RE: FTP and ISA setup

Hi Steve,

Thank you for posting to the SBS newsgroup.

Please follow the instruction described on the following KB to enable external clients to access your FTP server.

How to enable external client computers access to a File Transfer Protocol server
http://support.microsoft.com/kb/294679

Section 1.

If the FTP service is hosted by your SBS server, please use the Packet Filter rule:

1. Open the ISA Administration tool, and then expand the Server settings.
2. Expand Access Policy, and then click IP Packet Filters.
3. In the right pane, click Create Packet Filter.
4. For the filter settings, specify the following settings, and then click Next:

Name: FTP Server TCP 21 Local
Allow Packet Transmission
Custom:
IP Protocol: TCP
Direction: Inbound
Local port: Fixed port
Port number: 21
Remote port: All ports

Name: FTP Server TCP 20 Local
Allow Packet Transmission
Custom:
IP Protocol: TCP
Direction: Outbound
Local port: Fixed port
Port number: 20
Remote port: All ports

5. In the Apply this packet filter to box, click Default IP addresses for each external interface on the ISA Server computer, and then click Next.
6. In the Remote Computers section, click either All remote computers or Only this remote computer, and then click Next. This setting specifies the host, which is the terminal server client that accesses the Terminal Services session.
7. Click Finish.

[Note] This option can only enable clients to connect by using the Active mode (Port).

Section 2.

If the FTP Server is an internal server and you want to publish it to the Internet, please use the Server Publishing Rule.

[Warning] If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

[Important] This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).

To server publish a service, the port on the external interface has to be free. By default, Microsoft Internet Information Services (IIS) version 5.0 uses the Socket Pooling feature and listens on all computer interfaces. The FTP server is already listening on port 21 (0.0.0.0:21) and any FTP server publishing is unsuccessful.

To ensure that IIS only listens on a selected interface, you must disable the Socket Pooling feature and configure the FTP server to listen on a specific Internet Protocol (IP) address:

1. To disable the Socket Pooling feature for the FTP service, run the following commands:

a. At a command prompt, change to the \Inetpub\Adminscripts\ folder.
b. At a command prompt, type: cscript adsutil.vbs set msftpsvc/disablesocketpooling true, and then press ENTER.
c. Restart the Iisadmin service for the change to take effect. At a command prompt, type:
net stop iisadmin
d. Start all of the services that had been running in Inetinfo.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
How to Disable Socket Pooling
http://support.microsoft.com/kb/238131

2. Configure the FTP server to listen only on the internal interface:

a. Open the Internet Services Manager, and then expand the Computername settings.
b. Click Default FTP Site, and then right-click it.
c. On the menu, click Properties, and then click the FTP Site tab.
d. In the Identification section, click IP Address.
e. Change the IP address from "All Unassigned" to the IP address of the internal interface of ISA Server.
f. Click OK.
g. Close IIS in Microsoft Management Console (MMC).

3. Because ISA Server is publishing to itself, you must enable the FTP port attack mechanism:

a. Start Registry Editor (Regedt32.exe).
b. Locate the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters\
c. Change the EnablePortAttack value to 1.
d. Close Registry Editor.
e. Restart the FTP service.

[Note] In an installation of IIS version 6, the registry subkey that is listed in step 3c is named EnableDataConnTo3rdIP. Assign it the same value as is shown in that step.

4. Configure the Server Publishing rule:

a. Open the ISA Administration tool, and then expand the Server settings.
b. Expand Publishing, and then click Server Publishing Rules.
c. In the right pane, click Publish a Server.
d. Specify a name, such as, FTP Server Local, and then click Next.
e. Enter the internal IP address of the FTP server that had been specified in the Internet Services Manager.
f. Browse and click the IP address of the external interface, and then click Next.
g. In the Protocol Settings dialog box, click FTP Server, and then click Next.
h. Click Any Request to enable all of the clients or to specify a client address set, and then click Next.
i. Click Finish.

5. For ISA Server to dynamically open up packets filters for client sessions, you must enable the FTP Access Filter option:

a. Open the ISA Administration tool, and then expand the Server settings.
b. Expand Extensions, and then click Application Filters.
c. In the right pane, ensure that the FTP Access Filter option is enabled.

[Note] The preceding option enables clients to connect by using both Active (Port) and Passive (Pasv) mode.

I hope the above info helps.

If there's any update, please feel free to post back.

Bill Peng
MCSE 2000, MCDBA
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
>From: "steve tysinger" <stevetysinger@xxxxxxxxxxxxxxxxxxxxxxxxx>
>Subject: FTP and ISA setup
>Date: Mon, 9 May 2005 08:33:06 -0700
>Newsgroups: microsoft.public.windows.server.sbs
>
>I set up an FTP server. I can access it from my LAN, but I cannot access it
>from outside my LAN, from the Internet. I assume I have to set up something to
>allow access since I am using ISA; how do I do that?
>
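The reply above describes two firewall behaviours that are easy to conflate: the static packet filters in Section 1 (inbound to local port 21, outbound from local port 20) only cover Active mode, while Passive mode needs the FTP Access Filter in step 5 to read the `227` reply and open the announced port dynamically. The following Python model is an added example, not code from the thread or from Microsoft; it parses the `PORT` and `227` lines of a constructed control-channel transcript (the addresses 203.0.113.5 and 198.51.100.10 are made up), derives the data connection each one sets up, checks it against the two Section 1 filters, and flags a data connection to an address other than the control-channel peer, which is the case the `EnablePortAttack` (IIS 6: `EnableDataConnTo3rdIP`) value in step 3 permits and which a defender would otherwise want to see logged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Active mode: the client sends "PORT h1,h2,h3,h4,p1,p2" and the server connects
# back from its local port 20 to h1.h2.h3.h4:(p1*256+p2).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# Passive mode: the server answers "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# and the client connects to that ephemeral port on the server.
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class DataEndpoint:
    mode: str          # "active" or "passive"
    ip: str            # address announced on the control channel
    port: int          # port announced on the control channel
    third_party: bool  # announced address differs from the control-channel peer


@dataclass
class PacketFilter:
    name: str
    direction: str             # "Inbound" or "Outbound", as in the ISA dialog
    local_port: Optional[int]  # None means "All ports"


# The two static TCP filters from Section 1 of the reply.
SECTION1_FILTERS = [
    PacketFilter("FTP Server TCP 21 Local", "Inbound", 21),
    PacketFilter("FTP Server TCP 20 Local", "Outbound", 20),
]


def _decode(groups):
    """Turn the six comma-separated numbers into (dotted address, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PORT/PASV field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_endpoint(line: str, client_ip: str, server_ip: str) -> Optional[DataEndpoint]:
    """Derive the data connection a control-channel line announces, if any."""
    m = PORT_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        return DataEndpoint("active", ip, port, third_party=(ip != client_ip))
    m = PASV_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        return DataEndpoint("passive", ip, port, third_party=(ip != server_ip))
    return None


def permitted_by_static_filters(ep: DataEndpoint, filters=SECTION1_FILTERS) -> bool:
    """Would this data connection pass the fixed packet filters from Section 1?"""
    if ep.mode == "active":
        direction, local_port = "Outbound", 20      # server dials out from port 20
    else:
        direction, local_port = "Inbound", ep.port  # client dials the port from 227
    return any(
        f.direction == direction and f.local_port in (None, local_port)
        for f in filters
    )


def review_session(lines: List[str], client_ip: str, server_ip: str) -> List[str]:
    """Classify every data connection a control-channel transcript sets up."""
    findings = []
    for line in lines:
        ep = data_endpoint(line, client_ip, server_ip)
        if ep is None:
            continue
        if ep.third_party:
            findings.append(f"{ep.mode}: data channel to third-party {ep.ip}:{ep.port}")
        elif permitted_by_static_filters(ep):
            findings.append(f"{ep.mode}: {ep.ip}:{ep.port} allowed by static filter")
        else:
            findings.append(f"{ep.mode}: {ep.ip}:{ep.port} needs the FTP Access Filter")
    return findings


# Constructed transcript (not from the thread): client 203.0.113.5, server 198.51.100.10.
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 203,0,113,5,4,1",                               # active, own address, port 1025
    "PASV",
    "227 Entering Passive Mode (198,51,100,10,19,137).",  # passive, server port 5001
    "PORT 203,0,113,99,4,1",                              # active, points at another host
]

if __name__ == "__main__":
    for finding in review_session(SAMPLE_SESSION, "203.0.113.5", "198.51.100.10"):
        print(finding)
```

Run as-is, the first `PORT` line is satisfied by the outbound port 20 filter, the `227` line is not covered by any static filter (hence the Note under step 5 that only the application filter supports Passive mode), and the last `PORT` line names an address that is not the client, which is the kind of data connection IIS refuses unless the step 3 value is set.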