SFTP through TMG 2010

  • Question

  • Hi! We have a problem with the WinSCP application. We are trying to connect to the Internet to transfer some files, but TMG 2010 is blocking it. It worked just fine with ISA Server 2006. The error code on TMG 2010 is: 0x80090308

    the weird thing is that we are using port 443.

    The app settings to connect are these:

    IP: 190.x.x.x

    PORT: 443

    PROTOCOL: SFTP - Enable SCP Delay

    we have the tmg client installed on that machine.

    Any ideas? We have already tried everything and nothing works. That error code's description is: “This happens when the published port is not used for listening to SSL.” But as I said, we are using port 443.

    The only thing I can think of is that port 443 has the "web proxy filter" enabled by default (on the HTTPS protocol). This wasn't like that on ISA Server 2006. But I can't think of a way to tell TMG "don't apply the filter to port 443". If we create another rule with a new protocol on 443 without the filter, TMG just ignores it.

    Well, any help is welcome; we are out of ideas....

    Thanks for your time!

    Edward.


    Friday, January 27, 2012 3:13 PM
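The suspicion in the question is the right place to look: a filter that terminates and inspects TLS on port 443 has to parse the client's first bytes as a TLS ClientHello, and an SFTP client opens with an SSH identification string instead (0x80090308 is the Schannel status SEC_E_INVALID_TOKEN, returned when the bytes handed to the TLS handshake are not a valid TLS token). The following Python is an added illustration, not code from the thread or from TMG: it classifies the first client bytes of a flow as TLS or SSH and flags any non-TLS traffic arriving on a port where a TLS-inspecting filter is expected. The sample flows, client addresses and the `TLS_PORTS` set are constructed for the example.

```python
"""Added example: classify the first client bytes of a TCP flow as TLS or SSH.

The constructed sample flows below stand in for what a TLS-terminating
filter on port 443 sees when the client is actually speaking SSH (SFTP).
"""
from dataclasses import dataclass
from typing import List, Tuple

TLS_CONTENT_HANDSHAKE = 0x16       # TLS record content type: handshake
TLS_HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type: ClientHello
TLS_PORTS = {443}                  # assumption: ports behind a TLS-inspecting filter


@dataclass(frozen=True)
class Classification:
    protocol: str   # "tls", "ssh" or "unknown"
    detail: str     # banner or record information for the report


def classify_first_bytes(data: bytes) -> Classification:
    """Decide what protocol a client is speaking from its very first bytes.

    SSH (RFC 4253): the client opens with an identification string
    "SSH-protoversion-softwareversion" terminated by CR LF.
    TLS: the client opens with a record header (type 0x16, 2-byte version
    0x03 0x0X, 2-byte length) whose first body byte is handshake type 0x01.
    """
    if data.startswith(b"SSH-"):
        banner = data.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
        return Classification("ssh", banner)
    if (len(data) >= 6
            and data[0] == TLS_CONTENT_HANDSHAKE
            and data[1] == 0x03
            and data[5] == TLS_HANDSHAKE_CLIENT_HELLO):
        record_len = int.from_bytes(data[3:5], "big")
        return Classification("tls", f"ClientHello, record length {record_len}")
    return Classification("unknown", data[:8].hex())


def find_protocol_mismatches(flows: List[Tuple[str, int, bytes]]) -> List[str]:
    """Return one finding per flow whose first bytes are not TLS on a TLS port.

    flows: (client, dst_port, first_client_bytes) tuples.  A TLS-terminating
    filter cannot parse a non-TLS opener as a ClientHello and rejects the
    session; a monitoring rule can report the same condition from a capture.
    """
    findings = []
    for client, port, first_bytes in flows:
        if port not in TLS_PORTS:
            continue
        result = classify_first_bytes(first_bytes)
        if result.protocol != "tls":
            findings.append(
                f"{client}:{port} expected TLS, observed {result.protocol} ({result.detail})"
            )
    return findings


# Constructed sample flows (not captured from the poster's network).
SAMPLE_FLOWS = [
    # SFTP client aimed at port 443: the SSH identification string comes first.
    ("10.0.0.15", 443, b"SSH-2.0-WinSCP_release_5\r\n"),
    # Ordinary HTTPS: TLS record header carrying a ClientHello (body truncated).
    ("10.0.0.16", 443, bytes.fromhex("16030100a5010000a10303")),
    # SSH on its usual port: no TLS filter is expected there, so not a mismatch.
    ("10.0.0.17", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
]

if __name__ == "__main__":
    for line in find_protocol_mismatches(SAMPLE_FLOWS):
        print(line)
```

Running the block reports only the first sample flow: SSH on port 443 is exactly the combination a TLS-inspecting filter cannot handle, whereas the same client bytes on port 22 pass an ordinary SSH access rule.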

All replies

  • I use it with TMG 2010 without issue.  I have an access rule called "PERMIT SSH FROM Select TO External" with just the SSH protocol added, and the "From" and "To" fields filled in accordingly.  If you don't have an explicit rule like this, I'd create one, then turn on the logging while you make your next attempt.  When/if it fails, look at which rule it is using.  It might very well be using a rule before the explicit SSH rule. 


    Friday, January 27, 2012 3:53 PM
  • The problem with our WinSCP is that this connection is using port 443 and not SSH (22). We have other connections that use 22 and work OK. The issue here is the HTTPS...

    Friday, January 27, 2012 5:59 PM
  • Ah... thanks for pointing that out. Sorry about that. So I'm assuming that to get WinSCP to use 443 instead of port 22, you were just overriding it in the WinSCP settings, correct? Which version of WinSCP is being used? Is the client running the TMG Firewall Client? Not sure if your topology lends itself to the experiment of trying a test to another segment where it is a route instead of a NAT relationship, just to see how that works.

    I think your suspicions might be correct, as I know this scenario can come up when dealing with things in the opposite direction (publishing rules). This is because the HTTPS publisher's job is to protect by inspection, so it terminates the session, decrypts, inspects, then repackages and sends it on its way. This is fine for many protocols such as HTTP, but something like RDP over SSL typically does not like that. The workaround in that case is to use a manual "server publishing rule" instead, including 443.

    With that in mind, have you turned off or provided an override for HTTPS inspection?  Have you provided an override for Malware inspection?  (I've had this mess up a few workflows on occasion).



    - Sketchy
    Saturday, January 28, 2012 1:00 AM
  • Hi,


    Thank you for the post.


    Please run ISA Tunnel Port tool to extend the SSL tunnel port range on the TMG server to allow TCP Port 22 outbound (http://isatools.org/tools/isa_tpr.js).


    Regards,


    Nick Gu - MSFT
    Thursday, February 2, 2012 9:59 AM
    Moderator
  • Dear Sir,

    I am facing an issue while connecting with SFTP from behind the TMG 2010 firewall. You can see the exact issue in this screenshot.

    Regards,

    Shakeel Shahid.

    Monday, March 11, 2013 6:48 AM