Publishing FTP Sites on an Alternate Port Number.
What ISA Server mystery do you think is the most difficult to solve? Publishing OWA using SSL? Making Conferencing Server work behind the ISA Server? Getting your warez apps like Morpheus and Kazaa to work? Judging by how often the question is asked, I figure the greatest ISA Server mystery is how to publish an FTP server using an alternate port number.
Publishing an FTP server on an alternate port number is a problem because ISA Server publishing works differently from the Proxy Server 2.0 method. For those of you used to working with Proxy Server 2.0, you know what a pain in the arse it was to do Server Publishing. You had to install the Winsock Proxy client on the FTP server, and then configure a cryptic wspcfg.ini file and place it in the proper directory.
Publishing an FTP server on the default port (TCP 21) is easy because the FTP Access Application Filter does most of the footwork for you. But when you want to publish an FTP site on an alternate port, the FTP Access Application Filter isn't going to help you a bit. You're going to have to do the footwork you did in the bad old days of Proxy Server 2.0.
There are just a few steps required:
- Disable the FTP Access Application Filter
- Change the FTP Site's Listening Port
- Install the Firewall client on the FTP Server
- Place a wspcfg.ini file in the appropriate folder
- Use the credtool.exe file to provide credentials to the Firewall service
- Create an "All Open" Protocol Rule that can be used by the account
Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder
That's all there is to it. Frankly, I see no reason to publish FTP sites on alternate ports (unless you actually believe in security through obscurity), but you can use this method to publish an FTP site using an alternate port number.
Disable the FTP Access Application Filter
First disable the FTP Access Application Filter:
- Open the ISA Management console, expand your server or array name, and then expand the Extensions node in the left pane of the console.
- Click on the Application Filters node in the left pane of the console.
- In the right pane of the console, right click the Ftp Access Filter entry and click Disable. Choose the option to restart the Firewall Service and click OK.
It might take a few moments for the Firewall service to restart. That's not a problem because you've got a few more things to do before publishing starts to work.
Change the FTP Site's Listening Port
The next step is to change the port number the FTP site is listening on.
- On the FTP server, open the Internet Information Services console from the Administrative Tools menu.
- Expand your server name and right click on Default FTP Site. Click the Properties command.
- On the FTP Site tab, type the alternate port number you want to use for the site in the TCP Port text box. In this example we'll use port number 12345. Click Apply and then click OK.
- Stop and restart the FTP service by clicking on the Stop and Start control buttons on the Internet Information Services button bar.
At this point the FTP server is listening on TCP port 12345. You can confirm this by running netstat -na | find ":12345" at the command prompt.
Install the Firewall Client
Proxy Server 2.0 used the Winsock Proxy client. Since ISA Server is new, they decided to rename the Winsock Proxy client and call it the Firewall client. The Winsock Proxy client and the Firewall client are interchangeable, and you can use either one to access both an ISA Server and a Proxy Server 2.0 machine.
- Log on as an Administrator on the FTP Server.
- Click the Start button and then click the Run command.
- At the Run dialog box, type \\<ISASERVERNAME>\mspclnt\setup.exe. Be sure to put in the appropriate name for your ISA Server. Click OK.
- Follow the instructions to install the Firewall client.
- After the Firewall client is successfully installed, restart the FTP Server.
You don't have to restart the FTP Server after the Firewall client software is installed, but I always feel better when I do.
Place a Wspcfg.ini File in the Appropriate Folder
In order to bind the appropriate ports on the external interface of the ISA Server, you have to create a wspcfg.ini file. I realize that the Firewall client configuration files are something of a black art. But Jim Harrison has gone a long way toward providing insight into exactly how these Firewall client configuration files work. Check out Jim's fantastic article on this subject at http://www.isaserver.org/authors/harrison/tutoials/isa-clients-part3.htm.
- Open Windows Explorer and navigate to the \WINNT\System32\inetsrv folder.
- Right click on an empty area in the right pane of the Explorer, point to New and click Text Document.
- Double click on the New Text Document.txt file.
- Type into Notepad the text that appears in the figure. Replace the 12345 entry with the port number you want to use to publish the FTP server on.
- Save the file with the name "wspcfg.ini" as seen in the figure below. It's important that you put the quotes around the name. If you don't, Notepad will append the ".txt" file extension to the end of the file name. Click Save.
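For reference, here is a wspcfg.ini in the shape this step calls for. This is an added example, not the figure from the original article: the section name is the executable the settings apply to (inetinfo, the IIS FTP service), the port 12345 is the example port used above, and the ServerBindTcpPorts, Persistent and KillOldSession keys are the Firewall client configuration keys as I know them from the Firewall client documentation, not values taken from this page.

```ini
; wspcfg.ini, placed in \WINNT\System32\inetsrv beside inetinfo.exe
; The section name is the application's executable name without ".exe";
; the Firewall client applies these settings only to that process.
[inetinfo]
; Ask the ISA Server Firewall service to listen on TCP 12345 on its external
; interface and hand incoming connections to inetinfo (the published FTP port).
ServerBindTcpPorts=12345
; Keep the binding on the ISA Server alive across control-channel drops.
Persistent=1
; Tear down a stale session for this application before creating a new one.
KillOldSession=1
```

As written, this asks for the port on the ISA Server generally, which is why the Testing section below sees the port bound on every interface. If you want the binding limited to one address, the Firewall client also recognizes a ProxyBindIp key (port:address syntax); I have left it out because the article's procedure does not use it, and you should confirm the syntax against Jim Harrison's article before relying on it.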
Use the Credtool.exe Utility to Send Credentials
If you're using outbound access controls based on user/group membership, you need a way to send credentials to the ISA Server Firewall Service. This is an issue because a server is usually not going to have a logged on user. You need a way for the FTP service (inetinfo.exe) to send credentials to the ISA Server without a logged on user. You could use client address sets to do this, but the credtool method is a bit cleaner, since you're going to have to create an "All Open" Protocol Rule to make this work.
First, create an account with a complex password that can be used by the FTP server to authenticate against the ISA Server. After you create the account using the Active Directory Users and Computers console, open a command prompt and enter the following information:
C:\>"\Program Files\Microsoft Firewall Client\credtool.exe" -w -n inetinfo -c ftpservice INTERNAL mypassword
Make sure that you replace ftpservice with the name of the account you created for the FTP Service to use. Replace the INTERNAL entry with the NetBIOS name of your Active Directory domain. Replace mypassword with the password that you gave to the FTP Service's domain account. If you entered everything correctly, you should see something like what you see below:
Create an All Open Protocol Rule
The FTP Service's user account must have access to all protocols. This is just part of the inherent nature of the FTP protocol: when the inetinfo service creates the secondary (data) connections, it needs outbound access on any port number, and this rule grants it. Make sure to keep that FTP Service account password secure!
- Open the ISA Management console, expand your server or array name, and expand the Access Policy node.
- Right click on Protocol Rules, point to New and click Rule.
- On the first page of the Wizard, type in the name of the Rule. I usually call it All Open. Click Next.
- Set the Rule Action as Allow and click Next.
- Set the Protocols for All IP traffic and click Next.
- Set the Schedule for Always and click Next.
- For the client type, select Specific users and groups and click Next.
- In the Users and Groups page, click the Add button.
- Select your domain name in the Look in drop down list box. Then double click on the user name in the list box. Click OK, then click Next.
- Click Finish on the last page of the Wizard.
That's it! Restart the FTP Server and let's start having some fun.
Testing the Configuration
After restarting the FTP server, go to the ISA Server and run a netstat -na | find "12345" at the command prompt. You should see something like this:
Now we know that the FTP server was able to bind TCP 12345 on the ISA Server. It looks like it's bound that port on all interfaces. Oh well, you weren't planning on using that port number for anything else anyway!
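The netstat check above is easy to eyeball for one port, but the "bound on all interfaces" observation is worth turning into a repeatable check, since a 0.0.0.0 binding means the published port also answers on the ISA Server's internal interface. The following is an added example of mine, not code from the article: it parses the connection table of Windows netstat -na output, lists the local addresses listening on a given port, and flags a wildcard binding. The netstat lines, the external address 192.0.2.10 and the internal address 10.0.0.1 are constructed sample data, not captures from a real ISA Server.

```python
"""Report which local addresses a published port is listening on, from 'netstat -na' output."""
import re
from typing import Dict, List, Optional

# Constructed sample of Windows 'netstat -na' output (not a real capture).
# 192.0.2.10 plays the ISA Server's external interface, 10.0.0.1 the internal one.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:12345       198.51.100.7:4123      ESTABLISHED
  TCP    192.0.2.10:1745        0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1745           *:*
"""

# One connection-table row: protocol, local addr:port, foreign addr, optional state.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)


def parse_netstat(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse the connection table into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            rows.append(match.groupdict())
    return rows


def listeners_on_port(text: str, port: int) -> List[str]:
    """Return the local addresses that hold a TCP listener on 'port' (established sessions are ignored)."""
    return [
        row["laddr"]
        for row in parse_netstat(text)
        if row["proto"] == "TCP"
        and int(row["lport"]) == port
        and row["state"] == "LISTENING"
    ]


def check_published_port(text: str, port: int, external_ip: str) -> Dict[str, object]:
    """Summarize whether the port is bound and whether it is exposed beyond the external interface.

    'wildcard' is True when the listener is on 0.0.0.0, i.e. every interface of the ISA Server,
    which is the situation the article notes after the Firewall client binds the port.
    """
    addrs = listeners_on_port(text, port)
    return {
        "bound": bool(addrs),
        "addresses": addrs,
        "wildcard": "0.0.0.0" in addrs,
        "external_only": addrs == [external_ip],
    }


if __name__ == "__main__":
    import sys

    # Usage on the ISA Server: netstat -na | python check_port.py 12345 <external ip>
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    port_arg = int(sys.argv[1]) if len(sys.argv) > 1 else 12345
    ext_arg = sys.argv[2] if len(sys.argv) > 2 else "192.0.2.10"
    print(check_published_port(data, port_arg, ext_arg))
```

With the sample data, port 12345 comes back as bound with a wildcard listener, which is exactly the "all interfaces" case; port 1745 comes back as bound on the external address only. On a real ISA Server, pipe netstat -na into the script and pass the published port and your external address.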
Go to an external network client and open up an FTP session using the Windows 2000 command line ftp application. You should be able to connect using PORT mode and get a directory listing.
How about some big fun? Configure Internet Explorer to use PASV mode. In IE 6.0 you have to configure the browser's Advanced Properties to use PASV mode and you should also configure it to use Folder View.
Now enter the FTP site info into the address bar, and you should be able to access the site using PASV:
Tips on Configuring FTP Publishing
From what you've read here, publishing an FTP server on an alternate port might sound easy. Well, it's sort of easy, but nothing comes both fast and easy in the computer business. When testing your configuration, you might want to reset the communication between the FTP server and the ISA Server. You don't need to restart the FTP server to reset the Firewall client connection. Try this:
- Stop the Firewall service
- Restart the Firewall service
- Stop the FTP service on the FTP server
- Restart the FTP service on the FTP server
- Confirm that the FTP server is communicating with the ISA Server by using the ISA Management console's Sessions node:
You should see SYSTEM as the account name and the name of the computer in the Firewall Session entry. Note that the user name and the computer name show up correctly because the Firewall client is correctly communicating this information to the ISA Server.
This is the last word on publishing FTP servers using an alternate port number. If you have another way of doing this, let me know, and then this won't be the last word! Note that this method will not work for publishing an FTP server on the ISA Server itself (you can't install the Firewall client on the ISA Server). If you have any problems with getting this to work, or questions on the technique, let me know at [email protected].