

FTP Passive Access ISA2000

Posted on 2008-06-18
Medium Priority
Last Modified: 2008-06-20
SBS 2003 Premium:
I have set up an FTP site within IIS on our SBS box. I can access it externally if I use the PORT method. However, since IE uses the PASSIVE method by default, I want to allow this. I have followed the instructions in this article http://www.microsoft.com/technet/archive/isa/2000/maintain/isaftpci.mspx?mfr=true but it still won't let me through using IE's FTP folder view when using the passive method.

Interestingly though, I can access the FTP site from an internal source using the passive method.

Question: Does the fact that I can access it fine with the PORT method mean that I have ports and packet filters set up correctly in ISA 2000?

Question by:realtec
LVL 11

Accepted Solution

EricTViking earned 2000 total points
ID: 21811008
Since PASSIVE FTP uses random data ports, it might be the firewall at the external client's end that is preventing PASSIVE mode from working rather than your ISA server. Passive mode is a complex protocol, as your communications go out on port 21 but your data comes back on a random port; this is difficult to set up securely on a client's firewall.

Also passive mode doesn't work well with some NAT routers, if your client is behind a NAT router you may have trouble using passive FTP.

The fact you have ISA working with PORT (Active) FTP only proves PORT mode is working. However, if you have followed the steps in the KB article you mentioned, passive should be working too.

Just remember that the client firewall has to be setup properly too.

Expert Comment

ID: 21815048
Are there any firewalls between ISA and the internet?  Also...have you tried using the firewall client?  

Author Comment

ID: 21817471
Thank you for your comments Eric, they have reinforced some of the understandings I hold on FTP stuff. In answer to Nyah's comment, my understanding is that there are no firewalls between ISA and the internet. The SBS box has two NICs; the second NIC (Internet facing) has been set up via the internet connection wizard in SBS and NAT is running on that interface. I don't believe the firewall client can be run on an external client PC, especially one from another company? The SBS box replaces an older SBS Premium box which was a bit flaky. On the old box I set up an FTP site with no problems regarding passive connections from outside. However, the old box was on 2k3 SP1 whereas the new box is SP2. I've read about some problems on SBS boxes after installing SP2 but they seem a bit deep. I could just tell my client to tell its FTP users to untick USE PASSIVE FTP in IE, but when I mentioned that as a solution there was lots of air being sucked in through teeth; they just want it to be 'the same as it was before' - oh the joys of IT...

LVL 11

Expert Comment

ID: 21817659
Yes, the tooth-suckers - at least they keep us in business ;-)

Here's another good article that may be a bit more focused than the MS one you mentioned - http://www.isaserver.org/tutorials/Publishing-Secure-FTP-Servers.html talks plenty about PASV mode, so it might help to eliminate any issues at the ISA server end.

Don't like to just post links here - but this article looks like it can explain far better than I.

BTW I've seen 2k3 SP2 knock out a few ISA Servers (mainly ISA 2006). Nothing specific, but bits of ISA Server just stopped working with it installed. This was some time ago so there's probably a whole load of hotfixes and patches that solve the issues caused. But SP2 definitely did bad things at the time.
LVL 11

Expert Comment

ID: 21817685
Forgot to add: always worth going to the Monitoring -> Logging section of ISA server and starting a log query running. Make sure you enable logging on your firewall rules and see what appears when you try to FTP in PASV mode. If something is blocking your data channels it should become apparent.

Author Comment

ID: 21821076
OK, I think I now know the reason PASV is not fully working. I refer to this article http://support.microsoft.com/kb/283679, particularly the common problems with PASV FTP. This describes exactly my situation, i.e. I can log on and CWD \ OK but the LIST command gets blocked on its way out from the server back to me by ISA, either that or the firewall on my router or Windows Firewall is blocking it back in. The thing I've been searching for is a standard set of packet filters for ISA Server which allow PASV mode. There doesn't seem to be any; maybe there's the clue. Regarding the logging, I can see the ISA logs but can't seem to create a log that tracks the rules. How do I do that?
LVL 11

Expert Comment

ID: 21821618
In theory with ISA you enable the FTP application filter and it will do all the magic of port shifting and mapping for you.

To allow a firewall rule to show in the logs, open the properties for the rule and tick the "log requests matching this rule" checkbox on the "Actions" tab.

Then select Monitoring, go to the logging tab and select "Start Query".

Author Comment

ID: 21829232
Hi again,

Listen, I have read through quite a lot of stuff now about FTP and have landed at a conclusion. Rather than explain it I will paste below the contents of the email I sent to my client. Oh, by the way, I will credit Eric with the points as he has been the most helpful.

Morning Tracy,
      After 3 weeks of looking at the FTP site situation I finally understand how and why. I'll try to keep the tech blurb down here as I explain things. Firstly, as I may have stated earlier, there are two types of access for FTP sites, Active and Passive; we know that the active method works fine on your server. The Active method uses designated ports on the server, namely ports 20 and 21. These are easily set up on the ISA firewall that your server runs. The Passive method is a little more complex in that it uses ports 20 and 21 but also uses random ports anywhere between 1000-60000. There lies the problem: it is impossible for the server's firewall to guess which port has been randomly chosen for the user's FTP session at that time.

The reason the old server worked with this method is because, rightly or wrongly, I'd put a big hole in the firewall to allow these connections to get through. As time goes by and experience is gained I am not really happy about putting such a hole in customers' firewalls anymore, primarily because it leaves the door open for hacking attempts. At the end of the day the firewall (and ISA Server is one of the best around) is there to protect you from malicious attempts at breaking in to your system, and whacking a big hole in it just so that FTP passive mode works isn't such a great idea. OK, that being said, what can we do next? Well, there are two straightforward solutions for your clients:
1)      For customers that prefer to use Internet Explorer to FTP, they will have to untick "Use Passive Method for FTP" in Internet Options > Advanced
2)      For other users, including Mac, download a free FTP program such as this one http://www.coffeecup.com/free-ftp/download.php?getFile (taking care to untick "use passive mode" during the setup)

It can be explained to your customers that this is due to tightened security. I'm sure most of them are competent computer users and that this shouldn't create a problem for them. In any case they can always call me with any initial problems. Let me know your thoughts as always.
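The control-channel exchange discussed in the accepted answer and in the email above, as an added diagnostic example that is not part of the original thread: the script logs in on TCP 21, sends PASV, parses the 227 reply into the server-chosen data port, opens that port and asks for a LIST, so the "logon works, LIST hangs" symptom shows up as a failed data connection rather than a silent stall. It also builds the equivalent active-mode PORT command for comparison. Python's ftplib and socket modules are real; the host, credentials and the sample 227 replies used for checking the parser are constructed.

```python
"""Probe an FTP server's passive-mode data channel from the client side.

Added example, not code from the original thread.  Which leg of the
exchange fails tells you which firewall (ISA, a NAT router, or the
client's own firewall) is dropping the passive data channel.
"""
import argparse
import re
import socket
from ftplib import FTP, Error as FTPError
from typing import Dict, Optional, Tuple

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Return (host, port) from a 227 reply; the data port is p1*256 + p2."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    match = PASV_RE.search(reply)
    if match is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    fields = [int(x) for x in match.groups()]
    if any(x > 255 for x in fields):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_command(host: str, port: int) -> str:
    """Active-mode PORT command: the client listens on host:port and the
    server connects back to it from its own port 20."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("PORT needs a dotted IPv4 address")
    if not 0 < port < 65536:
        raise ValueError("port must be 1-65535")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


def probe_passive(host: str, user: str = "anonymous", passwd: str = "probe@example.invalid",
                  timeout: float = 10.0, trust_advertised_host: bool = False) -> Dict[str, Optional[object]]:
    """Log in, request PASV, open the data channel and request a LIST.
    The returned dict records how far the exchange got before failing."""
    result: Dict[str, Optional[object]] = {
        "control": False, "pasv_reply": None, "data_port": None,
        "data_connect": False, "listing": None, "error": None,
    }
    try:
        with FTP() as ftp:
            ftp.connect(host, 21, timeout=timeout)
            ftp.login(user, passwd)
            result["control"] = True
            reply = ftp.sendcmd("PASV")
            result["pasv_reply"] = reply
            data_host, data_port = parse_pasv_reply(reply)
            # A server behind NAT often advertises its private address in the
            # 227 reply; by default reuse the address we reached on port 21.
            if not trust_advertised_host:
                data_host = host
            result["data_port"] = data_port
            with socket.create_connection((data_host, data_port), timeout=timeout) as data:
                result["data_connect"] = True
                resp = ftp.sendcmd("LIST")      # 150/125, then data, then 226
                if not resp.startswith(("150", "125")):
                    raise FTPError(f"unexpected reply to LIST: {resp}")
                chunks = []
                while True:
                    buf = data.recv(4096)
                    if not buf:
                        break
                    chunks.append(buf)
                result["listing"] = b"".join(chunks).decode("latin-1")
            ftp.voidresp()                      # consume "226 Transfer complete"
    except (OSError, ValueError, FTPError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def diagnose(result: Dict[str, Optional[object]]) -> str:
    """One-line verdict from a probe result."""
    if not result["control"]:
        return "control channel (TCP 21) unreachable or login refused"
    reply = result["pasv_reply"]
    if not isinstance(reply, str) or not reply.startswith("227"):
        return "server refused PASV; only active (PORT) mode is available"
    if not result["data_connect"]:
        return ("PASV accepted but the data port is unreachable: a firewall or NAT "
                "between client and server is dropping the data channel")
    if result["listing"] is None:
        return "data channel opened but LIST did not complete"
    return "passive mode working end to end"


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="probe FTP passive mode")
    ap.add_argument("host")
    ap.add_argument("--user", default="anonymous")
    ap.add_argument("--password", default="probe@example.invalid")
    args = ap.parse_args()
    outcome = probe_passive(args.host, args.user, args.password)
    print(diagnose(outcome), "|", outcome["error"] or "no error")
```

Run it from the external client that is failing (`python probe.py ftp.example.invalid --user alice`): if the verdict is "PASV accepted but the data port is unreachable", the packet was dropped somewhere between that client and the server's passive port, which is exactly the "logon and CWD work, LIST blocked" situation; run the same probe from the inside LAN, where the thread reports passive working, to confirm the server itself is fine and narrow the blame to ISA, the NAT router or the client firewall.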

