OCS File Transfers across firewalls
- Hi
I thought that Forefront would facilitate file transfers across firewalls since it's not TFTP TCP 6891-6900 peer-to-peer anymore.
But I'm somewhat confused:
Test Setup:
User A at home office connects to OCS 2007 R2 Edge remotely, User B in office is connected to OCS frontend server
B sends file to A -> Forefront on Edge detects it, ok (note: A downloads the file from Edge on TCP 6891)
A sends file to B -> transfer does not work. It seems that the Edge server tries to download the file from the home user A but fails since A sits behind a NAT router.
So sending out files to remote access users and federated users works, but not sending in files from remote access users or between such users with NATting firewalls between.
Is this supposed to be so?
Andreas
Answers
- Andreas,
Yes, this is expected behavior. While Forefront does proxy file transfers through the Edge server, it does not guarantee that it can successfully facilitate file transfers across the Edge. If the sender is an external user behind a NAT, Forefront would be unable to retrieve the file data for scanning. This scenario is not different if Forefront is not installed in the sense that typically the receiving client would have to make a TCP connection to the sender behind the NAT firewall.
In general, Forefront attempts to facilitate file transfers; however, it does not do anything to increase the likelihood of a file transfer succeeding if the file transfer would not have succeeded without Forefront installed. In the case where an internal user is sending a file to an external recipient, the fact that transfers are proxied through the Edge may provide administrators a way to allow outbound file transfers without having to allow inbound connections to ports 6891-6900 to individual client machines. In this scenario, the firewall exceptions could be applied to the FSOCS server instead.
HTH.
ShreyS [MSFT]
Marked as answer by Jim Molini [MSFT], Owner, Sunday, April 26, 2009 10:46 PM
Proposed as answer by ShreyS [MSFT], Thursday, April 23, 2009 2:25 PM
All Replies
- Hi
Thanks for your answer. I see that this is by design. Reading the technical descriptions I thought that the communication pattern would be changed like the A/V streams or Desktop sharing. We worked hard here to open the ways for the media streams (we were in the TAP/RDP programs for OCS 2007 R1 and R2). We realized that FT were different and we had to give up on them in many situations.
Internal transfer with FFOCS should now be possible at least.
I think that there are better ways to handle FT:
- make a rendezvous at the Edge exactly as with A/V streams (ICE, STUN etc.). Reuse the technology as far as possible.
or
- integrate it into the media streams like Desktop sharing (preferred)
Generally we should only have 1 signaling path (SIP) and 1 media stream. Every content should travel in the latter, maybe with a different port range.
That's one suggestion for Wave 14 OCS!
Regards
Andreas Bieri
Swisscom IT Services
Switzerland
- Hi,
Is it possible to change the file transfer ports from (TCP 6891-6900) to the normal range, so that it will be possible to transfer files for external users?
- Ahmed,
As far as I know, the port range for Office Communicator cannot be changed; thus inbound connections to individual client machines need to be open for this range.
If you're looking to change the port range that FSOCS uses to accept inbound connections for file transfers, this is something that can be configured. By default, FSOCS utilizes the same port range that Communicator uses (i.e. 6891-6900) since this is a well known set of ports. If you require a different port range, specify the following two DWORD values in the FSOCS registry key:
FileTransferStartPortRange [default 6891] - specify the first port in the range
FileTransferMaxPorts [default 10] - specify the number of ports to use starting with the port specified by FileTransferStartPortRange
Note that you'll need to recycle services for this change to take effect.
HTH,
ShreyS [MSFT]
- Hi Dear all:
My environment is OCS 2007 R1 and we want to deploy Forefront to solve the problem that users can't use file transfer between the external and internal networks.
Our Access Edge has a public IP, like 210.1.1.1, but our Front End Server has a private IP, like 10.1.1.1.
These servers can connect to each other because we have IP mapping and have set up the router.
If user A is in the external network and not on the NAT, he has a 210.2.2.2 IP. User B is in the internal network and he has a 10.2.2.2 IP.
My question is:
Can user A send the file to user B?
Can user B send the file to user A?
Regards
mslin
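The port-range and firewall configuration ShreyS describes in his reply to Ahmed above (FileTransferStartPortRange, FileTransferMaxPorts, and putting the inbound exception on the FSOCS server instead of on every client), worked through as an added PowerShell example that is not code from this thread or from Microsoft. It assumes a placeholder path for the FSOCS registry key, which the thread does not give, and since the service names to recycle are not given either it stops at emitting the firewall rule and checking which ports are actually bound.

```powershell
# Added example, not from the thread or from Microsoft. Derives the FSOCS file-transfer
# listening range from the two DWORD values named above and emits the single inbound
# firewall exception for the FSOCS server that replaces per-client 6891-6900 exceptions.
# ASSUMPTION: the registry key path below is a placeholder; the thread does not state it.
$FsocsKey = 'HKLM:\SOFTWARE\<FSOCS-registry-key-placeholder>'

function Get-FsocsFileTransferRange {
    param([string]$KeyPath = $FsocsKey)
    $start = 6891   # default FileTransferStartPortRange quoted in the thread
    $count = 10     # default FileTransferMaxPorts quoted in the thread
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['FileTransferStartPortRange']) {
        $start = [int]$props.FileTransferStartPortRange
    }
    if ($props -and $props.PSObject.Properties['FileTransferMaxPorts']) {
        $count = [int]$props.FileTransferMaxPorts
    }
    $end = $start + $count - 1
    if ($count -lt 1 -or $start -lt 1 -or $end -gt 65535) {
        throw "Invalid FSOCS file-transfer range: start=$start count=$count"
    }
    New-Object PSObject -Property @{ Start = $start; End = $end }
}

function Get-FsocsFirewallRuleCommand {
    param([Parameter(Mandatory=$true)]$Range)
    # One inbound TCP rule on the FSOCS server; netsh advfirewall exists on Server 2008.
    "netsh advfirewall firewall add rule name=`"FSOCS file transfer`" dir=in " +
    "action=allow protocol=TCP localport=$($Range.Start)-$($Range.End)"
}

function Get-ListeningPortsInRange {
    param([Parameter(Mandatory=$true)]$Range)
    # Which ports of the range are actually bound right now (run after recycling services).
    netstat -ano -p TCP | Where-Object { $_ -match 'LISTENING' } | ForEach-Object {
        $local = ($_.Trim() -split '\s+')[1]       # e.g. 0.0.0.0:6891 or [::]:6891
        [int]($local -split ':')[-1]
    } | Where-Object { $_ -ge $Range.Start -and $_ -le $Range.End } | Sort-Object -Unique
}

$range = Get-FsocsFileTransferRange
"FSOCS file-transfer listeners expected on TCP $($range.Start)-$($range.End)"
Get-FsocsFirewallRuleCommand -Range $range
"Currently listening in range: $((Get-ListeningPortsInRange -Range $range) -join ', ')"
```

The script only prints the netsh command; run it as an administrator on the FSOCS server once you have confirmed the range, and recycle the Forefront services afterwards as ShreyS notes.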