January 2009 - Posts

In the first part of this series we looked at the problem of getting the authentication channel to work when publishing an IIS7 FTP server using TLS/SSL encryption.

However, every FTP story has two sides, as the authentication channel is only the first part of the connection. Once we are authenticated to an FTP server we want to list directories and transfer files, and this is done over a secondary data channel.

As you can see in the screenshot, the authentication process runs fine but the session hangs on "150 Opening Binary mode data connection", and if we wait long enough we eventually get a timeout.

Let's have a look at what's happening on the wire:

As before, you can see the first 3 handshake packets, then the FTP authentication stream starts, and at the end of the trace we can see a number of TCP handshake packets that are building up the data channel.

FTP's data channel is a second TCP connection. During the authentication process the FTP server sends the FTP client a dynamic secondary port; the client then opens a socket to this secondary port and establishes the data connection. It's important to note that this second port is a random dynamic high port. Up until Windows Vista, high ports were dynamically chosen starting at port 1024 up until 65535. As of Windows Vista Microsoft has changed the random port selection, which is why the random port you see here is 49798 TCP. If you want more info on the changes made to the random port selector, check out http://support.microsoft.com/kb/929851/

 

PART 2: The data channel

By default the ISA server's FTP application filter takes care of this random secondary port by dynamically opening ports when clients connect to an FTP publishing rule. However, because we needed to disable the application filter to pass the AUTH TLS command, we will have to compensate for this manually.

Step 1:

The first thing we want to do is change the way the FTP server allocates its data channel ports: we want to move away from totally random assignment and make sure we know which ports are being handed out. As a second setting we also need to tell the FTPS server what the public IP address of our firewall is.

The place to do this is in the IIS Manager window. To set the static ports you have to be on the server node, not at the website level.

You can enter any port range here, but for this example we'll go for 5000-5003, then press Apply.

Step 2:

The second thing we must do is set the IP address at the website level.

Enter the PUBLIC IP of your ISA server, then press Apply.

For some reason my experience has been that hitting Apply does not cause these changes to become active. The best thing to do is restart the Microsoft FTP Service.

Step 3:

The last thing we need to do is configure our FTP publishing rule on the ISA server. Here we will add our port range as primary connection ports. When you go to edit the FTP server publishing rule you'll see that you are unable to modify the parameters. This is because it is a default protocol definition, and Microsoft does not allow you to modify these definitions.

To solve this we will create our own SSL FTP publishing protocol definition. So head back to the Traffic tab > click New.


Step 4:

Head back to the FTP client and retry the connection; you should see the connection work now.
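As an added example (not code from the original post), the following Python check walks a constructed transcript of FTP server replies, decodes each 227 PASV reply into the IP and port the server advertises (RFC 959 encodes the port as p1*256 + p2) and flags endpoints that a firewall publishing only 5000-5003 on the public IP could not pass, plus transfers whose 150 is never followed by a 226, which is the hang seen above. The transcript must come from the client's or server's own FTP log, because after AUTH TLS the control channel is encrypted on the wire; the public IP 203.0.113.10 and the sample replies are assumed values.

```python
import re
# Constructed FTP server replies as an FTP client/server debug log records them (sample
# data, not from the post): first PASV reply pre-fix (private IP, random port), second post-fix.
SAMPLE_REPLIES = """\
220 Microsoft FTP Service
234 AUTH command ok. Expecting TLS Negotiation.
227 Entering Passive Mode (192,168,10,5,194,134).
150 Opening BINARY mode data connection.
227 Entering Passive Mode (203,0,113,10,19,137).
150 Opening BINARY mode data connection.
226 Transfer complete.
"""
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(line):
    """Decode a 227 reply into (ip, port); RFC 959 encodes the port as p1*256 + p2."""
    m = PASV_RE.match(line)
    if not m:
        return None
    a, b, c, d, p1, p2 = map(int, m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2

def check_data_channel(replies, public_ip, low_port, high_port):
    """List each PASV endpoint with the reasons a firewall that only publishes
    low_port..high_port on public_ip could not pass it (empty list = OK)."""
    findings = []
    for line in replies.splitlines():
        endpoint = parse_pasv(line)
        if endpoint is None:
            continue
        ip, port = endpoint
        problems = []
        if ip != public_ip:
            problems.append(f"advertises {ip} instead of firewall public IP {public_ip}")
        if not low_port <= port <= high_port:
            problems.append(f"port {port} is outside the static range {low_port}-{high_port}")
        findings.append((ip, port, problems))
    return findings

def hung_transfers(replies):
    """Count '150 Opening ...' replies never followed by a '226': the data channel hang."""
    hung, open_transfer = 0, False
    for line in replies.splitlines():
        if line.startswith("150"):
            hung += int(open_transfer)  # previous transfer never reported 226
            open_transfer = True
        elif line.startswith("226"):
            open_transfer = False
    return hung + int(open_transfer)
```

Running the check after restarting the Microsoft FTP Service is a quick way to confirm that the static port range and public IP actually took effect.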

Those of you who have been installing Windows 2008 IIS7 systems with the new FTP7 server know that one of the big new features is support for encrypted FTP through FTP over TLS/SSL.

If you want more details on FTP7 you can check out the online tutorials at http://learn.iis.net/page.aspx/305/configuring-ftp-user-isolation/

However, when publishing FTPS through ISA 2006 you'll notice you get an error 500 Access denied.

To fully understand what's happening we need 3 components:

- Sniffer on the FTP client

- Monitoring on the ISA server system

- Sniffer on the FTP server

Our setup: [ISA lab diagram]

PART 1: The authentication channel

In this part we'll tackle the first issue we run into, where the authentication channel fails and we get the 550 Access is denied error.

Step 1:

Try to connect to the FTP server from the FTP client and sniff at both ends. When we look at the packets we can clearly see what is happening.

We will first look at the packet trace and then make it easier for ourselves by following the TCP stream.

1.1 Packet view

As you can see, the FTP client goes through the TCP handshake in the first 3 packets (SYN / SYN ACK / ACK).

Then the actual FTP communication starts; the first FTP message is the server identifying itself as an MS FTP server.

The client responds to this with AUTH TLS; it's basically saying: hello friendly FTP server, I would like to start an encrypted TLS session. The client tries this twice but gets ACCESS IS DENIED packets back from the server.

When you look at the FTP server packets, you can see the first 3 handshake packets, then the one packet where the server identifies itself, but we never see another FTP packet coming into the FTP server with the AUTH TLS session.

1.2 Follow view

If we do a TCP follow we can clearly see the client sending AUTH SSL and the server never receiving these packets.

Step 2:

Looking at the above information we can clearly see a 550 Access is denied response being sent to the FTP client, but we can also see that the packet did not originate from the FTP server. It's clear then that not the FTP server but a device in the middle is generating this packet and sending it back to the client.

Using the information we have above, let's look at the ISA log and see if we have any denies at that level.

At first glance the traffic seems to be flowing normally: we see the ISA accept the first packet and then close the connection, like it would with any normal TCP connection that ended.

So where is this Access Denied packet coming from? To find out a bit more we need to add an extra column to the ISA logging window called Result Code.

Once we add this column to the view we can see the full details of what the ISA has been doing. To understand the meaning of each result code you can check out http://technet.microsoft.com/nl-be/library/bb838824(en-us).aspx

FWX_E_CONNECTION_KILLED => 0x80074E24 => ISA Server killed a connection.

Even though this type of end is not unusual, it would seem that ISA took an active part in ending the session, and we know the only place the 550 Access is denied packet could have come from was the ISA.

This is when we should start to look at the application filter within ISA. As you may know, ISA server is a layer 7 firewall, meaning it does inspection at the application layer for a number of protocols. One of these protocols is FTP. You can view this on the Add-ins tab.

This means ISA understands the FTP protocol at the application layer and will recognise malformed commands within an FTP communication stream. Depending on the application filter DLL we may or may not have configurable items.

As you can see in the comparison here, the SMTP filter has a way of adding and removing accepted commands. The FTP filter however does not, and all we can do is enable or disable it (you can do this here and completely disable the filter for all ISA rules, or you can do it on each rule individually, which is what we will do).

The simple fact is that the FTP application filter in ISA does not support the AUTH TLS command in its current version 4.0, and the default reaction of an ISA to this type of fault is to respond with an Access denied. ISA server expects a default FTP command stream (see the command list in the screenshot) and there is no way for us to add accepted commands.

It does not say "filtered by ISA", as this would give potential hackers info you don't want them to know.

The only way for us to solve this issue as of today in ISA 2006 is to disable the FTP application filter on the rule: Traffic > Properties > Application Filter.

If we now retry our connection and sniff the traffic on the FTP server we can see the first packet with the identification string, the second packet is the FTP client saying hi, I want to do TLS authentication, the third packet is the server responding and saying OK, let's do TLS, and from there on the stream goes into encrypted mode.
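The diagnostic reasoning from Step 1 and Step 2 above, comparing the client-side sniff with the server-side sniff, as an added Python example that is not code from the original post: a reply the client received but the server never sent, or a command the client sent but the server never received, can only have been injected or dropped by a device in the path. Both captures below are constructed sample data; the message texts and the client trying AUTH TLS followed by AUTH SSL are assumptions.

```python
from collections import Counter

# Constructed captures of the same FTP control session at both ends of the path: what the
# client saw and what the FTP server saw (sample data, not from the original post).
# Format: (direction, message) with "C>S" = client command, "S>C" = server reply.
CLIENT_CAPTURE = [
    ("S>C", "220 Microsoft FTP Service"),
    ("C>S", "AUTH TLS"),
    ("S>C", "550 Access is denied."),
    ("C>S", "AUTH SSL"),
    ("S>C", "550 Access is denied."),
]
SERVER_CAPTURE = [
    ("S>C", "220 Microsoft FTP Service"),
]

def diff_captures(client_capture, server_capture):
    """Return (injected_replies, dropped_commands).

    A reply the client received but the server never sent, or a command the client
    sent but the server never received, must come from a device in between."""
    def replies(cap):
        return Counter(msg for direction, msg in cap if direction == "S>C")
    def commands(cap):
        return Counter(msg for direction, msg in cap if direction == "C>S")
    # Counter subtraction keeps only the surplus seen on the client side.
    injected = sorted((replies(client_capture) - replies(server_capture)).elements())
    dropped = sorted((commands(client_capture) - commands(server_capture)).elements())
    return injected, dropped

def filter_blocks_auth(client_capture, server_capture):
    """True when an AUTH command was swallowed in transit and replaced by a 5xx reply,
    the signature of an application-layer filter rejecting the TLS upgrade."""
    injected, dropped = diff_captures(client_capture, server_capture)
    auth_dropped = any(cmd.upper().startswith("AUTH ") for cmd in dropped)
    error_injected = any(reply.startswith("5") for reply in injected)
    return auth_dropped and error_injected
```

After the application filter is disabled on the rule, the two captures should match and the check returns False.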

Well, the next IT-Talks event is planned; register ASAP as places are limited:

You can register for these events by sending an email to tom@decaluwe.eu; include which events you will attend. Seats are limited, so register ASAP!

Event info

-------------------------------------------

It-Short talk

Date and time: Thursday 26 March 2009 start at 19u00 – 21u30

Speaker: Tom Decaluwé

Location: To be confirmed (Region Gent)

Entry: Free

Focus: During this event we will focus on the theory of sniffing networks using Wireshark, and through a number of demos we will get to know Wireshark, NetCat and Nmap as great network tools.

--------------------------------------

Full day talk

Date and time: Saturday 4 April start at 10u00 – 17u30

Speaker: Tom Decaluwé

Location: Spes Nostra - Koning Albertstraat 50 - 8520 Kuurne

Entry: 15€ for drinks and lunch

Focus: During this event we will focus on a hands-on practice lab around sniffing networks and using Wireshark, NetCat and Nmap on your networks.

(*) Please note that both events are complementary, meaning you can follow one or both events individually and learn great new things each time.

When configuring a new server, the last thing most of us think of is running out of disk space. However, one of the most prominent problems after having a server in production for a while is running out of disk space. It always happens at the worst possible time, and we all wish there were a quick fix available.

The easiest way to solve this type of issue is to prepare during server setup. A default reflex when installing a new server should be to create a dummy file on each drive, allocating/reserving some disk space.

An easy tool for this is:

fsutil file createnew <reservefile> <size in bytes>

e.g. fsutil file createnew dummy.dat 6710886400

Using this command you create a 6 GB file; this effectively reserves the space on your disk, and when you eventually run out of disk space you just need to delete the file, which gives you some buffer time to figure out how to solve your out-of-disk-space problem.

Those of you who have followed the news all know about Conficker causing all sorts of problems.

If you run into Conficker, here is some very good info: http://blogs.technet.com/mathieum/archive/2009/01/12/instructions-pour-la-suppression-de-conficker.aspx

For everyone else it's a great time to double check your patching infrastructure and antivirus.

Some of you might have thought it's been a bit quiet on my blog, but I have been hard at work behind the scenes making some Chopsticks videos for MS.

You can view them all at:

http://www.microsoft.com/belux/technet/nl/chopsticks/default.aspx

Here are the direct links:

Configure ISA for DHCP relay

http://www.microsoft.com/belux/technet/nl/chopsticks/default.aspx?id=873

Backup AD using win2k8 snapshots and restore full objects using 1identity's free tool

http://www.microsoft.com/belux/technet/nl/chopsticks/default.aspx?id=870

Forefront Threat Management Gateway: Malware inspection

http://www.microsoft.com/belux/technet/nl/chopsticks/default.aspx?id=767
Import / export GPPE settings "office 2007 browserflags"

http://www.microsoft.com/belux/technet/nl/chopsticks/default.aspx?id=764

UAC and the need for two user accounts

http://www.microsoft.com/belux/technet/nl/chopsticks/default.aspx?id=630

 

More to come!

 

 

I'm very proud to announce that Microsoft has awarded me the MVP title "Forefront"! I have enjoyed working with the Belgian IT community for many years now and sharing my knowledge.

I can only say a great thank you to Microsoft, and thank you community, for the great times and the great times to come in 2009 and beyond!!!


You can find my profile at:

https://mvp.support.microsoft.com/profile/Decaluwe