This document is Copyright by Hadyn-wang. Redistribution of this document is permitted as long as the content remains completely intact and unchanged. In other words, you may reformat and reprint or redistribute only. If you have some problem or puzzle, please contact me.
Now, Let’s talk about how to install an FTP server behind Microsoft Internet Security and Acceleration Server 2000 with non-standard port.
As we know, Microsoft Internet Security and Acceleration Server 2000 is a new firewall product. It provides excellent security and reduced total cost of ownership. We can place our servers, such as Web Servers, Exchange Servers and others behind the ISA server and keep them safe from Internet intruders. At the same time, ISA server can work as a Firewall mode and some kinds of Hardware Firewall properties.
This document will help all of you who want to install an FTP server behind ISA server with any non-standard port. This is very easy to do. I think after you read this article, you can publish virtually any service to the Internet with any port you like.
A Sample Network Topology
Ok, Let’s begin.
To help in visualizing our publishing scenario, we will look at how “company A” has set up its network infrastructure. We have an internal network with two gateways. The staff in the company can access the Internet through a 2M DDN or an ADSL interface. The network infrastructure looks like below.
The Network Client IP range is:
These IP addresses should be included in the LAT.
The Network Subnet Mask is 255.255.255.0 for all networks. ISA Server is installed on the server 10.0.0.2 and the FTP server installed on the client 10.0.0.50.
First of all, let’s install the ISA Server on the Server 10.0.0.2, and install the FTP server on the client 10.0.0.50. The Firewall Client software must be installed on the FTP server. Ok, after doing this, we have finished our preparation for publishing the FTP server.
Before you publish your FTP server, make sure that the alternative port you wish to use isn’t being used by another service. Port typically already in use by your system or other services, include port 443, 53, 8080, or others like this. For example, you can use the port 65535, the last port in windows systems.
In this example we use the Serv-U FTP server for our FTP service. The FTP Server’s configuration as below:
After you finish making the change, click OK. In this example, Serv-U is listening to port 65535. Then add some users who you want to access your ftp server.
The next step requires that you create an wspcfg.ini file, which you will place in the Serv-U’s folder. The file contents should look like this:
ServerBindTcpPorts=65535 ßThis number is the port number which you want to use
LocalBindTcpPorts=20 ß Rember,don’t change this number
KillOldSession=1 ß If you have some problems, try to change “1” to”0″
Save the file and close it.
Using the CREDTOOL.EXE Application at the FTP Server
Now, let’s turn to your Firewall Client software folder on the FTP server. You should find the file credtool.exe and use this command with some parameters to add the security information to the client pc’s registry. For example:
CREDTOOL [-r|-w|-d] -n appname [-c User Domain Password]
-r reads the credentials
-w writes, or stores the credentials
-d deletes the credentials
-n appname specifies the name of the application executable
file without the extension
-c user domain password specifies the account credentials
This command should be used only when your ISA server outbound access controls are configured to require authentication. In many companies, the network administrator will use access controls to restrict employees accessing the Internet. Each person who wants to access the Internet must have the valid user name and password. The staff will have all kinds of rights, such as upload, download, listen to the online music, visit the specified web site, and so on.
If you want the FTP server to work correctly through your ISA server, you must do some configuration using credtool.exe to add the security information in your PC’s registry. The FTP server will be asked the valid user name and password when it’s running. Don’t worry about it. This information is only passed through the internal network.
You see, we have finished the configuration of the FTP server on the ISA Server client PC. Let’s turn to ISA server.
Creating a Protocol Definition
At this time, if you want to publish a server to the Internet using ISA server, you must have a protocol definition with its primary connection set for inbound access. You will have to create a custom FTP server Protocol Definition that uses the alternate port number. Let’s go through the process.
For example, we add a new protocol which definition name is “new service”, then click Next to continue.
On the Primary Connection Information page, you should edit the port number to 65535 (or whatever alternate port number you wish to use), the protocol type is TCP. Make sure no other service is using this port! Then select the Direction as Inbound. After doing this, click Next.
The Secondary Connections page asks you whether you want to use the secondary connections when you publish this service. Since you don’t require secondary connections, just click Next.
On Completing the New Protocol Definition page, you will see all of your settings for the Protocol Definition. You can review it now. If you find something wrong, you could click the Back button to correct it.
Click Finish to save it when you have no doubts about your settings.
Creating the Publishing Rule
After we create the new Protocol Definition named new service, we can create a Server Publishing Rule that uses this Protocol Definition. We must create the Publishing Rule because we know that ISA will refuse each connection from any port, if they have not been published or have a static packet filter in place. So we must let ISA know which port it can use to accept inbound connections to our FTP server that uses an alternate port number.
Ok, take it easy; let’s see what will happen.
At the ISA Management console, expand your server, expand the Publishing node, and right click Server Publishing Rules to publish your internal service.
On the Server Publishing Rules, click right, then click New and then click Rule.
We can use the same name, new service, to publish our FTP server.
Click Find to find the FTP server on your internal network, or just type in the IP address. Click Browse to select the Internet IP address, which is used by ADSL line in this example. If the xDSL modem hasn’t dial up to Internet, please do it manually.
You must have an external IP address when you make configuration changes on this page because the external IP address will not show up on dial-up connections until the dial-up connection has been established and an IP address has been assigned to the external interface. Note that while this rule will work with dial-up connections that use static IP addresses, the rule will fail if you use dynamic IP addresses. The reason for this is that the Server Publishing Rule will not automatically change the external IP address to match the new one assigned to the external interface.
Remember: If you don’t have a static Internet IP address, you must change this option manually each time you IP address changes.
Select the protocol new service (or whatever name you assigned to your Protocol Definition) to apply this rule, click Next again.
If you want everyone to access your service, please select Any request. If you want to use it with some restrictions, select specific computers and confirm the client IP address setting. If you wondering how to do it , please refer to the ISA Server Help File.
At last, review your configuration. If everything is ok, click finish to save it.
Congratulations! We have finished the configuration of FTP server Publishing Rule. You have succeeded in publishing an FTP server behind ISA Server using non-standard ports. Make sure to restart your FTP server and enjoy your new service now.
You can modify the configuration for any service that you want to publish to the Internet. More important of all, ISA Server is the upgrade version of MS Proxy Server 2.0; many functions are inherited from MS Proxy Server 2.0. So if you have some question about ISA, try to use the same way in MS Proxy Server 2.0,maybe you will obtain the new discovery, good luck.