Solutions for FTP under ISA (2)

Source: Internet
Author: User
Tags ftp iis connect client ftp protocol access firewall

As we have said before, there are two modes of data transmission in FTP protocol: Active mode and passive mode. The two modes initiate the connection in the opposite direction, the active mode is originated from the server to the client, and the passive mode is the client initiating a connection to the server side.

We're back in the case of ISA, if passive mode, because IIS is completely random to select a port, and inform the customer, and then the customer active connection, which means that on the ISA, you want all ports to allow dynamic inbound connections to the line, this will not be, because it is too dangerous, Equal to all port connections open.

If the active mode (Portmode), IIS Select a good port, the initiative to connect with customers, this time does not need to be like the PASV mode to open all the dynamic inbound connection, and on the contrary, we need to open all the dynamic outbound connection, security increased a lot. And by the Isa Ippacketfilter only to the ISA native function, will not cause the local area network customer "put the sheep".

So, I personally do this:

(1) Since both IIS and ISA are on a single machine, both of them are listening on port 21st (IIS by default listens on 21 ports of all addresses), so we first have IIS listening to the PORT21 of the intranet address, and in DOS you can pass the netstat-na> Abc.txt, and then open this file and you'll see words.

Enter the following command:


Enter \inetpub\adminscripts\ Directory

Cscriptadsutil.vbssetmsftpsvc/disablesocketpoolingtrue (Stop listening)


(2) In the IIS console, Ftp->property->ftpsite->ipaddress changed to intranet address. Now, the FTP service is only listening on the intranet IP port 21st.

(3) You may be in doubt at this time, if the IIS active connection to the client, the client firewall is not to prevent this connection (PASV mode does not exist this problem). To prevent this, we can force IIS to not connect to any port on the client, and only the port where the client connects to IIS for data transfer. This resolves the conflict between the Portmode and the client firewall. Methods: Modify the registry, Hkey_local_machine\system\currentcontrolset\services\msftpsvc\parameters\, and change the EnablePortAttack value from 0 to 1, Then restart the FTP service.

(4) In the ISA, the use of Serverpublish method to publish the FTP service, where: Ipaddressofinternalserver fill in the ISA's internal network card IP, Ipaddressofexternalserver Ip,mappedserverprotocol Select Ftpserver to fill out the external NIC of ISA.

(5) Then establish a new rules,protocol->tcp,direction->outbound,localport->dymanic,remoteport-> in Ippacketfilter All.
This is my solution, but not perfect, mainly:

(1) The customer cannot use the PASV method to connect, the reason has already spoken.

(2) Because of the fifth, ISA Server cannot restrict the access of ISA native to the outside as it guarantees the restrictions on external access.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.