  • ISA 2006 FTP access problems

    Hi guys,

    For some reason, I can't manage to open the ISA for outbound FTP-traffic.

    I have a rule called "Internet Access", with HTTP, HTTPS, and those common protocols. FTP is mentioned in the rule, but I can't enter an external FTP site.

    It is an ISA 2006, fully patched

    Any good ideas?

    EDIT:
    Found this solution, posted by Dumber, in another thread. - Couldn't this solve the problem? (I noticed the last line)

    Backup or export ISA settings.
    Uninstall ISA server.
    Make ISA member of the domain.
    Reinstall ISA
    Restore ISA settings.

    Takes up about half an hour.

    edit: when you don't have a lot of rules then backup every rule one by one.
    It can save you a lot of time if you have some problems with restoration.

    One of the issues you currently have is that the system policy blocks quite a lot. If you do a full restore of ISA, the system policies are also restored.
    Last edited by cs.dk; 20th October 2008, 10:36. Reason: Problem solved
    Best regards,
    Carsten.

  • #2
    Re: Isa 2006 FTP access problems

    What do you see in the Monitoring tabs?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"


    • #3
      Re: Isa 2006 FTP access problems

      Originally posted by Dumber
      What do you see in the Monitoring tabs?
      Nothing unusual, I think. Something special I should notice?

      Tried the Traffic Simulator;

      Allowed Traffic
      Denied Traffic - destination URL host name could not be resolved
      Rule Name: Internet Access
      Rule Order: 7

      Additional information
      From: Internal
      To: External
      Network Rule Name: Internet Access
      Network Relationship: NAT
      Protocol: FTP
      Rule Application Filter:


      Traffic allowed by firewall policy rules may be blocked by Web or Application filters.

      What I miss here is, the traffic is allowed, I just can't enter an FTP site.
      Best regards,
      Carsten.


      • #4
        Re: Isa 2006 FTP access problems

        How about removing ftp from your internet access rule and creating a new rule for it.

        ftp access
        action: allow
        Protocols: ftp
        From: Internal
        To: external
        Condition: All users.
        Please remember to award reputation points if you have received good advice.
        I do tend to think 'outside the box' so others may not always share the same views.

        MCITP -W7,
        MCSA+Messaging, CCENT, ICND2 slowly getting around to.


        • #5
          Re: Isa 2006 FTP access problems

          Originally posted by cs.dk
          Allowed Traffic
          Denied Traffic - destination URL host name could not be resolved
          Rule Name: Internet Access
          Rule Order: 7
          Well this one is interesting:
          destination URL host name could not be resolved

          In my opinion you either have a DNS problem or the site doesn't exist.

          @UK_network..
          This isn't needed but it is handy to find out what is happening based on rule number.
          However, I think he is better off making a query based on the protocol FTP.
          Marcel


          • #6
            Re: Isa 2006 FTP access problems

            Originally posted by Dumber
            Well this one is interesting:
            destination URL host name could not be resolved

            In my opinion you either have a DNS problem or the site doesn't exist.
            Thank you for the answer

            I fully agree - Though I can resolve e.g. www.hp.com, but when I select to download a driver, I get a timeout. This happens with all FTP servers I have tried.

            Normally there are no problems with resolving hostnames. (I'm "behind" the ISA now, and it works great for HTTP, HTTPS, RDP, VPN, etc.)
            Best regards,
            Carsten.


            • #7
              Re: Isa 2006 FTP access problems

              Originally posted by uk_network
              How about removing ftp from your internet access rule and creating a new rule for it.

              ftp access
              action: allow
              Protocols: ftp
              From: Internal
              To: external
              Condition: All users.
              Thanks - I'll try..

              Posting back, when I know something new
              Best regards,
              Carsten.


              • #8
                Re: Isa 2006 FTP access problems

                Is the ISA server pointing to the Internal DNS servers without External DNS servers?
                A common mistake is that many administrators are using both Internal and External DNS servers.
                Marcel


                • #9
                  Re: Isa 2006 FTP access problems

                  Originally posted by Dumber
                  Is the ISA server pointing to the Internal DNS servers without External DNS servers?
                  A common mistake is that many administrators are using both Internal and External DNS servers.
                  I named adapter 1 and 2 as Internal and External, to get a better overview. - Here are the settings for them.

                  Internal LAN Connection:
                  IP: 192.168.1.1
                  Subnet: 255.255.255.0
                  Gateway: --
                  Primary DNS: 192.168.1.4 (PDC/DNS Server)

                  External LAN Connection
                  IP: 10.0.0.2
                  Subnet: 255.255.255.0
                  Gateway: 10.0.0.1 (Sonicwall)
                  Primary DNS: --

                  The PDC is forwarding requests to my ISP, and the port is open in ISA. (Guess I'd not be here, if it was closed?)
                  Best regards,
                  Carsten.


                  • #10
                    Re: Isa 2006 FTP access problems

                    Well, it can give you some weird problems if you use External DNS servers in the ISA server.
                    It might work, but it can give a real headache

                    I would start by using the monitoring tabs.
                    Start filtering on the FTP protocol to see what is happening.
                    Btw, you are using passive FTP, aren't you?
                    Marcel


                    • #11
                      Re: Isa 2006 FTP access problems

                      Originally posted by Dumber
                      Well, it can give you some weird problems if you use External DNS servers in the ISA server.
                      It might work, but it can give a real headache
                      Correct me if I'm wrong - But I don't use external DNS, or am I missing something? (I am aware that the PDC DNS is forwarding unknown requests, I guess that is "normal" in the AD structure?)

                      Originally posted by Dumber
                      I would start by using the monitoring tabs.
                      Start filtering on the FTP protocol to see what is happening.
                      Btw, you are using passive FTP, aren't you?
                      Thanks, I'll try that.. Posting more info, when it is tested..

                      I haven't any clue what FTP e.g. HP uses.
                      Best regards,
                      Carsten.


                      • #12
                        Re: Isa 2006 FTP access problems

                        Might be a daft question but are you using a Sonicwall Firewall product???

                        Yes, then you may need to add a rule in your Sonicwall to allow FTP as well.

                        No, I'll crawl back into my corner and not talk again lol.


                        • #13
                          Re: Isa 2006 FTP access problems

                          Originally posted by wullieb1
                          Might be a daft question but are you using a Sonicwall Firewall product???

                          Yes, then you may need to add a rule in your Sonicwall to allow FTP as well.

                          No, I'll crawl back into my corner and not talk again lol.
                          Yes, I'm using a Sonicwall firewall product, in front of the ISA. (You really don't wanna know why)

                          Okay, I'll tell you. - I have a notebook hooked up in the Sonicwall, I really need FTP, sometimes

                          The Sonicwall is open for all outbound traffic. At least, FTP works, when I hook directly up in it.
                          Best regards,
                          Carsten.


                          • #14
                            Re: Isa 2006 FTP access problems

                            Originally posted by cs.dk
                            Yes, I'm using a Sonicwall firewall product, in front of the ISA. (You really don't wanna know why)

                            Okay, I'll tell you. - I have a notebook hooked up in the Sonicwall, I really need FTP, sometimes

                            The Sonicwall is open for all outbound traffic. At least, FTP works, when I hook directly up in it.
                            Ahh well it was worth a try.


                            • #15
                              Re: Isa 2006 FTP access problems

                              I haven't read the thread so please excuse me if this has already been suggested... on your internal clients do you use the Microsoft ISA Client? I don't know if it's by default or whether we configured it this way; but in our organisation if an internal user uses the ISA Client he can get to FTP sites; without it he can't.


                              Tom
                              For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                              Anything you say will be misquoted and used against you
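
Added example, not part of any post in this thread: a staged client-side check, run from a machine behind the firewall, that separates the causes raised above, name resolution (#5, #8) and the passive-mode data connection (#10). It assumes the target FTP server accepts anonymous login; `probe` and `parse_pasv` are names chosen for this example.

```python
import ftplib
import re
import socket

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Extract (host, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    match = PASV_RE.search(reply)
    if not reply.startswith("227") or match is None:
        raise ValueError("not a usable PASV reply: %r" % reply)
    nums = [int(n) for n in match.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def probe(host, port=21, timeout=10):
    """Return (stage, detail); stage is 'dns', 'control', 'pasv', 'data' or 'ok'."""
    # Stage 1: name resolution, the failure the Traffic Simulator reported.
    try:
        socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return "dns", str(exc)
    ftp = ftplib.FTP(timeout=timeout)
    try:
        # Stage 2: control channel (TCP connect plus the server greeting).
        try:
            ftp.connect(host, port)
        except ftplib.all_errors as exc:
            return "control", str(exc)
        # Stage 3: anonymous login, then ask the server for a passive endpoint.
        try:
            ftp.login()
            data_host, data_port = parse_pasv(ftp.sendcmd("PASV"))
        except (ValueError,) + ftplib.all_errors as exc:
            return "pasv", str(exc)
        # Stage 4: in passive mode the client opens the data connection itself,
        # here to the address the server advertised in its 227 reply.
        try:
            socket.create_connection((data_host, data_port), timeout).close()
        except OSError as exc:
            return "data", "%s:%d %s" % (data_host, data_port, exc)
        return "ok", "%s:%d" % (data_host, data_port)
    finally:
        ftp.close()

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A result of `dns` matches the Traffic Simulator message quoted in #3; `data` means the control channel works and only the passive data connection is failing.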
