Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

internal clients access an external ftp site

16 views
Skip to first unread message

TK

unread,
Feb 19, 2010, 10:48:35 AM2/19/10
to
I have a Windows 2K3/ISA 2006 ISA box.
I haven't been able to figure out how to allow internal users to access
external FTP sites.
I believe that FTP is sent on port 21 and return on random ports.
I found a great article on ISAServer.org but it is geared to Windows 2008
and I can't find a FTP Firewall Support on Win 2K3 to continue.
Does anyone know any articles on how to configure this for Windows 2003/ISA
2006...?
Thanks,
Tom...

Jens Mander

unread,
Feb 19, 2010, 11:39:59 AM2/19/10
to
hi tom,

> Does anyone know any articles on how to configure this for Windows
> 2003/ISA 2006...?

just create an access rule with the pre-defined protocol-definition for ftp.
http://technet.microsoft.com/en-us/library/bb794766.aspx

--
greets, jens mander...
www.aixperts.de
www.forefront-tmg.de
www.hentrup.net
|<-|

TK

unread,
Feb 19, 2010, 12:22:01 PM2/19/10
to
That did NOT work, from a firewall or secure NAT client- FTP filter enabled
or not...

Tom...

"Jens Mander" <~remove_this*jemand[at]aixperts[dot]de> wrote in message
news:OXaRsIYs...@TK2MSFTNGP06.phx.gbl...

Jens Mander

unread,
Feb 19, 2010, 2:36:44 PM2/19/10
to
hi tom,

> That did NOT work, from a firewall or secure NAT client- FTP filter
> enabled or not...

passive ftp?

TK

unread,
Feb 19, 2010, 3:29:03 PM2/19/10
to
Yes... I am using fileZilla and below is where it is getting stuck...

Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (69,89,31,157,48,149)
Command: MLSD
Response: 550 Access is denied.
Error: Failed to retrieve directory listing

Tom...

"Jens Mander" <~remove_this*jemand[at]aixperts[dot]de> wrote in message

news:#3nsfrZs...@TK2MSFTNGP06.phx.gbl...

TK

unread,
Feb 19, 2010, 3:35:10 PM2/19/10
to
Also, a username and password are required, not anonymous...
Tom...

"TK" <tkarp...@bennettcompany.com> wrote in message
news:#h8SuIas...@TK2MSFTNGP06.phx.gbl...

Jens Mander

unread,
Feb 19, 2010, 5:28:18 PM2/19/10
to
hi tom,

> Also, a username and password are required, not anonymous...

o.k. - so you tried out:
1. filezilla with no proxy-configuration (in filezilla - options -
ftp-proxy) and firewallclient
2. filezilla with proxy-configuration and no firewallclient
3. filezilla without proxy-configuration as secure-nat won't work, 'cause
you require authentication!

Peter Larsen

unread,
Feb 20, 2010, 3:17:30 PM2/20/10
to
TK wrote:

> Also, a username and password are required, not anonymous...
> Tom...

> "TK" <tkarp...@bennettcompany.com> wrote in message
> news:#h8SuIas...@TK2MSFTNGP06.phx.gbl...

>> Yes... I am using fileZilla and below is where it is getting
>> stuck...

>> Command: TYPE I
>> Response: 200 TYPE is now 8-bit binary
>> Command: PASV
>> Response: 227 Entering Passive Mode (69,89,31,157,48,149)
>> Command: MLSD
>> Response: 550 Access is denied.

This is not a broken return-path, the ftp server dislikes what it sees and
complains.

Why no log data for log-on? - did authentication work?

>> Error: Failed to retrieve directory listing

The designer(s) of ISA seems to dislike FTP, it can work, but you really
need to forget about using the firewall client to make it work. Also when
you remove the firewall client you MUST change the proxy-setting in internet
explorer manually. I don't know about filezilla but it is not uncommon that
other clients read the proxysettings that IE uses.

Kind regards

Peter Larsen

Phillip Windell

unread,
Feb 22, 2010, 2:36:23 PM2/22/10
to
"Peter Larsen" <dig...@hotmail.com> wrote in message
news:ersEppms...@TK2MSFTNGP04.phx.gbl...

> The designer(s) of ISA seems to dislike FTP, it can work, but you really
> need to forget about using the firewall client to make it work. Also when
> you remove the firewall client you MUST change the proxy-setting in
> internet explorer manually. I don't know about filezilla but it is not
> uncommon that other clients read the proxysettings that IE uses.

I've experienced the opposite. The Firewall Client always is what made it
work correctly.
The FTP Client has to be configured to be proxy-agnostic,...to be
configiured as it there were no proxy at all.

We use Filezilla and WS_FTP all the time here via the Firewall Client over
an access rule that requires authentication

To run it without the Firewall Client forces the Access Rule to be
anonymous-only.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


TK

unread,
Feb 22, 2010, 4:01:41 PM2/22/10
to

I couldn't get it to work - with or without firewall, with or without FTP
filter, IE or Filezilla, and all combinations.

No problem, this was something for me, not the company... at least for now..

Thanks for all posts... over and out.

Tom...

"Phillip Windell" <philw...@hotmail.com> wrote in message
news:emRnEb$sKHA...@TK2MSFTNGP02.phx.gbl...

Phillip Windell

unread,
Feb 22, 2010, 4:21:34 PM2/22/10
to
"TK" <tkarp...@bennettcompany.com> wrote in message
news:OPIE9IAt...@TK2MSFTNGP02.phx.gbl...

>I couldn't get it to work - with or without firewall, with or without FTP
>filter, IE or Filezilla, and all combinations.
>
> No problem, this was something for me, not the company... at least for
> now..

Eliminate the FTP Server as being the problem.

Use ftp.microsoft.com

Just type that into the Host field and hit the Quickconnect button.

No credentials,...just leave them blank,...FileZilla will automatically fill
in what it needs for that.

Daniel

unread,
Mar 26, 2010, 2:16:53 AM3/26/10
to
Hope this be helpfull:
http://www.elmajdal.net/isaserver/Allowing_FTP_Uploads_Through_ISA_Server_2004_2006.aspx

For troubleshooting this apply to ISA 2006, too:
http://technet.microsoft.com/en-us/library/bb794745.aspx

0 new messages