Reverse FTP proxy on Primary FTP address not working

I am using Border Manager 3.6 Sp2a and placed all the reverse proxy 
filters in from Craig Johnson's Filter book for FTP (Great book!).  Our 
ISP had moved our FTP address to another IP address and I had them put it 
back only after screwing with many different settings, too many to 
remember. If I use the reverse proxy from a secondary Public IP Address 
it works fine without filters loaded. If I reverse proxy from the primary 
address without filters it does not work.

Anyway, this is how I would like for the system to be set up.  Let me know 
if it is wrong.

Server "A" Border Manager Settings:
66.xxx.xxx.100 - Primary IP Address
66.xxx.xxx.17 - .22 Secondary Addresses
192.xxx.xxx.16 Private Address

Server "B" FTP Server 
192.xxx.xxx.22 Host IP Address (FTP and GroupWise WebAccess loaded on 
this IP Address)
192.xxx.xxx.25 Secondary Address 

I have set up all the FTP Filters per Craig Johnson's book for Reverse Proxy 
using the 66.xxx.xxx.100 address

I have set the reverse FTP for 192.xxx.xxx.22 and 66.xxx.xxx.100

FTP directly in the office such as ftp://ken@192.xxx.xxx.22 works fine.

I have no idea what I have screwed up.

Any help would be greatly appreciated.
Ken@rlmrlm.com
0
ken
3/2/2006 8:54:14 PM
novell.bordermanager.proxies

Ken,

Do you have error messages in the proxy configuration screen of BM when 
it comes up? I wonder if you've a port conflict on that address.

-- 
Cat
NSC Volunteer Sysop
0
Caterina
3/2/2006 9:02:27 PM
> Ken,
> 
> Do you have error messages in the proxy configuration screen of BM when 
> it comes up? I wonder if you've a port conflict on that address.
> 
> -- 
> Cat
> NSC Volunteer Sysop
I have bounced the server but do not see any errors. Can I find a log of 
errors somewhere?

I am just wondering if I should have the ISP switch the domain back to 
the secondary IP address and call it a day.

Just wondering,
Ken@rlmrlm.com

0
ken
3/2/2006 9:17:54 PM
Ken,

I'm talking about the "Novell BorderManager Proxy cache server" screen at 
the server. That screen shouldn't go away.

The one you're mentioning is a solution, but I wouldn't want to have a 
server that does something I don't understand :-)

-- 
Cat
NSC Volunteer Sysop
0
Caterina
3/2/2006 9:29:37 PM
> Ken,
> 
> I'm talking about the "Novell BorderManager Proxy cache server" screen at 
> the server. That screen shouldn't go away.
> 
> The one you're mentioning is a solution, but I wouldn't want to have a 
> server that does something I don't understand :-)
> 
> -- 
> Cat
> NSC Volunteer Sysop
I bounced the server and there are no errors listed in that screen.  I 
looked in the TCPCON program to see what ports are being used and it 
showed both public and private addresses using the ftp port so I shut 
each one down.  The FTP proxy is bound to the Private IP address 
(192.xxx.xxx.16) and the Reverse FTP proxy is bound to the Public 
(66.xxx.xxx.100) address.

I just don't know,
Ken@rlmrlm.com
0
ken
3/2/2006 9:42:01 PM
> > Ken,
> > 
> > I'm talking about the "Novell BorderManager Proxy cache server" screen at 
> > the server. That screen shouldn't go away.
> > 
> > The one you're mentioning is a solution, but I wouldn't want to have a 
> > server that does something I don't understand :-)
> > 
> > -- 
> > Cat
> > NSC Volunteer Sysop
> I bounced the server and there are no errors listed in that screen.  I 
> looked in the TCPCON program to see what ports are being used and it 
> showed both public and private addresses using the ftp port so I shut 
> each one down.  The FTP proxy is bound to the Private IP address 
> (192.xxx.xxx.16) and the Reverse FTP proxy is bound to the Public 
> (66.xxx.xxx.100) address.
> 
> I just don't know,
> Ken@rlmrlm.com
Never mind, I went home and tried the FTP from there and everything seems 
fine.  When I came back to work and used the test computer outside the 
Firewall again, still nothing.  So I know it's not Proxies, but now I am on 
to why I can't use my test computer for this.

Thanks for all your help.
Ken@rlmrlm.com
0
ken
3/3/2006 1:39:50 PM
> Never mind, I went home and tried the FTP from there and everything seems 
> fine. 

OK!

> When I came back to work and used the test computer outside the 
> Firewall again, still nothing.  So I know it's not Proxies, but now I am on 
> to why I can't use my test computer for this.

What's the network configuration of this box? I wonder if either you're 
using an address that isn't in the right subnet or if the computer has 
some strange routing issue, or - simply - that you have a Windows 
firewall or another type of personal firewall that is blocking FTP.
-- 
Cat
NSC Volunteer Sysop
0
Caterina
3/3/2006 3:30:04 PM
> > Never mind, I went home and tried the FTP from there and everything 
> > seems fine. 
> 
> OK!
> 
> > When I came back to work and used the test computer outside the 
> > Firewall again, still nothing.  So I know it's not Proxies, but now I 
> > am on to why I can't use my test computer for this.
> 
> What's the network configuration of this box? I wonder if either you're 
> using an address that isn't in the right subnet or if the computer has 
> some strange routing issue, or - simply - that you have a Windows 
> firewall or another type of personal firewall that is blocking FTP.
> -- 
> Cat
> NSC Volunteer Sysop
The BorderManager server is set up like this
Netcard #1: 66.xxx.xxx.100 Subnet:255.255.255.240 (Dynamic NAT)
Secondaries: 66.xxx.xxx.17 - 22 Subnet:255.255.255.248 (Static Nat)

Netcard #2: 192.xxx.xxx.16 Subnet: 255.255.255.0 (NAT Disabled)

Default Route 0.0.0.0 to 66.xxx.xxx.110

As for the Windows firewall, I have disabled it.

Any thoughts?
Ken@rlmrlm.com        
0
ken
3/3/2006 7:20:32 PM
> The BorderManager server is set up like this
> Netcard #1: 66.xxx.xxx.100 Subnet:255.255.255.240 (Dynamic NAT)
> Secondaries: 66.xxx.xxx.17 - 22 Subnet:255.255.255.248 (Static Nat)

I'm not sure I understand your configuration here.
The first subnet you mention (66.x.x.100/255.255.255.240) has valid 
addresses from 66.x.x.97 to 66.x.x.110, with .111 as broadcast address.
The secondary IP addresses should belong to this range.
If you've another subnet (as it looks like), from .17 to .22, these do 
NOT belong to the primary subnet.

In which subnet is your workstation connected? If it's connected to the 
.17-.22 range it will need to have its default gateway to be set to 
66.x.x.17 (assuming .17 is bound to the BM server) to be able to reach 
anything in the .97-.110 subnet.
-- 
Cat
NSC Volunteer Sysop
0
Caterina
3/3/2006 9:14:46 PM
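
The subnet arithmetic in the reply above, as an added example that is not part of the original thread. Because the poster masked the public prefix as 66.xxx.xxx, the documentation range 203.0.113 is used as a constructed stand-in, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for the masked 66.xxx.xxx prefix (documentation range).
PREFIX = "203.0.113."

def subnet_summary(addr, mask):
    """Return (first_host, last_host, broadcast) of the subnet containing addr."""
    net = ipaddress.ip_interface(f"{addr}/{mask}").network
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), str(net.broadcast_address)

def outside_primary(primary, mask, secondaries):
    """List the secondary addresses that do not fall inside the primary subnet."""
    net = ipaddress.ip_interface(f"{primary}/{mask}").network
    return [s for s in secondaries if ipaddress.ip_address(s) not in net]

def next_hop(src, src_mask, dst, gateway=None):
    """How a host at src/src_mask reaches dst: 'on-link', a gateway, or 'unreachable'."""
    net = ipaddress.ip_interface(f"{src}/{src_mask}").network
    if ipaddress.ip_address(dst) in net:
        return "on-link"
    # A default gateway is only usable if it sits in the host's own subnet.
    if gateway is None or ipaddress.ip_address(gateway) not in net:
        return "unreachable"
    return gateway

if __name__ == "__main__":
    primary = PREFIX + "100"
    secondaries = [PREFIX + str(n) for n in range(17, 23)]
    test_pc = PREFIX + "20"  # workstation on the hub in front of the firewall

    print("primary /28:", subnet_summary(primary, "255.255.255.240"))
    print("secondary /29:", subnet_summary(secondaries[0], "255.255.255.248"))
    print("outside primary:", outside_primary(primary, "255.255.255.240", secondaries))
    # No gateway set on the test PC: the primary address is not on-link.
    print("no gateway:", next_hop(test_pc, "255.255.255.248", primary))
    # Gateway set to .17, assuming .17 is bound to the BorderManager server.
    print("via .17:", next_hop(test_pc, "255.255.255.248", primary, PREFIX + "17"))
```
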
> 
> > The BorderManager server is set up like this
> > Netcard #1: 66.xxx.xxx.100 Subnet:255.255.255.240 (Dynamic NAT)
> > Secondaries: 66.xxx.xxx.17 - 22 Subnet:255.255.255.248 (Static Nat)
> 
> I'm not sure I understand your configuration here.
> The first subnet you mention (66.x.x.100/255.255.255.240) has valid 
> addresses from 66.x.x.97 to 66.x.x.110, with .111 as broadcast address.
> The secondary IP addresses should belong to this range.
> If you've another subnet (as it looks like), from .17 to .22, these do 
> NOT belong to the primary subnet.
> 
> In which subnet is your workstation connected? If it's connected to the 
> .17-.22 range it will need to have its default gateway to be set to 
> 66.x.x.17 (assuming .17 is bound to the BM server) to be able to reach 
> anything in the .97-.110 subnet.
> -- 
> Cat
> NSC Volunteer Sysop
I'm sorry it took so long to get back but things have not been going so 
well here.  Anyway,  the workstation I was testing the FTP site with was 
connected to a hub before the firewall.  I had the workstation set to 
66.xxx.xxx.20/255.255.255.248.  I made sure that this address was not 
loading on the BorderManager server before connecting the workstation.

As for the configuration of the network:

255.255.255.0 is the subnet for all workstations inside the firewall.

Thanks for the reply,
Ken@rlmrlm.com
0
ken
3/8/2006 7:43:09 PM
Hi Ken,

Probably I wasn't clear in my message. The point is that from what you 
described you cannot have secondary IP addresses in the range you're 
mentioning, and things shouldn't be working at all.
Also, please read the note on the routing configuration of the workstation.
-- 
Cat
NSC Volunteer Sysop
0
Caterina
3/8/2006 8:32:58 PM