I have read Stefan's "FTP protocol challenges Firewall Security" article but am not sure what to do to allow ftp access to remote sites using SBS 2000 / ISA and the firewall client on the workstations ...
Para 4.3 mentions the user having access to the predefined FTP protocol definition and making sure that the FTP Application Filter is enabled ...
I can see under Policy Elements for the ISA Server a Protocol definition which under the "defined by" heading has the entry "application filter" and uses port 21 for outbound.
Under Access Policy the only Protocol Rule is for Backoffice Internet Access and there is nothing re FTP under IP Packet Filters ...
But in my case, I have already set up a protocol rule that allows FTP outbound access. Additionally, I have also created a rule that enables all IP traffic. The clients all use Internet Explorer to access external FTP sites, but without success. I have also tried both enabling and disabling the "Enable folder view for FTP sites" option in IE.
I have created a new rule under Protocol Rules and will wait to see if that works when my colleague is in the office.
In your FTP Protocol Challenges Firewall Security - you have a description and an image for FTP Client control connection + data connection passive settings (page 9) - what situation does that apply to? Presumably not what I want, which is workstations able to use ws_ftp to access remote servers?
1) configure the internal DNS server as a SecureNAT client. That means its default gateway should point to the ISA internal interface.
2) enable forwarders on your internal DNS server and specify there your ISP DNS servers. Also, make sure you check the "Do not use recursion" box.
3) create on ISA a client address set containing your internal DNS server.
4) create on ISA a *separate* protocol rule allowing the protocols DNS Query (UDP port 53 send/receive) *and* DNS Zone Transfer (TCP port 53 outbound) and apply it to the above created client address set.
5) create on ISA a *separate* site&content rule allowing access to any destination or better to a destination set containing your ISP DNS servers, and apply it to the above created client address set.
Now, thoroughly test the DNS name resolution with the command nslookup. All should work well. Last but not least, never touch the DNS protocol and site&content rule again. You should now have a very stable DNS infrastructure.
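As an added check that is not part of the thread above: the script below sends the same A query to the internal DNS server once over UDP 53 and once over TCP 53, the two paths the protocol rule in step 4 opens for the client address set (a plain query over TCP exercises the TCP 53 path without being a zone transfer). The server address and test name are assumptions; adjust them to your own network.

```python
"""Verify that the internal DNS server answers over UDP 53 and TCP 53.
Added example, not from the original thread or from ISA Server itself."""
import socket
import struct

DNS_SERVER = "192.168.0.2"     # assumption: your internal DNS server (SecureNAT client)
TEST_NAME = "www.example.com"  # constructed test name; use any external name you expect to resolve
TXID = 0x1234                  # constructed transaction id

def build_query(name, txid=TXID):
    """Build a standard A query with the RD (recursion desired) flag set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN

def parse_response(data, txid=TXID):
    """Return (rcode, answer_count, recursion_available) from a DNS reply header."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:          # must match our id and have QR set
        raise ValueError("not a reply to our query")
    return flags & 0x000F, an, bool(flags & 0x0080)  # RA: server offers recursion to clients

def query_udp(server, name, timeout=3):
    """DNS Query protocol of the ISA rule: UDP port 53 send/receive."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_response(s.recv(512))

def query_tcp(server, name, timeout=3):
    """TCP port 53 outbound: DNS over TCP prefixes each message with a 2-byte length."""
    msg = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(msg)) + msg)
        length = struct.unpack(">H", s.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return parse_response(data)

if __name__ == "__main__":
    for label, fn in (("UDP 53", query_udp), ("TCP 53", query_tcp)):
        try:
            rcode, answers, ra = fn(DNS_SERVER, TEST_NAME)
            print(f"{label}: rcode={rcode} answers={answers} recursion_available={ra}")
        except (OSError, ValueError) as exc:
            print(f"{label}: FAILED ({exc}) - check the ISA protocol rule and client address set")
```

A timeout on one path but not the other usually means only one of the two predefined protocols was added to the rule.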