ISA Firewall Question of the Day — Blocking FTP Connections
QUESTION:
Tom,
We have ISA Server 2004 configured as a “back end” firewall, our front end is a Cisco PIX.
We have no problems blocking Web access (port 80 and 443) based upon Windows userids.
However when we try to block users from FTP it always fails and allows FTP access. We have tried allow rules and deny rules but nothing seems to work.
The only way we found to block FTP was with Microsoft’s new browser IE 7. IE 7 will stop any FTP request and will show the ISA Server message not allowing the FTP protocol.
Bottom line, is there any way to block FTP from client PCs not using IE 7? Thank you
Robert W. Kay - MCP
ANSWER:
One thing you need to keep in mind is that the ISA Firewall will not allow outbound access to protocols unless you give users or machines explicit access. If there is no rule that allows the connection, then the connection is dropped by the ISA Firewall.
The first thing I’d check is the Firewall policy. Do you see a rule that is allowing outbound FTP connections? If so, either disable that rule, or remove the FTP protocol from the rule. If the rule is an “all open” rule, you can create a protocol exception in the rule by selecting the “all protocols except” option and exclude the FTP protocol.
If you’re not sure what rule is allowing the outbound FTP connections, then you can use the ISA Firewall’s real time log analyzer and check the FTP connections. The rule that allows the connection will appear on the line representing the outbound FTP connection.
One last thing to consider is to make sure that the ISA Firewall is an inline device. Often, the “network guys” will claim that the ISA Firewall is set in a back-end firewall topology, when in fact the ISA Firewall was placed in the PIX DMZ and both the ISA Firewall and the PIX can provide direct outbound paths to the Internet. This allows users to set a default gateway configuration so that outbound FTP goes through the PIX, instead of the ISA Firewall.
The solution in this case is to correct the network topology and place the ISA Firewall behind the PIX, not adjacent to it. There should be no way for users to bypass the ISA Firewall for outbound Internet access.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)
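The answer above points to the firewall log as the way to find which rule is letting FTP through. As an added example (not from this thread, and not ISA Server’s own tooling), the script below reads W3C extended log lines of the kind ISA writes, filters for a protocol, and counts which rule name allowed each connection. The log lines and the field names in the #Fields header are constructed for illustration and are assumed to resemble, not match, a real ISA 2004 log.

```python
import csv
from collections import Counter

# Constructed sample log in W3C extended format. Field names are an assumption
# modelled on ISA-style logging; a real log would carry many more fields.
SAMPLE_LOG = """\
#Software: ISA-style firewall (constructed sample)
#Fields: c-ip cs-username s-ip r-port cs-protocol action rule
192.168.1.20 alice 203.0.113.10 80 HTTP Allowed "Allow Web Access"
192.168.1.20 alice 203.0.113.20 21 FTP Allowed "All Open"
192.168.1.31 bob 203.0.113.20 21 FTP Allowed "All Open"
192.168.1.31 bob 203.0.113.30 443 HTTPS Allowed "Allow Web Access"
192.168.1.45 carol 203.0.113.20 21 FTP Denied "Default rule"
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names.

    Directive lines start with '#'. Values are space separated; a value that
    contains spaces (such as a rule name) is double quoted, which csv handles.
    """
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        values = next(csv.reader([line], delimiter=" ", quotechar='"',
                                 skipinitialspace=True))
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch on line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def rules_allowing(records, protocol):
    """Return a Counter of rule name -> number of Allowed connections for `protocol`."""
    counts = Counter()
    for rec in records:
        if rec["cs-protocol"].upper() == protocol.upper() and rec["action"] == "Allowed":
            counts[rec["rule"]] += 1
    return counts


def clients_using(records, protocol):
    """Return the sorted set of client IPs that were allowed `protocol`."""
    return sorted({rec["c-ip"] for rec in records
                   if rec["cs-protocol"].upper() == protocol.upper()
                   and rec["action"] == "Allowed"})


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for rule, n in rules_allowing(recs, "FTP").items():
        print(f"rule {rule!r} allowed {n} FTP connection(s)")
    print("clients allowed FTP:", clients_using(recs, "FTP"))
```

On the constructed sample the only rule allowing FTP is the “All Open” rule, which is exactly the case the answer describes: the fix is a protocol exception on that rule rather than a new deny rule. If a client shows up as reaching FTP sites but no allowing rule appears in the log at all, that is the topology problem from the last paragraph of the answer (traffic leaving through the PIX instead of the ISA Firewall), and the client’s default gateway is the next thing to check.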

phane Says:
December 14th, 2006 at 1:35 am
Dear Sir
I would like to know how to block FTP download only in ISA 2004.
Best regards;
Phane
Phil Says:
September 11th, 2007 at 9:03 am
Folks,
I would like to approach this issue from the other side. What is blocking FTP from our ISA server? We need for business units to be able to interact with vendors and service providers. Right now when we attempt to FTP via IE 7 we are either blocked by ISA or internally, we are blocked from writing to the FTP site.
Any help would be appreciated.
Thanks
Phil
Rupesh Says:
November 13th, 2007 at 6:53 am
Tom,
I did not have any rule which mentions FTP explicitly, still I had the same problem. The clients were able to access FTP sites. I created a rule which denies all FTP traffic (both inbound and outbound), still no luck. Any ideas?
Thanks and Regards,
Rupesh