Let us begin…
Publishing a FTP service with ISA Server 2006 is very simple. ISA Server has a built-in wizard to publish the FTP Server, but what about security? FTP is a very unsecure protocol which transfers data without encryption so it might be dangerous to use this protocol. A better way is to use the FTPS (FTP over SSL) protocol which provides protocol encryption for transferred data. Configuring ISA Server 2006 for FTP publishing is a little bit more complicated because you have to manually create a protocol definition for FTPS and the port range used for the FTPS connection.
Let us start with the configuration of the ISA Server 2006 publishing rule. Start the ISA Server 2006 MMC, navigate to the Firewall policy node and create a new Server publishing rule.
You should give the rule a name like FTPS-Server.
Figure 1: FTPS Protocol rule name
Enter the IP address of the FTP Server you want to publish. The published FTP Server has to be a Secure NAT client.
Figure 2: IP address of the Server to publish
Because ISA Server 2006 has no built-in protocol definition for the required FTPS protocol, we have to manually create the protocol definition. We need a protocol defintion for the standard FTP protocol port and a port range for the FTP connection which must be the same port range configured at the Firewall protocol support setting on the FTP Server.
Figure 3: Protocol selection
Click New to create the required protocol definition and give the new protocol definition a name.
Figure 4: new FTPS protocol definition
The protocol type is FTP, the direction is Inbound and the port definition is from 21 to 21.
Figure 5: FTPS Protocol port range
As a second protocol range enter the same IP range for the port range specified in the Firewall properties of the FTP Server configuration.
Figure 6: The entire protocol definition
You do not have to specify a secondary connection.
Specify the Listener for the network on which ISA Server 2006 should listen for FTP traffic. This is typically the external network definition. If there are more than one IP addresses bound to the External network interface, you have to explicitly enter the IP address on which ISA Server should listen for traffic.
Figure 7: Select the ISA Server Listener
Click Next, than Finish and Apply.
The FTP-Filter does not have to be enabled for the new FTPS protocol definition so you have to make sure that the option is unchecked in the protocol definition.
After we have finished all settings on ISA Server site, it is now time to configure the FTP Server part for the Firewall configuration.
I already assume that you have configured the required parts of the FTP Server two use the FTPS protocol. For more information how to configure FTPS on the FTP Server I give you a link at the end of this article.
If you use Windows Server 2008 you have to manually download and install the Microsoft FTP service from the following website: http://www.iis.net. The built-in FTP service with the Windows Server 2008 Standard installation comes with nearly the 7
Windows Server 2008 R2 comes with the correct FTP Server version which is built into the Windows Server 2008 R2 Server Manager Roles configuration as you can see in the following screenshot.
Figure 8: Installing the FTP service
Because we want to use FTPS (FTP over SSL) on our FTP Server, we have to specify the port range for the FTP Data channel. The port range you enter here must be identical with your protocol definition at ISA Server site. You must also specify the external IP address of the Firewall which is typically the IP address from the Firewall which is directly connected to the Internet. Click Apply to activate the new configuration settings in the IIS configuration.
Figure 9: FTP Firewall support
Now you should be able to connect from the Internet to your internal FTPS server through ISA Server 2006 with your favorite FTP client application which supports FTP over SSL (FTPS). If your connection is unsuccessful first double check the FTP client connection settings with the FTP configuration in IIS and if a secure FTP connection is still not possible, you should have a look in the ISA Server 2006 real time monitoring to see if something gets blocked.
In this article, I tried to show you how to securely publish an FTP Server running on Windows Server 2008 with ISA Server 2006. ISA Server 2006 has built-in capabilities to publish a FTP Server but per default no wizards for publishing the more secure FTPS protocol. To publish a Microsoft FTPS-Server you have to configure some additional settings on the Windows Server 2008 and some settings at ISA Server 2006 site.