OSEC

From: jesterROCHESTER.RR.COM
Date: Mon Feb 05 2001 - 18:37:05 CST


    I have a question/problem about/with ISA from
    Microsoft, FTP, and the recent ICSA certification
    (sounds like a bad book title)...

    Here I go... IF I am running an IIS 5.0 FTP server
    (required for uploads of data that relates to the ASP
    running in the HTTP service - NOT my
    architecture)... And I put ISA server on a separate
    standalone firewall machine in front of the IIS box
    and "publish" the FTP server using their defined
    filters... Clients from outside the firewall connect
    fine... unless said client is behind a firewall of their
    own... then they get a "500 Invalid PORT
    Command"... Looking at the logs on the ISA server,
    the initial FTP connection was successful and
    throughout the process, no packets were blocked by
    ISA but the connection results in an error code that
    translates, according to Microsoft, to "Unexpected
    connection termination". Now, if I switch my firewall
    from ISA to another ICSA certified product...
    specifically, GNATBOX, the clients behind their own
    firewalls connect fine...
    Having a general understanding of the difference
    between active and passive FTP and the issues
    with "Server to Server" FTP connections with IIS's
    FTP daemon... I feel like I'm missing something.
    According to ICSA's lab 3.0a specifications
    a "firewall" must support FTP in Non Passive mode...
    So please, someone tell me... IS ISA doing the right
    thing and breaking the connection (never do you see
    a packet denied in the logs and the problem seems to
    be in the FTP service not the firewall [see MS
    Q281193])... Or is GNAT BOX allowing PASV
    connections even though its certification status says
    it shouldn't?!
    For what it's worth, BOTH ISA and GNATBOX were
    configured following the procedures detailed by ICSA
    on each of their lab reports. I'm stumped... I'm
    guessing this has something to do with the NAT
    translation of the "port h1, h2, h3, h4, p1, p2" string
    through NT's IP stack vs. the BSD IP stack in
    GNATBOX... But I can't believe that Microsoft with
    their track record would build a product that stops
    their FTP service from being accessible by all the
    other firewalled clients on the internet.

    Thanks for taking the time to read through this. Any
    information emailed to me would be greatly
    appreciated.

    Sincerely,
    Andy Prior
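The active-mode exchange described in the post, as an added Python example that is not part of the message and is not code from ISA, GNATBOX or IIS: it decodes and re-encodes the "h1,h2,h3,h4,p1,p2" string carried by PORT and by the 227 passive reply, shows what an FTP-aware NAT has to do to a client's outbound PORT line, and models the server-side check that yields a "500 Invalid PORT Command" when the announced data address does not match the source of the control connection. The addresses (192.168.1.10 behind a NAT at 203.0.113.5), the reply wording and the simplifying assumption that the NAT maps the client's own port number are all constructed for this example.

```python
import re

# Six comma-separated decimal bytes, as carried by "PORT h1,h2,h3,h4,p1,p2"
# and by the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (RFC 959).
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into ("h1.h2.h3.h4", p1*256+p2).

    Raises ValueError on anything that is not a well-formed address/port pair,
    so neither a firewall nor a server acts on a malformed argument.
    """
    m = HOSTPORT_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("malformed host/port string: %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("byte out of range in: %r" % text)
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(str(o) for o in octets[:4]), port


def format_hostport(ip, port):
    """Encode ("a.b.c.d", port) as a,b,c,d,p1,p2 for a PORT command or 227 reply."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_pasv_reply(reply):
    """Pull the server's data endpoint out of a 227 reply (passive mode)."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = HOSTPORT_RE.search(reply)
    if not m:
        raise ValueError("no host/port in 227 reply")
    return parse_hostport(m.group(0))


def nat_rewrite_port(line, private_ip, public_ip, mapped_port):
    """What an FTP-aware NAT does to an outbound control-channel line.

    A client behind NAT announces its *private* address in PORT. Unless the
    firewall rewrites that string to its own public address and a port it has
    opened and mapped back to the client, the server will try to connect to an
    unreachable address or refuse the command. Returns the (possibly rewritten)
    line plus the original (ip, port), or (line, None) when nothing applied.
    """
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return line, None
    ip, port = parse_hostport(arg)
    if ip != private_ip:
        return line, None
    return "PORT %s\r\n" % format_hostport(public_ip, mapped_port), (ip, port)


def server_check_port(arg, control_peer_ip):
    """Server-side PORT handling modelled on the bounce-attack protection most
    FTP daemons apply: the data address must equal the address the control
    connection came from. Reply strings are assumed wording for the example."""
    try:
        ip, port = parse_hostport(arg)
    except ValueError:
        return "501 Syntax error in parameters or arguments."
    if ip != control_peer_ip:
        return "500 Invalid PORT Command."
    return "200 PORT command successful."


def simulate_active_open(client_private_ip, client_port, nat_public_ip, alg_enabled):
    """Run one PORT exchange through a client-side NAT, with or without FTP ALG.

    The server sees the control connection arriving from nat_public_ip; the
    mapped data port is assumed (for simplicity) to be the client's own port.
    """
    line = "PORT %s\r\n" % format_hostport(client_private_ip, client_port)
    if alg_enabled:
        line, _ = nat_rewrite_port(line, client_private_ip, nat_public_ip, client_port)
    arg = line.strip().split(" ", 1)[1]
    return server_check_port(arg, control_peer_ip=nat_public_ip)


if __name__ == "__main__":
    # Constructed scenario: client 192.168.1.10 behind a NAT whose outside is 203.0.113.5.
    print("no ALG  :", simulate_active_open("192.168.1.10", 1025, "203.0.113.5", False))
    print("with ALG:", simulate_active_open("192.168.1.10", 1025, "203.0.113.5", True))
```

The useful diagnostic this gives is where to look: capture the PORT argument as it actually arrives at the IIS box and compare it with the source address of the control connection as IIS sees it. If a device on either side rewrites one but not the other (the client's firewall leaving the private address in PORT, or a publishing firewall translating the control connection's source without touching the command string), the server's check fails and the only visible symptom is the 500 reply, with nothing blocked in the firewall logs.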