Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Date: Mon Feb 05 2001 - 18:37:05 CST
I have a question/problem about/with ISA from
Microsoft, FTP, and the recent ICSA certification
(sounds like a bad book title)...
Here I go... IF I am running an IIS 5.0 FTP server
(required for uploads of data that relates to the ASP
running in the HTTP service - NOT my
architecture)... And I put ISA server on a separate
standalone firewall machine in front of the IIS box
and "publish" the FTP server using their defined
filters... Clients from outside the firewall connect
fine... unless said client is behind a firewall of their
own... then they get a "500 Invalid PORT
Command"... Looking at the logs on the ISA server,
the initial FTP connection was successful and
throughout the process, no packets were blocked by
ISA but the connection results in an error code that
translates, according to Microsoft, to "Unexpected
connection termination". Now, if I switch my firewall
from ISA to another ICSA certified product...
specifically, GNATBOX, the clients behind their own
firewalls connect fine...
Having a general understanding of the difference
between active and passive FTP and the issues
with "Server to Server" FTP connections with IIS's
FTP daemon... I feel like I'm missing something.
According to ICSA's lab 3.0a specifications
a "firewall" must support FTP in Non Passive mode...
So please, someone tell me... IS ISA doing the right
thing and breaking the connection (never do you see
a packet denied in the logs and the problem seems to
be in the FTP service not the firewall [see MS
Q281193])... Or is GNAT BOX allowing PASV
connections even though its certification status says
For what it's worth, BOTH ISA and GNATBOX were
configured following the procedures detailed by ICSA
on each of their lab reports. I'm stumped... I'm
guessing this has something to do with the NAT
translation of the "port h1, h2, h3, h4, p1, p2" string
through NT's IP stack vs. the BDS IP stack in
GNATBOX... But I can't believe that Microsoft with
their track record would build a product that stops
their FTP service from being accessible by all the
other firewalled clients on the internet.
Thanks for taking the time to read through this. Any
information emailed to me would be greatly