Publishing Secure FTP Servers behind ISA Firewalls
Part One: Non-SSL FTP publishing with FTP application filter
As something different between ISA 2000 and ISA 2004, MS provides a FTP Server protocol in ISA 2004. It’s easy for people who want to publish FTP servers to the public. You don’t have to perform extra steps configuring your FTP server. Just install and publish. Here are the ports’ properties for FTP Server protocol. You can change your FTP port to any one you want. You can follow the Server Publish wizard to do it. And do not forget to apply ISA 2004 Service Pack 1!
You may have another issue about uploading files onto the FTP server. Make sure you clear the read-only box and it will be OK.
Remember, you have to select the FTP Access filter. ISA uses the FTP Access filter to monitor the PASV port information and also change the internal IP address to external IP address for FTP Server.
Only if you select the FTP Access filter will you be able to configure the FTP protocol policy.
Part Two: Publish Non-SSL PASV FTP Server Without FTP Application Filter
Maybe you want to create your own protocol to publish your FTP server - you can do that. But remember, there are certain things you have to do with the ISA firewall configuration before it will work.
Now, let's see how to publish a FTP Server using PASV mode. You can run the FTP server at 21 or non-standard port.
First of all, we have to configure the FTP server to support PASV mode. The reason we do this is because FTP server dynamically opens PASV port for connection. We have to specify the port range on the FTP server so we can setup the rule on the ISA firewall. We then make these ports available on the ISA firewall so that the PASV FTP clients can access the PASV FTP server site.
Without the FTP application filter, the ISA firewall will not monitor the data during the FTP transfer. Based on that reason, ISA won’t open the PASV port for FTP Server. That will cause the PASV mode to fail. When the data portion or the communications are encrypted, the ISA firewall’s FTP filter cannot monitor the PASV mode communications to dynamically open the correct ports.
Here we are using the Serv-U 6. The PASV port range is from 2000 to 2010. Serv-U can’t detect the internet IP address I have , so I have to put it in myself. If you do not have a static IP address, you may go to www.serv-u.com and search their FAQ for Ref 1242. That reference shows you how to use Serv-U with a dynamic IP address. The URL for this reference at the time of writing is http://www.rhinosoft.com/KBArticle.asp?product=rs&RefNo=1242.
Use any FTP client to login your FTP server locally, make sure the PASV setup is correct. The log may vary. But you will find the same information as below:
[R] 227 Entering Passive Mode (xxx,xxx,xxx,xxx,7,209)
[R] Opening data connection IP: xxx.xxx.xxx.xxx PORT: 2001
[R] LIST -al
[R] 150 Opening ASCII mode data connection for /bin/ls.
[R] 226 Transfer complete.
That shows the PASV mode on the FTP server is working properly. The FTP client is told by the FTP server to do the data transfer at port 2001. That’s the port we defined earlier.
The FTP Server side is done. Let’s take a look at ISA 2004 firewall configuration.
Unlike the default FTP Server protocol in the ISA firewall, the new protocol I created doesn’t discover the PASV port. When creating a new Server Publishing Rule for the internal FTP server, the most important thing is publishing the PASV port (2000~2010). This makes the ISA firewall accept the connection request from the external FTP client.
After everything, apply the change. Test the FTP Server from external FTP client.
When the FTP Access Filter is disabled, the ISA firewall doesn’t monitor the FTP application layer negotiations. That’s why you don’t have to configure the FTP protocol policy. But remember, users may have access to upload files to your FTP server. Make sure these accounts are secure and that you have configured the FTP server to require authentication.
If you only publish the FTP port, the external FTP client log may look like this:
After we open the PASV port on the ISA firewall, the PASV port will open. The external FTP client gets folder list successfully.
You may use another kind of FTP Server, such as ioFTPD or RaidenFTPD. The important things to remember when publishing FTP server with PASV mode is to define the PASV port and publish.
Part Three: Publish a Secure FTP Server Behind the ISA Firewall
Why do I need to publish a FTP server without using FTP Server Protocol that comes with ISA 2004?
The reason is because I also need to publish a secure FTP server. Since the transfer between client and server will be encrypted, the default FTP server protocol can’t get the PASV port information and failed at PASV step.
Before we setup the secure FTP server, there are two words we need to understand:
Explicit SSL and Implicit SSL
Explicit SSL uses an explicit command (such as AUTH SSL or AUTH TLS) to ask a FTP Server initiating a secure control connection. The FTP server must support AUTH, PBSZ, and such kinds of commands.
Implicit SSL uses SSL socket to connect to the FTP server from the beginning. Today, most FTP servers can support this mode.
To see the difference between Explicit SSL and Implicit SSL, we can look at how they make the connection.
Explicit SSL mode: FTP Client sends AUTH SSL command to FTP Server, then the FTP Server initializes the SSL connection.
Implicit SSL mode: FTP client uses sslconnect to make the connection with FTP Server. It encrypts the information from the beginning.
You can setup your FTP server to support non-SSL FTP and SSL FTP at the same time by choosing Allow SSL/TLS Session and regular sessions. But to be more secure, here we will only allow the SSL/TLS sessions on the FTP Server. Select the security option at Domain properties and apply the changes.
Here we are using 4000-4010 as PASV ports on this secure FTP server. If you forget how to setup the PASV port on the FTP server, go back and see Figure 5.
Follow the other setup we used to publish the FTP server using new FTP server protocol. Remember, you can not use the FTP Access filter that comes with ISA 2004. Because the FTP Access filter can’t get the connection information since the data has been encrypted.
After you apply the change on the ISA firewall, login to the FTP server from a remote client. You will get the following messages on your FTP client. The first one will ask you to see whether you accept the certificate from the FTP server.
Negotiating SSL/TLS session...
SSL/TLS negotiation successful...
SSL/TLS connection using cipher IDEA-CBC-SHA (128 bits)
After the SSL connection has been created, all the transfers will be encrypted, even the username and password.
From an Ethereal trace, you will see the difference. Without using SSL session, I can find the username and password as clear text during the transfer. After the SSL session, they are all encrypted.
In the Explicit SSL mode, information will not be encrypted before AUTH SSL command.
In this article we examined how the ISA firewall can be used to publish conventional PASV FTP sites and the mechanics behind publishing those sites. We also discussed the procedures required to publish secure FTP sites. One of the key concepts regarding publishing secure FTP sites is that the ISA firewall’s FTP Access application filter cannot perform stateful application layer inspection on these communications because the application layer information the FTP Access filter uses is encrypted by SSL. Keep this security limitation in mind whenever allowing any encrypted communications through your ISA firewall.
Checked by Dr Tom Shinder.