No Way Out
ISA Server seems to be preventing outbound traffic to an external FTP server.
Writer, technology maven and Microsoft MVP Zubair Alexander answers this week's question on an issue having to do with allowing outbound traffic through ISA Server. To get your Windows, Exchange, security and virtualization questions answered by Zubair, Chris Wolf, or any number of our resident IT experts, send your questions to firstname.lastname@example.org with "Tech Line" on the subject line of your message.
Zubair: I’ve configured our ISA Server 2004 as an edge firewall with one of the rules permitting all outbound traffic. Everything works exactly the way I want, except for one thing. I'm unable to upload files from internal clients to an FTP server on the Internet.
I’ve tried with or without a Linksys hardware firewall, a BEFSX41, behind ISA Server. I’ve tried using PASV, PORT, EPSV, and EPRT with different FTP software, such as IE, WS_FTP, CuteFTP and others. I’ve even set up another protocol definition that allows port 21 out with a secondary connection for port 20, as per CuteFTP’s knowledge base.
I'm convinced it’s something on the ISA Server firewall because, if I disable the firewall, I can upload files. In case you're wondering, I’ve also tried disabling ISA Firewall Client, but nothing seems to work. The error I get is "550. Access is denied".
— Name withheld
Answer: Well, I’ve seen a lot of people run into the same problem you’ve described. First, let me give you a little bit of background on how FTP works and talk briefly about the FTP Access Filter in ISA Server 2004 to help you understand the entire process.
Tech Help—Just An
Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors; the best questions get answered in this column, and MCPmag.com baseball caps go to the published submitter.
When you send your questions, please include your full first and last name, location and certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)
As for the FTP session, the FTP client first creates a connection to an FTP server on TCP port 21. At that time, the client also tells the server on which port it’s going to listen for a response from the server. The response from the server is always on a random port number above 1023. The FTP server responds, and the client and server perform a three-way handshake.
Next, the FTP server initiates a connection on TCP port 20. This is the port that's eventually used to transmit the data. The server also tells the client on which port the client should respond. Again, the port number will be above 1023. The client and server perform a three-way handshake, and now they are ready to transmit data over TCP port 20.
You may have noticed that the first three-way handshake is nothing more than the traditional handshake that we know and love, but here’s the catch: Because the second connection on TCP port 20 was initiated by the FTP server, which is not on the internal network, the connection should be blocked. Since the internal client didn’t initiate that connection, and it wasn’t part of any existing TCP session, that connection should not be allowed by the ISA firewall. Lucky for us, all this complexity is handled by the FTP Access Filter on the ISA Server 2004.
You can configure the FTP filter for either incoming or outgoing traffic, and for either read-only or full access. You can either disable the FTP filter for all rules (found at Configuration, Add-ins, FTP Filter) or disable it for individual rules on the General tab. By default, if the FTP filter is enabled, it is configured to allow read-only access. Now let’s talk about your specific situation.
Although you’ve configured a rule to allow all outbound traffic, which includes FTP, the problem is that the FTP filter only allows read-only access by default. As a result, your clients cannot upload files to an FTP server, even though they seem to have no problem downloading files.
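The two points above, the dynamic data channel that a plain stateful firewall would block and the read-only policy that rejects uploads, can be seen together in a small model of what an FTP access filter does. This is an added example, not ISA Server code: the class, the "550" reply text and the IP addresses are constructed for illustration.

```python
import re
# Added, simplified model of a stateful FTP filter like ISA Server 2004's FTP Access Filter:
# it inspects the control channel (TCP 21), learns the data-channel endpoint from PORT/EPRT
# (client side) or 227/229 replies (server side), admits only that one secondary connection,
# and in read-only mode rejects upload commands. Names/replies are constructed, not ISA internals.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RNTO", "MKD", "RMD"}
DENIED = "550 Access is denied."            # constructed; what the reader's clients saw

class FtpAccessFilter:
    def __init__(self, read_only=True):      # default mirrors ISA's "Read Only" box
        self.read_only = read_only
        self.pinholes = set()                # (initiator, dst_ip, dst_port) admitted later

    def client_command(self, line):
        """Inspect one client->server control line; return a reply if the filter blocks it."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if self.read_only and verb in WRITE_COMMANDS:
            return DENIED
        if verb == "PORT":                   # PORT h1,h2,h3,h4,p1,p2: server will connect from 20
            h = arg.split(",")
            self.pinholes.add(("server", ".".join(h[:4]), int(h[4]) * 256 + int(h[5])))
        elif verb == "EPRT":                 # EPRT |1|ip|port|
            _, _, ip, port, _ = arg.split("|")
            self.pinholes.add(("server", ip, int(port)))
        return None

    def server_reply(self, line, server_ip):
        """Learn passive-mode data ports from 227/229 so the client's outbound connect is allowed."""
        if line.startswith("227"):           # 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
            h = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line).groups()
            self.pinholes.add(("client", ".".join(h[:4]), int(h[4]) * 256 + int(h[5])))
        elif line.startswith("229"):         # 229 Entering Extended Passive Mode (|||port|)
            self.pinholes.add(("client", server_ip, int(re.search(r"\|\|\|(\d+)\|", line).group(1))))

    def allow_data_connection(self, initiator, dst_ip, dst_port):
        """Admit a data connection only if the control channel announced it."""
        return (initiator, dst_ip, dst_port) in self.pinholes

def simulate(read_only):
    """Replay the reader's scenario: internal client 10.0.0.5 talking to Internet server 203.0.113.7."""
    f = FtpAccessFilter(read_only=read_only)
    f.client_command("PORT 10,0,0,5,4,1")    # client listens on 10.0.0.5:1025 (4*256+1)
    f.server_reply("227 Entering Passive Mode (203,0,113,7,195,80)", "203.0.113.7")
    return {
        "stor": f.client_command("STOR report.txt"),
        "retr": f.client_command("RETR notes.txt"),
        "active_pinhole": f.allow_data_connection("server", "10.0.0.5", 1025),
        "passive_pinhole": f.allow_data_connection("client", "203.0.113.7", 195 * 256 + 80),
        "stray": f.allow_data_connection("server", "10.0.0.5", 1026),
    }
```

With the default read-only setting the model returns the 550 reply for STOR while RETR passes, which is exactly the symptom described in the question; constructing the filter with read_only=False lets the upload through.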
Figure. Configure the FTP filter so that it's no longer "Read Only" and your uploads will work.
To allow clients to upload, you need to configure the FTP filter (see Figure). Right-click the firewall rule that allows unrestricted outbound traffic and select Configure FTP. Uncheck the box that says Read Only. Notice that it says "When Read Only is selected, FTP uploads will be blocked." Apply the changes to your ISA Server. Now, your clients can upload files without restriction.
Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at email@example.com.