FTP Client Access from an ISA Server Network

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Updated: February 20, 2004

Overview

To obtain documents or update software, such as antivirus programs, the Microsoft® Internet Security and Acceleration (ISA) Server computer or the internal client computers behind the ISA Server computer may require access to external File Transfer Protocol (FTP) resources. When configuring this type of FTP access, consider these questions:

  • Are you accessing external FTP resources from an internal computer or from the ISA Server computer?

  • Is the ISA Server computer configured in integrated mode or cache mode only?

  • Is the client computer configured as a Firewall client, SecureNAT client, Web proxy client, or a combination?

  • Are there any limitations for specific FTP clients?

The following sections discuss the methods and configuration instructions for accessing external FTP resources. To help you troubleshoot specific FTP client issues, the section "Useful Articles" later in this document provides links to Microsoft Knowledge Base articles.

Concepts and Procedures

This section includes:

  • FTP requests from the ISA Server computer

  • FTP access from an internal client computer

FTP Requests from the ISA Server Computer

To allow requests from the ISA Server computer to external FTP resources, you can:

  • Send FTP requests through the Web proxy service.

  • Configure packet filters on the ISA Server computer.

Sending FTP Requests Through the Web Proxy Service

FTP requests can be sent through the Web proxy service on the ISA Server computer, but this is limited to FTP downloads. To do this, configure the FTP client (which could be Internet Explorer, a command-line FTP tool, or a GUI tool) to use the internal IP address of the ISA Server computer as a proxy server. Sending FTP requests through the Web proxy service using a browser is the only option available when ISA Server is installed in cache mode. Note the following issue when using Internet Explorer for FTP requests:

  • If you have folder view for FTP sites enabled, the Internet Explorer client bypasses the Web proxy service and tries to send FTP connection requests directly to the Internet. This will be unsuccessful if the client computer is configured only as a Web proxy client. For more details and instructions on disabling folder view for FTP sites in Internet Explorer, see the article 814473, "Internal Clients Cannot Access FTP Sites Through Internet Security and Acceleration Server 2000," in the Microsoft Knowledge Base.

Configuring Packet Filters on the ISA Server Computer

For FTP requests with full functionality from the ISA Server computer, packet filters are required. Note that packet filters are not available when ISA Server is installed in cache mode.

To create a packet filter for outbound FTP

  1. In the Access Policy node of ISA Server Management, right-click IP Packet Filters, point to New, and then click Filter.

  2. In the New IP Packet Filter Wizard, type a name for the packet filter, and then click Next.

  3. In Filter Mode, select Allow packet transmission, and then click Next.

  4. In Filter Type, select Custom, and then click Next.

  5. In Filter Settings, select the following:

    1. In IP Protocol, select TCP.

    2. In Direction, select Outbound.

    3. In Local Port, select Dynamic.

    4. In Remote Port, select Fixed port, and specify port number 21.

  6. Click Next.

  7. In Local Computer, select Default IP address for each external interface on the ISA Server computer, and then click Next.

  8. In Remote Computers, to allow FTP outgoing requests to all destinations, select All remote computers. To restrict FTP requests to a specific destination, select Only this remote computer, and type the IP address of the external FTP server.

To create a packet filter for inbound FTP

To allow inbound access, repeat the preceding procedure, with the following settings:

  • In Direction, select Inbound.

  • In Local Port, select Any.

  • In Remote Port, select Fixed port, and specify port number 20.

FTP Access from an Internal Client Computer

You may want to allow internal client computers, behind the ISA Server computer, to access external FTP servers. FTP functionality depends on the client configuration of the internal computer:

  • Web proxy client. If the computer is configured as a Web proxy client only, only FTP downloads are possible. You can do FTP downloads through Internet Explorer or through any FTP client software that allows you to specify Web proxy settings. Sending FTP requests through the Web proxy service using a browser is the only option available in cache mode.

  • Firewall client or SecureNAT client. Requests for external FTP resources from Firewall and SecureNAT clients in the internal network are handled by the Firewall service. To enable such requests from computers configured as Firewall or SecureNAT clients, ensure the following:

    • The FTP access filter is enabled.

    • There is a protocol rule allowing the FTP protocol.

    • There is a site and content rule allowing access to the destination site.

    • The FTP client application does not have Web proxy settings configured. (You do not need to remove Web proxy settings in Internet Explorer.)

Enabling the FTP Access Filter

The FTP access filter that is provided with ISA Server forwards FTP requests from SecureNAT clients to the Firewall service, and uses the following protocol definitions:

  • FTP client read-only

  • FTP client

  • FTP server

  • FTP server read-only

Although you could create a protocol definition for FTP, the protocol definition would not offer the full range of capabilities afforded by the FTP filter. A user-defined FTP protocol definition and the FTP access filter are different because:

  • The FTP filter dynamically opens specific ports for the secondary connection. A custom-created protocol definition would open a range of secondary ports.

  • The FTP access filter can protect SecureNAT clients by performing the address translation required for the secondary connection. A custom protocol definition cannot perform such address translation.

  • Because the FTP access filter includes a read-only FTP protocol definition, it can distinguish between read and write permissions, enabling you to fine-tune access permissions.

Note that Firewall clients require the FTP access filter to be enabled because the ISA Server predefined protocol definition only defines the primary FTP connection, and does not define the secondary data connection.
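The first two differences listed above can be seen in a small model of an FTP-aware filter. This is an added example, not ISA Server code: the class and function names are hypothetical, the session and its documentation-range addresses are constructed, and the translated port is kept unchanged as a simplification.

```python
import re

# h1,h2,h3,h4,p1,p2 as used by PORT and the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(text):
    """Return (ip, port) or None if the six-number field is missing or invalid."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def encode_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])

class FtpControlInspector:
    """Hypothetical model of an FTP-aware filter watching one control connection."""
    def __init__(self, client_ip, server_ip, external_ip):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.external_ip = external_ip
        self.pinholes = []  # (direction, source, destination, destination port)

    def client_line(self, line):
        """Active mode: rewrite PORT to the external address, open one inbound port."""
        if not line.upper().startswith("PORT "):
            return line
        ep = parse_hostport(line[5:])
        if ep is None or ep[0] != self.client_ip:
            return None  # malformed, or names a host other than the client: drop
        self.pinholes.append(("inbound", self.server_ip, self.external_ip, ep[1]))
        return "PORT " + encode_hostport(self.external_ip, ep[1])  # port kept as-is

    def server_line(self, line):
        """Passive mode: open one outbound port to the endpoint in the 227 reply."""
        ep = parse_hostport(line[4:]) if line.startswith("227 ") else None
        if ep and ep[0] == self.server_ip:
            self.pinholes.append(("outbound", self.client_ip, ep[0], ep[1]))
        return line

def demo():
    # Constructed session; all addresses are documentation-range samples.
    fw = FtpControlInspector("192.168.0.10", "203.0.113.5", "198.51.100.1")
    rewritten = fw.client_line("PORT 192,168,0,10,19,137")
    fw.server_line("227 Entering Passive Mode (203,0,113,5,195,80)")
    return rewritten, fw.pinholes
```

Each data connection gets exactly one opening, for the single port named on the control channel, where a static protocol definition would have to allow the whole secondary port range in advance.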

To enable the FTP access filter 

  1. In the Extensions node of ISA Server Management, click Application Filters.

  2. In the details pane, right-click FTP Access Filter, and then click Properties.

  3. On the General tab, ensure that Enable this filter is selected.

Creating a Protocol Rule to Allow the FTP Protocol

After the filter is enabled, you need to ensure that there is a rule to allow the FTP protocol for the internal Firewall client or SecureNAT client.

To create a protocol rule 

  1. In the Access Policy node of ISA Server Management, right-click Protocol Rules, point to New, and then click Rule.

  2. In the New Protocol Rule Wizard, type a name for the rule, and then click Next.

  3. In Rule Action, select Allow, and then click Next.

  4. In Protocols, in Apply this rule to, select Selected Protocols. In the protocol list, select the FTP protocols that you want to allow:

    • FTP. TCP Port 21, defined by FTP access filter, used to copy files between hosts.

    • FTP Download only. TCP Port 21, defined by FTP access filter, used to download files from the FTP server to the client.

  5. Click Next.

  6. In Schedule, select times when the rule should be applied. Then click Next.

  7. In Client Type, select one of the following:

    • Any request. Apply the rule to all users.

    • Specific computers. Apply the rule to a particular client address set.

    • Specific users and groups. Apply the rule to authenticated users.

  8. Click Next.

  9. If you have applied the rule to a client address set, or to a user or group account, specify the settings. Click Finish to complete the wizard.

    Notes: 

    • You can configure the protocol rule to limit client access to the FTP protocol definitions. For example, you can select FTP Download only to limit the client to FTP read-only operations.

    • After you have the FTP access filter enabled, and a protocol rule to allow the FTP protocol definitions for all users or specific users, ensure that there is a site and content rule allowing access to the FTP destination, and that no proxy settings are specified in an FTP client application.

    • Note that if any rules require authentication by specific user accounts, only Firewall clients are able to authenticate. SecureNAT clients cannot present authentication credentials.

Useful Articles

To help you troubleshoot specific FTP client issues, this table provides a list of Microsoft Knowledge Base articles.

| Article number | Title | Details |
|---|---|---|
| 294679 | How to Enable External Client Computers Access to a File Transfer Protocol Server | This article provides instructions for configuring packet filters to enable ISA Server access to external FTP resources. |
| 313343 | ISA Server Firewall Chaining Can Cause Problems with FTP Access | Install ISA Server Service Pack 1 (SP1) to solve this issue. |
| 313356 | FTP Client May Not Work When You Enable IP Routing on a Downstream ISA Server | Install ISA Server SP1 to solve this issue. |
| 817829 | Passive Mode FTP May Break with Multiple IP Addresses on External Interface | SecureNAT and Firewall clients may not be able to open an FTP data connection to an FTP server using passive mode (PASV). This article provides fix details. |
| 823261 | Web Proxy Service Returns "The User Name Was Not Allowed" Error Message After the FTP Server Returns the "User Logged In" Message | A connection to an FTP server through the Web proxy service may fail, because the Web proxy service expects to be prompted for a password, and instead receives a 230 (User logged in, proceed) message from the FTP server. This article provides fix details. |
| 829892 | You Cannot Connect to External FTP Sites by Using a WRQ Reflection FTP Client through ISA Server 2000 | When you use a WRQ Reflection FTP client that is configured to use the SOCKS version 4 protocol, you may not be able to connect to external FTP sites through ISA Server 2000. This article provides fix details. |
| 823646 | ISA Server Forces CERN FTP Connections to the Root Directory | When the browser uses the Web proxy service to connect to an FTP site, a user may be connected to the root directory of the FTP server, or may not be able to access a directory if a URL path is specified. This article provides fix details. |
| 279347 | Enable IP Routing on ISA Server to Increase Performance | This article provides information about enabling IP routing to support secondary connections for SecureNAT clients. |
| 300641 | Enable Passive CERN FTP Connections Through Internet Security and Acceleration Server 2000 | By default, the Web proxy service uses PORT mode for FTP requests. To allow FTP requests through the Web proxy service in PASV mode, follow the instructions in this article. |
| 814473 | Internal Clients Cannot Access FTP Sites Through Internet Security and Acceleration Server 2000 | When you access an FTP server through Internet Explorer, the following error message is displayed: "Windows cannot access this folder." This may occur if folder view for FTP sites is enabled in Internet Explorer, because this causes Internet Explorer to attempt to bypass the Web proxy service. To disable folder view, follow the instructions in this article. |
| 818621 | No Links to Navigate Up Through Directory Levels in FTP Sites When Accessed Through Internet Explorer | When you connect to an FTP server in Internet Explorer using the Web proxy service, there may be no links to navigate up through directory levels to the parent directory. This article provides fix details. |