In my article How the FTP protocol Challenges Firewall Security I explain thoroughly how the FTP protocol works and how ISA server supports the FTP protocol. Although that article was written with ISA 2000 in mind, most of the stuff is still valid for ISA 2004, especially the behavior of the different ISA client types. It is crucial that you make yourself familiar with the three different ISA client types and how they interact with the ISA server. For more info about them, check out Jim Harrison’s excellent articles over at http://www.isaserver.org/Jim_Harrison/ and my blog A different look at the ISA Clients.
For SecureNAT and Firewall clients, ISA server supports fully the FTP protocol including active and passive FTP mode. Keep in mind that the FTP mode active or passive is determined by the FTP client itself. For Web Proxy clients, that means FTP over HTTP, ISA is CERN Proxy compatible what means that only FTP download is supported and that active or passive FTP mode is determined by a global configuration setting on the ISA server itself. By default the Web Proxy component on ISA will use active mode FTP. You can alter this behaviour by editing the registry on the ISA server to allow FTP requests made through the Web Proxy component to use passive mode. Check out the KB article HOW TO: Enable Passive CERN FTP Connections Through Internet Security and Acceleration Server 2000 for more info. Although it is not listed in the KB article, I can assure you that the NonPassiveFTPTransfer registry key is also valid on ISA 2004.
I strongly suggest that you test first your full FTP access with the standard Microsoft FTP command line client. If you can login and do a dir command, you have tested the FTP control and data connection. Take note that the Microsoft FTP command line client does not support passive mode. If you need to test passive mode too, use the free FTP command line client MoveIt Freely from Standard Networks. It support Secure FTP too. Once it is working with one of those clients, you can start to play with IE as FTP client.
The most important IE setting regarding the FTP protocol is the setting Enable folder view for FTP sites (Internet Options -> tab Advanced):
- If the IE setting Enable folder view for FTP sites is not checked and you have a rule allowing the FTP protocol, then you will be able to connect to the FTP server with the URL syntax ftp://username:[email protected] but you will only be able to download files, not upload files. In other words, with this configuration setting IE is acting as a Web Proxy client.
- If the IE setting Enable folder view for FTP sites is checked and you have a rule allowing the FTP protocol, then the client must also be configured as a Firewall or a SecureNAT client, depending if you require authentication on the FTP rule or not. In both cases you will be able to connect to the FTP server with the URL syntax ftp://username:[email protected] and you will be able to download and upload files, assuming the Read Only flag on the FTP rule is cleared. If the Firewall client is installed and enabled, this request is intercepted and handled by the Firewall Client. However, if the Firewall client is disabled or not installed, the request is sent as from a SecureNAT client. Which FTP mode active or passive IE will use is determined by the setting Use Passive FTP (for firewall and DSL modem compatibility).