Publishing FTP server on ISA

Use Server Publishing Rules


Step 1 : Disable Socket Pooling for the FTP Service


The first thing you need to do is disable Socket Pooling for the FTP Service. Socket Pooling allows IIS to listen on all IP addresses assigned to a particular server, rather than only on the address you configure.


You can check this by typing the following command at the command prompt: netstat -na. With Socket Pooling enabled, TCP port 21 is shown as listening on 0.0.0.0.




Perform these steps to disable Socket Pooling for the FTP Service :



  1. Open a command prompt and navigate to the \Inetpub\adminscripts\ folder.

  2. Type net stop msftpsvc and press [ENTER].

  3. Type cscript adsutil.vbs set msftpsvc/disablesocketpooling true and press [ENTER].

  4. Type net start msftpsvc and press [ENTER].

Check with netstat -na to confirm that TCP port 21 is now listening on one IP address instead of on 0.0.0.0.
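As an added check for this step (example code, not part of the original article), the following Python script parses netstat -na output and reports whether TCP port 21 is still bound to the 0.0.0.0 wildcard; the two netstat listings it contains are constructed samples of the before and after state.

```python
import re
from typing import List

# Constructed sample of "netstat -na" output on a host where socket pooling is still
# enabled: TCP port 21 is bound to the wildcard address 0.0.0.0 (every interface).
NETSTAT_POOLING = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.1:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.1:21         192.168.1.50:1033      ESTABLISHED
"""

# The same host after Step 1: port 21 is bound to the internal address only.
NETSTAT_FIXED = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.1:21         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""

# One netstat line for a listening TCP socket: "TCP  local:port  foreign  LISTENING".
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)

def tcp_listeners(netstat_output: str, port: int) -> List[str]:
    """Return the local addresses on which TCP `port` is in LISTENING state."""
    addrs = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(2)) == port:
            addrs.append(m.group(1))
    return addrs

def socket_pooling_disabled(netstat_output: str, port: int = 21) -> bool:
    """True when the port listens on exactly one specific address and not on the
    0.0.0.0 wildcard, which is what Step 1 is meant to achieve."""
    addrs = tcp_listeners(netstat_output, port)
    return len(addrs) == 1 and addrs[0] != "0.0.0.0"

if __name__ == "__main__":
    for label, out in (("before", NETSTAT_POOLING), ("after", NETSTAT_FIXED)):
        print(label, tcp_listeners(out, 21), socket_pooling_disabled(out))
```

On a real host, pipe the output of netstat -na into the script or paste it in place of the sample strings.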


Step 2 : Configure the FTP service to listen only on the internal interface



  1. Open the Internet Information Services console from the Administrative Tools.

  2. Right click on the Default FTP Site and click Properties.

  3. In the Default FTP Site Properties dialog box, select the IP address on which your FTP server must listen, click Apply and then OK.

  4. After making these changes, restart the FTP Service.

Step 3 : Disabling the FTP Port Attack Setting


Some implementations of FTP servers allow a PORT command to open a connection between the FTP server and an arbitrary port on another machine. This allows an attacker to establish connections to arbitrary ports on machines other than the actual source machine.


To disable the Port Attack Setting, perform the following steps:



  1. Open Regedt32 and go to the following key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters\
    The default setting is 0.

  2. Change the EnablePortAttack value to 1.

  3. Close Regedt32 and restart the FTP service.
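As an added example (not from the original article) of the behaviour this step is about, the following Python code applies the two checks a hardened FTP server or a log reviewer makes on PORT commands: the data address must be the client's own address and the port must not be a privileged one. It runs over a constructed control-channel log, not real server output.

```python
import re
from typing import List, Optional, Tuple

# Constructed FTP control-channel log (not real server output): "client_ip command".
SAMPLE_LOG = """\
192.168.1.50 USER anonymous
192.168.1.50 PORT 192,168,1,50,4,9
192.168.1.50 RETR readme.txt
192.168.1.50 PORT 10,0,0,7,0,25
192.168.1.50 PORT 192,168,1,50,0,80
"""

# PORT h1,h2,h3,h4,p1,p2 : address h1.h2.h3.h4, port p1*256+p2 (RFC 959).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)

def parse_port(command: str) -> Optional[Tuple[str, int]]:
    """Decode a PORT command into (ip, port); None if it is not a valid PORT."""
    m = PORT_RE.match(command)
    if not m:
        return None
    h = [int(x) for x in m.groups()]
    if any(v > 255 for v in h):
        return None
    return f"{h[0]}.{h[1]}.{h[2]}.{h[3]}", h[4] * 256 + h[5]

def port_command_problem(client_ip: str, command: str) -> Optional[str]:
    """Apply the two checks a hardened FTP server makes before honouring PORT:
    the data address must be the client's own and the port must be >= 1024.
    Returns a reason string when the command should be refused, else None."""
    parsed = parse_port(command)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != client_ip:
        return f"data connection requested to third-party host {ip}:{port}"
    if port < 1024:
        return f"data connection requested to privileged port {port}"
    return None

def audit(log: str) -> List[Tuple[str, str]]:
    """Return (client_ip, reason) for every PORT command a bounce-aware server should refuse."""
    findings = []
    for line in log.splitlines():
        client, _, cmd = line.partition(" ")
        reason = port_command_problem(client, cmd)
        if reason:
            findings.append((client, reason))
    return findings
```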

Step 4 : Create the Publishing Rule


If you use the Web Publishing Wizard you can publish multiple FTP Servers with the same IP address on the external interface of the ISA Server. If you use the Server Publishing Wizard, you can only publish a single FTP server per IP address.



  1. Open the ISA Management console, expand your server and then expand the Publishing node. Click on Server Publishing Rules, click New and then click Rule.

  2. On the Welcome page type a name for the FTP server publishing rule then click Next.

  3. On the Address Mapping page, type the IP address of the internal interface of the ISA server in the IP address of internal server text box and the IP address of the external interface in the External IP address on ISA server text box, then click Next.

  4. On the Protocol Settings page select FTP Server protocol, then click Next.

  5. On the Client Type page select either Any request or Specific computer option, click Next.

  6. On the last page of the wizard, confirm your settings and click Finish.


Secure FTP Server Publishing


When you use the standard ftp.exe program included in Windows 2000, a user has to authenticate against the FTP server. This means a user must enter a username and a password before he or she can access the FTP server. After successfully authenticating, the user can download or upload files.


The problem with FTP server authentication is that anyone with a network sniffer program can capture your authentication request. The username and password are sent in clear text over the Internet. If the files the user downloads are in clear text format, someone with a network sniffer program can capture your files and read their contents. This can be a major security risk.


Since SSL is not supported by this standard tool (ftp.exe), we can use IPSec to encrypt only the FTP traffic between the client and the ISA server.


Step 1: Creating an IP Filter List on the ISA server



  1. Open Local Security Policy from the Administrative Tools menu.

  2. Expand IP Security Policies on Local Machine.

  3. You see a list of three default policies. These policies cover more traffic than we want to encrypt, so we create a new policy instead.

  4. Right click on IP Security Policies on Local Machine.

  5. Select Manage IP filter lists and filter actions.

  6. On the Manage IP Filter Lists tab, click Add.

  7. In the IP Filter List dialog box, type a name for the filter list, for example FTP Secure, and click Add.

  8. The IP Filter Wizard starts; click Next.

  9. On the IP Traffic Source page, select A specific IP Address from the list box. In the IP Address text box, type the external IP address of the ISA server and click Next.

  10. On the IP Traffic Destination page, select Any IP Address from the list box and click Next.

  11. On the IP Protocol Type page, select TCP from the list box and click Next.

  12. On the IP Protocol Port page, select
    From any port
    To this port : 21

  13. Click Next and then Finish.

  14. Click Close, and Close again.


We have just created an IP Filter List; now it is time to create the actual policy.


Step 2: Creating an IP Security Policy on the ISA server



  1. Right click on IP Security Policies on Local Machine.

  2. Select Create IP Security Policy.

  3. On the Welcome page click Next.

  4. On the IP Security Policy Name page, type in the name of the policy in the text box, example FTP Security Policy, if you want you can add additional comments, otherwise click Next.

  5. On the Request for Secure Communications page, check Activate the default response rule and click Next.

  6. On the Default Response Rule Authentication Method page, choose one of the authentication methods, but beware: if the target computer (the one you want to set up an IPSec connection with) is not part of the domain, you cannot use Kerberos. If you are sure that the target computer has a computer certificate from your CA or a trusted CA, you can use certificate-based authentication. Otherwise select Use this string to protect the key exchange. In my example I use a preshared key.

  7. Enter a string, let’s say protectftp, click Next.

  8. Be sure Edit Properties is checked and click Finish.

  9. A new FTP Secure Wizard dialog box shows up, click Add.

  10. On the Security Rule Wizard dialog box, click Next.

  11. On the Tunnel Endpoint page, select This rule does not specify a tunnel, click Next.

  12. On the Network Type page, select All connections, click Next.

  13. On the Authentication Method page select Use this string to protect the key exchange, choose let’s say the same as above (protectftp), click Next.

  14. On the IP Filter List page, select FTP Secure from the listview, click Next.

  15. On the Filter Action page, select Request Security from the listview, click Next.

  16. Uncheck Edit Properties and click Finish.

  17. Close the dialog box.

  18. Right click on the FTP Secure policy and select Assign.

  19. The policy does not take effect immediately; you have to restart the IP Security Policy Agent from the Services console in Administrative Tools.

Step 3: Creating an IP Filter List on the target computer


The target computer is the computer that connects to your ISA server. In practice it is a computer on the Internet.



  1. Open Local Security Policy from the Administrative Tools menu.

  2. Expand IP Security Policies on Local Machine.

  3. You see a list of three default policies. These policies cover more traffic than we want to encrypt, so we create a new policy instead.

  4. Right click on IP Security Policies on Local Machine.

  5. Select Manage IP filter lists and filter actions.

  6. On the Manage IP Filter Lists tab, click Add.

  7. In the IP Filter List dialog box, type the name of the filter, example FTP Secure, click Add.

  8. An IP Filter Wizard shows up, click Next.

  9. On the IP Traffic Source page, select My IP Address from the list box, click Next.

  10. On the IP Traffic Destination page, select A specific IP Address from the list box. In the IP Address text box, type the external IP address of the ISA server and click Next.

  11. On the IP Protocol Type page, select TCP from the list box, click Next.

  12. On the IP Protocol Port page, select
    From any port
    To this port : 21

  13. Click Next and Finish.

  14. Close and Close again.
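As an added example (not from the original article) covering the filter lists of Step 1 on the ISA server and Step 3 on the target computer, the following Python model evaluates the Step 3 filter against the connections an FTP session makes; it assumes the IP Filter Wizard's default Mirrored setting and uses constructed addresses. It shows that the filter selects the control channel in both directions, but that the data channel (port 20 in active mode, a high port in passive mode) does not match the "To this port: 21" filter and so is not covered by this policy.

```python
from dataclasses import dataclass
from typing import Optional

# One Windows 2000 IPSec filter as the IP Filter Wizard builds it: addresses,
# protocol, source/destination port; None means "any". Mirrored is the wizard default.
@dataclass(frozen=True)
class IpFilter:
    src_ip: Optional[str]
    dst_ip: Optional[str]
    proto: str
    src_port: Optional[int]
    dst_port: Optional[int]
    mirrored: bool = True

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

def _match_one_way(f: IpFilter, p: Packet) -> bool:
    return (f.proto == p.proto
            and f.src_ip in (None, p.src_ip) and f.dst_ip in (None, p.dst_ip)
            and f.src_port in (None, p.src_port) and f.dst_port in (None, p.dst_port))

def matches(f: IpFilter, p: Packet) -> bool:
    """True if the packet matches the filter as written or, for a mirrored
    filter, with source and destination swapped."""
    if _match_one_way(f, p):
        return True
    return f.mirrored and _match_one_way(
        f, Packet(p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto))

# Constructed addresses: the target computer (My IP address) and the ISA external interface.
CLIENT_IP, ISA_EXT_IP = "203.0.113.10", "198.51.100.1"
# The Step 3 filter: My IP address -> ISA external address, TCP, from any port to port 21.
FTP_SECURE = IpFilter(CLIENT_IP, ISA_EXT_IP, "TCP", None, 21)
CONTROL_OUT = Packet(CLIENT_IP, 1033, ISA_EXT_IP, 21)     # client -> ISA:21
CONTROL_IN = Packet(ISA_EXT_IP, 21, CLIENT_IP, 1033)      # ISA:21 -> client (mirrored)
DATA_ACTIVE = Packet(ISA_EXT_IP, 20, CLIENT_IP, 1034)     # active-mode data channel
DATA_PASSIVE = Packet(CLIENT_IP, 1035, ISA_EXT_IP, 3421)  # passive-mode data channel

def covered_by_filter() -> dict:
    """Which FTP connections the Step 3 filter selects for IPSec negotiation."""
    return {name: matches(FTP_SECURE, pkt) for name, pkt in
            (("control_out", CONTROL_OUT), ("control_in", CONTROL_IN),
             ("data_active", DATA_ACTIVE), ("data_passive", DATA_PASSIVE))}
```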

Step 4 : Creating an IP Security Policy on the target computer



  1. Right click on IP Security Policies on Local Machine.

  2. Select Create IP Security Policy.

  3. On the Welcome page click Next.

  4. On the IP Security Policy Name page, type in the name of the policy in the text box, example FTP Security Policy, if you want you can add additional comments, otherwise click Next.

  5. On the Request for Secure Communications page, check Activate the default response rule and click Next.

  6. On the Default Response Rule Authentication Method page, select Use this string to protect the key exchange. In my example I use a preshared key.

  7. Enter the same string as you chose on the ISA server, let’s say protectftp, click Next.

  8. Be sure Edit Properties is checked and click Finish.

  9. A new FTP Secure Wizard dialog box shows up, click Add.

  10. On the Security Rule Wizard dialog box, click Next.

  11. On the Tunnel Endpoint page, select This rule does not specify a tunnel, click Next.

  12. On the Network Type page, select All connections, click Next.

  13. On the Authentication Method page select use this string to protect the key exchange, choose let’s say the same as above (protectftp), click Next.

  14. On the IP Filter List page, select FTP Secure from the list view, click Next.

  15. On the Filter Action page, select Request Security from the list view, click Next.

  16. Uncheck Edit Properties and click Finish.

  17. Close dialog box.

  18. Right click on the FTP Secure policy and select assign.

  19. The policy does not take effect immediately; you have to restart the IP Security Policy Agent from the Services console in Administrative Tools.

Note: It is important to use the same preshared key on both systems; otherwise a connection cannot be established.


Step 5: Testing the connection



  1. Open a command prompt and type ftp external_IP_ISA [ENTER]

  2. Login with a valid user account or anonymous and download your files.

  3. If you have Network Monitor installed, you will see ISAKMP and ESP packets. FTP traffic from your client computer to the ISA server is encrypted. The traffic between the ISA server and your internal network is unencrypted.

Note: You can only use IPSec on Windows 2000 and Windows XP clients; IPSec is not supported on the Windows 9x family.


 
