Publishing FTP Site with an Alternate Port using ISA Server 2004

[LEFT][CODE]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport.htm[/CODE]

[B]By Thomas W Shinder M.D[/B]
[B]Published: February 2004[/B]


[B]Introduction[/B]

One of the most common requests seen on the Web boards here at [URL="http://www.isaserver.org/"]www.isaserver.org[/URL] is for instructions on how to publish an FTP site on an alternate port. There are a number of reasons why someone might want to publish an FTP site on an alternate port. For example, some ISA admins feel that they’ll benefit from a measure of security through obscurity if FTP access is enabled using a port other than TCP 21. Other ISA admins, believe it or not, actually want to publish an FTP site on an alternate port in order to violate their ISP’s Terms of Use policy.
Whatever the reason, ISA Server 2000 did not support publishing FTP sites on an alternate port. The reason for this was that FTP is a complex protocol which requires an application filter on the ISA Server 2000 firewall to support it. While it is possible to publish an FTP site on an alternate port using ISA Server 2000, you have to use the Firewall client on the FTP server and then create a wspcfg.ini file and place that in the FTP server’s application directory. While it worked, it was cumbersome and not altogether reliable.
While I don’t have an application filter to give you for ISA Server 2000, I do have something better: ISA Server 2004. ISA Server 2004’s Server Publishing Feature allows you to customize the ports used by any protocol you use in a Server Publishing Rule, even Protocols that have been installed by application filters, like the FTP protocol. This increased flexibility over Server Publishing allows you to publish FTP servers using an alternate port number without creating error prone config file or needing to install the Firewall client on the published server.
The procedure is very straightforward. In this article we’ll cover the following steps that are required to publish the FTP server on an alternate port:
[FONT=Symbol]·[FONT=&quot] [/FONT][/FONT]Install and Configure the FTP Site
[FONT=Symbol]·[FONT=&quot] [/FONT][/FONT]Create the FTP Server Publishing Rule
[FONT=Symbol]·[FONT=&quot] [/FONT][/FONT]Make the Connection
The figure below shows the basic network topology for this example.
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image007.gif[/IMG]
[B]Install and Configure the FTP Site[/B]

The first step is to install and configure the FTP site on the Server on the internal network. In this example, we will install the FTP site on a Windows Server 2003 machine. We will cover the following steps:
[FONT=Symbol]·[FONT=&quot] [/FONT][/FONT]Install the FTP Server Service
[FONT=Symbol]·[FONT=&quot] [/FONT][/FONT]Configure the Default FTP Site
Perform the following steps to install the FTP Server service on the Windows Server 2003 computer:
1.[FONT=&quot] [/FONT]Click [B]Start[/B] and point to [B]Control Panel[/B]. In the [B]Control Panel[/B] menu, click the [B]Add or Remove Programs[/B] entry.
2.[FONT=&quot] [/FONT]In the [B]Add or Remove Programs[/B] window, click the [B]Add/Remove Windows Components[/B] button on the left side of the window.
3.[FONT=&quot] [/FONT]In the [B]Windows Components[/B] dialog box, click the [B]Application Server[/B] entry in the [B]Components[/B] list, then click the [B]Details[/B] button.
4.[FONT=&quot] [/FONT]In the [B]Application Server[/B] dialog box, click the [B]Internet Information Services[/B] entry and click [B]Details[/B].
5.[FONT=&quot] [/FONT]In the [B]Internet Information Servers (IIS)[/B] dialog box, put a checkmark in the [B]File Transfer Protocol (FTP) Service[/B] checkbox and click [B]OK[/B].
6.[FONT=&quot] [/FONT]Click [B]OK[/B] in the [B]Application Server[/B] dialog box.
7.[FONT=&quot] [/FONT]Click [B]Next[/B] on the [B]Windows Components[/B] page.
8.[FONT=&quot] [/FONT]In the [B]Insert Disk[/B] dialog box, click [B]OK[/B]. In the [B]Files Needed[/B] dialog box, point the installer to the location of the [B]i386[/B] folder of the Windows Server 2003 CD in the [B]Copy files from[/B] text box. Click [B]OK[/B] in the [B]File Needed [/B]dialog box.
9.[FONT=&quot] [/FONT]Click [B]Finish[/B] on the [B]Completing the Windows Components Wizard[/B] page.
10.[FONT=&quot] [/FONT]Wait for the installation to finish and then close the [B]Add or Remove Programs[/B] window.
The next step is to configure the IIS FTP service. Perform the following steps to configure the IIS FTP service on the Windows Server 2003 machine:
1.[FONT=&quot] [/FONT]Click [B]Start[/B] and point to [B]Administrative Tools[/B]. Click on [B]Internet Information Services (IIS) Manager[/B].
2.[FONT=&quot] [/FONT]In the [B]Internet Information Services (IIS) Manager[/B] console, expand your server name, then expand the [B]FTP Sites[/B] node.
3.[FONT=&quot] [/FONT]Right click on the [B]Default FTP Site[/B] node and click [B]Properties[/B].
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image009.jpg[/IMG]
4.[FONT=&quot] [/FONT]In the [B]Default FTP Site Properties[/B] dialog box, click on the [B]FTP Site[/B] tab. In the [B]IP address [/B]list, select the actual IP address of the FTP site.
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image011.jpg[/IMG]
5.[FONT=&quot] [/FONT]Click on the [B]Messages[/B] tab. Enter a banner entry in the [B]Banner[/B] text box. Enter a welcome statement in the [B]Welcome[/B] text box. Enter an exit message in the [B]Exit[/B] text box. Enter a statement to be returned to users when the FTP site has reached it maximum number of connections in the [B]Maximum connections[/B] text box.
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image013.jpg[/IMG]
6.[FONT=&quot] [/FONT]Click on the [B]Home Directory[/B] tab. Make a note of the default local path for the FTP directory structure. In this example we will use the default path, which is [B]c:\interpub\ftproot[/B]. Put a checkmark in the [B]Write[/B] checkbox so that we can test FTP upload capabilities. Note that you do [I]not[/I] want to enable write access to your FTP site without creating strong NTFS permissions on the FTP directories.
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image015.jpg[/IMG]
7.[FONT=&quot] [/FONT]Click [B]Apply[/B] and then click [B]OK[/B] in the [B]Default FTP Site Properties[/B] dialog box.
8.[FONT=&quot] [/FONT]Stop and restart the FTP site using the stop and start buttons in the MMC button bar.
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image017.jpg[/IMG]

[B]Create the FTP Server Publishing Rule[/B]

We’re ready to create the FTP Server Publishing Rule now that the FTP site is ready. This FTP Server Publishing Rule will demonstrate the flexibility you have in protocol behavior in Server Publishing using ISA Server 2004 firewalls.
Perform the following steps to create the FTP Server Publishing rule that will publish the FTP site on the alternate port of [B]TCP 99[/B]:
1.[FONT=&quot] [/FONT]Open the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console and expand your server name. Click on the [B]Firewall Policy[/B] node.
2.[FONT=&quot] [/FONT]Right click on the [B]Firewall Policy [/B]node, point to [B]New[/B] and click [B]Server Publishing Rule[/B].
3.[FONT=&quot] [/FONT]On the [B]Welcome to the New Server Publishing Rule[/B] [B]Wizard[/B] page, enter a name for the Server Publishing Rule in the [B]Server publishing rule name[/B] text box. In this example we will name the rule [B]FTP Server TCP Port 99[/B]. Click [B]Next[/B].
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image019.jpg[/IMG]
4.[FONT=&quot] [/FONT]On the [B]Select Server[/B] page, enter the IP address of the FTP server on the internal network in the [B]Server IP address[/B] text box. Click [B]Next[/B].
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image021.jpg[/IMG]
5.[FONT=&quot] [/FONT]On the [B]Select Protocol[/B] page, select the [B]FTP Server[/B] protocol from the [B]Selected[/B][B] protocol[/B] list. After selecting the [B]FTP Server[/B] protocol, click the [B]Ports[/B] button.
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image023.jpg[/IMG]
6.[FONT=&quot] [/FONT]In the [B]Ports[/B] dialog box, select the [B]Publish on this port instead of the default port[/B] option in the [B]Firewall Ports[/B] frame. In the [B]Port[/B] text box, enter the value [B]99[/B]. Click [B]OK[/B].
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image025.jpg[/IMG]
7.[FONT=&quot] [/FONT]Click [B]Next[/B] on the [B]Select Protocol[/B] page.
8.[FONT=&quot] [/FONT]On the [B]IP Addresses[/B] page, put a checkmark in the [B]External[/B] checkbox. Then click the [B]Address[/B] button.
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image027.jpg[/IMG]
9.[FONT=&quot] [/FONT]In the [B]External Network Listener IP Selection[/B] dialog box, select the [B]Selected IP addresses in this network[/B] option. Select the IP address on the external interface of the ISA Server 2004 firewall that you want to listen to the incoming FTP connections in the [B]Available IP Addresses[/B] list, then click [B]Add[/B]. The IP address then appears in the [B]Selected IP Addresses[/B] list. Click [B]OK[/B].
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image029.jpg[/IMG]
10.[FONT=&quot] [/FONT]Click [B]Next[/B] on the [B]IP Addresses[/B] page.
11.[FONT=&quot] [/FONT]Click [B]Finish[/B] on the [B]Completing the New Server Publishing Rule Wizard[/B] page.
12.[FONT=&quot] [/FONT]Click the [B]Apply[/B] button to save the changes and update the firewall policy.
13.[FONT=&quot] [/FONT]You now see the FTP Server Publishing Rule in the Details pane.
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image031.jpg[/IMG]
The next step is to create the connection to the alternate FTP site. Pay very close attention to the steps in the next section, as the initial connection attempt will fail. I want you to see the failure message so that you recognize it when you encounter it on your production networks.
[B]Make the Connection[/B]

Now we’re ready to make the FTP connection using an alternate port number. In this example I have copied the contents Deploy folder that contains the Windows Server 2003 deployment tools in it to the FTP site. I have also create a file named [B]ftplog[/B] that will be used to upload to the FTP site.
Perform the following steps to test the connection:
1.[FONT=&quot] [/FONT]Open a command prompt window. At the command prompt enter [B]ftp[/B] and press ENTER. Next, at the FTP command prompt, enter [B]open 192.168.1.70 99[/B] (which is the IP address on the external interface of the ISA Server 2004 firewall in this example) and press ENTER. Enter the user name [B]anonymous[/B] at the FTP command prompt and press ENTER, then enter a password (the password does not matter because this is an anonymous connection. After logging on enter [B]dir[/B]. A list of files appears at the command prompt. Use the [B]get[/B] command to download a file. The download will be successful. Next, use the [B]put[/B] command to upload a file to the site. You will see an error message saying that [B]Access Denied. Your ISA Server denied this operation[/B].
The figure below shows each of these steps and the results of each step.
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image033.jpg[/IMG]
2.[FONT=&quot] [/FONT]The FTP protocol used in the Server Publishing Rule should have allowed us to upload and download to and from the FTP site. The problem with the upload was that we did not configure the FTP policy to allow uploads. We can fix this problem by going back to the Server Publishing Rule. Return to the ISA Server 2004 firewall computer and right click on the Server Publishing Rule, then click the [B]Configure FTP [/B]command.
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image035.jpg[/IMG]
3.[FONT=&quot] [/FONT]In the [B]Configures FTP protocol policy[/B] dialog box, place a checkmark in the [B]Read Only[/B] checkbox. Click [B]Apply[/B] and then click [B]OK[/B].
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image037.jpg[/IMG]
4.[FONT=&quot] [/FONT]Click [B]Apply[/B] to save the changes and update the firewall policy.
5.[FONT=&quot] [/FONT]Return to the Command Prompton the external client computer. Repeat the upload attempt. You’ll see that you are now able to upload to the FTP site.
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image039.jpg[/IMG]
6.[FONT=&quot] [/FONT]If you observe the connection in the real time log monitor on the ISA Server 2004 firewall machine, you will see something interesting. Even though the external client is actually connecting to TCP port 99, the real time log monitor shows an inbound connection to TCP 21 on the internal network computer directly from the external client. You can see examples of this in the log file entries below that indicate they are associated with the [B]FTP Server TCP Port 99[/B] rule.
[IMG]http://www.msfirewall.org/isa2004/2004pubftpaltport/2004pubftpaltport_files/image041.jpg[/IMG]
7.[FONT=&quot] [/FONT]Close the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console.
[B]Conclusion[/B]

In this article we went over the procedures required to publish an FTP site on an alternate port. Unlike ISA Server 2000, which required an application filter or a special config file to make this work, ISA Server 2004 allows you to publish an FTP site on an alternate easy and quickly with a simple Server Publishing Rule



[/LEFT]