Solving the Secure FTP dilemma with ISA Server 2004 and 2006
When you have to support the Secure FTP protocol (aka FTPS or FTP over SSL/TLS) with ISA Server 2000, you have to make some tough decisions, especially if you have to allow Explicit Security. In that mode the Secure FTP protocol uses the default FTP control connection (TCP port 21). Because the FTP Application Filter can’t and never will understand the Secure FTP protocol (the control channel is encrypted, so the filter cannot read the PORT and PASV commands it relies on to open the data connections), and this is by design, you have to unbind the FTP Application Filter from the FTP protocol in order to support Secure FTP in Explicit Security mode. Of course, this breaks normal FTP support. For more information, check out my FTP article How the FTP protocol Challenges Firewall Security, section ‘5. What about Secure FTP’.
With ISA Server 2004 and 2006 we can solve that Secure FTP dilemma by applying what is explained in the recent ISA Server Product Team Blog article Why do I need a deny rule to make an allow rule for a custom protocol work correctly?. As with HTTP, the binding of the FTP Application Filter to the FTP protocol is a global setting. Moreover, the default FTP protocol definition only specifies the FTP Control connection (primary connection) because the FTP Application Filter handles the Data connections (secondary connections). In other words, unbinding the FTP Application Filter will only allow the FTP Control connection but not the Data connections. So, in order to solve the Secure FTP dilemma we will have to do some more work.
First of all we have to create a custom protocol definition for the Secure FTP protocol (FTPS) as shown in the figure below:
Some important characteristics of the FTPS protocol definition are:
- The FTPS Control connection (Primary Connections) uses TCP port 21 for the Explicit Security mode and TCP port 990 for the Implicit Security mode.
- The FTPS Data connection (Secondary Connections) should be defined as Outbound because only FTPS passive mode can work across a NAT relationship. It is also recommended that the Port Range is specified as narrowly as possible. If you don’t know on which ports the Secure FTP server will listen for the data connection, you can specify all unprivileged ports > 1023 (1024 - 65534).
- With the above protocol definition, only Firewall clients will be able to connect to the Secure FTP server, because only the Firewall client can inform ISA Server of the secondary connections. If you have to support SecureNAT clients too, you need to adjust the above protocol definition by moving the FTPS Data connection from the Secondary Connections to the Primary Connections section. However, be aware of the security risk associated with specifying such a large port range in the Primary Connections section.
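The Secondary Connections port range should be as narrow as possible, and the only authoritative source for it is the server itself: every passive-mode data connection is announced in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, where the port is p1*256+p2. The following is an added example (not code from the article or from ISA Server) that parses such replies and reduces them to the smallest range you can put in the protocol definition; the sample replies are constructed, and the live sampler is meant to be pointed at a Secure FTP server you administer, with host and credentials as placeholders.

```python
import re
import ftplib  # standard library; only the optional live sampler uses it

# RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) announced in a 227 reply, or None if it is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    host = ".".join(m.group(i) for i in range(1, 5))
    p1, p2 = int(m.group(5)), int(m.group(6))
    port = p1 * 256 + p2
    if not 1 <= port <= 65535:
        return None
    return host, port


def passive_port_range(replies):
    """Smallest (low, high) TCP range covering every port announced in the replies.

    Non-227 replies are ignored; a ValueError is raised if nothing parses,
    so a misconfigured sampler cannot silently produce an empty range.
    """
    ports = [r[1] for r in map(parse_pasv, replies) if r]
    if not ports:
        raise ValueError("no valid 227 replies")
    return min(ports), max(ports)


def sample_live(host, user, password, samples=20, port=21):
    """Collect `samples` passive ports from a server you administer.

    Explicit Security mode: plain connect on port 21, then AUTH TLS
    (FTP_TLS.login() issues AUTH TLS before sending the credentials).
    """
    ftps = ftplib.FTP_TLS()
    ftps.connect(host, port)
    ftps.login(user, password)
    ftps.prot_p()  # protect the data channel as well
    replies = [ftps.sendcmd("PASV") for _ in range(samples)]
    ftps.quit()
    return passive_port_range(replies)


# Constructed sample replies (not captured from a real server).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,88).",   # 195*256+88  = 50008
    "227 Entering Passive Mode (192,0,2,10,195,100).",  # 195*256+100 = 50020
    "227 Entering Passive Mode (192,0,2,10,195,90).",   # 195*256+90  = 50010
    "500 Illegal PORT command.",                        # ignored
]

if __name__ == "__main__":
    low, high = passive_port_range(SAMPLE_REPLIES)
    print(f"Secondary Connections range for the FTPS definition: TCP {low}-{high} Outbound")
```

A few dozen samples are usually enough to see the configured passive range of a well-behaved server; if the observed range keeps growing with more samples, the server is handing out ephemeral ports and you are back to the 1024 - 65534 range the article mentions, unless you can configure a fixed passive range on the server side.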
Next, to allow the FTPS traffic, you need to create two access rules:
- An access rule that uses the custom FTPS protocol and allows traffic from the source network to the computer objects representing the Secure FTP servers.
- An access rule that uses the predefined FTP protocol and denies traffic from the source network to the computer objects representing the Secure FTP servers.
Finally, the new allow rule must come before your original rule that allows the normal FTP traffic from the same source network in the ordered list of policy rules, and the new deny rule should be placed immediately after the new allow rule as shown in the figure above.
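As an added illustration (not code from the article, and a deliberately simplified first-match model rather than ISA Server's actual policy engine), the following models the ordered rule list and checks the placement prescribed above: the FTPS allow rule must come before the original FTP allow rule, and the FTP deny rule must sit immediately after it. The IP addresses and rule names are constructed. The model shows why the ordering matters for the control connection (both protocol definitions claim TCP 21, so whichever rule is listed first decides whether the FTP Application Filter gets involved); the reason ISA Server additionally needs the deny rule is explained in the ISA Server Product Team Blog article linked above, and the lint below only verifies that it is placed where the article says.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Protocol:
    name: str
    control_ports: Tuple[int, int]   # TCP range of the primary (control) connection
    app_filter: bool                 # True when the FTP Application Filter is bound


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    protocol: Protocol
    destinations: Optional[frozenset]  # computer set; None means any destination

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        low, high = self.protocol.control_ports
        if not low <= dst_port <= high:
            return False
        return self.destinations is None or dst_ip in self.destinations


def evaluate(rules: List[Rule], dst_ip: str, dst_port: int):
    """First matching rule wins. Returns (action, protocol name, filter applied)."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action, rule.protocol.name, rule.protocol.app_filter
    return "deny", None, False  # default rule: deny everything else


def lint_ftps_policy(rules: List[Rule]) -> List[str]:
    """Report the two ordering mistakes the article tells you to avoid."""
    problems = []
    for i, allow in enumerate(rules):
        if allow.action != "allow" or allow.protocol.app_filter:
            continue  # only unfiltered (custom FTPS) allow rules need checking
        lo, hi = allow.protocol.control_ports
        for earlier in rules[:i]:
            elo, ehi = earlier.protocol.control_ports
            ports_overlap = elo <= hi and lo <= ehi
            dst_overlap = (earlier.destinations is None or allow.destinations is None
                           or bool(allow.destinations & earlier.destinations))
            if (earlier.action == "allow" and earlier.protocol.app_filter
                    and ports_overlap and dst_overlap):
                problems.append(f"'{earlier.name}' precedes '{allow.name}' "
                                "and matches its control connection first")
        nxt = rules[i + 1] if i + 1 < len(rules) else None
        if (nxt is None or nxt.action != "deny" or not nxt.protocol.app_filter
                or nxt.destinations != allow.destinations):
            problems.append(f"'{allow.name}' is not immediately followed by a deny "
                            "rule for the filtered protocol to the same destinations")
    return problems


# Constructed addresses and rules (hypothetical, not from the article).
FTPS_SERVERS = frozenset({"198.51.100.20"})
FTP = Protocol("FTP", (21, 21), app_filter=True)     # predefined protocol, filter bound
FTPS = Protocol("FTPS", (21, 21), app_filter=False)  # custom protocol, Explicit Security

ALLOW_FTPS = Rule("Allow FTPS to secure servers", "allow", FTPS, FTPS_SERVERS)
DENY_FTP = Rule("Deny FTP to secure servers", "deny", FTP, FTPS_SERVERS)
ALLOW_FTP = Rule("Allow FTP", "allow", FTP, None)

CORRECT_ORDER = [ALLOW_FTPS, DENY_FTP, ALLOW_FTP]
WRONG_ORDER = [ALLOW_FTP, ALLOW_FTPS, DENY_FTP]  # original FTP rule left on top

if __name__ == "__main__":
    for label, policy in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, evaluate(policy, "198.51.100.20", 21), lint_ftps_policy(policy))
```

With the correct order the control connection to the secure server is handled by the unfiltered FTPS definition, normal FTP to any other host still hits the original rule, and the lint is silent; with the original FTP rule left on top, the same connection is claimed by the filtered FTP protocol and the lint names the offending rule.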
HTH,
Stefaan

Simon Coughlan Says:
December 14th, 2006 at 1:21 pm
Stefaan,
Your article on Solving the Secure FTP dilemma with ISA Server 2004 and 2006 was a massive help to me.
Thank you and keep up the good work.
Simon Coughlan
Richard Stevens Says:
March 23rd, 2007 at 8:30 am
Me too - many thanks.
Ron Dittmann Says:
June 3rd, 2007 at 1:54 am
Stefaan,
Mega Ditto’s from Ditty on this solution!
Thanks,
Ron Dittmann
Neal Says:
February 5th, 2008 at 8:12 am
Great stuff, worked first time - seems to be a rare thing nowadays
Andreas Wehmeier Says:
February 7th, 2008 at 6:42 am
Hi. Absolutely great. Solves a big problem at a customer for me.
Brian Says:
February 26th, 2008 at 2:30 pm
Worked great once I saw that the firewall client must be running, but has to be set manually.
Bhavin Patel Says:
March 1st, 2008 at 11:01 am
Hi Stefaan,
With the configuration as explained in the article, will internet users be able to connect to the FTPS server from the internet if I allow connections from the External network to the FTP Server?
Stefaan Pouseele Says:
March 1st, 2008 at 12:01 pm
Hi Patel,
if you want to publish a secure FTP server, you should check out the article “Publishing Secure FTP Servers behind ISA Firewalls” at http://www.isaserver.org/tutorials/Publishing-Secu...s.html.
HTH,
Stefaan
Iain Says:
May 1st, 2008 at 10:08 am
Perfect!! This solved my problem trying to connect to secureftp.dell.com. I used a domain set in case Dell changed IP. 11/10