Visit Half Price Computer Books

Allow an ISA Server Machine Write Access to a Remote FTP Server

ISA Server, in its default configuration, will not allow the machine it is installed on write (or rename, or delete, etc.) access to outside FTP Servers. This denial of functionality is present because traffic access to ports 21 (FTP Control Channel) and 20 (FTP Data Channel) is blocked.

You may notice this issue while connecting up to an FTP server that you would normally have write access to using Internet Explorer Ž (for information on how to use your Browser as a Lite FTP Client ***Link***).
While experiencing this error, IE will give the message:


"The folder 'ftp://FTPUser@TestNet1.com/' is read-only because the proxy server is not set up to allow full access.  To move, paste, rename, or delete files, you must use a different proxy.  For information on changing your proxy, contact your administrator".

This problem is characterized by clients being able to access the writable FTP server as expected, while the ISA Server cannot.

Packet filters must be created to allow the FTP Data and Control channels access to the internet:

Create the Packet Filters

In ISA Management, Expand: Internet Security and Acceleration Server > Servers and Arrays > <ServerName> > Access Policy.
Right Click "IP Packet Filters" > New > Filter...
Type a suitable name for the packet filter, such as "Allow FTP Control Channel". Click Next.
Ensure "Allow packet transmission" is selected, Click Next.
Select "Custom", Click Next.
Apply the Filter Settings to the Custom IP Packet Filter as listed below and Click Next.
1. IP protocol: TCP
2. Direction: Both
3. Local Port: All Ports
4. Remote Port: Fixed Port
5. Remote Port Number: 21
Leave "Default IP addresses for each external interface on the ISA Computer" selected, Click Next.

Leave Apply this packet filter to: "All Remote Computers", and Click Next. Click Finish

To create the FTP Data Channel Packet Filter, follow Steps 2 through 8 above changing only the following steps:
Step 3 - Type a suitable name such as "Allow FTP Data Channel"
Step 6 - Apply the Filter Settings to the Custom IP Packet Filter as listed below and Click Next.

IP protocol: TCP
Direction: Both
Local Port: All Ports
Remote Port: Fixed Port
Remote Port Number: 20

Recommended Reading

Great Books. Great Prices.

Inside the Security Mind: Making the Tough Decisions

Title	Inside the Security Mind: Making the Tough Decisions
Publisher	Prentice Hall
Description	Learn how the top gurus approach security. Enlighten yourself and rest your mind.
ISBN	0321174070
Price Discount	20%

Internet and EMail Security Kit: Defeat Hackers and Viruses and Increase Network Security

Title	Internet and EMail Security Kit: Defeat Hackers and Viruses and Increase Network Security
Publisher	Syngress
Description	How to use security features, configurations, and methods. W2K, UNIX, Cisco, and more.
ISBN	1928994288
Price Discount	50%

Linux Information

Did you find this document to be helpful? Have any questions? Send us a note: computing@Fusion13.com
Broken links? Typographical errors? Send to: webmaster@Fusion13.com

Fusion 13 has taken painstaking effort to ensure the validity of its data;
however, the information contained in this document is provided without warranty.
The data presented is offered simply as a suggestion.
Fusion 13 can in no way be held responsible for how these suggestions are implemented in any environment.