RE: TFTP from external interface?

• From: "Thor" <thor@xxxxxxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Tue, 7 Sep 2004 13:12:23 -0700

I have not been able to get tft working from an external client to a ISA server hosting TFTP services with a single UDP packet filter. Even with local 69 and all remote ports, as well as "Receive Send" and/or "Both" directions set up, it required 2 different filters- one "Receive Send" local 69 remote all, and one "Send Receive" local all/remote 69. You would obviously limit the remote address to the single client you wish to support, and ensure that your permissions on the TFTP server you are using are set properly.

t

----- Original Message ----- From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, September 07, 2004 11:27 AM
Subject: [isalist] RE: TFTP from external interface?

http://www.ISAserver.org

<light bulb on>
Aaaahhhh
<light bulb off>

Thanks Tom, forgot that Packet Filters were for explicit access to ISA
alone... Would that imply that if I recreate my packet filters, and then try
to connect from the ISA itself with a TFTP server it may in fact work?

Regarding Secondary connections... I dunno actually. There is a TFTP
protocol definition within ISA, and I see it does have a secondary
connection... does that imply I would need to setup a 2nd Packet Filter
maybe? (I cannot see that I can setup secondary connections within the same
Packet Filter rule)

Thanks
William R.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: 07 September 2004 07:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TFTP from external interface?

http://www.ISAserver.org

Hi William,

Packet filters don't control inbound access except to the ISA firewall
itself.

You'll need to use Server Publishing Rules. I haven't studied the TFTP
protocol lately (mainly because I always explicitly block it as it's a
favorite of blended worm writers), but IIRC, doesn't it require
secondary connections?

HTH,

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
Sent: Tuesday, September 07, 2004 12:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TFTP from external interface?

http://www.ISAserver.org

PFilter:
Allow custom protocol
UDP-Receive Send
Local Port=Dynamic
Remote Port=FixedPort 69
Applied to this isa's ext interface
For only 1 remote computer (IP address of external device)

I allowed logging of ALLOW rules on Packet Filter, but still all I got
was
the following:
9/7/2004, 19:22:58, <External Device>, <Internal Workstation>, Udp,
12345,
69, -, BLOCKED, <ISA External NIC>, -, -

Your comments/thoughts?

Thanks
William R.

-----Original Message-----
From: Quillman Shawn (RBNA/CSA1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: 07 September 2004 04:48 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TFTP from external interface?

http://www.ISAserver.org

Yeah, you're right.  My bad (only one cup of coffee so far this
morning...)  How did you create the packet filter?

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CSA1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P) (248) 848-6969 (F)
shawn.quillman@xxxxxxxxxxxx

-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
Sent: Tuesday, September 07, 2004 10:36 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TFTP from external interface?

http://www.ISAserver.org

No, just did UDP 'cause as I understand it TFTP is a UDP protocol???

-----Original Message-----
From: Quillman Shawn (RBNA/CSA1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: 07 September 2004 04:14 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TFTP from external interface?

http://www.ISAserver.org

Did you also create one for tcp/69?

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CSA1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P) (248) 848-6969 (F)
shawn.quillman@xxxxxxxxxxxx

-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
Sent: Tuesday, September 07, 2004 10:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TFTP from external interface?

http://www.ISAserver.org

Hi Tom,

I know, that's why I'm struggling... hehe Don't you just love it that it
is now possible to ask the question: "What version of ISA are you
running...?" - it's beautiful I tell you.

Anyway, I'm sorry to say that I am still running ISA 2000 :(

I want to basically dump the config's of my external routers to the TFTP
server running on my internal workstation, so I somehow need to let ISA
know how to authenticate the inbound request so I though a Packet Filter
would be required, but that didn't work (to say the least...)

Thanks
William R.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: 07 September 2004 02:44 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TFTP from external interface?

http://www.ISAserver.org

Hi William,

The ISA firewall isn't a simple packet filter firewall like so-called
'hardware firewalls'.

What version of the ISA firewall are you using?

From your ISA firewall configuration experience, do you ever recall

creating a simple packet filter to allow inbound access?

Thanks!

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
Sent: Tuesday, September 07, 2004 6:40 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] TFTP from external interface?

http://www.ISAserver.org

Hi there

Anyone know how I can allow TFTP access from an outside router to a TFTP
Server sitting inside my corporate network?

I tried creating a packet filter for UDP:69 but this didn't work...

Any and all ideas appreciated.
Thanks
William R.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
shawn.quillman@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
shawn.quillman@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
robertson.william@xxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: thor@xxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

Other related posts:

• » TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?
• » RE: TFTP from external interface?

1. Home
2. isalist
3. Archive
4. 09-2004

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---