Passive FTP errors with ISA 2004

When you implement ISA Server 2004 on a connection, by default, it blocks all traffic.  Other than the hidden system rules, you’ll see only one firewall access rule and it denies all traffic in either direction.  In order to use an FTP client, you’ll need to create a firewall rule that allows the FTP protocol.  The site I use for storing screenshots and graphic elements requires passive FTP, so I obviously needed to create a rule so that BlogJet, WS_FTP and other tools would work correctly.

However, even though I created the rule to allow the traffic from my home office network to the internet, things weren’t working correctly.  I could log in to the site, but I could not add a file, rename a file, or delete a file.  Obviously it was time to look more closely at my rule.  I started poking around in the properties and stumbled across the Application Filter section at the bottom of the Parameters tab (see screenshot).  Application filters are very useful and allow you to extend rules in many ways.  I particularly like the streaming media application filters because they “streamlined” getting all of the ports opened correctly for my streaming server.

So getting back on topic, when I first looked at my rule, the FTP protocol had the “FTP Access Filter” application filter turned on.  At this point I backed out of the properties for the rule and went looking for information on this filter and what it does.  In the ISA Server 2004 help file, I found the following information:

FTP access filter

The FTP access filter that is provided with Microsoft Internet Security and Acceleration (ISA) Server 2004 forwards File Transfer Protocol (FTP) requests from SecureNAT clients to the Microsoft Firewall service. The filter dynamically opens secondary ports, which are required by FTP, and performs necessary address translation for SecureNAT clients.

Although you could create a protocol for FTP, the protocol would not offer the full range of capabilities afforded by the FTP access filter. The following list describes the differences between a user-defined FTP protocol and the FTP access filter:

  • The FTP access filter dynamically opens specific ports for the secondary connection, but the protocol definition opens a range of secondary ports.
  • The FTP access filter can protect clients by performing the address translation required for the secondary connection.
  • Because the FTP access filter includes a read-only FTP protocol definition, it can distinguish between read and write permissions, enabling you to fine-tune access permissions.

The FTP access filter uses the following protocol definitions, which are installed with the filter during the ISA Server installation:

  • FTP client read-only
  • FTP client
  • FTP server

For instructions about applying FTP access filtering to a specific rule, see Configure FTP filtering. By default, the FTP access filter is applied to FTP and FTP server protocols. For more information on protocols, see Protocols. 

This filter has some cool capabilities and I’ll probably take advantage of some of them later when I publish an FTP server.  But at this point I didn’t really see anything that indicated to me how to fix the issue.  So I turned off the filter checkbox and ran some quick tests.  Bingo!!!  Now I can access the FTP site, upload files, rename files, delete, etc.
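To make the two help-file points concrete (the filter derives the exact secondary port from the server's 227 reply instead of opening a range, and a read-only definition lets login and listing through while refusing writes, which is exactly the symptom above), here is an added Python example, not code from the post or from ISA Server, that walks a constructed passive-FTP control-channel capture the way an inspecting filter would. The set of "write" verbs is my assumption; the help text does not list them.

```python
import re

# Verbs treated as "write" for the read-only distinction. The page does not list
# them; this set is my assumption of what a read-only FTP definition refuses.
WRITE_VERBS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) -> data port = p1*256 + p2
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Return (host, port) announced by a 227 reply, or None for other replies."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_session(lines, read_only):
    """Walk "C: cmd"/"S: reply" lines; return (allowed, blocked, endpoints):
    verbs a read-only or read/write filter passes or refuses, and the exact
    data endpoints a stateful filter opens from 227 replies (not a range)."""
    allowed, blocked, endpoints = [], [], []
    for line in lines:
        direction, _, payload = line.partition(": ")
        if direction == "S":
            endpoint = parse_pasv_reply(payload)
            if endpoint:
                endpoints.append(endpoint)
        elif direction == "C":
            verb = payload.split(" ", 1)[0].upper()
            (blocked if read_only and verb in WRITE_VERBS else allowed).append(verb)
    return allowed, blocked, endpoints


# Constructed capture mirroring the symptom in the post: login and listing
# succeed, but upload, delete and rename are refused under read-only.
SAMPLE_SESSION = [
    "S: 220 Service ready",
    "C: USER blogger",
    "S: 331 Password required",
    "C: PASS hunter2",
    "S: 230 Logged in",
    "C: PASV",
    "S: 227 Entering Passive Mode (203,0,113,10,195,80)",
    "C: LIST",
    "C: STOR screenshot.png",
    "C: DELE old.png",
    "C: RNFR a.png",
]
```

Running `inspect_session(SAMPLE_SESSION, read_only=True)` shows the three write verbs refused and a single data endpoint on port 50000; with `read_only=False` every verb passes, which is the behaviour the post ends up with once the filter is no longer applied to the rule.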