Server Solver

No Way Out

ISA Server seems to be preventing outbound traffic to an external FTP server.

• By Zubair Alexander
• 09/26/2005

Zubair: I’ve configured our ISA Server 2004 as an edge firewall with one of the rules permitting all outbound traffic. Everything works exactly the way I want, except for one thing. I'm unable to upload files from internal clients to an FTP server on the Internet.

I’ve tried with or without Linksys hardware firewall, a BEFSX41 behind ISA Server. I’ve tried using PASV, PORT, EPSV, and EPRT with different FTP software, such as IE, WS_FTP, CuteFTP and others. I’ve even set up another protocol definition that allows port 21 out with a secondary connection for port 20, as per CuteFTP’s knowledge base.

I'm convinced it’s something on the ISA Server firewall because, if I disable the firewall, I can upload files. In case you're wondering, I’ve also tried disabling ISA Firewall Client, but nothing seems to work. The error I get is "550. Access is denied".
— Name withheld

Answer: Well, I’ve seen a lot of people run into the same problem you’ve described. First, let me give you a little bit of background on how FTP works and talk briefly about the FTP Access Filter in ISA Server 2004 to help you understand the entire process.

As far as the FTP session, the FTP client first creates a connection to an FTP server on TCP port 21. At that time, the client also tells the server on which port it’s going to listen for a response from the server. The response from the server is always on a random port number above 1023. The FTP server responds and the client and server perform a three-way handshake.

Next, the FTP server initiates a connection on TCP port 20. This is the port that's eventually used to transmit the data. The server also tells the client on which port the client should respond to. Again, the port number will be above 1023. The client and server perform a three-way handshake and now they are ready to transmit data over TCP port 20.

You may have noticed that the first three-way handshake is nothing more than the traditional handshake that we know and love, but here’s the catch: Because the second connection on TCP port 20 was initiated by the FTP server, which is not on the internal network, the connection should be blocked. Since the internal client didn’t initiate that connection, and it wasn’t part of any existing TCP session, that connection should not be allowed by the ISA firewall. Lucky for us, all this complexity is handled by the FTP Access Filter on the ISA Server 2004.

You can configure FTP filter either for incoming or outgoing traffic, and either for read-only or full access. You have a choice to either disable the FTP filter for all the rules (found at Configuration, Add-ins, FTP Filter), or disable it for individual rules on the General tab. By default, if an FTP filter is enabled, the filter is configured to allow read-only access. Now let’s talk about your specific situation.

Although you’ve configured a rule to allow all outbound traffic, which includes FTP, the problem is that the FTP filter only allows read-only access by default. As a result, your clients cannot upload files to an FTP server, even though they seem to have no problem downloading files.

Configure FTP filter so that it's no longer "Read Only" and your uploads will work.

To allow clients to upload, you need to configure the FTP filter (see Figure). Right-click the firewall rule that allows unrestricted outbound traffic and select Configure FTP. Uncheck the box that says Read Only. Notice that it says "When Read Only is selected, FTP uploads will be blocked." Apply the changes to your ISA Server. Now, your clients can upload files without restriction.