
Microsoft ISA Server 2006 - Secure FTP Server (FTPS) publishing with Windows Server 2008

How to securely publish an FTP Server running on Windows Server 2008 R2 with ISA Server 2006.
Marc Grote

Let us begin…

Publishing an FTP service with ISA Server 2006 is very simple. ISA Server has a built-in wizard to publish the FTP Server, but what about security? FTP is an insecure protocol that transfers data without encryption, so it can be dangerous to use. A better way is to use the FTPS (FTP over SSL) protocol, which encrypts the transferred data. Configuring ISA Server 2006 for FTPS publishing is a little more complicated, because you have to manually create a protocol definition for FTPS and the port range used for the FTPS connection.



Let us start with the configuration of the ISA Server 2006 publishing rule. Start the ISA Server 2006 MMC, navigate to the Firewall policy node and create a new Server publishing rule.

You should give the rule a name like FTPS-Server.


Figure 1: FTPS Protocol rule name

Enter the IP address of the FTP Server you want to publish. The published FTP Server has to be a Secure NAT client.


Figure 2: IP address of the Server to publish

Because ISA Server 2006 has no built-in protocol definition for the required FTPS protocol, we have to create the protocol definition manually. We need a protocol definition for the standard FTP protocol port and a port range for the FTP connection, which must be the same port range configured at the Firewall protocol support setting on the FTP Server.


Figure 3: Protocol selection

Click New to create the required protocol definition and give the new protocol definition a name.


Figure 4: new FTPS protocol definition

The protocol type is FTP, the direction is Inbound and the port definition is from 21 to 21.


Figure 5: FTPS Protocol port range

As a second port range, enter the same port range that is specified in the Firewall properties of the FTP Server configuration.


Figure 6: The entire protocol definition

You do not have to specify a secondary connection.

Specify the Listener for the network on which ISA Server 2006 should listen for FTP traffic. This is typically the external network definition. If more than one IP address is bound to the External network interface, you have to explicitly enter the IP address on which ISA Server should listen for traffic.


Figure 7: Select the ISA Server Listener

Click Next, then Finish and Apply.

Important:
The FTP filter must not be enabled for the new FTPS protocol definition, so make sure that the option is unchecked in the protocol definition.

Now that we have finished all settings on the ISA Server side, it is time to configure the FTP Server part for the Firewall configuration.

I assume that you have already configured the required parts of the FTP Server to use the FTPS protocol. For more information on how to configure FTPS on the FTP Server, I give you a link at the end of this article.

Please note:
If you use Windows Server 2008 you have to manually download and install the Microsoft FTP service from the following website: http://www.iis.net. The built-in FTP service with the Windows Server 2008 Standard installation comes with nearly the 7

Windows Server 2008 R2 comes with the correct FTP Server version which is built into the Windows Server 2008 R2 Server Manager Roles configuration as you can see in the following screenshot.


Figure 8: Installing the FTP service

Because we want to use FTPS (FTP over SSL) on our FTP Server, we have to specify the port range for the FTP data channel. The port range you enter here must be identical to the one in your protocol definition on the ISA Server side. You must also specify the external IP address of the Firewall, which is typically the IP address of the Firewall interface that is directly connected to the Internet. Click Apply to activate the new configuration settings in the IIS configuration.


Figure 9: FTP Firewall support

Now you should be able to connect from the Internet to your internal FTPS server through ISA Server 2006 with your favorite FTP client application that supports FTP over SSL (FTPS). If your connection is unsuccessful, first double-check the FTP client connection settings against the FTP configuration in IIS. If a secure FTP connection is still not possible, have a look at the ISA Server 2006 real-time monitoring to see if something gets blocked.
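A check to go with the troubleshooting step above, as an added example that is not part of the original article: with the FTP filter disabled and the control channel encrypted, ISA Server cannot rewrite the server's PASV reply, so the address and port the FTP server advertises must already be the firewall's external IP and a port inside the published range. The external IP 203.0.113.10, the range 50000-50100 and the function names are assumptions made for illustration.

```python
import ipaddress
import re
import ssl
from ftplib import FTP_TLS

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def check_pasv(reply, external_ip, low, high):
    """Compare a PASV reply with the published config; an empty list means OK."""
    ip, port = parse_pasv(reply)
    findings = []
    if ip != external_ip:
        # An internal address here means "external IP address of the Firewall"
        # is not set (or is wrong) in the IIS FTP Firewall support settings.
        kind = "private" if ipaddress.ip_address(ip).is_private else "unexpected"
        findings.append(f"advertised {kind} address {ip}, expected {external_ip}")
    if not low <= port <= high:
        # A port outside the range will not match the ISA protocol definition.
        findings.append(f"data port {port} outside published range {low}-{high}")
    return findings

def live_pasv_reply(host, user, password):
    """Fetch a real PASV reply over explicit FTPS (AUTH TLS on port 21)."""
    ftps = FTP_TLS(host, context=ssl.create_default_context(), timeout=10)
    try:
        ftps.login(user, password)  # login() negotiates AUTH TLS first
        ftps.prot_p()               # protect the data channel as well
        return ftps.sendcmd("PASV")
    finally:
        ftps.close()

if __name__ == "__main__":
    # Constructed sample replies, not captured from a real server.
    good = "227 Entering Passive Mode (203,0,113,10,195,80)."
    bad = "227 Entering Passive Mode (10,0,0,20,4,1)."
    for reply in (good, bad):
        print(reply, "->", check_pasv(reply, "203.0.113.10", 50000, 50100) or "OK")
```

Run `live_pasv_reply` from a client outside the firewall and pass its result to `check_pasv`; certificate verification is on, so a self-signed server certificate makes the TLS handshake fail before any reply is returned.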

Conclusion

In this article, I tried to show you how to securely publish an FTP Server running on Windows Server 2008 with ISA Server 2006. ISA Server 2006 has built-in capabilities to publish an FTP Server, but by default no wizard for publishing the more secure FTPS protocol. To publish a Microsoft FTPS Server you have to configure some additional settings on Windows Server 2008 and some settings on the ISA Server 2006 side.

About Marc Grote

Marc Grote is an MCSA/MCSE Messaging & Security, MCSE Private Cloud and Server Virtualization, an MCTS/MCITP and a Microsoft Certified Trainer and MCLC. He is a freelance Consultant and IT Trainer in the north of Germany near Hanover. He specializes in TMG/UAG Server, Exchange, System Center, Security for Windows Server 2012 and Windows Server 2012 designs, migrations and implementations. His efforts have earned him recognition as a Microsoft MVP for ISA Server since 2004.
