http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport.htm
By Thomas W Shinder M.D
Published: February 2004
Introduction
One of the most common requests seen on the Web boards here at www.isaserver.org is for instructions on how to publish an FTP site on an alternate port. There are a number of reasons why someone might want to publish an FTP site on an alternate port. For example, some ISA admins feel that they’ll benefit from a measure of security through obscurity if FTP access is enabled using a port other than TCP 21. Other ISA admins, believe it or not, actually want to publish an FTP site on an alternate port in order to violate their ISP’s Terms of Use policy.
Whatever the reason, ISA Server 2000 did not support publishing FTP sites on an alternate port. The reason for this was that FTP is a complex protocol which requires an application filter on the ISA Server 2000 firewall to support it. While it is possible to publish an FTP site on an alternate port using ISA Server 2000, you have to use the Firewall client on the FTP server and then create a wspcfg.ini file and place that in the FTP server’s application directory. While it worked, it was cumbersome and not altogether reliable.
While I don’t have an application filter to give you for ISA Server 2000, I do have something better: ISA Server 2004. ISA Server 2004’s Server Publishing feature allows you to customize the ports used by any protocol you use in a Server Publishing Rule, even protocols that have been installed by application filters, like the FTP protocol. This increased flexibility in Server Publishing allows you to publish FTP servers using an alternate port number without creating error-prone config files or needing to install the Firewall client on the published server.
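The reason FTP needs an application filter at all is that the data connection is negotiated inside the control channel, so a firewall publishing the control channel on TCP 99 still has to read PORT commands and 227 PASV replies to know which secondary port to open and which address to rewrite. The following is an added example of that parsing, written for this page and not code from the article or from ISA Server; the addresses, the sample lines and the rewrite behaviour are constructed assumptions, not ISA’s actual implementation.

```python
# Added example (not from the article or ISA Server): the control-channel
# parsing an FTP application filter must do. The control channel may be
# published on TCP 99, but the data channel is negotiated inside it via
# PORT / 227 PASV. All sample lines and addresses below are constructed.
import re
from ipaddress import ip_address

_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and PASV into (ip, port)."""
    m = _SIX.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return (ip, port) if port else None


def data_channel_from_port_cmd(line, client_ip):
    """Active mode: the client sends 'PORT h1,h2,h3,h4,p1,p2' and the server
    connects back to it. A filter should only open that pinhole when the
    address is the client's own; anything else is refused (the FTP bounce case)."""
    if not line.upper().startswith("PORT "):
        return None
    parsed = decode_hostport(line[5:])
    if parsed is None or ip_address(parsed[0]) != ip_address(client_ip):
        return None
    return parsed


def rewrite_pasv_reply(line, internal_ip, external_ip):
    """Passive mode: the published server answers '227 Entering Passive Mode
    (h1,h2,h3,h4,p1,p2)' with its internal address. To keep the data channel
    reachable, the filter rewrites that address to the firewall's external
    listener (hypothetical rewrite, not ISA's real code).
    Returns (rewritten_line, data_port), or None if the reply is not usable."""
    if not line.startswith("227"):
        return None
    parsed = decode_hostport(line)
    if parsed is None or ip_address(parsed[0]) != ip_address(internal_ip):
        return None
    port = parsed[1]
    new_tuple = ",".join(external_ip.split(".") + [str(port // 256), str(port % 256)])
    return _SIX.sub(new_tuple, line, count=1), port
```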
The procedure is very straightforward. In this article we’ll cover the following steps that are required to publish the FTP server on an alternate port:
· Install and Configure the FTP Site
· Create the FTP Server Publishing Rule
· Make the Connection
The figure below shows the basic network topology for this example.
Install and Configure the FTP Site
The first step is to install and configure the FTP site on the Server on the internal network. In this example, we will install the FTP site on a Windows Server 2003 machine. We will cover the following steps:
· Install the FTP Server Service
· Configure the Default FTP Site
Perform the following steps to install the FTP Server service on the Windows Server 2003 computer:
1. Click Start and point to Control Panel. In the Control Panel menu, click the Add or Remove Programs entry.
2. In the Add or Remove Programs window, click the Add/Remove Windows Components button on the left side of the window.
3. In the Windows Components dialog box, click the Application Server entry in the Components list, then click the Details button.
4. In the Application Server dialog box, click the Internet Information Services entry and click Details.
5. In the Internet Information Services (IIS) dialog box, put a checkmark in the File Transfer Protocol (FTP) Service checkbox and click OK.
6. Click OK in the Application Server dialog box.
7. Click Next on the Windows Components page.
8. In the Insert Disk dialog box, click OK. In the Files Needed dialog box, point the installer to the location of the i386 folder of the Windows Server 2003 CD in the Copy files from text box. Click OK in the Files Needed dialog box.
9. Click Finish on the Completing the Windows Components Wizard page.
10. Wait for the installation to finish and then close the Add or Remove Programs window.
The next step is to configure the IIS FTP service. Perform the following steps to configure the IIS FTP service on the Windows Server 2003 machine:
1. Click Start and point to Administrative Tools. Click on Internet Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager console, expand your server name, then expand the FTP Sites node.
3. Right click on the Default FTP Site node and click Properties.
4. In the Default FTP Site Properties dialog box, click on the FTP Site tab. In the IP address list, select the actual IP address of the FTP site.
5. Click on the Messages tab. Enter a banner entry in the Banner text box. Enter a welcome statement in the Welcome text box. Enter an exit message in the Exit text box. Enter a statement to be returned to users when the FTP site has reached its maximum number of connections in the Maximum connections text box.
6. Click on the Home Directory tab. Make a note of the default local path for the FTP directory structure. In this example we will use the default path, which is c:\inetpub\ftproot. Put a checkmark in the Write checkbox so that we can test FTP upload capabilities. Note that you do not want to enable write access to your FTP site without creating strong NTFS permissions on the FTP directories.
7. Click Apply and then click OK in the Default FTP Site Properties dialog box.
8. Stop and restart the FTP site using the stop and start buttons in the MMC button bar.
Create the FTP Server Publishing Rule
We’re ready to create the FTP Server Publishing Rule now that the FTP site is ready. This FTP Server Publishing Rule will demonstrate the flexibility you have in protocol behavior in Server Publishing using ISA Server 2004 firewalls.
Perform the following steps to create the FTP Server Publishing Rule that will publish the FTP site on the alternate port of TCP 99:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand your server name. Click on the Firewall Policy node.
2. Right click on the Firewall Policy node, point to New and click Server Publishing Rule.
3. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the Server Publishing Rule in the Server publishing rule name text box. In this example we will name the rule FTP Server TCP Port 99. Click Next.
4. On the Select Server page, enter the IP address of the FTP server on the internal network in the Server IP address text box. Click Next.
5. On the Select Protocol page, select the FTP Server protocol from the Selected protocol list. After selecting the FTP Server protocol, click the Ports button.
6. In the Ports dialog box, select the Publish on this port instead of the default port option in the Firewall Ports frame. In the Port text box, enter the value 99. Click OK.
7. Click Next on the Select Protocol page.
8. On the IP Addresses page, put a checkmark in the External checkbox. Then click the Address button.
9. In the External Network Listener IP Selection dialog box, select the Selected IP addresses in this network option. Select the IP address on the external interface of the ISA Server 2004 firewall that you want to listen for the incoming FTP connections in the Available IP Addresses list, then click Add. The IP address then appears in the Selected IP Addresses list. Click OK.
10. Click Next on the IP Addresses page.
11. Click Finish on the Completing the New Server Publishing Rule Wizard page.
12. Click the Apply button to save the changes and update the firewall policy.
13. You now see the FTP Server Publishing Rule in the Details pane.
The next step is to create the connection to the alternate FTP site. Pay very close attention to the steps in the next section, as the initial connection attempt will fail. I want you to see the failure message so that you recognize it when you encounter it on your production networks.
Make the Connection
Now we’re ready to make the FTP connection using an alternate port number. In this example I have copied the contents of the Deploy folder, which contains the Windows Server 2003 deployment tools, to the FTP site. I have also created a file named ftplog that will be used to test uploads to the FTP site.
Perform the following steps to test the connection:
1. Open a command prompt window. At the command prompt enter ftp and press ENTER. Next, at the FTP command prompt, enter open 192.168.1.70 99 (192.168.1.70 is the IP address on the external interface of the ISA Server 2004 firewall in this example) and press ENTER. Enter the user name anonymous at the FTP command prompt and press ENTER, then enter a password (the password does not matter because this is an anonymous connection). After logging on, enter dir. A list of files appears at the command prompt. Use the get command to download a file. The download will be successful. Next, use the put command to upload a file to the site. You will see an error message saying Access Denied. Your ISA Server denied this operation.
The figure below shows each of these steps and the results of each step.
2. The FTP protocol used in the Server Publishing Rule should have allowed us to upload and download to and from the FTP site. The problem with the upload was that we did not configure the FTP policy to allow uploads. We can fix this problem by going back to the Server Publishing Rule. Return to the ISA Server 2004 firewall computer and right click on the Server Publishing Rule, then click the Configure FTP command.
3. In the Configure FTP protocol policy dialog box, place a checkmark in the Read Only checkbox. Click Apply and then click OK.
4. Click Apply to save the changes and update the firewall policy.
5. Return to the command prompt on the external client computer. Repeat the upload attempt. You’ll see that you are now able to upload to the FTP site.
6. If you observe the connection in the real time log monitor on the ISA Server 2004 firewall machine, you will see something interesting. Even though the external client is actually connecting to TCP port 99, the real time log monitor shows an inbound connection to TCP 21 on the internal network computer directly from the external client. You can see examples of this in the log file entries below, which indicate that they are associated with the FTP Server TCP Port 99 rule.
7. Close the Microsoft Internet Security and Acceleration Server 2004 management console.
Conclusion
In this article we went over the procedures required to publish an FTP site on an alternate port. Unlike ISA Server 2000, which required an application filter or a special config file to make this work, ISA Server 2004 allows you to publish an FTP site on an alternate port easily and quickly with a simple Server Publishing Rule.