Solutions for FTP under ISA (2)

As we have said before, there are two modes of data transmission in FTP protocol: Active mode and passive mode. The two modes initiate the connection in the opposite direction, the active mode is originated from the server to the client, and the passive mode is the client initiating a connection to the server side.

We're back in the case of ISA, if passive mode, because IIS is completely random to select a port, and inform the customer, and then the customer active connection, which means that on the ISA, you want all ports to allow dynamic inbound connections to the line, this will not be, because it is too dangerous, Equal to all port connections open.

If the active mode (Portmode), IIS Select a good port, the initiative to connect with customers, this time does not need to be like the PASV mode to open all the dynamic inbound connection, and on the contrary, we need to open all the dynamic outbound connection, security increased a lot. And by the Isa Ippacketfilter only to the ISA native function, will not cause the local area network customer "put the sheep".

So, I personally do this:

(1) Since both IIS and ISA are on a single machine, both of them are listening on port 21st (IIS by default listens on 21 ports of all addresses), so we first have IIS listening to the PORT21 of the intranet address, and in DOS you can pass the netstat-na> Abc.txt, and then open this file and you'll see 0.0.0.021LISTENING words.

Enter the following command:

NETSTOPMSFTPSVC (Stop FTP service)

Enter \inetpub\adminscripts\ Directory

Cscriptadsutil.vbssetmsftpsvc/disablesocketpoolingtrue (Stop listening)

NETSTARTMSFTPSVC (Start FTP service)

(2) In the IIS console, Ftp->property->ftpsite->ipaddress changed to intranet address. Now, the FTP service is only listening on the intranet IP port 21st.

(3) You may be in doubt at this time, if the IIS active connection to the client, the client firewall is not to prevent this connection (PASV mode does not exist this problem). To prevent this, we can force IIS to not connect to any port on the client, and only the port where the client connects to IIS for data transfer. This resolves the conflict between the Portmode and the client firewall. Methods: Modify the registry, Hkey_local_machine\system\currentcontrolset\services\msftpsvc\parameters\, and change the EnablePortAttack value from 0 to 1, Then restart the FTP service.

(4) In the ISA, the use of Serverpublish method to publish the FTP service, where: Ipaddressofinternalserver fill in the ISA's internal network card IP, Ipaddressofexternalserver Ip,mappedserverprotocol Select Ftpserver to fill out the external NIC of ISA.

(5) Then establish a new rules,protocol->tcp,direction->outbound,localport->dymanic,remoteport-> in Ippacketfilter All.
　　
This is my solution, but not perfect, mainly:

(1) The customer cannot use the PASV method to connect, the reason has already spoken.

(2) Because of the fifth, ISA Server cannot restrict the access of ISA native to the outside as it guarantees the restrictions on external access.