FTP & Microsoft ISA Server 2004

Microsoft ISA (Internet Security and Acceleration Server) 2004 is a tool to secure and accelerate (as the name suggests) networks running on Windows platforms. It’s a very powerful tool and is one of the most flexible firewalls I have seen in the market. Where I work, Microsoft ISA actually replaced several CISCO firewalls. Not only were we able to migrate all the access lists rules we were able to do far more than that.

Just so we a sense of our setup we have two Microsoft ISA servers running. One that handles the X subnet and the handles the Y subnet. All of the servers and static-IP workstations are hosted on the Y subnet. The ISA server that firewalls the Y subnet allows more incoming and outgoing ports to facilitate testing, production level data transfer and so on.

Me and our system administrators spent almost all day today trying to figure out a solution to a strange problem. When we FTP from the Y subnet (the static subnet) to a external box, we can successfully login because PORT 21 is port. However, after logging in we cannot upload any files. After some researching I found out that FTP does not receive data from PORT 21 but changes the incoming port dynamically which is set using the FTP command PORT or PASV (depending on which mode you are running your client). So even though the primary port is PORT 21 — it’s referred to as the COMMAND PORT. It’s not the PORT which is used to send/receive data. Which port will be used is randomly selected using the PORT/PASV command to minimize security issues.

The way to fix this issue only seems to be to open a range of outgoing TCP ports above the 1000 range (what this range is still remains an issue) it seems to depend on the server — and worst yet the server configuration. Most FTP servers will allow the emperical port range to change which might cause problems on our ISA server.

In any case, the issue hasn’t been resolved yet — but I will definietly post the solution once we find out.

Leave a Reply