
I have searched and read many articles and posts about this but nothing seems to answer my specific question/issue.

I have ISA Server 2006 and all clients are set up to use the ISA’s internal network interface IP address as the default gateway – SecureNAT clients.

With this setup none of the clients can access FTP sites using passive mode. Active FTP mode works fine. This isn’t a problem for desktops and laptops since we can just tell the FTP program (Internet Explorer, FileZilla, WA_FTP, etc.) to use active mode.

But the problem comes when closed-box type systems (server appliances, VoIP phones) need to access FTP sites for updates and such. These types of devices default to passive and the mode cannot be changed; consequently the updates/configurations always fail. I have to temporarily place the devices on a separate network that does not use ISA and then the FTP updates work fine.

I have the ISA FTP Access Filter enabled and I have created an FTP Access Rule above the general Internet Access Rule. I have tried various combinations of disabling the access filter and/or the FTP rule but in all cases the result is the same.

Looking at the connection log in FileZilla it appears that the FTP clients can connect to the external FTP server and authenticate but timeout on the directory listing. This is consistent no matter what FTP site I try to access.

Any help would be greatly appreciated.

asked 11/17/2011 03:07


MosaicRP ♦♦


11 Answers:
In passive mode, the client (FileZilla or phone) opens a data channel by sending the PASV command to the server and the server responds with an IP and port number on which it will be listening for incoming connections.  This works better with MOST security because most shops are more likely to allow internal devices to make connections OUT to the internet than they are to allow computers out in the wild to initiate connections back INTO the network.

Contact the administrator of the remote FTP sites and ask "what is your passive port range" ... don't worry if this sounds strange, they'll know what you are asking.  You need to make sure devices on your network can make outbound connections to the remote servers on every port in that range.

answered


AlexPace

Thanks for the reply Alex.

We don’t have any restrictions on outbound connections.

If I monitor the traffic between the client and the FTP server via live logging in ISA server I see that the initial connection is established on port 21. This is captured by the FTP Traffic rule.

Then another connection is initiated on port 50768. This is captured not by the FTP rule but by the default outbound rule. The default outbound rule is completely unrestricted and allows all connections on any port.

But then that is it. No further traffic is logged and after about 30 seconds both connections are closed.

This is only a problem with ISA server. With the client behind any other firewall FTP in passive mode is no problem. But won’t allow it.

answered 2011-11-17 at 11:20:21


MosaicRP

Correction to the last line of previous comment: But ISA won't allow it.

answered 2011-11-17 at 17:05:15


MosaicRP

That other connection is the FTP data channel and the exact port number will change within a range of ports... each FTP site chooses its own range.  The only standard is that it be north of 1024.

Do you see individual packets in your log?  Do you see the outgoing SYN, the incoming SYN-ACK from the server, and then the outgoing ACK that make up the complete 3-way handshake opening the connection?

answered 2011-11-17 at 17:06:22


AlexPace

ISA Server doesn’t get that granular in the logs – at least not at the default settings. There may be a way to turn on more verbose logging but I don't know how to do that.

But here is a copy of the log from the FTP client (FileZilla).

Status:      Connecting to [removed IP]:21...
Status:      Connection established, waiting for welcome message...
Response:      220 Microsoft FTP Service
Command:      USER [removed username]
Response:      331 Password required for [removed username].
Command:      PASS ********
Response:      230-FTP-SSL (AUTH TLS, Explicit FTPS or FTPES) security is available
Response:      230 User logged in.
Command:      SYST
Response:      215 Windows_NT
Command:      FEAT
Response:      211-Extended features supported:
Response:       LANG EN*
Response:       UTF8
Response:       AUTH TLS;TLS-C;SSL;TLS-P;
Response:       PBSZ
Response:       PROT C;P;
Response:       CCC
Response:       HOST
Response:       SIZE
Response:       MDTM
Response:       REST STREAM
Response:      211 END
Command:      OPTS UTF8 ON
Response:      200 OPTS UTF8 command successful - UTF8 encoding now ON.
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I.
Command:      PASV
Response:      227 Entering Passive Mode ([removed IP],198,38).
Command:      LIST
Response:      150 Opening BINARY mode data connection.
Error:      Connection timed out
Error:      Failed to retrieve directory listing

answered 2011-11-18 at 09:46:30


MosaicRP

The client log just confirms what we were discussing... it was unable to open the passive mode data channel... this time the server told the client to connect to port 50726.

To decode the destination port, take the 5th number from the server's PASV response multiplied by 256 then add the 6th number:
(198 * 256) + 38 = 50726

answered 2011-11-18 at 10:59:44


AlexPace
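The two points AlexPace makes above (the client must be able to reach whatever port the server announces, and that port is decoded from the fifth and sixth numbers of the 227 reply) can be turned into a small troubleshooting script. The following is an added example, not code from the thread or from ISA Server: it decodes the data-channel endpoint from a PASV reply (and, going one step beyond the thread, from an EPSV reply, which carries only the port), then attempts the data-channel handshake and tells a timeout (packets silently dropped somewhere in the path, the symptom seen in the FileZilla log) apart from a refusal (packets arrived, server said no). The address 192.0.2.10 and the sample replies are constructed for the demonstration.

```python
import re
import socket

# Added example, not part of the original thread. Decodes the data-channel
# endpoint a server announces in its 227 (PASV) or 229 (EPSV) reply, so the
# second connection seen in a firewall log can be matched to the control
# channel conversation that caused it.

PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.

    The port is p1 * 256 + p2, the same arithmetic used in the thread:
    (198 * 256) + 38 = 50726.
    """
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def parse_epsv(reply: str, control_host: str) -> tuple[str, int]:
    """Return (host, port) from '229 Entering Extended Passive Mode (|||port|)'.

    EPSV (RFC 2428) carries only the port; the host is the control-connection peer.
    """
    m = EPSV_RE.search(reply.strip())
    if not m:
        raise ValueError(f"not an EPSV reply: {reply!r}")
    port = int(m.group(1))
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range in EPSV reply: {reply!r}")
    return control_host, port


def data_endpoint(reply: str, control_host: str) -> tuple[str, int]:
    """Dispatch on the reply code so the caller need not know which mode was negotiated."""
    code = reply.strip()[:3]
    if code == "227":
        return parse_pasv(reply)
    if code == "229":
        return parse_epsv(reply, control_host)
    raise ValueError(f"unexpected reply code {code!r}")


def probe_data_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Attempt the data-channel TCP handshake and classify the outcome.

    'timeout' means no SYN-ACK ever came back (the thread's symptom), which
    points at something in the path dropping the connection silently;
    'refused' means the packets got through and the server declined.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error: {exc.errno}"


def self_check() -> tuple[str, str]:
    """Offline demonstration: probe a live local listener, then the same port once closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # kernel picks a free ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_data_port("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe_data_port("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    # Constructed reply mirroring the FileZilla log; 192.0.2.10 is a documentation address.
    host, port = data_endpoint("227 Entering Passive Mode (192,0,2,10,198,38).", "192.0.2.10")
    print(f"data channel -> {host}:{port}")
    print(self_check())
```

In a real session you would feed `data_endpoint` the 227 line from the client log and the control-channel server address, then call `probe_data_port` from the affected network segment; a consistent "timeout" on the data port while port 21 connects cleanly is exactly the pattern that points away from the FTP server and at an intermediate device.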

This is strange.

From everything I have read, ISA should handle both passive and active FTP outbound connections just fine as long as an FTP access rule is set up using the built-in FTP protocol which in turn uses the FTP Access Filter. All this was indeed setup.

So just for grins I deleted the FTP access rule and recreated it. After doing that I could connect to the same FTP site that I couldn’t connect to before and get a directory listing. But only using passive mode. Now it’s active mode that won’t work.

But here is something else strange. To verify that I had write access I created a directory, which worked fine. But after creating the directory I was no longer able to navigate the FTP folders and got the same error as I did before. I disconnected from the FTP server and tried to re-connect and it's back to its old ways.

Once again I verified that I could access the FTP site from another computer that was behind a different non-ISA firewall and all worked perfectly. It’s just ISA server that is being a pain. This inability of ISA server to properly handle FTP traffic sure has caused me a ton of grief.

answered 2011-11-18 at 11:19:17


MosaicRP

Wow it sounds like there is a ghost in your machine.  Most firewalls are more friendly to passive mode than to active mode data channels. What if you don't make it an FTP-specific rule .. just a generic rule to allow anything to this particular destination server?  Maybe it is trying to read the FTP control channel in real time and getting confused somehow.

answered 2011-11-18 at 13:04:07


AlexPace

I rebooted the ISA server last night to see if that would help. No joy. I still cannot access any FTP sites. The docs say that the FTP Access Filter is supposed to handle all this but since it's not working I am wondering if somehow the FTP filter on my ISA has been corrupted.

Does anyone know how to re-install or re-setup these access filters? I can't find any info on that at all.

answered 2011-11-18 at 14:26:52


MosaicRP

I finally gave up and called MS (paying the single incident support fee) and worked for several hours with a support agent. He tried all the same things that I already tried but no joy.

But then he asked a very simple question. Something that I couldn’t believe I forgot about. He asked if there were any other routers or firewalls between ISA and the internet. As soon as he said that the light bulb came on.

We have a load balancing router that allows us to have two ISPs at the same time. The load balancer has two WAN ports – one connected to each ISP’s router.

I disabled one of the WAN ports on the load balancer and FTP worked like a champ for all client/devices in both active and passive modes.

So now I just need to work with the load balancer tech support to get FTP to work when both WAN ports are active.

Live and learn....

answered 2011-11-22 at 16:20:48


MosaicRP

It ended up having nothing to do with ISA Server.

answered 2011-12-08 at 16:47:58


MosaicRP

Last updated: 12/12/2011 05:19