FTP Passive Access ISA2000

Posted on 2008-06-18
Last Modified: 2008-06-20
SBS 2003 Premium:
I have set up an FTP site within IIS on our SBS box. I can access it from outside if I use the PORT method. However, since IE uses the PASSIVE method by default, I want to allow this. I have followed the instructions in this article but it still won't let me through using IE's FTP folder view if using the passive method.

Interestingly though, I can access the FTP site from an internal source using the passive method.

Question: Does the fact that I can access it fine with the PORT method mean that I have ports and packet filters set up correctly in ISA 2000?

Question by:realtec
LVL 11

Accepted Solution

EricTViking earned 500 total points
ID: 21811008
Since PASSIVE FTP uses random data ports, it might be the firewall at the external client's end that is preventing PASSIVE mode from working rather than your ISA server. Passive mode is a complex protocol, as your communications go out on port 21 but your data comes back on a random port - this is difficult to set up securely on a client's firewall.

Also, passive mode doesn't work well with some NAT routers; if your client is behind a NAT router you may have trouble using passive FTP.

The fact that you have ISA working with PORT (Active) FTP only proves PORT mode is working. However, if you have followed the steps in the KB article you mentioned, passive should be working too.

Just remember that the client firewall has to be setup properly too.

Expert Comment

ID: 21815048
Are there any firewalls between ISA and the internet? Also... have you tried using the firewall client?

Author Comment

ID: 21817471
Thank you for your comments Eric, they have reinforced some of the understandings I hold on FTP stuff. In answer to Nyah's comment, my understanding is that there are no firewalls between ISA and the internet. The SBS box has two NICs; the second NIC (Internet facing) has been set up via the internet connection wizard in SBS and NAT is running on that interface. I don't believe the firewall client can be run on an external client PC, especially one from another company? The SBS box replaces an older SBS Premium box which was a bit flaky. On the old box I set up an FTP site with no problems regarding passive connections from outside. However, the old box was on 2k3 SP1 whereas the new box is SP2. I've read about some problems on SBS boxes after installing SP2 but they seem a bit deep. I could just tell my client to tell its FTP users to untick USE PASSIVE FTP in IE, but when I mentioned that as a solution there was lots of air being sucked in through teeth; they just want it to be 'the same as it was before' - oh the joys of IT...

LVL 11

Expert Comment

ID: 21817659
Yes, the tooth-suckers - at least they keep us in business ;-)

Here's another good article that may be a bit more focused than the MS one you mentioned - it talks plenty about PASV mode, so it might help to eliminate any issues at the ISA server end.

Don't like to just post links here - but this article looks like it can explain far better than I.

BTW, I've seen 2k3 SP2 knock out a few ISA Servers (mainly ISA 2006). Nothing specific, but bits of ISA Server just stopped working with it installed. This was some time ago, so there's probably a whole load of hotfixes and patches that solve the issues caused. But SP2 definitely did bad things at the time.
LVL 11

Expert Comment

ID: 21817685
Forgot to add: always worth going to the Monitoring -> Logging section of ISA server and starting a log query running. Make sure you enable logging on your firewall rules and see what appears when you try to FTP in PASV mode. If something is blocking your data channels it should become apparent.

Author Comment

ID: 21821076
OK, I think I now know the reason PASV is not fully working. I refer to this article, particularly the common problems with PASV FTP. This describes exactly my situation, i.e. I can log on and CWD \ OK, but the list command gets blocked on its way out from the server back to me by ISA? Either that, or the firewall on my router or Windows Firewall is blocking it back in. The thing I've been searching for is a standard set of packet filters for ISA Server which allow PASV mode. There doesn't seem to be any; maybe there's the clue. Regarding the logging, I can see the ISA logs but can't seem to create a log that tracks the rules. How do I do that?
LVL 11

Expert Comment

ID: 21821618
In theory with ISA you enable the FTP application filter and it will do all the magic of port shifting and mapping for you.

To allow a firewall rule to show in the logs, open the properties for the rule and tick the "log requests matching this rule" checkbox on the "Actions" tab.

Then select Monitoring, go to the logging tab and select "Start Query".

Author Comment

ID: 21829232
Hi again,

Listen, I have read through quite a lot of stuff now about FTP and have landed at a conclusion. Rather than explain it, I will paste below the contents of the email I sent to my client. Oh, by the way, I will credit Eric with the points as he has been the most helpful.

Morning Tracy,
After 3 weeks of looking at the FTP site situation I finally understand how and why. I'll try to keep the tech blurb down here as I explain things. Firstly, as I may have stated earlier, there are two types of access for FTP sites, Active and Passive; we know that the active method works fine on your server. The Active method uses designated ports on the server, namely ports 20 and 21. These are easily set up on the ISA firewall that your server runs. The Passive method is a little more complex in that it uses ports 20 and 21 but also uses random ports anywhere between 1000-60000. There lies the problem: it is impossible for the server's firewall to guess which port has been randomly chosen for the user's FTP session at that time. The reason the old server worked with this method is because, rightly or wrongly, I'd put a big hole in the firewall to allow these connections to get through. As time goes by and experience is gained I am not really happy about putting such a hole in customers' firewalls anymore, primarily because it leaves the door open for hacking attempts. At the end of the day the firewall (and ISA Server is one of the best around) is there to protect you from malicious attempts at breaking in to your system, and whacking a big hole in it just so that FTP passive mode works isn't such a great idea. OK, that being said, what can we do next? Well, there are two straightforward solutions for your clients:
1) For customers that prefer to use Internet Explorer to FTP, they will have to untick "Use Passive FTP" in Internet Options > Advanced.
2) For other users, including Mac, download a free FTP program such as this one (taking care to untick "use passive mode" during the setup).

It can be explained to your customers that this is due to tightened security. I'm sure most of them are competent computer users and that this shouldn't create a problem for them. In any case, they can always call me with any initial problems. Let me know your thoughts as always.
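An added illustration (not part of the thread) of the point made above and in the earlier "LIST gets blocked" comment: a static packet filter cannot know which data port a PASV server picked, so it either blocks the LIST data connection or needs a wide port range opened, whereas an FTP application filter (the role ISA's FTP filter plays) reads the 227 reply on the control channel and opens only that one port for that one client. The session replies, client and server addresses are constructed; the filter classes are simplified models, not ISA's implementation.

```python
import re
from typing import Tuple

# RFC 959 PASV reply, e.g. "227 Entering Passive Mode (192,0,2,10,195,89)":
# host is h1.h2.h3.h4, data port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return the (host, port) a server announces for its PASV data channel."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not (0 <= p1 < 256 and 0 <= p2 < 256):   # malformed reply: refuse it
        raise ValueError("port bytes out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class StaticFilter:
    """Packet filter with a fixed set of inbound server ports (ISA 2000 'ports
    and packet filters' with no FTP application filter in play)."""
    def __init__(self, ports):
        self.ports = set(ports)
    def observe(self, client, server_reply):
        pass                      # it never reads the control channel
    def allows(self, client, host, port):
        return port in self.ports

class FtpAppFilter:
    """Stateful FTP application filter: parses each 227 reply on the control
    channel and opens exactly that data port, for that client only."""
    def __init__(self):
        self.pinholes = set()
    def observe(self, client, server_reply):
        if server_reply.startswith("227 "):
            host, port = parse_pasv(server_reply)
            self.pinholes.add((client, host, port))
    def allows(self, client, host, port):
        return (client, host, port) in self.pinholes

# Constructed control-channel replies for the session described in the thread:
# login and CWD succeed on port 21, then LIST needs the PASV data port.
SESSION = ["220 Microsoft FTP Service", "331 Password required", "230 User logged in",
           "250 CWD command successful", "227 Entering Passive Mode (192,0,2,10,195,89)"]

def list_allowed(fw, client="203.0.113.5"):
    """Feed the replies to the filter, then ask whether this client's connection
    to the announced data port (carrying the LIST output) gets through."""
    for reply in SESSION:
        fw.observe(client, reply)
    host, port = parse_pasv(SESSION[-1])
    return fw.allows(client, host, port)
```

Running `list_allowed` with `StaticFilter({20, 21})` reproduces the blocked LIST, `StaticFilter(range(1000, 60001))` is the "big hole", and `FtpAppFilter()` permits only the announced port for the client that negotiated it.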
