Publishing FTP Sites with an Alternate Port using ISA Server 2004 Firewalls

One of the most common requests seen on the Web boards here at www.isaserver.org is for instructions on how to publish an FTP site on an alternate port. There are a number of reasons why someone might want to publish an FTP site on an alternate port. For example, some ISA admins feel that they’ll benefit from a measure of security through obscurity if FTP access is enabled using a port other than TCP 21. Other ISA admins, believe it or not, actually want to publish an FTP site on an alternate port in order to violate their ISP’s Terms of Service policy.



Whatever the reason, ISA Server 2000 did not support publishing FTP sites on an alternate port. The reason for this was that FTP is a complex protocol which requires an application filter on the ISA Server 2000 firewall to support it. While it is possible to publish an FTP site on an alternate port using ISA Server 2000, you have to use the Firewall client on the FTP server and then create a wspcfg.ini file and place that in the FTP server’s application directory. While it worked, it was cumbersome and not altogether reliable.



While I don’t have an application filter to give you for ISA Server 2000, I do have something better: ISA Server 2004. ISA Server 2004’s Server Publishing Feature allows you to customize the ports used by any protocol you use in a Server Publishing Rule, even Protocols that have been installed by application filters, like the FTP protocol. This increased flexibility over Server Publishing allows you to publish FTP servers using an alternate port number without creating error prone config file or needing to install the Firewall client on the published server.


The procedure is very straightforward. In this article we’ll cover the following steps that are required to publish the FTP server on an alternate port:



  • Install and Configure the FTP Site
  • Create the FTP Server Publishing Rule
  • Make the Connection

The figure below shows the basic network topology for this example.



Install and Configure the FTP Site


The first step is to install and configure the FTP site on the Server on the internal network. In this example, we will install the FTP site on a Windows Server 2003 machine. We will cover the following steps:



  • Install the FTP Server Service
  • Configure the Default FTP Site

Perform the following steps to install the FTP Server service on the Windows Server 2003 computer:



  1. Click Start and point to Control Panel. In the Control Panel menu, click the Add or Remove Programs entry.
  2. In the Add or Remove Programs window, click the Add/Remove Windows Components button on the left side of the window.
  3. In the Windows Components dialog box, click the Application Server entry in the Components list, then click the Details button.
  4. In the Application Server dialog box, click the Internet Information Services entry and click Details.
  5. In the Internet Information Servers (IIS) dialog box, put a checkmark in the File Transfer Protocol (FTP) Service checkbox and click OK.
  6. Click OK in the Application Server dialog box.
  7. Click Next on the Windows Components page.
  8. In the Insert Disk dialog box, click OK. In the Files Needed dialog box, point the installer to the location of the i386 folder of the Windows Server 2003 CD in the Copy files from text box. Click OK in the File Needed dialog box.
  9. Click Finish on the Completing the Windows Components Wizard page.
  10. Wait for the installation to finish and then close the Add or Remove Programs window.

The next step is to configure the IIS FTP service. Perform the following steps to configure the IIS FTP service on the Windows Server 2003 machine:



  1. Click Start and point to Administrative Tools. Click on Internet Information Services (IIS) Manager.
  2. In the Internet Information Services (IIS) Manager console, expand your server name, then expand the FTP Sites node.
  3. Right click on the Default FTP Site node and click Properties.



  1. In the Default FTP Site Properties dialog box, click on the FTP Site tab. In the IP address list, select the actual IP address of the FTP site.



  1. Click on the Messages tab. Enter a banner entry in the Banner text box. Enter a welcome statement in the Welcome text box. Enter an exit message in the Exit text box. Enter a statement to be returned to users when the FTP site has reached it maximum number of connections in the Maximum connections text box.



  1. Click on the Home Directory tab. Make a note of the default local path for the FTP directory structure. In this example we will use the default path, which is c:\interpub\ftproot. Put a checkmark in the Write checkbox so that we can test FTP upload capabilities. Note that you do not want to enable write access to your FTP site without creating strong NTFS permissions on the FTP directories.



  1. Click Apply and then click OK in the Default FTP Site Properties dialog box.
  2. Stop and restart the FTP site using the stop and start buttons in the MMC button bar.



Create the FTP Server Publishing Rule


We’re ready to create the FTP Server Publishing Rule now that the FTP site is ready. This FTP Server Publishing Rule will demonstrate the flexibility you have in protocol behavior in Server Publishing using ISA Server 2004 firewalls.


Perform the following steps to create the FTP Server Publishing rule that will publish the FTP site on the alternate port of TCP 99:



  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand your server name. Click on the Firewall Policy node.
  2. Right click on the Firewall Policy node, point to New and click Server Publishing Rule.
  3. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the Server Publishing Rule in the Server publishing rule name text box. In this example we will name the rule FTP Server TCP Port 99. Click Next.



  1. On the Select Server page, enter the IP address of the FTP server on the internal network in the Server IP address text box. Click Next.



  1. On the Select Protocol page, select the FTP Server protocol from the Selected protocol list. After selecting the FTP Server protocol, click the Ports button.



  1. In the Ports dialog box, select the Publish on this port instead of the default port option in the Firewall Ports frame. In the Port text box, enter the value 99. Click OK.



  1. Click Next on the Select Protocol page.
  2. On the IP Addresses page, put a checkmark in the External checkbox. Then click the Address button.



  1. In the External Network Listener IP Selection dialog box, select the Selected IP addresses in this network option. Select the IP address on the external interface of the ISA Server 2004 firewall that you want to listen to the incoming FTP connections in the Available IP Addresses list, then click Add. The IP address then appears in the Selected IP Addresses list. Click OK.



  1. Click Next on the IP Addresses page.
  2. Click Finish on the Completing the New Server Publishing Rule Wizard page.
  3. Click the Apply button to save the changes and update the firewall policy.
  4. You now see the FTP Server Publishing Rule in the Details pane.


The next step is to create the connection to the alternate FTP site. Pay very close attention to the steps in the next section, as the initial connection attempt will fail. I want you to see the failure message so that you recognize it when you encounter it on your production networks.



Make the Connection


Now we’re ready to make the FTP connection using an alternate port number. In this example I have copied the contents Deploy folder that contains the Windows Server 2003 deployment tools in it to the FTP site. I have also create a file named ftplog that will be used to upload to the FTP site.


Perform the following steps to test the connection:



  1. Open a command prompt window. At the command prompt enter ftp and press ENTER. Next, at the FTP command prompt, enter open 192.168.1.70 99 (which is the IP address on the external interface of the ISA Server 2004 firewall in this example) and press ENTER. Enter the user name anonymous at the FTP command prompt and press ENTER, then enter a password (the password does not matter because this is an anonymous connection. After logging on enter dir. A list of files appears at the command prompt. Use the get command to download a file. The download will be successful. Next, use the put command to upload a file to the site. You will see an error message saying that Access Denied. Your ISA Server denied this operation.


The figure below shows each of these steps and the results of each step.




  1. The FTP protocol used in the Server Publishing Rule should have allowed us to upload and download to and from the FTP site. The problem with the upload was that we did not configure the FTP policy to allow uploads. We can fix this problem by going back to the Server Publishing Rule. Return to the ISA Server 2004 firewall computer and right click on the Server Publishing Rule, then click the Configure FTP command.



  1. In the Configures FTP protocol policy dialog box, remove the checkmark in the Read Only checkbox. Click Apply and then click OK.



  1. Click Apply to save the changes and update the firewall policy.
  2. Return to the Command Prompt on the external client computer. Repeat the upload attempt. You’ll see that you are now able to upload to the FTP site.



  1. If you observe the connection in the real time log monitor on the ISA Server 2004 firewall machine, you will see something interesting. Even though the external client is actually connecting to TCP port 99, the real time log monitor shows an inbound connection to TCP 21 on the internal network computer directly from the external client. You can see examples of this in the log file entries below that indicate they are associated with the FTP Server TCP Port 99 rule.



  1. Close the Microsoft Internet Security and Acceleration Server 2004 management console.


Conclusion


In this article we went over the procedures required to publish an FTP site on an alternate port. Unlike ISA Server 2000, which required an application filter or a special config file to make this work, ISA Server 2004 allows you to publish an FTP site on an alternate easy and quickly with a simple Server Publishing Rule.


I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=22;t=000008 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top