ISA Firewall Question of the Day — Blocking FTP Connections

QUESTION:

Tom,

We have ISA Server 2004 configured as a “back end” firewall; our front end is a Cisco PIX.

We have no problems blocking Web access (port 80 and 443) based upon Windows user IDs.
However, when we try to block users from FTP it always fails and allows FTP access. We have tried allow rules and deny rules but nothing seems to work.

The only way we found to block FTP was with Microsoft’s new browser, IE 7. IE 7 will stop any FTP request and will show the ISA Server message not allowing the FTP protocol.

Bottom line, is there any way to block FTP from client PCs not using IE 7? Thank you.

Robert W. Kay – MCP

ANSWER:

One thing you need to keep in mind is that the ISA Firewall will not allow outbound access to protocols unless you give users or machines explicit access. If there is no rule that allows the connection, then the connection is dropped by the ISA Firewall.

The first thing I’d check is the Firewall policy. Do you see a rule that is allowing outbound FTP connections? If so, either disable that rule, or remove the FTP protocol from the rule. If the rule is an “all open” rule, you can create a protocol exception in the rule by selecting the “all protocols except” option and exclude the FTP protocol.

If you’re not sure what rule is allowing the outbound FTP connections, then you can use the ISA Firewall’s real-time log analyzer and check the FTP connections. The rule that allows the connection will appear on the line representing the outbound FTP connection.

One last thing to consider is to make sure that the ISA Firewall is an inline device. Often, the “network guys” will claim that the ISA Firewall is set in a back-end firewall topology, when in fact the ISA Firewall was placed in the PIX DMZ and both the ISA Firewall and the PIX can provide direct outbound paths to the Internet. This allows users to set a default gateway configuration so that outbound FTP goes through the PIX, instead of the ISA Firewall.

The solution in this case is to correct the network topology and place the ISA Firewall behind the PIX, not adjacent to it. There should be no way for users to bypass the ISA Firewall for outbound Internet access.

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

MVP — Microsoft Firewalls (ISA)
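The log-analyzer step in the answer, as an added example that is not part of the original page: a short Python script that parses ISA-style W3C firewall log lines and tallies which rule allowed each FTP connection, so the rule to disable or tighten can be named. The field names, the action values and the sample log lines are constructed assumptions for illustration, not copied from a real ISA Server 2004 log.

```python
# Added example: find which firewall rule is allowing outbound FTP from
# W3C-style firewall log lines. Field layout, action strings and the sample
# lines below are constructed assumptions, not a real ISA 2004 log export.
from collections import Counter

# Constructed sample log (tab-separated, one "#Fields:" header line).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2004",
    "#Fields:\tclient-ip\tclient-username\tdestination-ip\tdestination-port"
    "\tprotocol\taction\trule",
    "10.0.0.15\tCORP\\alice\t203.0.113.10\t80\tHTTP\tInitiated Connection\tAllow_Web",
    "10.0.0.15\tCORP\\alice\t203.0.113.20\t21\tFTP\tInitiated Connection\tAll_Outbound",
    "10.0.0.22\tCORP\\bob\t198.51.100.5\t21\tFTP\tInitiated Connection\tAll_Outbound",
    "10.0.0.22\tCORP\\bob\t198.51.100.5\t443\tHTTPS\tInitiated Connection\tAllow_Web",
    "10.0.0.30\tanonymous\t203.0.113.20\t21\tFTP\tDenied Connection\tBlock_FTP",
])

# Assumed action values that mean the firewall let the connection through.
ALLOWED_ACTIONS = {"Initiated Connection", "Closed Connection"}


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            # Header names are whitespace-separated after the "#Fields:" prefix.
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no data
        if fields is None:
            raise ValueError("data line found before a #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch on line: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def ftp_allowing_rules(rows):
    """Count, per rule name, the FTP connections that were allowed (not denied)."""
    hits = Counter()
    for row in rows:
        if row["protocol"] == "FTP" and row["action"] in ALLOWED_ACTIONS:
            hits[row["rule"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for rule, count in ftp_allowing_rules(parse_w3c(SAMPLE_LOG)).items():
        print("rule %r allowed %d FTP connection(s)" % (rule, count))
```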