Solution to FTP under ISA

There are many people on the issue of FTP a lot, we refer to, discuss. My environment is as follows:

Server:isa Sp1,iis

Client:windows and XP, CuteFTP

This article mainly discusses the ISA and FTP on the same machine processing methods.

Most TCP services use a single connection, typically a client initiates a connection to a well-known port on the server, and then communicates using this connection. However, the FTP protocol is different, it uses multiple two-way connections, and the ports used are difficult to anticipate. Generally, FTP connections include:

A control connection (connection)

This connection is used to pass the client's command and the server-side response to the command. It uses the server's 21 port, and the lifetime is the entire FTP session time.

Several data connections (connection)

These connections are used to transfer files and other data, such as directory listings. This connection is established when data transfer is required, and once the data is transferred, the port used for each use is not necessarily the same. Furthermore, the data connection may be initiated either by the client or by the server side.

In the FTP protocol, the control connection uses well-known port 21, so the IP PACKET filter with ISA can be used for good security protection. Conversely, the destination port of a data transmission connection is generally not known, so it is difficult to handle such port forwarding. The FTP protocol uses a standard port of 21 as the Ftp-data port, but this port is used only for the connection's source address on the server side, and there is no listening process at all on this port. FTP Data connections and control the direction of the connection is generally the opposite, that is, the server to the client to initiate a connection for data transmission. The ports that are connected are determined by the server-side and the client. This feature of the FTP protocol adds a lot of difficulty to the configuration of ISA forwarding and firewall and NAT.

In addition, there is another FTP mode, called passive mode (passive mod). In this mode, the data connection is initiated by the client, contrary to the pattern discussed earlier (we can call it active mode). Whether to take passive mode depends on the client program, and the passive command on the FTP command line enables passive mode to be turned off/on.