(Listen Up: This material is not included in our book. Therefore, you should print out this article and stick it in your book! -Tom.)
ISA Server makes it easy to publish servers on your internal network. If you want to publish a web or FTP server on the internal network, you can use either the Web Publishing Wizard or the Server Publishing Wizard. Depending on what it is you want to accomplish, either wizard will help you get the job done.
However, if you’re interested in publishing an FTP server that exists on the ISA Server itself, life isn’t always so easy. There are a couple of reasons for this:
- Socket Pooling whacks publishing services on the ISA Server itself
- The FTP “Bounce” or “Port” attack prevents the ISA Server itself from making a request from a local resource such as an FTP server
By Deb and Tom Shinder
Let’s take a look at how we can solve these problems and successfully publish an FTP server that is on the ISA Server itself.
Method One: Creating Packet Filters
If your ISA Server sits at the edge of your network, then you should always have packet filtering enabled. Packet filtering is one of the cornerstones of security for an ISA Server located on the edge of the network. If you have an interface directly exposed to the Internet, you must have packet filtering enabled.
With packet filtering in mind, the first method you can use to make the FTP server available to Internet users is to just create packet filters. The packet filter method does not require that you publish the FTP server. The packet filters will allow or deny access to the required ports on the external interface of the ISA Server.
Perform the following steps to create the packet filters:
- Open the ISA Management console. Expand your server and then expand Access Policies. Right click IP Packet Filters, click New and then click Filter.
- In the Welcome page of the Wizard, name the filter FTP Port 21 and click Next.
- On the Filter Mode page, select the Allow packet transmission option and click Next.
- On the Filter Type page, select the Custom option and click Next.
- On the Filter Settings page, match the settings as seen in the figure below. Then click Next.
- On the Local Computer page, select either the Default IP addresses for each external interface on the ISA Server computer option, or select the This ISA Server’s external IP address option, depending on whether you have more than one IP address bound to the external interface of the ISA Server. Then click Next.
- On the Remote Computers page, select the All remote computers option if you want all computers to be able to access the FTP server, or select the Only this remote computer option if you want only a single external computer to access the FTP server. Then click Next.
- On the final page of the wizard you confirm your settings. If everything looks good, click Finish.
- Repeat the process. However, for step 1 call it FTP Port 20 and for step 5 you should make the selections as seen in the figure below.
Note that with these packet filters clients can only use PORT mode to connect to the FTP server. The reason for this is that PASV mode requires that the FTP client be able to connect to any ephemeral port on the ISA Server, which would defeat the purpose of your packet filters. PASV mode FTP servers that are managed with packet filters are a special problem; they should be located on DMZ segments where the lower level of security that packet filtering provides is acceptable.
Method Two: Use Server Publishing Rules
The second way you can publish an FTP server is by using Server Publishing or Web Publishing rules. The nice thing about doing it this way is that you can have PASV mode clients connect to the FTP server because the FTP Access Application Filter takes care of connection management issues. Therefore, you don’t have to open a multiplicity of packet filters to allow PASV mode connections.
Step 1: Disable Socket Pooling for the FTP Service
The first thing you need to do is disable Socket Pooling for the FTP Service. Socket Pooling allows an IIS 5.0 service to listen on all IP addresses assigned to a particular server. This happens in spite of you configuring the FTP service to listen only on a single interface.
Perform these steps to disable Socket Pooling for the FTP Service:
- Open a command prompt and navigate to the \Inetpub\Adminscripts\ folder
- Type net stop msftpsvc and press [ENTER]
- Type in the following command: cscript adsutil.vbs set msftpsvc/disablesocketpooling true and then press [ENTER].
- You should see what appears below.
- At the command prompt type net start msftpsvc and press [ENTER].
- Now let’s run netstat -na again. You should see what appears below.
- Notice that TCP port 21 is now listening on 192.168.1.186 and is no longer listening on 0.0.0.0. No more socket pooling for Port 21! Now you can publish the FTP service on the internal interface (almost, you actually have to make a registry change too).
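A quick way to confirm the result of this step is to parse the netstat -na output and check where TCP port 21 is bound. The following is an added example, not part of the original article: the two netstat excerpts are constructed to mirror the before and after states described above, and 192.168.1.186 is the internal address used on this page.

```python
import re

# Constructed netstat -na excerpts in the Windows layout. The first shows the
# socket-pooling state (port 21 bound to 0.0.0.0), the second the state this
# step is meant to produce (port 21 bound to the internal address only).
NETSTAT_POOLED = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    192.168.1.186:139      0.0.0.0:0              LISTENING
"""
NETSTAT_FIXED = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.186:21       0.0.0.0:0              LISTENING
  TCP    192.168.1.186:139      0.0.0.0:0              LISTENING
  TCP    192.168.1.186:21       203.0.113.9:40012      ESTABLISHED
"""

# Only TCP sockets in LISTENING state matter; established sessions are ignored.
_LISTENING = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)


def tcp_listeners(netstat_output, port):
    """Return the local addresses on which TCP `port` is in LISTENING state."""
    return sorted({addr for addr, p in _LISTENING.findall(netstat_output)
                   if int(p) == port})


def socket_pooling_verdict(netstat_output, internal_ip, port=21):
    """Classify the FTP listener: 'pooled' (bound to 0.0.0.0, i.e. socket
    pooling is still on), 'internal-only' (the goal of this step),
    'not-listening', or 'other-address' (bound somewhere unexpected)."""
    addrs = tcp_listeners(netstat_output, port)
    if not addrs:
        return "not-listening"
    if "0.0.0.0" in addrs:
        return "pooled"
    if addrs == [internal_ip]:
        return "internal-only"
    return "other-address"


if __name__ == "__main__":
    for label, output in (("before", NETSTAT_POOLED), ("after", NETSTAT_FIXED)):
        print(label, tcp_listeners(output, 21),
              socket_pooling_verdict(output, "192.168.1.186"))
```

On the ISA Server itself you would feed the real output of netstat -na to these functions instead of the constructed strings.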
Step 2: Configure the FTP Service to Listen Only on the Internal Interface
Now that the dreaded socket pooling feature is disabled for the FTP service, the next step is to configure the IIS 5.0 FTP Service to listen on the internal interface. You will use this interface in your Server Publishing Rule.
- Open the Internet Information Services console from the Administrative Tools menu.
- Right click on the default FTP site and click Properties.
- In the Default FTP Site Properties dialog box you will see what appears below. Actually, you won’t see what appears below until you click the down-arrow in the drop-down list box for TCP Port. Note that I have two IP addresses on this particular computer. I will select 192.168.1.186 with the intent of having the FTP service listen on that IP address only. After making the selection, click Apply and then OK.
- After making these changes, stop the FTP Service and restart it.
Step 3: Disable the FTP Port Attack Protection
Some implementations of FTP servers allow a PORT command to open a connection between the FTP server and an arbitrary port on another machine. This allows an attacker to establish connections to arbitrary ports on machines other than the one the command actually came from.
By default, IIS 5.0 prevents this behavior and blocks connections from machines other than the client that initiated the connection. However, since the ISA Server needs to act on behalf of the source host, we have to disable this mechanism.
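The following added example (not code from the original article) models two of the points made on this page: why the Method One packet filters permit only PORT mode data connections, and what the IIS 5.0 port attack check described above actually tests. The filter directions, the client address 203.0.113.9 and the proxy address 192.168.1.1 are constructed assumptions; 192.168.1.186 is the internal address used on this page.

```python
import re

# Constructed model of the two Method One packet filters: TCP to local port 21 from
# any remote port, and TCP from local port 20 to any remote port (the PORT-mode data
# connection that the server opens itself). The direction labels are assumptions.
PACKET_FILTERS = (("FTP Port 21", "inbound", 21), ("FTP Port 20", "outbound", 20))

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 field shared by PORT and the 227 PASV reply."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def filter_permits(direction, local_port):
    """True if one of the fixed-port filters covers this direction and local port."""
    return any(d == direction and p == local_port for _, d, p in PACKET_FILTERS)


def port_mode_data_allowed(port_command):
    """PORT mode: the server connects out from local port 20 to the client."""
    parse_host_port(port_command)  # validate the command; the target side is remote
    return filter_permits("outbound", 20)


def pasv_mode_data_allowed(pasv_reply):
    """PASV mode: the client connects in to the ephemeral port named in the 227 reply."""
    _server_ip, data_port = parse_host_port(pasv_reply)
    return filter_permits("inbound", data_port)


def port_target_matches_client(port_command, control_peer_ip):
    """The check IIS 5.0 applies by default (EnablePortAttack=0): the address in
    PORT must be the peer of the control connection, otherwise it is a bounce."""
    target_ip, _port = parse_host_port(port_command)
    return target_ip == control_peer_ip


if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.9 plays the Internet client.
    print(port_mode_data_allowed("PORT 203,0,113,9,19,137"))                          # True
    print(pasv_mode_data_allowed("227 Entering Passive Mode (192,168,1,186,19,137)"))  # False
    print(port_target_matches_client("PORT 203,0,113,9,19,137", "203.0.113.9"))        # True
    # When the ISA Server acts on the client's behalf, the control connection no longer
    # arrives from the address in PORT, so the default check fails (hence this step).
    print(port_target_matches_client("PORT 203,0,113,9,19,137", "192.168.1.1"))        # False
```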
For more information on the “bounce” attack, check out:
- Change the EnablePortAttack value to 1
- Close Regedt32 and restart the FTP service.
Step 4: Create the Publishing Rule
The last step is to create the publishing rule. You can use either the Web Publishing Wizard or the Server Publishing Wizard. The advantage of the Web Publishing Wizard is that you can publish multiple FTP servers using the same IP address. If you use the Server Publishing Wizard, you can only publish a single FTP server (using TCP Port 21) per IP address.
In this example we’ll use the Server Publishing Wizard.
- Open the ISA Management console, expand your server and then expand the Publishing node. Right click on Server Publishing Rules, click New and then click Rule.
- On the Welcome page type a name for the FTP server publishing rule then click Next.
- On the Address Mapping page, type in the IP address of the internal interface of the ISA Server in the IP address of internal server text box and the IP address of the external interface in the External IP address on ISA Server text box, as seen below. Then click Next.
- On the Protocol Settings page select the FTP Server protocol, then click Next.
- On the Client Type page select either the Any request or the Specific computers option, depending on whether you wish to limit access to a specific set of computers. In this example, we’ll choose the Any request option. Click Next.
- On the last page of the Wizard, confirm your settings and click Finish.
Your FTP server is now ready to accept connections. One thing you might want to check if things don’t work is the status of the FTP Access Application Filter. This Filter is enabled by default. However, you might have disabled it and forgotten to re-enable it. If it is disabled, make sure you enable it.
In this article you learned the steps involved with publishing an FTP server located on the ISA Server itself. You saw that there are four steps:
- Disable Socket Pooling
- Disable the FTP Port Attack protection (set EnablePortAttack to 1)
- Configure the FTP Service to use the internal interface of the ISA Server
- Publish the FTP server on the internal interface of the ISA Server
Of course, the best way to publish an FTP Server is to place the server on the internal network, and not run any IIS services on the ISA Server itself. However, sometimes there just isn’t enough money to do that.
I hope you found this article interesting and/or helpful. If you have any questions on the issues brought up in this article, please post them on the www.isaserver.org message boards. You can also write to me at [email protected] and I’ll get to you as soon as I can. Please put the title of this article in the subject line. Thanks! –Tom.