I tried creating a packet filter for UDP:69 but this didn't work...
>
> Any and all ideas appreciated.
> Thanks
> William R.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com Leading
> Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
> Security Resource Site: http://www.windowsecurity.com/ Network
Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
> http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com Leading
> Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
> Security Resource Site: http://www.windowsecurity.com/ Network
Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
> http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> robertson.william@xxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com Leading
> Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
> Security Resource Site: http://www.windowsecurity.com/ Network
Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
> http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> shawn.quillman@xxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com Leading
> Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
> Security Resource Site: http://www.windowsecurity.com/ Network
Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
> http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> robertson.william@xxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com Leading
> Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
> Security Resource Site: http://www.windowsecurity.com/ Network
Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
> http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> shawn.quillman@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> robertson.william@xxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> robertson.william@xxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:

> thor@xxxxxxxxxxxxxxx
> To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> 


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx




Other related posts: