A control connection:
This connection carries the client's commands and the server's replies to them. It uses port 21 on the server, and it lives for the whole FTP session.
Several data connections:
These carry files and other data, such as directory listings. A data connection is established whenever data has to be transferred and is closed once the transfer finishes, so the ports used are not necessarily the same each time. In addition, a data connection may be initiated by either the client or the server.
In the FTP protocol the control connection uses the well-known port 21, so an ISA IP packet filter can protect this connection well. The destination port of the data connection, on the other hand, is usually not known in advance, which makes port forwarding for it very difficult. FTP does define a standard port 20 as the ftp-data port, but that port is only used as the source port when the server connects out to the client; there is no process listening on it. The direction of the data connection is generally the opposite of the control connection, that is, the server initiates a connection to the client for the data transfer, and the port it connects to is negotiated between server and client. This feature of the FTP protocol adds a lot of difficulty to ISA forwarding and to firewall and NAT configuration.
In addition, there is another FTP mode called passive mode (PASV). In this mode the data connection is initiated by the client program, the opposite of the mode just discussed (which we can call active mode, or PORT mode). Whether passive mode is used depends on the client program; in the command-line FTP client, the passive command disables or enables passive mode.
As mentioned above, FTP data transfer has two modes, active mode and passive mode, and the two initiate the data connection in opposite directions: active mode opens the connection from the server to the client, passive mode opens it from the client to the server.
Returning to ISA: if passive mode is used, IIS picks a port at random and tells the client, and the client then connects to that port. This means that on ISA you would have to allow dynamic inbound connections to all ports, which is simply not acceptable, because opening all ports inbound is far too dangerous.
If PORT mode is used, IIS picks a port and then actively connects to the client. In this case there is no need to open all dynamic inbound connections as in PASV mode; instead we open all dynamic outbound connections, which is the less dangerous of the two. In addition, ISA's IP packet filter only acts on the ISA machine itself and does not expose the clients on the LAN.
Therefore, I personally do the following:
(1) Because IIS and ISA are on the same machine and both listen on port 21 (by default IIS listens on port 21 of all addresses), we must first make IIS listen only on port 21 of the intranet address. At the command prompt, run netstat -na > abc.txt and open the file; you will see a line with 0.0.0.0:21 LISTENING.
Run the following commands:
net stop msftpsvc (stop the FTP service)
cd \Inetpub\AdminScripts
cscript adsutil.vbs set msftpsvc/DisableSocketPooling true (stop listening on all addresses)
net start msftpsvc (start the FTP service)
(2) In the IIS console, change FTP site -> Properties -> FTP Site -> IP address to the intranet address. The FTP service now listens only on port 21 of the intranet IP address.
(3) You may have a question at this point: if IIS actively connects to the client, will the client's firewall block that connection? (PASV mode does not have this problem.) To avoid this, we can stop IIS from connecting to arbitrary ports on the client and allow it to connect only to the port the client uses for its own connection to IIS for the data transfer. This resolves the conflict between PORT mode and the client's firewall. Method: edit the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msftpsvc\Parameters, change the value EnablePortAttack from 0 to 1, and restart the FTP service.
(4) In ISA, publish the FTP service with a server publishing rule: for the internal server IP address enter the IP address of ISA's internal NIC, for the external IP address enter the IP address of ISA's external NIC, and for the mapped server protocol select FTP Server.
(5) In IP packet filters, create a new rule: protocol TCP, direction outbound, local port dynamic, remote port all ports.
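Step (1) is verified by reading netstat output by eye. The following is an added example, not part of the original article, that does the same check programmatically: it parses the LISTENING lines of Windows "netstat -na" output and reports whether port 21 is bound only to the intranet address or still to the wildcard 0.0.0.0. The two netstat listings are constructed samples (before and after DisableSocketPooling), and the intranet address 192.168.1.10 is an assumption for the example.

```python
import re

# Constructed sample in the layout of Windows "netstat -na", before DisableSocketPooling:
# IIS FTP still listens on the wildcard address, which conflicts with ISA on the same host.
NETSTAT_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:21        192.168.1.50:1035      ESTABLISHED
"""

# Constructed sample after steps (1) and (2): port 21 is bound to the intranet address only.
NETSTAT_AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:21        0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:21        192.168.1.50:1035      ESTABLISHED
"""

INTRANET_IP = "192.168.1.10"  # assumed intranet address of the ISA/IIS machine

# One LISTENING line: proto, local addr:port, foreign addr:port, state.
# \S+ is greedy, so "[::]:21" still splits into "[::]" and "21".
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def tcp_listeners(netstat_output, port):
    """Sorted list of local addresses that have a TCP socket in LISTENING state on `port`."""
    addrs = set()
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) == port:
            addrs.add(m.group(1))
    return sorted(addrs)


def bound_only_to(netstat_output, port, expected_addr):
    """True when `port` listens on `expected_addr` and on nothing else (wildcard 0.0.0.0 included)."""
    return tcp_listeners(netstat_output, port) == [expected_addr]


def ftp_binding_report(netstat_output, intranet_ip, port=21):
    """Human-readable verdict for step (1)/(2): where the FTP control port is bound."""
    listeners = tcp_listeners(netstat_output, port)
    if not listeners:
        return "port %d is not listening at all (FTP service stopped?)" % port
    if "0.0.0.0" in listeners:
        return "port %d still listens on 0.0.0.0 (socket pooling still enabled)" % port
    if listeners == [intranet_ip]:
        return "port %d listens only on %s (OK)" % (port, intranet_ip)
    return "port %d listens on unexpected addresses: %s" % (port, ", ".join(listeners))


if __name__ == "__main__":
    # Run against a real host with:  netstat -na > abc.txt  and read that file instead.
    print(ftp_binding_report(NETSTAT_BEFORE, INTRANET_IP))
    print(ftp_binding_report(NETSTAT_AFTER, INTRANET_IP))
```

Feed the report function the contents of abc.txt from the real machine; the "(OK)" verdict is the state you want before publishing the site in step (4).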
This is my solution, but it is not perfect, mainly because:
(1) Clients cannot connect using PASV mode, for the reason described above.
(2) Because of step (5), the ISA server cannot restrict outbound access from the local machine, since all outbound connections are allowed.
I also tested my method with Serv-U and found some mistakes in it, which I have since worked through. The following is a summary:
Placing a PASV-mode server behind ISA requires solving two problems:
1. The PASV ports. In the method above I proposed using a secondary connection, but that turns out to be wrong. Instead, a primary connection must be created for each PASV port, and then a server publishing rule for each of them, so the number of entries to create equals the number of PASV ports.
Another topic is Web publishing rules. Tony should know that an FTP server can also be published through a Web publishing rule, but the rule only provides a single FTP port option. Obviously this is meant for a PORT-mode FTP server, because in PORT mode the data connection is initiated by the server, so on the server side there is no problem passing through the firewall.
Another attractive feature of Web publishing rules is that they support users with a dynamic public IP: you do not have to change the external address every time you dial up, as you do with server publishing rules. If the PASV problem could also be solved with Web publishing rules, it would be great news for dial-up users who want to publish a PASV server on the intranet.
The question is how to publish random PASV ports through an option that accepts only one port. Today's experiment gave me an idea: as above, set up one Web publishing rule for each PASV port! I have not tried this yet and cannot prove that it is not feasible; I expect to have results this evening.
Of course, you also need to be able to control the PASV port range. Serv-U can set it; the FTP server in IIS cannot.
2. The IP address the server sends to the client. When a client logs on to a PASV-mode server, the server sends the client its own IP address and data port. When the server sits on the intranet it returns its intranet IP address, with which the client of course cannot complete the connection; the server needs to return ISA's Internet address instead. One possible solution is the NameResolutionForLocalHost parameter in the Firewall Client's application settings: set to P, the application returns ISA's Internet address. However, this parameter is used by the Firewall Client, and unfortunately the Firewall Client cannot be installed on a published server.
Fortunately, the good news is that Serv-U itself can return ISA's Internet address. First select the properties of the new FTP server and, on the Domain tab, select "Enable Dynamic DNS". A second tab, "Dynamic DNS", then appears; apply for a dynamic domain name at tz0.com, which gives you a key, and enter that key on this tab. Finally go to the Settings properties of the new server, select the Advanced tab, select "Allow passive mode data transfers", and leave the IP address box next to it blank. That box is not needed by dial-up users; it is required only when the exit link uses a fixed address.
In this way, before Serv-U returns the IP address and port to the client, it first queries ISA's Internet address from tz0.com and then sends that to the client.
With these two problems solved, the rest of the work is simple.
It also follows from the above that the IIS FTP server cannot be published from the intranet, because IIS has neither an option to select the PASV port range nor a way to return ISA's Internet address. Serv-U meets both requirements. Of course, there may also be a way to solve this for IIS on Microsoft's website.
When publishing an FTP server, note that the FTP server has PORT and PASV modes. Both use port 21 for user authentication and management; the difference is in how data is transferred: in PORT mode the server's data port is fixed at port 20, while in PASV mode it is a random port between 1025 and 65535. This difference must be taken into account when publishing.
If the FTP server is on the internal network and a server publishing rule is created (a Web publishing rule can also publish an FTP server, but it does not handle the PORT and PASV modes), the 21 inbound entry in Protocol Definitions establishes a secondary connection, namely inbound on port 20 and on ports 1025-65535.
If the FTP server is built on the ISA server itself, the related entries must be set in IP packet filters. For PORT mode it is easy: allow 20 inbound. PASV mode is troublesome, because IP packet filters cannot specify a port range, and we cannot write tens of thousands of ports one by one. We can only set the local port to dynamic and the remote port to all ports, which of course damages security.
Fortunately, some PASV-mode FTP servers can set the PASV port range, for example Serv-U, which can restrict the PASV ports to at most 50 ports. If the number of concurrent users configured in Serv-U is small, we can write one filter per PASV port instead of opening all ports. The IIS FTP server does not provide a way to select the PASV ports, so only dynamic and all ports can be enabled, as described above.
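The two PASV problems above (the server advertising its intranet address, and the data port falling outside the handful of ports you can publish) both live in the 227 reply on the control connection. The following is an added example, not code from the article, Serv-U or ISA, that decodes the h1,h2,h3,h4,p1,p2 tuple shared by the client's PORT command and the server's 227 PASV reply (RFC 959), reports which side opens the data connection and what that means for ISA, checks a reply for the two problems, and rewrites the advertised address the way Serv-U's dynamic DNS option (or a NAT FTP helper) does. The control-channel lines are constructed samples; ISA's external address 203.0.113.5 and the 50-port range 50000-50049 are assumptions for the example.

```python
import re

# Constructed control-channel lines (not captured from a real server).
PASV_REPLY_INTRANET = "227 Entering Passive Mode (192,168,1,10,195,89)."  # Serv-U on the intranet, port 50009
PORT_CMD = "PORT 192,168,1,50,4,1"                                        # client in active mode, port 1025

# Assumed for the example: ISA's external address and a 50-port Serv-U PASV range.
ISA_EXTERNAL_IP = "203.0.113.5"
PASV_PORT_RANGE = (50000, 50049)

# The address/port tuple shared by PORT and the 227 reply: four octets, then port = p1*256 + p2.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_host_port(line):
    """Decode the h1,h2,h3,h4,p1,p2 tuple into ('a.b.c.d', port); raises ValueError on malformed input."""
    m = HOSTPORT_RE.search(line)
    if not m:
        raise ValueError("no host/port tuple in: %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in: %r" % line)
    h1, h2, h3, h4, p1, p2 = nums
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def is_rfc1918(host):
    """True for 10/8, 172.16/12 and 192.168/16, the addresses an intranet server wrongly advertises."""
    a, b = (int(x) for x in host.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def data_connection(mode, line):
    """Who opens the data connection, to where, and which direction ISA must allow for it.
    mode 'PORT': `line` is the client's PORT command; mode 'PASV': `line` is the server's 227 reply."""
    host, port = parse_host_port(line)
    if mode == "PORT":
        return {"initiator": "server", "dst": (host, port),
                "isa": "outbound, local port dynamic -> remote port %d" % port}
    if mode == "PASV":
        return {"initiator": "client", "dst": (host, port),
                "isa": "inbound to local port %d" % port}
    raise ValueError("mode must be PORT or PASV, got %r" % mode)


def pasv_problems(reply, port_range):
    """The two things that break a PASV server published behind ISA, as a list of messages."""
    host, port = parse_host_port(reply)
    problems = []
    if is_rfc1918(host):
        problems.append("advertises intranet address %s; client cannot reach it" % host)
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("data port %d outside published range %d-%d" % (port, lo, hi))
    return problems


def rewrite_pasv_reply(reply, public_ip):
    """Replace the advertised address with the public one, keeping the port (what Serv-U's
    dynamic DNS option achieves by looking up ISA's Internet address before replying)."""
    _host, port = parse_host_port(reply)
    tup = ",".join(public_ip.split(".") + [str(port // 256), str(port % 256)])
    return HOSTPORT_RE.sub(tup, reply, count=1)


if __name__ == "__main__":
    print(data_connection("PORT", PORT_CMD))
    print(data_connection("PASV", PASV_REPLY_INTRANET))
    print(pasv_problems(PASV_REPLY_INTRANET, PASV_PORT_RANGE))
    print(rewrite_pasv_reply(PASV_REPLY_INTRANET, ISA_EXTERNAL_IP))
```

Pointing pasv_problems at the replies a client actually receives (for example from a packet capture of port 21) tells you immediately whether it is the address or the port that is breaking transfers, which is the first thing to establish before touching the ISA rules.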
From the error information above it seems you are using IE to access the FTP server. IE's FTP client differs from professional FTP clients: it cannot detect the FTP server type automatically and switch its client mode to match. IE provides only one manual option to switch between the PORT and PASV client roles: Internet Options -> Advanced -> Enable folder view for FTP sites. With it selected, IE is a PASV client; with it cleared, it is a PORT client, and you have to change this option by hand to match the server type. If the server's exit link is ADSL, select "Use Passive FTP (for firewall and DSL modem compatibility)". These two options exist only in IE 5.5 and above.