How to enable external client computers access to a File Transfer Protocol server

Article translations Article translations
Article ID: 294679 - View products that this article applies to.
This article was previously published under Q294679
Expand all | Collapse all

On This Page

SUMMARY

This article describes the procedures to enable external client computers access to a File Transfer Protocol (FTP) server that is running on Internet Security and Acceleration (ISA) Server.

MORE INFORMATION

You can access the FTP server either by opening the static packet filters or by using server publishing by means of ISA Server.

Open the Static Packet Filters

  1. Open the ISA Administration tool, and then expand the Server settings.
  2. Expand Access Policy, and then click IP Packet Filters.
  3. In the right pane, click Create Packet Filter.
  4. For the filter settings, specify the following settings, and then click Next:
    Name: FTP Server TCP 21 Local
    Allow Packet Transmission
    Custom:
    IP Protocol: TCP
    Direction: Inbound
    Local port: Fixed port
    Port number: 21
    Remote port: All ports

    Name: FTP Server TCP 20 Local
    Allow Packet Transmission
    Custom:
    IP Protocol: TCP
    Direction: Outbound
    Local port: Fixed port
    Port number: 20
    Remote port: All ports
  5. In the Apply this packet filter to box, click Default IP addresses for each external interface on the ISA Server computer, and then click Next.
  6. In the Remote Computers section, click either All remote computers or Only this remote computer, and then click Next. This setting specifies the host, which is the terminal server client that accesses the Terminal Services session.
  7. Click Finish.
NOTE: This option can only enable clients to connect by using the Active mode (Port).

Server Publish the FTP Server

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

IMPORTANT: This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).

To server publish a service, the port on the external interface has to be free. By default, Microsoft Internet Information Services (IIS) version 5.0 uses the Socket Pooling feature and listens on all computer interfaces. The FTP server is already listening on port 21 (0.0.0.0:21) and any FTP server publishing is unsuccessful.

To ensure that IIS only listens on a selected interface, you must disable the Socket Pooling feature and configure the FTP server to listen on a specific Internet Protocol (IP) address:
  1. To disable the Socket Pooling feature for the FTP service, run the following commands:
    1. At a command prompt, change to the \Inetpub\Adminscripts\ folder.
    2. At a command prompt, type: cscript adsutil.vbs set msftpsvc/disablesocketpooling true, and then press ENTER.
    3. Restart the Iisadmin service for the change to take effect. At a command prompt, type:
      net stop iisadmin
    4. Start all of the services that had been running in Inetinfo.
    For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
    238131 How to Disable Socket Pooling
  2. Configure the FTP server to listen only on the internal interface:
    1. Open the Internet Services Manager, and then expand the Computername settings.
    2. Click Default FTP Site, and then right-click it.
    3. On the menu, click Properties, and then click the FTP Site tab.
    4. In the Identification section, click IP Address.
    5. Change the IP address from "All Unassigned" to the IP address of the internal interface of ISA Server.
    6. Click OK.
    7. Close IIS in Microsoft Management Console (MMC).
  3. Because ISA Server is publishing to itself, you must enable the FTP port attack mechanism:
    1. Start Registry Editor (Regedt32.exe).
    2. Locate the following registry key:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters\
    3. Change the EnablePortAttack value to 1.
    4. Close Registry Editor.
    5. Restart the FTP service.
    Note In an installation of IIS version 6, the registry subkey that is listed in step 3c is named EnableDataConnTo3rdIP. Assign it the same value as is shown in that step. For more information, see the “Server-to-Server FTP Transfer” topic in IIS6 Help.
  4. Configure the Server Publishing rule:
    1. Open the ISA Administration tool, and then expand the Server settings.
    2. Expand Publishing, and then click Server Publishing Rules.
    3. In the right pane, click Publish a Server.
    4. Specify a name, such as, FTP Server Local, and then click Next.
    5. Enter the internal IP address of the FTP server that had been specified in the Internet Services Manager.
    6. Browse and click the IP address of the external interface, and then click Next.
    7. In the Protocol Settings dialog box, click FTP Server, and then click Next.
    8. Click Any Request to enable all of the clients or to specify a client address set, and then click Next.
    9. Click Finish.
  5. For ISA Server to dynamically open up packets filters for client sessions, you must enable the FTP Access Filter option:
    1. Open the ISA Administration tool, and then expand the Server settings.
    2. Expand Extensions, and then click Application Filters.
    3. In the right pane, ensure that the FTP Access Filter option is enabled.
NOTE: The preceding option enables clients to connect by using both Active (Port) and Passive (Pasv) mode.

Properties

Article ID: 294679 - Last Review: January 6, 2005 - Revision: 2.2
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
Keywords: 
kbenv kbhowto KB294679

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com