Setup FTP access using Network Threat Protection

Created: 01 Feb 2008 • Updated: 21 May 2010 | 8 comments
I am setting up an FTP server with SAV11 (Symantec Endpoint Protection 11) on our public (unprotected) segment of our network.  I am trying to make the box as safe as possible and would like to use the Network Threat Protection (NTP) to limit traffic to the box, similar to a firewall.
 
But if NTP is on, no FTP traffic can go to the box, but it works with NTP off.   I have created an FTP rule which allows FTP traffic in and out.
 
Any ideas why? 

Comments (8)

SKlassen:
Can you list the settings for the rule you've made in the firewall policy?
 
Another thing to look for, do you also have windows firewall enabled at the same time?
GranholmK:
How the rule is set up in Endpoint:
 
General Tab - Allow this Traffic, All network Adapters, Apply while the screensaver is on or off
Host Tab - All hosts
Port and Protocols Tab - Protocol/TCP, Remote Ports: 20/21, Local Ports: 20/21, Traffic Dir: Both
Applications and Scheduling are not setup
 
Windows Firewall is on, but a rule exists for FTP Port 21
 
But if I turn off Symantec and leave on Windows Firewall, FTP works.  If Symantec is on, FTP fails.
Paul Murgatroyd:
so a couple of things come to mind here:
 
1. is this a passive or active FTP connection, one allocates a random port for the communication after first negotiating on 20/21, I can't at the moment remember which way round it is
 
2. please try disabling the windows firewall when NTP is enabled - two firewalls enabled on one box is not a good thing and can cause all sorts of funny problems
 
3. do you see anything being blocked in the SEP log?
 
4. have you considered allowing all traffic to and from the APPLICATION that is hosting FTP?  unless it's MS FTP of course, in which case I don't think you can as it's part of IIS
 

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

GranholmK:
To answer your questions:
 
1. Active/Passive Don't know, I just have been using Filezilla with its quick connect feature.
 
2. I originally had the Windows FireWall disabled, I only enabled it when I could not get the Symantec one working.
 
3. I have many entries in the log, but I am having a bit of trouble reading it or understanding what it is telling me.
 
4. We are using the MS FTP via IIS.   Not my favorite FTP server, but this is a low profile, on the cheap, public access ftp.   If you know of a good FTP server that is commercial quality and free/opensource, I would provide it as an option to our network admin as a product of choice to switch to.
 
 
 
Paul Murgatroyd:
1. ok, no problem.. I'm sure we can sort it...
 
2. ok
 
3. ok, happy to take a look at the log for you, can you upload to https://fileshare.symantec.com?
 
u: symc_sep_troubleshooting
 
4. ah right, ok.  have you tried FileZilla's server counterpart?  I believe that's pretty good...
 
Hopefully though, with some luck we can get MS FTP working for you
 
 

GranholmK:
Sorry about the delay in getting back to this.
 
I have uploaded both the tralog.log and syslog.log files.
 
I have looked at the FileZilla Server piece, but have not tried it yet.
Paul Murgatroyd:
so your logs definitely show you are trying to communicate in PASV mode (the first allowed connection is on port 21, followed by the next on 5001 - this is blocked).  There isn't much you can do with a firewall and PASV FTP, however:
 
There are several options:
 
1. Tell the connecting client not to use PASV mode
2. Limit the number of ports IIS can use for PASV mode and allow these local ports in the firewall rule (http://support.microsoft.com/?id=555022)
3. Allow all traffic to and from inetinfo.exe (this should in theory work, not 100% sure though as it doesn't seem to be detecting an application in the block rule)
 
hth, let us know how you get on
 
 
 
 
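The following is an added example, not code from the thread or from Symantec, that models the behaviour described in the two posts above: the host firewall rule allowing TCP 20/21 on the server, and the passive-mode data connection arriving on port 5001 and being blocked. It parses the two FTP messages that set up a data connection (the server's 227 reply to PASV and the client's PORT command for active mode, both encoded as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 per RFC 959) and runs the resulting connection through a small first-match firewall model. The addresses, the 5000-5010 passive range, and the rule semantics (local-port ranges only, remote port treated as any, unmatched traffic blocked) are constructed assumptions for illustration, not SEP's actual matching logic or IIS's real configuration.

```python
"""Why a server-side rule for TCP 20/21 lets the FTP control channel
through but blocks passive-mode data connections, and how a restricted
passive port range plus a matching rule fixes it. Constructed model."""
import re
from dataclasses import dataclass
from typing import Sequence, Tuple

FTP_CONTROL_PORT = 21
FTP_ACTIVE_DATA_PORT = 20  # active mode: server connects OUT from port 20

# Six decimal bytes: four address octets, then the port as p1*256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> Tuple[str, int]:
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {text!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"byte out of range in {text!r}")
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Server's answer to PASV: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).'"""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    return parse_hostport(reply)


def format_pasv_reply(host: str, port: int) -> str:
    """Build the 227 reply a server would send for host:port (inverse of parse)."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"227 Entering Passive Mode ({host.replace('.', ',')},{port // 256},{port % 256})."


def parse_port_command(cmd: str) -> Tuple[str, int]:
    """Client's active-mode request: 'PORT h1,h2,h3,h4,p1,p2' (where it listens)."""
    if not cmd.upper().startswith("PORT "):
        raise ValueError(f"not a PORT command: {cmd!r}")
    return parse_hostport(cmd)


@dataclass(frozen=True)
class Rule:
    """Allow rule on the server: inclusive local port range and direction.
    Remote ports are treated as 'any' in this model (assumption)."""
    local_ports: Tuple[int, int]
    direction: str  # "in", "out" or "both"

    def matches(self, local_port: int, direction: str) -> bool:
        lo, hi = self.local_ports
        return lo <= local_port <= hi and self.direction in ("both", direction)


def firewall_allows(rules: Sequence[Rule], local_port: int, direction: str) -> bool:
    """Any matching allow rule permits the flow; unmatched traffic is blocked (model default)."""
    return any(r.matches(local_port, direction) for r in rules)


# Constructed traffic. 19*256 + 137 = 5001, the data port the thread's log showed blocked.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,19,137)."
PORT_CMD = "PORT 198,51,100,7,200,5"  # client listens on 198.51.100.7:51205

RULE_20_21_ONLY = (Rule((20, 21), "both"),)          # the rule described in the thread
PASSIVE_RANGE = (5000, 5010)                         # hypothetical restricted server PASV range
RULE_WITH_PASV_RANGE = RULE_20_21_ONLY + (Rule(PASSIVE_RANGE, "in"),)


def passive_data_allowed(rules: Sequence[Rule], pasv_reply: str = PASV_REPLY) -> bool:
    """Passive mode: the client connects IN to whatever port the server advertised."""
    _, data_port = parse_pasv_reply(pasv_reply)
    return firewall_allows(rules, data_port, "in")


def active_data_allowed(rules: Sequence[Rule], port_cmd: str = PORT_CMD) -> bool:
    """Active mode: the server connects OUT from fixed local port 20, so a local-port
    rule for 20 covers it regardless of the client's ephemeral port."""
    parse_port_command(port_cmd)  # validate the client's request before dialling it
    return firewall_allows(rules, FTP_ACTIVE_DATA_PORT, "out")


if __name__ == "__main__":
    print("control channel, local 21 in:", firewall_allows(RULE_20_21_ONLY, FTP_CONTROL_PORT, "in"))
    print("passive data 5001, 20/21 rule: ", passive_data_allowed(RULE_20_21_ONLY))
    print("passive data 5001, +5000-5010:", passive_data_allowed(RULE_WITH_PASV_RANGE))
    print("active data from port 20:      ", active_data_allowed(RULE_20_21_ONLY))
```

The model shows the shape of all three options in the post: forcing the client off PASV makes the data connection originate from local port 20 (`active_data_allowed`), while keeping PASV requires the server's advertised port to fall inside a range the firewall also allows inbound (`RULE_WITH_PASV_RANGE`); before relying on the second approach, confirm with a capture that the 227 replies really land in the configured range.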