Access to remote FTP server through TMG 2010 may fail with error 550 (Access Denied)

Hi everybody!

In this article we will see how to troubleshoot an issue with accessing an FTP server behind TMG 2010.

Imagine we have the following situation: a client PC on an internal corporate network wants to access a remote FTP server through TMG 2010 using an FTP client such as, for example, FileZilla.

The way the FTP server is configured (authentication, encryption, etc.) is not relevant to this case.

On the TMG server, we’ve created an access rule allowing “Read-Only” outbound requests for the FTP protocol.

When we try to connect to our remote FTP server using, for example, FileZilla, the connection may fail with a “550 Access Denied” error.

FTP connection issues through ISA/TMG can have many different causes.

The following article provides resolutions for many of the most common problems:

http://technet.microsoft.com/en-us/library/bb794745.aspx

The problem we’re focusing on in this article, however, is not included in the above troubleshooting guide and depends on a specific by-design behavior of TMG server.

In our case, we see that the connection attempt fails with a “550 Access Denied” error right after the client has issued an MLSD command.

What is MLSD exactly?

Here we can find a description of what MLSD is used for:

http://tools.ietf.org/html/draft-ietf-ftpext-mlst-16#section-7

As we can see from the above:

The MLST and MLSD commands are intended to standardize the file and directory information returned by the Server-FTP process. These commands differ from the LIST command in that the format of the replies is strictly defined although extensible.

In the default configuration of the TMG FTP Access filter in “Read-Only Mode”, the filter only allows a specific subset of FTP commands. The MLSD command is not included in this set of “Read-Only” commands. FTP clients that use the LIST command do not experience this problem, since LIST is an allowed command.

It’s easy to resolve the problem by allowing write permissions in the FTP-Filter advanced properties of our access rule.

However, granting write rights is not always a good choice, and most of the time it is neither allowed nor advisable.

Nevertheless, a workaround exists for this situation: it’s possible to add the MLSD command to the “allowed-commands list” of the “Read-only” TMG FTP filter.

The following MSDN article explains how to configure add-ins:

http://msdn.microsoft.com/en-us/library/dd435753.aspx

Specifically:

FTP Access Filter

FTP Access Filter is an application filter that is installed with Forefront TMG. It enables FTP protocols. When running in read-only mode, FTP Access Filter blocks all commands in the control channel except the following commands: ABOR, ACCT, CDUP, CWD /0, FEAT, HELP, LANG, LIST, MODE, NLST, NOOP, PASS, PASV, PORT, PWD /0, QUIT, REIN, REST, RETR, SITE, STRU, SYST, TYPE, USER, XDUP, XCWD, XPWD, SMNT. This should block any writing to the server side. The default list of allowed commands can be replaced by a customized list that is written to the collection of vendor parameters sets (FPCVendorParametersSets) associated with the filter. The Firewall service must be restarted for the new settings to take effect.

The above article provides an example script through which it is possible to customize the FTP filter’s allowed-command list. This way, the filter can be kept in Read-Only mode while still allowing the FileZilla connection to work as expected.
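As an added illustration (not the MSDN script and not TMG’s own code), the following Python snippet models the read-only allow-list quoted above against a constructed FileZilla-style message log: under the default list the session is rejected at MLSD, and once MLSD is added the whole command sequence passes. The allow-list contents come from the article text; the log lines, function names and the handling of the “/0” suffixes are assumptions.

```python
"""Model the TMG FTP Access Filter read-only allow-list against an FTP
control-channel transcript, to show why a FileZilla session that sends
MLSD fails while a LIST-based client succeeds."""
import re

# Read-only command set as quoted on this page from the MSDN article.
# The "/0" suffixes after CWD and PWD in that text are treated here as
# documentation formatting and dropped (assumption).
TMG_READ_ONLY_COMMANDS = frozenset(
    "ABOR ACCT CDUP CWD FEAT HELP LANG LIST MODE NLST NOOP PASS PASV PORT "
    "PWD QUIT REIN REST RETR SITE STRU SYST TYPE USER XDUP XCWD XPWD SMNT"
    .split()
)

# Constructed FileZilla-style message log (not a real capture). FileZilla
# prefixes sent commands with "Command:" and server replies with "Response:".
SAMPLE_LOG = """\
Status:   Connecting to 203.0.113.10:21...
Response: 220 FTP service ready
Command:  USER demo
Response: 331 Password required
Command:  PASS ****
Response: 230 Logged in
Command:  FEAT
Response: 211 End
Command:  PWD
Response: 257 "/" is current directory
Command:  PASV
Response: 227 Entering Passive Mode (203,0,113,10,195,80)
Command:  MLSD
Response: 550 Access Denied
"""

COMMAND_RE = re.compile(r"^Command:\s+(\S+)")

def commands_from_filezilla_log(log):
    """Extract the FTP verbs the client sent, in order, upper-cased."""
    return [m.group(1).upper() for line in log.splitlines()
            if (m := COMMAND_RE.match(line))]

def first_blocked_command(commands, allowed=TMG_READ_ONLY_COMMANDS):
    """Return the first verb not on the allow-list (what the read-only
    filter would reject), or None if every verb is permitted."""
    for verb in commands:
        if verb not in allowed:
            return verb
    return None

def allow_list_with(extra, base=TMG_READ_ONLY_COMMANDS):
    """Customized allow-list: the read-only set plus the extra verbs."""
    return base | frozenset(v.upper() for v in extra)
```

Running `first_blocked_command(commands_from_filezilla_log(SAMPLE_LOG))` returns `"MLSD"`, and the same call with `allow_list_with(["MLSD"])` returns `None`, which is exactly the customized read-only list the workaround above relies on.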

Hope this can be useful!

See you at the next topic!

Author:
Daniele Gaiulli

Support Engineer – EMEA Forefront Edge

Reviewer:
Philipp Sand

Support Escalation Engineer – EMEA Forefront Edge