(Listen Up: This material is not included in our book. Therefore, you should print out this article and stick it in your book! -Tom.)
Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder
Let’s take a look at how we can solve these problems and successfully publish an FTP server that is on the ISA Server itself.
Method One: Creating Packet Filters
If your ISA Server sits at the edge of your network, then you should always have packet filtering enabled. Packet filtering is one of the cornerstones of security for an ISA Server located on the edge of the network. If you have an interface directly exposed to the Internet, you must have packet filtering enabled.
With packet filtering in mind, the first method you can use to make the FTP server available to Internet users is to just create packet filters. The packet filter method does not require that you publish the FTP server. The packet filters will allow or deny access to the required ports on the external interface of the ISA Server.
Perform the following steps to create the packet filters:
Note that by creating these packet filters, clients can only use PORT mode to connect to the FTP server. The reason is that PASV mode requires the FTP client to be able to connect to any ephemeral port on the ISA Server, which would defeat your packet filtering security mechanism. PASV mode FTP servers that are managed with packet filters are a special problem; they should be located on DMZ segments where the lower security provided by packet filtering alone is acceptable.
Method Two: Use Server Publishing Rules
The second way you can publish an FTP server is by using Server Publishing or Web Publishing rules. The nice thing about doing it this way is that you can have PASV mode clients connect to the FTP server because the FTP Access Application Filter takes care of connection management issues. Therefore, you don’t have to open a multiplicity of packet filters to allow PASV mode connections.
Step 1: Disable Socket Pooling for the FTP Service
The first thing you need to do is disable Socket Pooling for the FTP Service. Socket Pooling allows an IIS 5.0 service to listen on all IP addresses assigned to a particular server. This happens in spite of you configuring the FTP service to listen only on a single interface.
Perform these steps to disable Socket Pooling for the FTP Service:
Step 2: Configure the FTP Service to Listen Only on the Internal Interface
Now that the dreaded socket pooling feature is disabled for the FTP service, the next step is to configure the IIS 5.0 FTP Service to listen on the internal interface. You will use this interface in your Server Publishing Rule.
Step 3: Disabling the FTP Port Attack Setting
Some FTP server implementations allow a PORT command to open a connection between the FTP server and an arbitrary port on another machine. This lets an attacker establish connections to arbitrary ports on machines other than the actual source machine.
By default, IIS 5.0 prevents this behavior and blocks connections from machines other than the client that initiated the connection. However, since the ISA Server needs to act on behalf of the source host, we have to disable this mechanism.
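To make the trade-off in Step 3 concrete, here is an added example (not code from the article or from IIS) that implements the kind of PORT-command check the text describes: with protection on, the data connection may only go back to the host that opened the control session; with protection off (the state ISA Server needs, because the control peer is the firewall, not the real client), any host is accepted. The refusal of privileged ports is an extra safeguard assumed here, not something the article states.

```python
import ipaddress
import re

# Matches "PORT h1,h2,h3,h4,p1,p2" as sent by an active-mode (PORT) FTP client.
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line: str):
    """Return the (ip, port) a PORT command advertises, or raise ValueError."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed PORT command")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def port_command_allowed(line: str, control_peer_ip: str, protect: bool = True):
    """Decide whether an FTP server should honour a PORT command.

    protect=True mirrors the IIS default described above: the data
    connection may only go to the host that initiated the control session.
    protect=False mirrors the "port attack setting disabled" state required
    when ISA Server sits between the real client and the FTP service.
    Returns (allowed, reason).
    """
    ip, port = parse_port_command(line)
    # Assumed extra safeguard: never open a data connection to a well-known port.
    if port < 1024:
        return False, f"refusing data connection to privileged port {port}"
    if protect and ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        return False, f"PORT target {ip} differs from control peer {control_peer_ip}"
    return True, f"data connection to {ip}:{port} permitted"


if __name__ == "__main__":
    # Constructed sample: a client at 192.168.1.10 asks for data on 192.168.1.10:1025,
    # then a second command points the data connection at an unrelated host.
    for cmd, peer in [("PORT 192,168,1,10,4,1", "192.168.1.10"),
                      ("PORT 10,0,0,5,4,1", "192.168.1.10")]:
        print(cmd, "->", port_command_allowed(cmd, peer))
```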
For more information on the “bounce” attack, check out:
Step 4: Create the Publishing Rule
In this example we’ll use the Server Publishing Wizard.
Your FTP server is now ready to accept connections. One thing you might want to check if things don’t work is the status of the FTP Access Application Filter. This filter is enabled by default, but you might have disabled it and forgotten to re-enable it. If it is disabled, make sure you enable it.
In this article you learned the steps involved with publishing an FTP server located on the ISA Server itself. You saw that there are four steps:
Of course, the best way to publish an FTP Server is to place the server on the internal network, and not run any IIS services on the ISA Server itself. However, sometimes there just isn’t enough money to do that.
I hope you found this article interesting and/or helpful. If you have any questions on the issues brought up in this article, please post them on the www.isaserver.org message boards. You can also write to me at [email protected] and I’ll get to you as soon as I can. Please put the title of this article in the subject line. Thanks! –Tom.