I'm having an issue getting proper access to FTP sites. I can log in fine but every time I do I get read only access.
Our setup is this. Win2K3 ISA 2006 Server connecting to a hardware firewall (netscreen 5 XP). This acts as a router connecting our two networks and the internet together. I also have a second "back door" firewall plugged into the network I am on that only I know about that's plugged into the internet.
Everyone's default gateway is the ISA server and the ISA server's default gateway is the firewall.
When people try and connect to an FTP site they can read from it even if it requires a log in and does not support anonymous access. However every time they try and write/delete they are greeted with a 550 error, access denied. If I alter my default gateway to my back door firewall I connect and can write/delete fine. This leads me to believe that the issue is with the config on my ISA server or the firewall.
When normal users try and connect through Windows Explorer you get a warning message that the "Proxy is not configured to allow full access". However I don't get this message as I am using a different proxy and can't get access. I still have our ISA server as the default gateway. That would imply the issue is on the ISA server. And it was a while ago but I think this started when I put in the ISA server...
I've attached the ISA firewall policy. I know it's rubbish but I had to set it up in a rush and haven't had the opportunity to correct it (or learn how to use it properly). However the hardware firewall is actually protecting my network so I'm relatively happy for the ISA to pass all traffic through. As far as I understand I've got it to allow all traffic, from any source to any destination.
The worse (in fact stupid) news is that I can't currently get into my hardware firewall admin :doh:. Whilst I think I know what I need to do, people get a bit shirty if I disconnect the internet, however briefly, which is what I need to do to resolve. However I am 95% sure that the outgoing rule on the firewall is to allow all traffic out.
So why the heck can't I connect to FTP sites properly?
My next test will be to insert a computer between the ISA and the firewall (when I can disconnect them) and see if I can get access to FTP sites, thus testing if it's the ISA server or the firewall. Hopefully at the same time I can get access to the firewall admin. However I won't have opportunity to do that for a week or so if I'm lucky so I was wondering if anyone might have any pointers in the meantime...
By default the FTP access filter is set to read only. See this document for information on changing the setting: "FTP Client Access from an ISA Server Network". Oops, that's ISA 2000 - try "Enabling Secure FTP Access Through ISA 2006 Firewalls (Part 1)".
Thanks for the quick response, if I could just ask for a bit more help.
Assuming that I can overcome my own stupidity and read this correctly...
Given that I don't have a specific "Allow FTP access" rule I'm allowing everything. Also given that I'm not hosting the FTP site I just want to get on other FTP sites on the internet from here... I would open the firewall policy tab, using the toolbox on the right hand side expand the "all protocols" section, find FTP and untick "FTP Access Filter". This should allow proper authentication?
Second question is what is the downside to doing this? i.e. am I going to cock anything else up?
In an allow rule for FTP, go to the protocols tab, select FTP then click the 'Filtering' button, now untick the 'Read Only' box. This should only affect FTP and nothing else.
Ah, found that. Cheers... I think I'll wait for a quiet time next week when I can give it a go with a minimum of risk and disruption. Thanks for that. I'll post back next week with an update of how I got on.