Step 1 : Disable Socket Pooling for the FTP Service
The first thing you need to do is disable Socket Pooling for the FTP Service. Socket Pooling allows IIS to listen on all IP addresses assigned to a particular server.
You can check this by typing the following command at the command prompt: netstat -na
Perform these steps to disable Socket Pooling for the FTP Service :
Check with netstat –na to confirm that TCP port 21 is now listening on one IP address instead of listening on 0.0.0.0.
Step 2 : Configure the FTP service to listen only on the internal interface
Step 3 : Disabling the FTP Port Attack Setting
Some implementations of FTP servers allow a PORT command to open a connection between the FTP server and an arbitrary port on another machine. This allows the attacker to establish connections to arbitrary ports on machines other than the actual source machine.
To disable the Port Attack Setting, perform the following steps:
Step 4 : Create the Publishing Rule
If you use the Web Publishing Wizard you can publish multiple FTP Servers with the same IP address on the external interface of the ISA Server. If you use the Server Publishing Wizard, you can only publish a single FTP server per IP address.
Secure FTP Server Publishing
The problem with FTP server authentication is that anyone with a network sniffer program can capture your authentication request. The username and password are sent in clear text over the Internet. If the files the user downloads are in clear text format, someone with a network sniffer program can capture your files and read their contents. This can be a major security risk.
Since SSL is not supported with this standard tool (ftp.exe), we can use IPSec to encrypt only FTP traffic from the client and to the ISA server.
Step 1: Creating a IP Filter List on the ISA server
We just created a IP Filter List, now it’s time to create the actual policy.
Step 2: Creating a IP Security Policy on the ISA server
Step 3: Creating a IP Filter List on the target computer
The target computer is the computer that connects to your ISA server. Actually it is a computer
Step 4 : Creating a IP Security Policy on the target computer
Note: It is important to use the same preshared key on both systems; otherwise a connection couldn’t be established.
Step 5: Testing the connection
Note: You can only use IPSec on Windows 2000 and Windows XP clients and IPSec is not supported on Windows 9x Family.