Blog du Tristank

So terrific that 3 of 4 readers rated it "soporific"

ISA 2004: FTP Uploads are off by default. Mostly.

Something I ran across before work: With ISA 2004, the FTP filter is a slightly different beast from ISA 2000.

In ISA 2000, the FTP Application Filter added two distinct protocol definitons: FTP, and FTP Download Only. You could assign permissions to either to allow a user to upload, or not.

With ISA 2004, there’s only one FTP client protocol, and left alone it defaults to read-only (eg, PUTs and DELETEs won’t work, they won’t make it to the FTP server).

This comes up in what I like to call the “gaming configuration” of ISA, where all IP traffic is allowed without being specified. It’s a no-mess, low-fuss configuration. So, the question becomes how to configure the FTP filter?

It’s easy, just hidden out of view – in Firewall Policy, get the properties of your Allow Everything rule.

Allow Everything? Why not!

Go to the Protocols tab, hit the Filtering button, and pick Configure FTP from the list.

Clicking Configure FTP

Untick “Read Only”, OK lots, Apply, you’re done. No exploding keyboards.

Dialog Envy

It’s the type of dialog that makes me glad we don’t make them from paper.

If you upgraded from ISA 2000, the filter settings are translated based on your old settings:

Q.Are application filters migrated?
A.Yes, as follows:
FTP Access filter. Protocol rules for FTP, and protocol rules applying to FTP Server are migrated to access rules with read-only disabled. Protocol rules applying to FTP download are migrated to access rules with read-only enabled.

Pasted from <>

And that’s it…

[Updated 6 Jun 2005] Kevin Weilbacher notes that this happens when you upgrade SBS 2003 Premium to SP1, which includes ISA 2004 as one of its components.