ISA 2004 won't allow FTP

Posted on 2006-03-20
Last Modified: 2013-11-16
I'm running ISA Server 2004 on a Windows 2003 server. I don't have much experience with ISA 2004. I set up an ISA firewall rule as follows:

Name: Internet Access
From: Internal
To: External
Condition: Allow Internet Access (AD group), System and Network Service

I'm not running the firewall client and have unchecked the Enable folder view for FTP sites.

I need to limit FTP, HTTP, and HTTPS access to only the permitted users in the AD group.

Internet is working correctly using this rule but FTP is not. I'm receiving an error on the client... Error code: 502 Proxy Error. When I look at the ISA monitoring the request is being blocked by the rule mentioned in this post, Internet Access.

Does anyone have a suggestion other than installing the firewall client or permitting all user access?

Question by:JimRoth
    LVL 6

    Expert Comment

    After this rule there should be a rule which disallows everyone else, I think. I had this problem, and messed around some with the rules until it worked; I did NOT use the client. I did however use the ISA server as proxy (in Internet Explorer settings). However, from what I've noticed it's not 100% reliable: sometimes people will still get out, sometimes they get stopped without reason. Which is probably why they made the client, but I didn't really agree with that and deleted ISA.

    I can understand you really need this in your case though, so make sure to go through the settings of the FTP protocol in ISA as well. Configure proxy use on clients, and create a rule below this one that blocks unauthorized users.

    you could also look for a tutorial on

    Author Comment

    I already have the client set up to use the ISA server as the proxy, local host on port 8080 for all protocols, and the rule after is the default deny all. According to the ISA monitoring, the allow rule in the original post is the one blocking the FTP access, not the deny rule after it. Do you have the URL to the specific tutorial... I couldn't find one for this situation.
    LVL 6

    Accepted Solution

    Yes, when I configured my ISA server I used this article:

    Also because I had an ftp server running on my network which had to be accessible by both local and external clients.

    I wish it wasn't so long ago, or I'd have written down a quick guide for you, I just don't know the exact steps and problems I had back then anymore :(

    Good luck man :) Fiddle with the settings, and make sure you let the server load the new rules each time. Also make sure the ftp server you try to visit is actually online (that was something I did wrong first time hehe....typical mistake).

    LVL 6

    Expert Comment

    Oh, another question, can you connect to ftp sites with a specific ftp client? (like

    Don't forget ftp is port 21 instead of 8080 btw.
    LVL 6

    Expert Comment

    I also reread your question (and it's morning this time, clear mind :)), since the rule is blocking your request, and the rule checks if clients are authorized, I fear it may also be possible your clients aren't authorized.

    But let me know what you've done so far and if it worked :)
    LVL 5

    Expert Comment

    Try to create a rule for FTP that allows all, then... other rules that deny some....
    LVL 26

    Assisted Solution

    by:Leon Fester
    Can you confirm if your AD user group is accessing the HTTP traffic via the Rule mentioned above? It may be that your rule is not working correctly with the AD user groups.

    Also, if I'm not mistaken, your problem could be that the ISA server is not picking up the AD username but instead is using the username/password provided in the FTP request.

    Try running FTP from the command line and then see what it does. Make sure that you've identified the correct rule.

    Another thing to consider: when do you get the error? When connecting to the FTP site, or when you try to upload/download? By default, ISA will only allow read-only FTP requests. No uploads are possible until you've changed the settings in the FTP protocol. Simply right-click your rule, then click on 'Configure FTP protocol' and clear the checkbox next to "Read Only".

    Author Comment

    Thanks for the comments. Azhrei1's link to was the most helpful. The issue is with logon to some ftp sites... some require the Enable folder View to get to the logon screen. All other ftp sites are working fine without the firewall client. It just happened to be the case that the 3 ftp sites we use most required this setting. The only way I found around this was to use the firewall client on the clients that actually use the sites. Thankfully this was only a handful.
