In your capture, the same command is issued as: "PORT 172,25,25,2,41,86". This is the same command, but it references IP address 172.25.25.2; a non-reachable IP, since it's within the 172.16/12 RFC-1918 subnet. In my capture, ISA issues the PORT command thus: "PORT 71,164,21,26,62,27". This translates to "connect to me from your IP address, on TCP:20, to IP address 71.164.21.26, TCP:15899 (62*256 + 27 == 15899)". In my tests it fails because the ISA web proxy issues a reachable "PORT" command, but the server at ftp.dot.state.tx.us attempts to connect from a source port of 17058, which violates the RFC and is properly blocked by ISA. You can work around this particular behavior via http://support.microsoft.com/kb/300641. There is no way to tell ISA to use a non-local IP in the PORT command.

Jim

________________________________
From: isapros-bounce@xxxxxxxxxxxxx on behalf of Amy Babinchak
Sent: Sat 3/24/2007 9:32 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Texas FTP

That's cheating. The end user will be using IE. Since the website is set up the way it is, DOT must assume that folks are going to use IE as well.

Amy

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Saturday, March 24, 2007 12:22 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Texas FTP

Doesn't work from IE for me, so I used the command line FTP :) Don't know why it doesn't work from IE -- I always jump to the command line when it doesn't.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Saturday, March 24, 2007 11:23 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Texas FTP
>
> OK so how's your configuration different than mine? Which browser are you using? I'm trying from IE6 on a workstation with the ISA client installed.
>
> My FTP rule is wide open: FTP with FTP Filter read only unchecked, Any, Internal-Localhost, Any user
>
> Amy
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Saturday, March 24, 2007 12:08 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Texas FTP
>
> Works fine:
>
> C:\>ftp ftp://ftp.dot.state.tx.us/pub/txdot-info/cmd/cserve/notice/apr07.exe
> Unknown host ftp://ftp.dot.state.tx.us/pub/txdot-info/cmd/cserve/notice/apr07.exe.
> ftp> open
> To ftp.dot.state.tx.us
> Connected to ftp.dot.state.tx.us.
> 220 "Welcome to TxDOT FTP service."
> User (ftp.dot.state.tx.us:(none)): anonymous
> 331 Please specify the password.
> Password:
> 230- License Agreement
> 230-
> 230-
> 230-BY DOWNLOADING FILES FROM THIS FTP SERVICE, YOU ARE AGREEING TO THIS LICENSE AGREEMENT
> 230-
> 230-The Texas Department of Transportation (TxDOT) does not provide technical support with
> 230-respect to these files. You must read the following disclaimer and accept its terms
> 230-as a prerequisite to the use of these files.
> 230-
> 230-1. TxDOT makes no warranty of any kind, express or implied, with respect to any file.
> 230-   TxDOT makes no warranty that any file is marketable or fit for any particular purpose.
> 230-   A description of a file shall not be deemed to create an express warranty that the file
> 230-   conforms to that description. You agree to accept the files in the format provided.
> 230-
> 230-2. You assume all risk and liability for any losses, damages, claims, or expenses resulting
> 230-   from the use or possession of any file.
> 230-
> 230-3. You agree to indemnify, defend, and hold harmless TxDOT and its officers, agents, and
> 230-   employees from and against any and all claims, suits, losses, damages, or costs, including
> 230-   reasonable attorney's fees, arising from or by reason of your use or possession of any file.
> 230-   This indemnification shall survive your acceptance of any file.
> 230-
> 230-4. Revisions or additions may occur at any time. You agree to indemnify, defend, and hold harmless
> 230-   TxDOT and its officers, agents, and employees from and against any and all claims, suits, losses,
> 230-   damages, or costs, including reasonable attorney's fees, arising from the use of outdated files.
> 230-   This indemnification shall survive your acceptance of any file.
> 230-
> 230-5. The files are copyrighted by TxDOT and may not be resold without the express written consent of TxDOT.
> 230-
> 230-
> 230 Login successful.
> ftp> cd pub
> 250- License Agreement
> 250-
> 250-
> 250-BY DOWNLOADING FILES FROM THIS FTP SERVICE, YOU ARE AGREEING TO THIS LICENSE AGREEMENT
> 250-
> 250-The Texas Department of Transportation (TxDOT) does not provide technical support with
> 250-respect to these files. You must reade the following disclamer and accept its terms
> 250-as a prerequisite to the use of these files.
> 250-
> 250-1. TxDOT makes no warranty of any kind, express or implied, with respect to any file.
> 250-   TxDOT makes no warranty that any file is marketable or fit for any particular purpose.
> 250-   A description of a file shall not be deemed to create an express warranty that the file
> 250-   conforms to that description. You agree to accept the files in the format provided.
> 250-
> 250-2. You assume all risk and liability for any losses, damages, claims, or expenses resulting
> 250-   from the use or posession of any file.
> 250-
> 250-3. You agree to indemnify, defend, and hold harmless TxDOT and its officers, agents, and
> 250-   employees from and against any and all claims, suits, losses, damages, or costs, including
> 250-   reasonable attorney's fees, arising from or by reason of your use or possession of any file.
> 250-   This indemnification shall survive your acceptance of any file.
> 250-
> 250-4. Revisions or additions may occur at any time. You agree to indemnify, defend, and hold harmless
> 250-   TxDOT and its officers, agents, and employees from and against any and all claims, suits, losses,
> 250-   damages, or costs, including resonable attorney's fees, arising from the use of outdated files.
> 250-   This indemnification shall survive your acceptance of any file.
> 250-
> 250-5. The files are copyrighted by TxDOT and may not be resold without the express written consent of TxDOT
> 250-
> 250 Directory successfully changed.
> ftp> cd txdot-info
> 250 Directory successfully changed.
> ftp> cd cmd
> 250 Directory successfully changed.
> ftp> cd cserve
> 250 Directory successfully changed.
> ftp> cd notice
> 250 Directory successfully changed.
> ftp> get apr07.exe
> 200 PORT command successful. Consider using PASV.
> 150 Opening ASCII mode data connection for apr07.exe (139458 bytes).
> 226 File send OK.
> ftp: 140018 bytes received in 0.05Seconds 2979.11Kbytes/sec.
> ftp> bye
> 221 Goodbye.
>
> C:\>
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Saturday, March 24, 2007 9:59 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Texas FTP
> >
> > I have a client that needs to download contractor instructions from the Texas DOT. Client says that he used to be able to download FTP documents but that the State says they performed some "upgrades" and now he can't download FTP documents. "We haven't had many complaints." --- TX DOT. It's a www site. Then you click the link and it attempts to download the file using FTP in your browser. Which means we're stuck using IE as the FTP client.
> >
> > If you'd like to try it for yourself go to: http://www.dot.state.tx.us/business/outline.htm
> > Under Pre-Letting - Highways, click on Notice to Contractors
> > Click on Official Notice for April 2007 Letting (this is the FTP download)
> >
> > Firewall client installed on workstation. FTP allow rule in place in ISA. Using or not using the FTP filter = no download. This message occurs in the browser on the workstation.
> >
> > ISA Server: extended error message :
> > 200 Switching to Binary mode.
> > 200 PORT command successful. Consider using PASV.
> > 425 Failed to establish connection.
> >
> > In the ISA logs I have only an FTP Allowed connection to this server. No denied packets.
> >
> > In a Network Monitor session from my PC with Firewall Client installed I only see the HTTP Get command, after that nothing.
> >
> > In a Network Monitor session from my server running ISA, I have these packets:
> >
> > 96  5.315429 192.168.16.27 192.168.16.4 HTTP  HTTP: Request, GET ftp://ftp.dot.state.tx.us/pub/txdot-info/cmd/cserve/notice/apr07.txt
> > 98  5.315429 172.25.25.2 141.198.136.6 DNS  DNS: QueryId = 0x3F3C, QUERY (Standard query), Query for ftp.dot.state.tx.us of type Host Addr on class Internet
> > 99  5.362304 141.198.136.6 172.25.25.2 DNS  DNS: QueryId = 0x3F3C, QUERY (Standard query), Response - Success
> > 100 5.362304 172.25.25.2 ns.dot.state.tx.us DNS  DNS: QueryId = 0x3F3C, QUERY (Standard query), Query for ftp.dot.state.tx.us of type Host Addr on class Internet
> > 101 5.424804 ns.dot.state.tx.us 172.25.25.2 DNS  DNS: QueryId = 0x3F3C, QUERY (Standard query), Response - Success
> > 102 5.424804 172.25.25.2 ftp.dot.state.tx.us TCP  TCP: Flags=.S......, SrcPort=10581, DstPort=FTP control(21), Len=0, Seq=881058913, Ack=0, Win=65535 (scale factor 0) = 0
> > 103 5.534179 192.168.16.4 192.168.16.27 TCP  TCP: Flags=....A..., SrcPort=HTTP Alternate(8080), DstPort=1482, Len=0, Seq=1532377929, Ack=3696189552, Win=65282 (scale factor 0) = 0
> > 106 5.471679 ftp.dot.state.tx.us 172.25.25.2 TCP  TCP: Flags=.S..A..., SrcPort=FTP control(21), DstPort=10581, Len=0, Seq=3243607039, Ack=881058914, Win=5840 (scale factor 0) = 0
> > 107 5.471679 172.25.25.2 ftp.dot.state.tx.us TCP  TCP: Flags=....A..., SrcPort=10581, DstPort=FTP control(21), Len=0, Seq=881058914, Ack=3243607040, Win=65535 (scale factor 0) = 0
> > 108 5.534179 ftp.dot.state.tx.us 172.25.25.2 FTP  FTP: Response to Port 10581, '220 "Welcome to TxDOT FTP service."'
> > 109 5.534179 172.25.25.2 ftp.dot.state.tx.us FTP  FTP: Request from Port 10581,'USER anonymous'
> > 110 5.581054 ftp.dot.state.tx.us 172.25.25.2 TCP  TCP: Flags=....A..., SrcPort=FTP control(21), DstPort=10581, Len=0, Seq=3243607077, Ack=881058930, Win=5840 (scale factor 0) = 0
> > 111 5.581054 ftp.dot.state.tx.us 172.25.25.2 FTP  FTP: Response to Port 10581, '331 Please specify the password.'
> > 112 5.581054 172.25.25.2 ftp.dot.state.tx.us FTP  FTP: Request from Port 10581,'PASS IEUser@'
> > 113 5.581054 24.231.162.80 172.25.25.2 SSL  SSL
> > 114 5.627929 24.231.162.80 172.25.25.2 SSL  SSL
> > 115 5.627929 172.25.25.2 24.231.162.80 TCP  TCP: Flags=....A..., SrcPort=HTTPS(443), DstPort=53299, Len=0, Seq=3284276696, Ack=4236227266, Win=65404 (scale factor 0) = 0
> > 116 5.627929 24.231.162.80 172.25.25.2 SSL  SSL
> > 117 5.627929 172.25.25.2 24.231.162.80 SSL  SSL
> > 118 5.627929 ftp.dot.state.tx.us 172.25.25.2 FTP  FTP: Response to Port 10581, '230 - License Agreement'
> > 119 5.643554 ftp.dot.state.tx.us 172.25.25.2 FTP  FTP: Response to Port 10581, '230 - '
> > 120 5.643554 172.25.25.2 ftp.dot.state.tx.us TCP  TCP: Flags=....A..., SrcPort=10581, DstPort=FTP control(21), Len=0, Seq=881058944, Ack=3243607186, Win=65389 (scale factor 0) = 0
> > 121 5.706054 ftp.dot.state.tx.us 172.25.25.2 FTP  FTP: Response to Port 10581, '230 -'
> > 122 5.706054 ftp.dot.state.tx.us 172.25.25.2 FTP  FTP: Response to Port 10581,'230 - damages, or costs, including reasonable attorney's fees, arising from the use of outdated files. '
> > 123 5.706054 172.25.25.2 ftp.dot.state.tx.us TCP  TCP: Flags=....A..., SrcPort=10581, DstPort=FTP control(21), Len=0, Seq=881058944, Ack=3243608991, Win=65535 (scale factor 0) = 0
> > 124 5.706054 172.25.25.2 ftp.dot.state.tx.us FTP  FTP: Request from Port 10581,'CWD /pub/txdot-info/cmd/cserve/notice/apr07.txt'
> > 125 5.752929 172.25.25.2 24.231.162.80 TCP  TCP: Flags=....A..., SrcPort=HTTPS(443), DstPort=53299, Len=0, Seq=3284276696, Ack=4236227463, Win=65207 (scale factor 0) = 0
> > 126 5.752929 ftp.dot.state.tx.us 172.25.25.2 FTP  FTP: Response to Port 10581, '550 Failed to change directory.'
> > 127 5.752929 172.25.25.2 ftp.dot.state.tx.us FTP  FTP: Request from Port 10581,'TYPE I'
> > 128 5.815429 ftp.dot.state.tx.us 172.25.25.2 FTP  FTP: Response to Port 10581, '200 Switching to Binary mode.'
> > 129 5.815429 172.25.25.2 ftp.dot.state.tx.us FTP  FTP: Request from Port 10581,'PORT 172,25,25,2,41,86'
> > 130 5.862304 ftp.dot.state.tx.us 172.25.25.2 FTP  FTP: Response to Port 10581, '200 PORT command successful. Consider using PASV.'
> > 131 5.862304 172.25.25.2 ftp.dot.state.tx.us FTP  FTP: Request from Port 10581,'RETR /pub/txdot-info/cmd/cserve/notice/apr07.txt'
> >
> > The question at hand is, is this a problem with the way ISA is set up, or is there a problem with the FTP site? I have my thoughts but I would like yours.
> >
> > Thanks,
> >
> > Amy

All mail to and from this domain is GFI-scanned.
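The PORT arithmetic Jim walks through at the top of the thread, and the two distinct failure causes the thread surfaces (a private address advertised in PORT, as in Amy's capture, versus a server data connection from a non-standard source port, as in Jim's test), as an added Python checker that is not part of the thread. The function names, the "unroutable_address"/"nonstandard_source_port" labels, and the assumed source port of 20 for Amy's case are my own.

```python
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (each 0-255); port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$")

# Source port an RFC 959 server uses for an active-mode data connection:
# its default data port is L-1, and L (the control port) is 21.
SERVER_DATA_PORT = 20


def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range: %r" % line)
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def classify_active_transfer(port_command, server_src_port):
    """Return the reasons an active-mode transfer cannot succeed, given the
    PORT command the client sent and the source port the server used when it
    opened the data connection. An empty list means nothing obviously wrong.
    The labels are my own, not ISA's."""
    ip, _port = parse_port_command(port_command)
    problems = []
    # The client advertised an address the server cannot reach from the
    # Internet (RFC 1918, loopback, link-local, ...): the proxy's internal
    # address leaked into PORT, which is what Amy's capture shows.
    if not ipaddress.ip_address(ip).is_global:
        problems.append("unroutable_address")
    # Address is routable, but the data connection does not come from port
    # 20, so a firewall enforcing RFC 959 drops it, which is Jim's case.
    if server_src_port != SERVER_DATA_PORT:
        problems.append("nonstandard_source_port")
    return problems


if __name__ == "__main__":
    # Both PORT strings are quoted from the thread; 17058 is the source port
    # Jim reports. Amy's capture never shows the data connection, so port 20
    # is assumed there to isolate the address problem.
    for cmd, src in [("PORT 172,25,25,2,41,86", SERVER_DATA_PORT),
                     ("PORT 71,164,21,26,62,27", 17058)]:
        print(cmd, "->", parse_port_command(cmd), classify_active_transfer(cmd, src))
```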