Troubleshooting Outbound FTP Access in ISA Server
Corporate clients located in networks protected by Microsoft® Internet Security and Acceleration (ISA) Server may require access to File Transfer Protocol (FTP) sites on the Internet. ISA Server support for outbound FTP access depends on a number of factors, including:
- Type of client request.
- Limitations of the FTP client application.
The type of ISA Server client making the request determines how FTP communications are handled. ISA Server provides support for three types of clients:
- **Firewall clients** Client computers with Firewall Client for ISA Server software installed and running have full support for complex protocols with secondary connections, such as FTP.
- **SecureNAT client computers that use ISA Server in their route to the Internet** In a simple network, these SecureNAT clients have a default gateway pointing to the ISA Server computer. ISA Server provides application filters to handle complex protocols for SecureNAT. FTP support is provided by the FTP access filter.
- **Web proxy clients** Web proxy clients make CERN proxy requests to FTP servers on the Internet. When an FTP client application is configured to use ISA Server as a Web proxy, FTP requests are handled by ISA Server Web Proxy Filter, and passed over Hypertext Transfer Protocol (HTTP) between the client and ISA Server. The FTP client application can be an Internet browser, such as Microsoft Internet Explorer®, or a command-line or graphical user interface (GUI) FTP tool.
For more information about ISA Server client types, see "Internal Client Concepts in ISA Server 2006" at the ISA Server TechCenter.
Client support can be summarized as follows:
- For Web proxy client requests, ISA Server does not support FTP uploads. FTP requests are passed over HTTP, and support for Active or Passive mode is a global ISA Server setting.
- For non-Web proxy requests from Firewall clients or SecureNAT client computers, read/write FTP access is supported. The default setting for the ISA Server FTP access filter is read-only. Either Active or Passive FTP mode can be used, according to communications with the FTP server.
- For more information about having more granular control of client FTP commands, see the topic "FTP Access Filter" in "Configuring Add-Ins" in the ISA Server SDK at Microsoft MSDN.
Common troubleshooting issues
The following sections describe common troubleshooting issues.
Web proxy clients cannot upload to an FTP site
Symptom: Web proxy clients cannot upload to an FTP site. The following message may appear: "The folder FTP_Name is read-only because the proxy server is not set up to allow full access."
Issue: When a client computer makes a request as a Web proxy client, FTP requests are passed over HTTP, and only FTP downloads are supported.
Solution: Install Firewall Client for ISA Server software to configure the computer as a Firewall client, or configure the computer as a SecureNAT client. For more information about client configuration, see "Internal Client Concepts in ISA Server 2006" at the ISA Server TechCenter. You may not have to remove Web proxy settings on the client. For example, a browser such as Internet Explorer will try to make a SecureNAT client request before making a Web proxy request. Success is dependent on the ability of the browser to resolve the FTP server name to an IP address.
Web proxy clients cannot download from an FTP server using PASV mode
Symptom: Attempts by Web proxy clients to download from a PASV mode FTP server fail.
Issue: By default, FTP traffic handled by Web Proxy Filter uses Active mode.
Solution: Set the DWORD value NonPassiveFTPTransfer to 0 in the registry on the ISA Server computer, which sets the mode to Passive. The default value is 1, indicating that Active mode is used. For information about setting this registry key, see the Microsoft Knowledge Base article 300641 "How to enable passive CERN FTP connections through ISA Server 2000 or ISA Server 2004 Standard Edition." The registry instructions in this article also apply to ISA Server 2006 and ISA Server 2004 Enterprise Edition.
Warning
Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
When setting this value in ISA Server 2004, you should ensure that ISA Server 2004 Service Pack 2 (SP2) is installed, to avoid the issue described in Microsoft Knowledge Base article 900256 "Error message when ISA Server 2004 Web Proxy client users try to access an external FTP site by using passive FTP functionality: 'Error Code: 502 Proxy Error'." Note that information in this article does not apply when using the Microsoft Windows® command-line FTP client, which cannot be used by Web proxy clients. In addition, the Windows command-line FTP client cannot work in Passive mode.
How to ensure that FTP requests are not proxied over HTTP
Symptom: Outbound FTP requests from internal clients are being proxied over HTTP and are thus read-only.
Issue: FTP over HTTP is limited to read-only.
Solution: If you are using Internet Explorer, you can configure the browser to access FTP servers directly. Alternatively, you can configure client computers as SecureNAT clients, or install Firewall Client software. ISA Server will detect these settings, and FTP traffic will be handled by the Microsoft Firewall service and will not be proxied. For information about configuring Internet Explorer to make a direct FTP request, see the section "How to enable Internet Explorer to make a request directly to the FTP server," later in this topic.
How to enable Internet Explorer to make a request directly to the FTP server
Symptom: By default, Internet Explorer makes a direct request to an external FTP server, instead of making the request over HTTP.
Issue: You can specify a setting in Internet Explorer so that requests are made directly.
Solution: Specify the appropriate setting in Internet Explorer by doing the following.
To proxy an Internet Explorer FTP request
Start Internet Explorer.
On the Tools menu, click Internet Options.
Click the Advanced tab.
In the Settings list, do the following:
Note that when you select the Enable folder view for FTP sites check box, Internet Explorer behaves as a standard FTP client and uses Active mode, even if the Use Passive FTP check box is enabled.
How to configure Passive and Active mode in Internet Explorer
Issue: Internet Explorer needs to be configured to use Passive or Active mode.
Solution: Before configuring Passive or Active mode, it is useful to understand the implications for each mode, as follows:
- In Active mode, the FTP client uses a PORT command to inform the server that it should connect to a specific IP address and port, and then send the data. This requires that the firewall allows inbound access from port 20 on the FTP server to all high-number ports for the client.
- In Passive mode, the FTP client uses a PASV command to ask the server which IP address and port the client should connect to in order to send and receive data. This requires that the firewall allows outbound access to all high-number TCP ports on the FTP server, and inbound access to high-number TCP ports for the client.
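The PORT command and the 227 reply to PASV described above are exactly what the ISA Server FTP access filter must read from the control channel to open the secondary data connection, and what it can no longer see once the control channel is encrypted (the FTPS case later in this topic). The following Python script is an added example, not code from the original topic or from ISA Server; it parses both announcements from constructed sample control-channel lines and reports the data endpoint and the direction the firewall must permit.

```python
import re

# Constructed sample FTP control-channel lines (not captured from a real session).
# "C" marks lines sent by the client, "S" lines sent by the server.
SAMPLE_CONTROL_CHANNEL = [
    ("C", "PORT 10,0,0,25,4,1"),
    ("S", "200 PORT command successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,195,89)."),
    ("S", "425 Can't open data connection."),
]

# h1,h2,h3,h4,p1,p2 tuple shared by the PORT command and the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_data_endpoint(sender, line):
    """Return the data connection announced by one control-channel line, or None.

    The result carries the FTP mode, the announced host/port, and the direction
    a firewall has to allow; lines announcing nothing open no port at all.
    """
    line = line.strip()
    if sender == "C" and line.upper().startswith("PORT "):
        mode, direction = "active", "server port 20 -> client high port (inbound to client)"
    elif sender == "S" and line.startswith("227"):
        mode, direction = "passive", "client high port -> server high port (outbound)"
    else:
        return None
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("malformed host/port tuple: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range: %r" % line)
    return {
        "mode": mode,
        "host": "%d.%d.%d.%d" % (h1, h2, h3, h4),
        "port": p1 * 256 + p2,  # 16-bit port carried as two octets
        "direction": direction,
    }


def secondary_connections(control_lines):
    """Collect every data connection a filter would have to open for a session."""
    found = []
    for sender, line in control_lines:
        endpoint = parse_data_endpoint(sender, line)
        if endpoint is not None:
            found.append(endpoint)
    return found
```

Running `secondary_connections(SAMPLE_CONTROL_CHANNEL)` yields one active and one passive entry; the 425 reply and the bare PASV command announce nothing, so a filter would open nothing for them.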
ISA Server supports both modes. To configure Internet Explorer in Active or Passive mode, do the following:
To configure Internet Explorer 7 to use Passive mode
On the Tools menu of Internet Explorer, click Internet Options.
Click the Advanced tab.
In the Browsing section of the Settings list, do the following:
To configure Internet Explorer 7 to use Active mode
On the Tools menu of Internet Explorer, click Internet Options.
Click the Advanced tab.
In the Browsing section of the Settings list, do the following:
How to access an FTP site that is not anonymous using Internet Explorer
Symptom: Internet Explorer cannot access FTP sites requiring credentials.
Issue: When FTP requests are sent over HTTP for Web proxy clients, only anonymous access is allowed. To use Internet Explorer as an FTP client when an FTP server requires authentication, you must configure Internet Explorer for direct FTP access.
Solution: Enable the Enable folder view for FTP sites check box in Internet Explorer. This causes Internet Explorer to prompt for credentials. Then specify credentials in the following format: ftp://username:password@ftp.usdirectcom.net/. Alternatively, configure the client as a SecureNAT or Firewall client and access the FTP server using an alternative FTP client.
HTTP 502 Proxy Error - The login request was denied
Symptom: When accessing an external FTP site that requires authentication, the following error is received: "HTTP 502 Proxy Error - The login request was denied."
Issue: Web proxy normally sends anonymous authentication information to an FTP site in the first request. If the FTP site rejects and closes the connection at the first try, this error is issued. If you monitor the FTP traffic, you will see a log entry similar to: "Port: 21 FTP failed connection attempt user: anonymous request: Get ftp://FTPServer/."
Solution: When accessing an external FTP site that requires authentication from a Web proxy client, provide credentials in the URL, in the following format: ftp://username:password@FTPServerName.
This issue does not occur in the following circumstances:
- SecureNAT clients or Firewall clients make the FTP request.
- The Enable folder view for FTP sites check box is selected in Internet Explorer. With this setting enabled, Internet Explorer sends the request directly to the FTP site if it can resolve the remote host name, ignoring browser settings. If the host name cannot be resolved, the browser is used.
Firewall client computers require the FTP access filter for outbound FTP access
Symptom: An access rule to allow Firewall client computers outbound FTP access must use the FTP access filter.
Issue: Even though Firewall client computers can handle complex secondary protocols such as FTP, the FTP access filter is required.
Solution: Although the FTP access filter is not required for Firewall clients to handle the complex FTP protocol, the FTP access filter defines and dynamically opens the secondary connections required for FTP. ISA Server provides a predefined FTP protocol, but the protocol definition only includes the primary connection.
Permissions error message when Firewall clients access an Active mode FTP server using ISA Server 2004
Symptom: Client computers running Firewall Client for ISA Server software receive an error message when accessing an external FTP server.
Clients using Internet Explorer receive the following error message: "Windows cannot access this folder. Make sure you typed the file name correctly and that you have permission to access the folder."
Clients using other FTP client applications may receive the following message: "425 Can't open data connection."
Issue: The problem is the handling of the TCP connection in the following circumstances:
- ISA Server 2004 Firewall Client software is used.
- ISA Server 2004 Standard Edition is installed.
- When using Internet Explorer, the Enable folder view for FTP sites check box is selected.
- When using Internet Explorer, the Use Passive FTP check box is cleared.
Solution: Check that you have the hotfix installed that is described by the Microsoft Knowledge Base article 884580 "Active mode FTP client programs cannot access an FTP server from behind Internet Security and Acceleration Server 2004." This hotfix is included in ISA Server 2006 and ISA Server 2004 Enterprise Edition.
SecureNAT clients cannot access external FTP servers
Symptom: Computers configured as SecureNAT clients (with their default gateway pointing directly or indirectly to the ISA Server computer for Internet access) cannot access external FTP servers.
Issue: There may be an issue with protocol definitions, access rules, or client settings.
Solution: Check the following:
- SecureNAT clients must be able to resolve the FTP server name themselves. Ensure that name resolution is working correctly for SecureNAT clients.
- SecureNAT clients require the FTP access filter for FTP communications. To check that the filter is enabled, do the following.
To verify that the FTP access filter is enabled
In ISA Server Management, expand the Configuration node, and then click Add-ins.
On the Application Filters tab, right-click FTP Access Filter, and then click Properties.
On the General tab, ensure that Enable this filter is selected.
Click OK.
When using ISA Server Enterprise Edition, if this filter is enabled at the enterprise level, it is enabled for all arrays, and it cannot be disabled at the array level.
- Check that an access rule is configured to allow outbound FTP access. For example, to allow access to all users, the following rule would be configured:
  - Selected protocols: FTP
  - From: Internal
  - To: Create a computer set with the address of the FTP server
  - User sets: All Users
- We recommend that the rule destination is limited to the FTP server. Create a computer set containing the IP address of the FTP server. The rule should be applied to all users. SecureNAT clients cannot use access rules requiring authentication. The predefined FTP protocol is bound by default to the FTP filter.
- Check that the predefined FTP protocol used in the rule has the correct ports enabled. If you want to access an FTP server on an alternate port, you cannot access it using a SecureNAT client. Instead, you must install Firewall Client for ISA Server software on the client, and then create a custom FTP protocol definition with the alternative port. Note that the FTP access filter only listens on the standard FTP control port, TCP port 21. You cannot modify the port settings for the FTP access filter.
- If you are using a non-browser FTP client application, ensure that it does not have Web proxy settings configured.
FTP upload is not available in a single network adapter configuration
Symptom: Internal clients are not able to do FTP uploads when ISA Server is installed with a single network adapter.
Issue: In a single network adapter scenario, FTP requests are handled by Web Proxy Filter, as FTP over HTTP requests. Web Proxy Filter supports FTP download only.
Solution: Verify the limitations of a single network adapter configuration. For more details, see the following documents at the ISA Server TechCenter at Microsoft TechNet:
- Troubleshooting Unsupported Configurations in ISA Server
- Configuring ISA Server 2004 on a Computer with a Single Network Adapter (Note that the information in this document also applies to ISA Server 2006.)
ISA Server does not support outbound secure FTP connections
Symptom: Clients require access to FTP servers over Secure FTP (FTPS).
Issue: ISA Server does not support outbound FTP over SSL/TLS (FTPS) connections. FTPS uses an encrypted control channel. For standard FTP traffic, ISA Server uses the FTP filter to monitor FTP communication. Outbound Secure Sockets Layer (SSL) connections cannot be seen by ISA Server, and therefore ISA Server cannot adjust traffic policy in reaction to PASV and PORT FTP commands.
Solution: Although there may be a workaround by installing Firewall Client software and creating a custom FTP protocol definition that is not bound to the FTP application filter, this is not supported.