Troubleshooting Outbound FTP Access in ISA & TMG Server


Internal networks protected by Microsoft ISA or TMG may require access to FTP sites on the Internet. ISA/TMG Server support for outbound FTP access depends on a number of factors, including:

  • Type of client request.
  • Limitations of the FTP client application.

ISA Server provides support for three types of clients:

  • Firewall clients   Client computers with Firewall Client for ISA Server software installed and running have full support for complex protocols with secondary connections, such as FTP.
  • SecureNAT client computers that use ISA Server in their route to the Internet   In a simple network, these SecureNAT clients have a default gateway pointing to the ISA Server computer. ISA Server provides application filters to handle complex protocols for SecureNAT. FTP support is provided by the FTP access filter.
  • Web proxy clients   Web proxy clients make CERN proxy requests to FTP servers on the Internet. When an FTP client application is configured to use ISA Server as a Web proxy, FTP requests are handled by ISA Server Web Proxy Filter, and passed over Hypertext Transfer Protocol (HTTP) between the client and ISA Server. The FTP client application can be an Internet browser, such as Microsoft Internet Explorer®, or a command-line or graphical user interface (GUI) FTP tool (CuteFTP or WS_FTP).

Client support can be summarized as follows:

  • For Web proxy client requests, ISA Server does not support FTP uploads. FTP requests are passed over HTTP, and support for Active or Passive mode is a global ISA Server setting.
  • For non-Web proxy requests from Firewall clients or SecureNAT client computers, read/write FTP access is supported. The default setting for the ISA Server FTP access filter is read-only. Either Active or Passive FTP mode can be used, according to communications with the FTP server.
  • For more information about having more granular control of client FTP commands, see the topic “FTP Access Filter” in “Configuring Add-Ins” in the ISA Server SDK at Microsoft MSDN.

The following sections describe common troubleshooting issues.

Web proxy clients cannot upload to an FTP site
  • Symptom: Web proxy clients cannot upload to an FTP site. The following message may appear: “The folder FTP_Name is read-only because the proxy server is not set up to allow full access.”
  • Issue: When a client computer makes a request as a Web proxy client, FTP requests are passed over HTTP, and only FTP downloads are supported.
  • Solution: Install Firewall Client for ISA Server software to configure the computer as a Firewall client, or configure the computer as a SecureNAT client. For more information about client configuration, see “Internal Client Concepts in ISA Server 2006” at the ISA Server TechCenter. You may not have to remove Web proxy settings on the client. For example, a browser such as Internet Explorer will try to make a SecureNAT client request before making a Web proxy request. Success is dependent on the ability of the browser to resolve the FTP server name to an IP address.
Web proxy clients cannot download from an FTP server using PASV mode
  • Symptom: Attempts by Web proxy clients to download from a PASV mode FTP server fail.
  • Issue: By default, FTP traffic handled by Web Proxy Filter uses Active mode.
  • Solution: Set the DWORD value NonPassiveFTPTransfer to 0 in the registry on the ISA Server computer, which sets the mode to Passive. The default value is 1, indicating that Active mode is used. For information about setting this registry key, see the Microsoft Knowledge Base article 300641 “How to enable passive CERN FTP connections through ISA Server 2000 or ISA Server 2004 Standard Edition.” The registry instructions in this article also apply to ISA Server 2006 and ISA Server 2004 Enterprise Edition.

How to ensure that FTP requests are not proxied over HTTP

  • Symptom: Outbound FTP requests from internal clients are being proxied over HTTP and are thus read-only.
  • Issue: FTP over HTTP is limited to read-only.
  • Solution: If you are using Internet Explorer, you can configure the browser to access FTP servers directly. Alternatively, you can configure client computers as SecureNAT clients, or install Firewall Client software. ISA Server will detect these settings, and FTP traffic will be handled by the Microsoft Firewall service and will not be proxied. For information about configuring Internet Explorer to make a direct FTP request, see the section “How to enable Internet Explorer to make a request directly to the FTP server,” later in this topic.
How to enable Internet Explorer to make a request directly to the FTP server
  • Symptom: By default, Internet Explorer make a direct request to an external FTP server, instead of making the request over HTTP.
  • Issue: You can specify a setting in Internet Explorer so that requests are made directly.
  • Solution: Specify the appropriate setting in Internet Explorer by doing the following.

To proxy an Internet Explorer FTP request

  1. Start Internet Explorer.

  2. On the Tools menu, click Internet Options.

  3. Click the Advanced tab.

  4. In the Settings list, do the following:

Note that when you select the Enable folder view for FTP sites check box, Internet Explorer behaves as a standard FTP client and uses Active mode, even if the Use Passive FTP check box is enabled.

image image

How to configure Passive and Active mode in Internet Explorer

Issue: Internet Explorer needs to be configured to use Passive or Active mode.

Solution: Before configuring Passive or Active mode, it is useful to understand the implications for each mode, as follows:

  • In Active mode, the FTP client uses a PORT command to inform the server that it should connect to a specific IP address and port, and then send the data. This requires that the firewall allows inbound access from port 20 on the FTP server to all high-number ports for the client.
  • In Passive mode, the FTP client uses a PASV command to request that the server tells the client to which IP address and port it should connect to, to send and receive data. This requires that the firewall allows outbound access to all high-number TCP ports on the FTP server, and to inbound high-number TCP ports for the client.

ISA Server supports both modes. To configure Internet Explorer in Active or Passive mode, do the following:

To configure Internet Explorer 7 to use Passive mode

  1. On the Tools menu of Internet Explorer, click Internet Options.
  2. Click the Advanced tab.
  3. In the Browsing section of the Settings list, do the following:

To configure Internet Explorer 7 to use Active mode

  1. On the Tools menu of Internet Explorer, click Internet Options.
  2. Click the Advanced tab.
  3. In the Browsing section of the Settings list and follow steps steps in above pictures.

How to access an FTP site that is not anonymous using Internet Explorer

  • Symptom: Internet Explorer cannot access FTP sites requiring credentials.
  • Issue: When FTP requests are sent over HTTP for Web proxy clients, only anonymous access is allowed. To use Internet Explorer as an FTP client when an FTP server requires authentication, you must configure Internet Explorer for direct FTP access.
  • Solution: Enable the Enable folder view for FTP sites check box in Internet Explorer. This causes Internet Explorer to prompt for credentials. Then specify credentials in the following format: ftp://username:password@ftp.usdirectcom.net/. Alternatively, configure the client as a SecureNAT or Firewall client and access the FTP server using an alternative FTP client.
HTTP 502 Proxy Error – The login request was denied
  • Symptom: When accessing an external FTP site that requires authentication, the following error is received: “HTTP 502 Proxy Error – The login request was denied.”
  • Issue: Web proxy normally sends anonymous authentication information to an FTP site in the first request. If the FTP site rejects and closes the connection at the first try, this error is issued. If you monitor the FTP traffic, you will see a log entry similar to: “Port: 21 FTP failed connection attempt user: anonymous request: Get ftp://FTPServer/.”
  • Solution: When accessing an external FTP site that requires authentication from a Web proxy client, provide credentials in the URL, in the following format: ftp://username:password@FTPServerName.

This issue does not occur in the following circumstances:

  • SecureNAT clients or Firewall clients make the FTP request.
  • The Enable folder view for FTP sites check box is selected in Internet Explorer. With this setting enabled, Internet Explorer sends the request directly to the FTP site if it can resolve the remote host name, ignoring browser settings. If the host name cannot be resolved, the browser is used.
Firewall client computers require the FTP access filter for outbound FTP access
  • Symptom: An access rule to allow Firewall client computers outbound FTP access must use the FTP access filter.
  • Issue: Even though Firewall client computers can handle complex secondary protocols such as FTP, the FTP access filter is required.
  • Solution: Although the FTP access filter is not required for Firewall clients to handle the complex FTP protocol, the FTP access filter defines and dynamically opens the secondary connections required for FTP. ISA Server provides a predefined FTP protocol, but the protocol definition only includes the primary connection.
Permissions error message when Firewall clients access an Active mode FTP server using ISA Server 2004

Symptom: Client computers running Firewall Client for ISA Server software receive an error message when accessing an external FTP server. Clients using Internet Explorer receive the following error message: “Windows cannot access this folder. Make sure you typed the file name correctly and that you have permission to access the folder.” Clients using other FTP client applications may receive the following message: “425 Can’t open data connection.”

Issue: The problem is the handling of the TCP connection in the following circumstances:

  • ISA Server 2004 Firewall Client software is used.
  • ISA Server 2004 Standard Edition is installed.
  • When using Internet Explorer, the Enable folder view for FTP sites check box is selected.
  • When using Internet Explorer, the Use Passive FTP check box is cleared.

Solution: Check that you have the hotfix installed that is described by the Microsoft Knowledge Base article 884580 “Active mode FTP client programs cannot access an FTP server from behind Internet Security and Acceleration Server 2004.” This hotfix is included in ISA Server 2006 and ISA Server 2004 Enterprise Edition.

SecureNAT clients cannot access external FTP servers

Symptom: Computers configured as SecureNAT clients (with their default gateway pointing directly or indirectly to the ISA Server computer for Internet access) cannot access external FTP servers.

Issue: There may be an issue with protocol definitions, access rules, or client settings.

Solution: Check the following:

  • SecureNAT clients must be able to resolve the FTP server name themselves. Ensure that name resolution is working correctly for SecureNAT clients.
  • SecureNAT clients require the FTP access filter for FTP communications. To check that the filter is enabled, do the following.

To verify that the FTP access filter is enabled

  1. In ISA Server Management, expand the Configuration node, and then click Add-ins.

  2. On the Application Filters tab, right-click FTP Access Filter, and then click Properties.

  3. On the General tab, ensure that Enable this filter is selected.

image image

4. Click OK. Note: Do NOT allow active FTP access box ticked. This will potentially an unsafe feature to activate.

5. When using ISA Server Enterprise Edition, if this filter is enabled at the enterprise level, it is enabled for all arrays, and it cannot be disabled at the array level.

image

image image

  • Check that an access rule is configured to allow outbound FTP access. For example, to allow access to all users, the following rule would be configured:
  • Selected protocols: FTP
  • From: Internal
  • To: Create a computer set with the address of the FTP server
  • User sets: All Users
  • We recommend that the rule destination is limited to the FTP server. Create a computer set containing the IP address of the FTP server. The rule should be applied to all users. SecureNAT clients cannot use access rules requiring authentication. The predefined FTP protocol is bound by default to the FTP filter.
  • Check that the predefined FTP protocol used in the rule has the correct ports enabled. If you want to access an FTP server on an alternate port, you cannot access it using a SecureNAT client. Instead, you must install Firewall Client for ISA Server software on the client, and then create a custom FTP protocol definition with the alternative port. Note that the FTP access filter only listens on the standard FTP control port, TCP port 21. You cannot modify the port settings for the FTP access filter.
  • If you are using a non-browser FTP client application, ensure that it does not have Web proxy settings configured.
FTP upload is not available in a single network adapter configuration
  • Symptom: Internal clients are not able to do FTP uploads when ISA Server is installed with a single network adapter.
  • Issue: In a single network adapter scenario, FTP requests are handled by Web Proxy Filter, as FTP over HTTP requests. Web Proxy Filter supports FTP download only.
  • Solution: Verify the limitations of a single network adapter configuration. For more details, see the following documents at the ISA Server TechCenter at Microsoft TechNet:

Troubleshooting Unsupported Configurations in ISA Server and Configuring ISA Server 2004 on a Computer with a Single Network Adapter (Note that the information in this document also applies to ISA Server 2006.)

ISA Server does not support outbound secure FTP connections
  • Symptom: Clients require access to FTP servers over Secure FTP (FTPS).
  • Issue: ISA Server does not support outbound FTP over SSL/TLS (FTPS) connections. FTPS uses an encrypted control channel. For standard FTP traffic, ISA Server uses the FTP filter to monitor FTP communication. Outbound Secure Sockets Layer (SSL) connections cannot be seen by ISA Server, and therefore ISA Server cannot adjust traffic policy in reaction to PASV and PORT FTP commands.
  • Solution: Although there may be a workaround by installing Firewall Client software and creating a custom FTP protocol definition that is not bound to the FTP application filter, this is not supported.

share Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Windows Server and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s