TMG initiates active FTP connections to external servers even though it's configured for passive FTP - a problem with FTP over HTTP
In this blog post, I’ll be talking about another TMG problem where FTP over HTTP was failing through a TMG server.
Let me first summarize the scenario:
- Internet Explorer clients need to connect to an external FTP site through TMG server
- Due to some other requirements, this FTP site needs to be accessed passively
The FTP filter in TMG already uses passive FTP when connecting to external FTP sites:
(Note: this is the default behavior; see http://blogs.technet.com/b/yuridiogenes/archive/2010/03/16/error-502-active-ftp-not-allowed-when-trying-to-list-files-in-a-ftp-session-behind-forefront-tmg-2010.aspx for more information.)
That was also the case in my customer’s scenario, but the passive FTP connection to the target FTP server was still failing. After some troubleshooting, we found out that the TMG server was trying to connect to the target FTP site actively even though the FTP filter was configured as above.
Normally, when you type ftp://target-FTP-Server-FQDN in the IE address bar and IE is configured to use a proxy server, the connection request is sent to the proxy server as an HTTP request (with the FTP GET request carried inside that HTTP request). This is also called FTP over HTTP, so the request flow is similar to the following:
a) The client sends the request to the proxy server via FTP over HTTP
b) The proxy server connects to the target FTP server via the FTP protocol
After some further troubleshooting with the TMG data packager and network trace analysis, I found out that the FTP filter isn’t involved when the proxy server receives FTP over HTTP traffic from clients, and hence the FTP filter setting doesn’t apply to FTP over HTTP requests.
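The distinction that the trace analysis hinges on is visible on the FTP control channel: in active mode the proxy sends a PORT command and the external server opens a connection back toward the proxy (which upstream firewalls usually block); in passive mode the proxy sends PASV and connects out to the port the server returns. The following added example (not part of the original post or of TMG) classifies a session from constructed control-channel lines, using ">" for proxy-to-server and "<" for server-to-proxy; the addresses and ports are made-up sample values.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample control-channel lines, as seen in a trace of TMG talking
# to an external FTP server (">" proxy->server, "<" server->proxy).
ACTIVE_TRACE = [
    "< 220 FTP server ready",
    "> PORT 10,0,0,5,4,1",         # proxy tells the server where to connect back to
    "< 200 PORT command successful.",
    "> LIST",
]
PASSIVE_TRACE = [
    "< 220 FTP server ready",
    "> PASV",
    "< 227 Entering Passive Mode (203,0,113,10,195,80).",  # server offers a port
    "> LIST",
]

@dataclass
class DataChannel:
    mode: str   # "active" (server connects back to proxy) or "passive" (proxy connects out)
    host: str   # endpoint of the data connection
    port: int

# h1,h2,h3,h4,p1,p2 encoding shared by the PORT command and the 227 reply
_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def _parse_hostport(text: str) -> Optional[Tuple[str, int]]:
    m = _HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def classify_session(lines) -> Optional[DataChannel]:
    """Return how the data connection was negotiated, or None if none was set up."""
    for line in lines:
        direction, _, text = line.partition(" ")
        if direction == ">" and text.upper().startswith("PORT "):
            hp = _parse_hostport(text)
            if hp:
                return DataChannel("active", hp[0], hp[1])
        if direction == "<" and text.startswith("227 "):
            hp = _parse_hostport(text)
            if hp:
                return DataChannel("passive", hp[0], hp[1])
    return None   # e.g. session ended before any data channel (EPRT/EPSV not handled here)
```

A session reported as "active" for traffic that entered TMG as FTP over HTTP is the symptom described above, since the FTP filter's passive setting never applied to it.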
The resolution was to set the NonPassiveFTPTransfer registry key on the TMG server and restart the firewall service:
Note: You can find more information about that registry key at http://support.microsoft.com/kb/300641 (How to enable passive CERN FTP connections through ISA Server 2000, 2004, or 2006).
As mentioned above, after the registry key is created, you’ll need to stop and then start the firewall service from an elevated command prompt:
net stop fwsrv
net start fwsrv
To summarize: even though the “NonPassiveFTPTransfer” registry key shouldn’t be needed for TMG server, the exact requirements are as follows:
a) If the internal client sends the FTP request directly through the FTP protocol, there’s no need to change anything on the TMG server side, as the FTP filter will kick in and the FTP connection to the external FTP server will be initiated passively (examples: command prompt FTP client, third-party FTP client applications, IE which isn’t configured to use a proxy server, etc.)
b) If the internal client sends the FTP request through FTP over HTTP, then the changes mentioned above need to be implemented on the TMG server side in order for the TMG server to initiate the outbound FTP connection passively (example: IE which is configured to use a proxy server)
Hope this helps