FTP problem behind ISA

[rocketphoenix]

Regarding our FTP problem behind ISA, here are the details of our
configuration:

1. We use WS_FTP software to connect to the FTP server outside our
organization.
2. We configured ISA server to allow FTP connection using Access Policy IP
Packet Filters

FTP IN:
Protocol: TCP
Direction: Inbound
Local Port: All ports
Remote Port: 20

FTP OUT
Protocol: TCP
Direction: Outbound
Local Port: Dynamic
Remote Port: 21

NOTE: As a test, we tried to configure the RULE "Allow ALL" on IP Packet
Filter and Protocol Rules Access Policy but same problem occured.

3. When trying to connect to the remote FTP server using WS_FTP software
behind ISA, the error dictates "Connection Failure"

4. As a test, we telnet to port 80 and 443 on ISA server and it went out
fine. But when we telnet to port 21, it doesn't push thru, which implies
that the port 21 on the ISA server is closed even though the appropriate
configuration on the management console is applied.

 

[Knutern]

Why don't you use protocol rules instead, if you only want to allow inhouse users to acces outside FTP-sites?

Cheers
Knutern

 

[Knutern]

On another note: this is how FTP works.

Active FTP (all ports are TCP):
[tt]FTP Client <-> FTP Server
--------------------------
>=1024 -> 21 (Control, SYN)
>=1024 <- 21 (Control)
>=1024 -> 21 (Control, PORT Request, Port 3197, for example)
>=1024 <- 21 (Control)
3197 <- 20 (Data, SYN)
3197 -> 20 (Data)
[/tt]

Passive FTP (more secure):
[tt]FTP Client <-> FTP Server
--------------------------
>=1024 -> 21 (Control, SYN)
>=1024 <- 21 (Control)
>=1024 -> 21 (Control, PASV request)
>=1024 <- 21 (Control, OK, use port 45333 for example)
>=1024 -> 45333 (Data, SYN)
>=1024 <- 45333 (Data)
[/tt]


Cheers
Knutern