Welcome to ISAserver.org


Passive FTP - FTP Access filter problem

Passive FTP - FTP Access filter problem - 28.May2007 7:34:29 PM   
khowlette

 

Hi

I'm having problems with Passive FTP and the FTP access filter.  I've googled around and not found a solution.

I have to publish my FTP site with port 6370 for the control port (normally port 21) and ports 32000-32500 for the data connections in passive mode (usually ports above 1024-5000). My FTP server is Windows 2003 and sits behind an ISA 2004 Standard Edition.

If I enable the access filter it defaults back to the standard ports for the data connections even though my FTP server is configured to use 32000-32500. If I remove the filter the correct ports are displayed in my FTP client but it then shows the internal address of the FTP server, 10.154.132.14, for the data connection and not the public address, e.g. 195.x.x.x

I've set up 2 server publishing rules.
Rule 1 listens on port 6370 (inbound) but maps to port 21 on my FTP server 10.154.132.14
Rule 2 listens on 3200-32500 (inbound) and maps to the same ports on my FTP server 10.154.132.10.

I've disabled socket pooling.

It appears the FTP access filter is overriding the passive ports configured on the FTP server.

Does anyone know how to fix this?

Thanks

Keith
Post #: 1
RE: Passive FTP - FTP Access filter problem - 30.May2007 10:43:39 AM   
khowlette

 

I believe there is a bug in the FTP Access filter. I've tried to report this to MS but can't seem to find a way. Anyone know how?

(in reply to khowlette)
Post #: 2
RE: Passive FTP - FTP Access filter problem - 30.May2007 3:04:45 PM   
spouseele

 

Hi Keith,

This won't work the way you expect! With ISA 2006 you can customize the FTP TCP port used for the control connection on a per-rule basis, but not the TCP port used for the data connection. The reason is that the data connection is *dynamically* assigned by the ISA server out of the list of the free port numbers at that specific moment.

HTH,
Stefaan 

(in reply to khowlette)
Post #: 3
RE: Passive FTP - FTP Access filter problem - 31.May2007 4:57:54 PM   
khowlette

 

Thanks Stefaan

It does seem a bit of an oversight by MS. KB Article http://support.microsoft.com/?id=555022 explains how to set the passive port range on IIS FTP servers. If the FTP access filter can't be set to match or read the port settings that are sent back to the client then I think MS have made a wrong assumption. Is there any way to feed this back to them?

Thanks for the reply anyway. I thought I was going mad with this one. Still think it's a great product.

Keith

(in reply to khowlette)
Post #: 4
RE: Passive FTP - FTP Access filter problem - 31.May2007 5:32:02 PM   
spouseele

 

Hi Keith,

There is nothing wrong with the FTP application filter and Microsoft have not made a wrong assumption. You seem to forget that ISA is doing 1:N NAT and therefore, dynamically assigning TCP/UDP ports is a basic requirement in such a scenario. What you want is that ISA server allocates beforehand a port range for the FTP data connection. This is a pure waste of resources!

However, if you badly need that behavior you can enforce it by defining a custom FTP Server protocol, similar to what is needed for publishing an FTPS Server (FTP over SSL). Check out Publishing Secure FTP Servers behind ISA Firewalls for more information. However, be aware that no filtering is done on all those sockets!

HTH,
Stefaan

(in reply to khowlette)
Post #: 5
