29 September 2010

TMG additional NLB IP not showing as Virtual IP

I recently ran into this odd little scenario.  I built a TMG stand alone array and configured NLB.  Then I added a munch of NLB IPs that I would be using for Web listeners.  As I set up the very first listener I saw something very odd.

The primary virtual IP was listed as "Virtual IP" under the Server Column,  The rest of the Virtual IPs that I defined in the NLB configuration was shown to belong to one or the other TMG servers.  This prompted me to check out the network Addresses configuration.  Everything looked fine and then I checked the  "Add Adapter" button.  I did not recall adding the adapter and sure enough the "Network Adapter Details differed significant between the two adapters.  So I checked them both and then configurations lined up correctly again.

Now when I check the IPs again in the Listener configuration the IPs are listed correctly.  The non NLB server IPs belong to the individual servers and all the virtual IPs are listed as "Virtual IP." Checking the network adapter, the correct IPs are listed too.

27 September 2010

TMG Stand Alone Arrays - How to create, join and troubleshoot

Arrays consist of redundant members of a TMG deployment that share the same configuration.  There are stand alone arrays and enterprise arrays.  An enterprise array require an EMS server where stand alone arrays do not.  The advantage of the enterprise array is that you can "share configuration items" across all the TMG deployments.  You can also manage all your arrays from one spot. This is very handy if you have a large number of these.

I personally like the idea of discreet standalone arrays.  They operate in isolation from other TMG arrays, yet they are still fully redundant.  You also don't need and EMS.  And in my environment I could never practically get enough enterprise level configurations to justify the need for it, but that is just my environment.

Okay so let us set up a stand alone array.

One the first array member you need to do the following:

  • Install TMG SP1 and Update for SP1
  • Complete the getting started Wizard

From the TMG management console

  • Click Firewall Policy
  • On the Toolbox tab, click Network Objects, click Computer Sets, and then double-click Managed Server Computers.
  • In the Managed Server Computers Properties dialog box, click Add, select Computer, and enter the details of the server you are adding to the list. Repeat this step for all the array members you want to add to the Managed Server Computers list.
  • Apply the configuration, wait for it to be applied and check that all servers are listed.
On the second and other array memebers do the following:

  • Install TMG SP1 and Update for SP1
  • Complete the getting started Wizard

From the TMG management console

  • Click ForeFront TMG (ServerName)
  • Click Join Array from the Task tab
  • On the Join Membership Type page, click Join a standalone array managed by a designated array member (array manager)

  • On the Array Manager Details page, enter the IP address or FQDN of the array manager, and then click Finish.

  • Then wait, and wait and wait

  • The following message shows that you have now joined the array

Should your Array manager server fail you will have to specify a new array manager.

To designate a new array manager

  • On the server that you wish to designate as the array manager, in the Forefront TMG Management console, on the Tasks tab, click Set as Array Manager.
  • On each of the remaining array members, in the Forefront TMG Management console, in the Tasks tab, click Change Array Manager.
  • On the Change Array Manager page, enter the IP address or FQDN of the array manager, and then click Finish.

The Technet articles for this is here:

While testing I discovered that machines on the same SP1 and Software Update1 will join into an array without configuring the Managed Server Computers.  I would however still complete this step.

Machines that are not on the same level failed with a critical error path not available.. or something similar.

Machines that require a reboot before joining an array will fail with a RPC call could not be completed failure.

23 September 2010

TMG Safe Search Enforcement and limitations

Software Update 1 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
has been released and can be downloaded from here:

One of the features that caught my eye was this one.

  • SafeSearch Enforcement. Forefront TMG can enforce blocking adult text, images and videos from search results by popular search engines. SafeSearch can be enforced on specific groups or to the entire organization.
This is a feature that was available in a previous Web Sensible product I used to use.  So I was quite keen to see how well it works in TMG.  After installing the Software Update you now have a new item in the web protection tasks.  This will launch a really simple wizard where you can turn this feature on, and then another tab where you can exclude users.
For those who are not quite familiar with this concept it is simply this.  The major search engines support some sort of safe search feature.  This prevent explicit or inappropriate content from being returned when searching for items. This is especially relevant to image and video searches.

Google Bing and Yahoo use three settings
  • Strict
  • Moderate
  • Off
 Safe search enforcement in TMG is either on or off.  You can see what TMG is doing by checking out the configuration file “SafeSearchConfiguration.xml”, located in the installation directory:
    <provider domainPattern=".google." safeSearchSuffix="&amp;safe=active" >
        <searchQuery pattern="/search?" />
        <searchQuery pattern="/images?" />
    <provider domainPattern=".yahoo.com" safeSearchSuffix="&amp;vm=r" >
        <searchQuery pattern="/search?" />
        <searchQuery pattern="/search;" />
        <searchQuery pattern="/search/images?" />
        <searchQuery pattern="/search/images;" />
        <searchQuery pattern="/search/video?" />
        <searchQuery pattern="/search/video;" />
    <provider domainPattern="www.bing.com" safeSearchSuffix="&amp;adlt=strict" >
        <searchQuery pattern="/search?" />
I figured I would do some digging and see if I could figure out how stuff works. So armed with Firefox and firebug I checked out some searches.  I used google as my search engine since that is the default for everyone.  Then I did an image search for "xxx" and changed the safe search setting.  With Firebug I grabbed the GET strings  and the results are as follows.


Safe off


If we look at the three results we can see that the "safe=" parameter is only included when the safe search is set to Off or Strict. 

This is where a limitation of Safe search enforcement comes in.  It would have been nice to enforce Moderate safe search but that is just not possible.  The only setting that can be enforced is the Strict one.

With Safe Search Enforcement this is all you will get for a "XXX" image search...

You do not have the option to enable Moderate or Off.  (Well you do, they just dont work)

Most users will never be aware of the safe search features in the search engines or that you are enforcing them with TMG.  For the users who want to change their setting, you have no other option but to exclude them from "Safe Search Enforcement"  You will then give the responsibility back to them to choose between the Moderate and Off options.

Search engines do a good job of preventing "accidental" exposure and I had to manually go and change my settings to be able to view possibly offensive content.  Having said that, I am very happy to have this as an option even if I choose not to use it.

21 September 2010

Testing TMG NLB in a lab with a great little web load generator

I am currently busy testing TMG as a Network Load Balance device for various web servers and applications.  One of the biggest problems is to generate test traffic.

Yes TMG can generate test traffic but it is not a load simulator.  So you either need a few of your friend to generate some traffic  for you (and this is harder than it sounds) or you need a tool.  There are of course many different tools out there but I was looking for something simple quick and easy and free. 

I stumbled onto an old little load tester called Diesel Test.  http://sourceforge.net/projects/dieseltest/files/  It allows you to record your actions and then use them to generate multiple request from multiple users.  Importantly from a TMG NLB perspective is they way it handles cache and cookies - it discards them after every connection.

So now we have a traffic source that is reliable and configurable.  Next I need to set up a test bed of web servers.  I am just using two but you can easily use more.  Since I am really in an artificial environment I need to change some of the normal environmental IIS behavior.  Be default http keep-alive is enabled.  This will keep a connection open should additional web requests come through from the same host.  Great in practice - bad for my test. 

From the web server's IIS console
  • Select the site to be used for testing
  • Open HTTP Response Headers
  • Click Set Common Headers from the Actions menu
  • Un-check Enable HTTP Keep-alive
  • Check Expire Web Content: Immediately

The next thing I need is to be able to track the usage or load on the two different web servers.   This is important since I will be load shedding from the one to the other.  For this I am going to use performance monitor. I set up one of the server with the following counters:

Web Service
  • Anonymous Users/Sec
  • Total Anonymous Users

I configure my TMG server to Publish a Farm.  and I include the two test servers.  I use Cookie based affinity.  I prefer this method since many of the connection will be coming from the Internet from behind a reverse proxy.  This means all those sessions would be from the same IP.

So all the pieces are ready for testing now. I will be doing the following load balance tests.

Drain one server
Resume one server
Drain both servers
Resume both

First up I turn on the traffic. Then I check to see that my traffic is being load balanced across my servers.
As the traffic is ramped up from Diesel Test I can see that the load is increasing and that it is being balanced beautifully across the two servers.

Next I am going to drain one of the servers.  This is done by Clicking on the Farm in the TMG toolbox, selecting the servers tab and clicking on Drain.  Then OK and APPLY.

The result is that as the configuration is applied to TMG the traffic is then shifted.  The blue line is session dropping off the one server.  As the blue line drop the red one increases by the dropped amount.   

Now what would happen if i want to stop both servers an turn off the application gracefully.  Sure I could change the rule from allow to deny, but that will just drop all traffic once the configuration is active.  This would drop active sessions.  So I will drain the second server now.   We now expect to see all the sessions dying off.

Servers will remain in the drained state unless you resume them.  This means you can reboot etc.
Next I resume my "Blue server" and we can see the load comes back.

Now to resume load balancing. I resume the "Red Server"  and watch the graphs with great anticipation.

We can once again see, by looking at the graph, that the load is being shared by both servers.  This should be enough to be able to proceed to the next step of testing this NLB configuration with an actual web application with actual users.

This test would not have been possible without a stable source of reliable traffic.  It is great to find a little app like this that takes seconds to setup and configure and lets you worry about what you really want to test.

20 September 2010

Expanding hard drives and partitions by using dynamic disks and volumes

Virtual environments are great because they give you the ability to allocated actual hardware resources in a dynamic manner to your virtual machines.  Sure there are a few restrictions, mostly that the machines needs to be shut down, and in the case of disk that there can be no snapshots or checkpoints.

Virtual drives in Hyper-V can be allocated as either Dynamic or Fixed.  This is the same for Vmware.

The difference is that where a Fixed disk grabs the full allocated space on the host or shared storage, the Dynamic disk only grabs as much as it needs.  The advantage is that you are only consuming as much disk as you need.  There is a small performance penalty as the disk has to expand, but not the sort of thing that would worry a development or test server.  Just a note here as well, disks will expand or grow automatically but they will not shrink or compress automatically.  You can manually perform these actions of you want to.

This brings me to the second part of this article.  Typically the only time you would want to mess with a dynamic disk is when you run our of disk space within the virtual machine.  At this point you can add another disk or you can make the hard drive bigger by expanding the disk.  This will expand the disk for the virtual machines so you would end up with this picture.

There is now disk space available to the OS but it cant be used unless it is allocated to a partition and logical drive.  Previously this would be a bit of a problem since you could not in any practical manner expand the OS partition.  This is where one or my Windows Server 2008 favourite tricks come in. Right click the active partition. and click Extend Volume.

A Simple wizard will guide you through the process. and provide the options that you might want to change.  You might for instance not want to grow the volume to all the available space. 

You might be wondering why you would not do this if you are using a dynamic disk.  A real world example would be where you want to limit the disk space being used by someone,  if they make use of snapshots this creates a problem if you need to give them more space.  It is far easier to just expand the volume into unallocated space than to have to expand the virtual disk first.

Once you have completed the wizard your Virtual machine and OS can now make you of the added disk space. 

Just a little reminder.  Since this is a setting that resides within the virtual machine it is something that would be reverted if you restore a snapshot that predates expanding the volume.

Sharepoint disk space issues.

Running out of disk space on a sharepoint server can manifest in a few different ways.  Two i have come across is that certain web parts fail to initialise.

The other is when the back end SQL server is out of disk space.

The following error is returned:

Exception from HRESULT: 0x80040E14.
Troubleshoot issues with Windows SharePoint Services.

Fadi Noja' blog pointed this one out to me.

There are of course other reasons why you might get this error.  Check out the article on technet.  http://support.microsoft.com/kb/841216

Interestingly enough they do not mention disk space on the Databse server as a potential cause.

17 September 2010

The trust relationship between this workstation and the primary domain failed

One of the best things about virtual machines is the ability to be able to turn them off and park them till you need them again.  This is normally implemented with lab testing something or doing POC work.  Depending on your domain policy, your domain will stop trusting you machine after the timeout of inactivity expires. So typically when you pull a VM out of the moth balls for testing again you can run into a few snags.

When you attempt to log in you get the following error message:

"The trust relationship between this workstation and the primary domain failed"

That is a pain, fortunately all you have to do is remove it from the domain and add it again. No reboot required in between.  Just remove apply then join and restart.

This does however require you to be logged into the machine. This can be done in one of two ways.

Using Cached Credentials
Disconnect the network
Log in with an account that will be stored in the cached credentials with the password from back then.
Reconnect the network and do the domain remove and join.

This is not easy to do in the VM space since networks can't be changed while the machine is running.

Using the local administrator account
You can also elect to log in with the local admin password.

Now I normally build machines with a standards password. but I had a problem where both my cached credentials and my local admin gave me a

"The username or password  is incorrect"

The only thing that was left to do was to attempt reset the local admin password.  This of course could not be done by the normal means because no one on the domain trusts the machine.

There are a few password reset tools that are available for Windows but the one I ended up using was
The Offline Password and Registry Editor  It is a small 4MB bootable ISO file that works nicely within VM environments.  It is recommended to clear the password rather than changing it.  Just follow the prompts and before you know it you can log in without a password.  What is also handy is that it shows you all the local accounts and ask which password to change.  If you have changed the local administrator account to something else and you cant remember what it is this will help for that too.

16 September 2010

Disk management options missing from SCVMM hardware configuration

I recently had an interesting experience.  One of my Hyper-V machines was running low on disk space.  I wanted to expand the disk so that more space was available.  However when I looked at the machine properties I found that the disk management options weren't grayed out - they were missing all together.

So this got me looking into the different states of the machines and how they affect the GUI the I see.

When a virtual machine is running you would normally see this screen when looking at the disk properties.

This is expected since the machine is currently running.  If you shut the machine down the options become available.

When I looked at my low disk virtual machine I was somewhat surprised to see this. Or should I say not see what I am looking for.

Interesting enough this also was the view when the machine was shut down.  I figured  - let me check it out in Hyper-V manager.  This is what I saw:

"Do not edit a virtual hard disk when it is used by a virtual machine that has snapshots, or when it is associated with a differencing virtual hard disk."

Now it makes sense.  It would have been handy / nice to have this same warning in SCVMM.   The other odd thing that struck me is the reported disk usage. According to this there should still be 10+ GB of space left.  I log onto server to check it out. And there is 120MB of free disk space left.

I also have the Self service portal available to the server owners.  If the log in they see the hard drive only being 1GB

So I figure the only thing to do is to remove the checkpoint and then expand the disk.  I remove the check point and shut the machine down.  But still there are no option in SCVMM.  This is because the disk merge is currently happening.  The Hyper-V manager will tell you this -SCVMM does not. 

If you check out the file structure for the virtual machine you will still see that there is a .vhd file and a .avhd file.  The .avhd file will only disappear once the merge is complete.  This can take a while sometime a longs while.  It is therefore handy to have a place where you can check on the progress of the merge.  One other thing I have noticed.  Sometimes it appears that a restart and shutdown are required to force the merge to happen.

Finally after the disks are merged you can perform your normal disk management options.

The moral of the story is what everyone keeps saying about snapshots and checkpoints.  They are a really handy feature if used correctly, but they do come with penalties.  Don't use them unless you have to.

15 September 2010

TMG Delegated Aministration

I have been running ISA deployments for years without ever needing to delegate administration to anyone.  I now have a requirement to allow this sort of thing and was very happy to find that it is very easy to deploy.

There are three roles to choose from:
Role Permissions
Forefront TMG Array Monitoring AuditorMonitor basic server and network activity across a Forefront TMG array. Cannot view the Forefront TMG configuration.
Forefront TMG Array AuditorPerform all monitoring tasks across a Forefront TMG array, including most log configuration and alert definition configuration, with the following exceptions:
  • Cannot configure a different user account when publishing reports.
  • Cannot customize report contents.
In addition, Forefront TMG array auditors can view the Forefront TMG configuration.
Forefront TMG Array AdministratorPerform any administrative task across a Forefront TMG array, including rule configuration, applying of network templates, and monitoring, as well as running highly privileged processes on the Forefront TMG server

Te following matrix gives you a breakdown of the functions the various roles can perform:
Action Monitoring Auditor Auditor Administrator
View Dashboard, alerts, connectivity, sessions, servicesAllowedAllowedAllowed
Acknowledge and reset alertsAllowedAllowedAllowed
View log informationNot allowedAllowedAllowed
Create alert definitionsNot allowedNot allowedAllowed
Create reportsNot allowedAllowedAllowed
Stop and start sessions and servicesNot allowedAllowedAllowed
View firewall policyNot allowedAllowedAllowed
Configure firewall policyNot allowedNot allowedAllowed
Configure cacheNot allowedNot allowedAllowed
Configure a virtual private network (VPN)Not allowedNot allowedAllowed
Drain and stop network load balanced (NLB) firewall or Web Proxy load balanced serverNot allowedAllowedAllowed
View local configuration (in Active Directory Lightweight Directory Services on array member)Not allowedAllowedAllowed
Change local configuration (in Active Directory Lightweight Directory Services on array member)Not allowedNot allowedAllowed

Setting this up is pretty straight forward. 
  • Open the TMG management console
  • Right click your array and select properties
  • Select the Assign Roles tab.
  • Add your user and select the Role you want them to have.
So this is part one sorted.  Nice and neat, quick and easy. But how are your users going to gain access to your TMG array to administer it?

The two methods normally being used is to allow your administrators to RDP to the TMG server.  The other preferred method is to allow MMC access to the TMG server. One small catch to both these methods.  You need to configure the system policy to grant access to this.

  • Open the TMG management console
  • Click Firewall Policy
  • On the right hand side click Edit system policy
  • Under the remote management section you will see Microsoft Management Console and Terminal Server
  • To enable this access check Enable this configuration group.
  • In the From tab you need to specify your "trusted network or computers or computer group"
Typically an administrator might have access from his laptop to administer and application.  But with TMG you can only specify a network or a computer group.  These have to be tied to and IP.  If the client laptop is a DHCP client this is not going to work if the ip changes.

I suggest having a "Management server" that your administrators can connect to and that only that server has access to manage your TMG environment. This allows you to restrict access to a single IP that you can manage properly with AV etc.

When I build my multi array enterprise configuration I will update this article on how to best administer an enterprise deployment.
For more info you can always check out the MS articles http://technet.microsoft.com/en-us/library/dd441007.aspx

10 September 2010

Grab an FTP username and password using Wireshark

As IT professionals there are just some tools that you will need sooner or later.  One of these is a protocol analyser.  I start off using Microsoft's netmon.  It is fine for doing some basic troubleshooting but when there is a much better tool to use and it is free, you would have to be a die hard fan to continue using it.

I just posted an article on publishing secure FTP-ES and in there I make reference to standard ftp being insecure and that anyone can sniff the packets and gain your user name and password.

Getting Started
First up you will need Wireshark get it directly form the site http://www.wireshark.org/ There are also some great tutorials and FAQ etc there.

Then you will need a client machine and a server machine.  I installed Wireshark on the client machine.

When you first open Wireshark you get this screen.

Click on Capture options

The capture options screen will appear.  From here click on the capture Filter Button

We want to limit the capture to data to and from the FTP server so we specify the capture filter string.

Click on OK and click on start to start the capture.

I am just going to use the windows command line ftp client to connect to the ftp server.

  • I connect to the ftp IP address
  • Then I specify my user name  as mysecrectusername
  • I then get prompted for a password.
  • I type in my password and hit enter

The login attempt fails but we are interested in the transmitted data.

Analysing the Captured data packets
If you switch back to your Wireshark screen now you will see that there has been some captured packets. Hit the "Stop the running capture" button from the toolbar.

You should now see something like this

Wireshark has now listed all the traffic to and from the specified IP.  We can clean it up nicely because we know we are only interested in FTP traffic. So in the filter field we can specify FTP and click apply

If you look at the Info column (far right) you can see that this correlates to the command line ftp session from earlier.  Significantly you can also read - in (plain text) the password I used.

Yes - That easy.

What else can we learn form this trace?

Let's dive into some more info.  Select one of the lines. you will see that the bottom two panes listing the detailed information.

If we work our way up from the bottom we are working our way down the OSI layers.

Lets start the the FTP application layer

Here we learn what the password is.

If we skip through to Ethernet we see something that could be useful.

The MAC addresses reveal that the MACs are From Microsoft and From VMWare this tells me that the destination is a VMWARE virtual server and the the source is a Microsoft HyperV Virtual Machine

You would also have noticed that as you click on the various "levels" different items are highlighted in the bottom window.  This is the different parts of the actual data packet that you are looking at.

This is a very simple little tutorial but it would hopefully have touched on enough bits of both Wireshark and TCP/IP to prompt you to investigate further.

Incidentally if we tried this with the FTP-ES server  this is what we would have gotten:  Traffic is still recognised as FTP but where previously everything is open to read we now see that everything is hashed because of the encryption.

Happy hunting for packets...

03 September 2010

Configure and Publish a Secure IIS 7 FTP site

In a previous post Configure and Publish IIS7 Anonymous FTP site with TMG and ISA  I went through the basics of setting up and publishing IIS7 FPT sites with either ISA 2006 or TMG 2010.

The article was specifically about anonymous ftp. The reasons for using anonymous is based on historic FTP problems.

The first issue with FTP is that the data is not encrypted.  All data can be grabbed using a packet sniffer like wire shark.  More importantly the username and password would also be sent in plain text and can be read just as easily.

The second issue is user isolation.  You can't isolate users without authenticating them.

So how would we go about building a secure FTP solution where the credentials and data is encrypted during transit and where we have proper user isolation.

I will be stepping through configuring FTP-ES.  This is FTP over explicit TLS/SSL as the encryption method.
Secondly since you may have a mixed user base we will look at handling domain and non domain users.
Thirdly I will go through configuring User Isolation based on the username and physical directories.

STEP 1 : Configure Secure FTP Site

From the IIS management Console

  • Expand down to Sites
  • Click Add FTP site from the actions menu
  • Specify a Site name
  • Specify a physical path Secure_FTP
  • Select and ip address (this would be your internal one) leave the port on 21
  • (Do not specify a host name - it gets complicated and breaks the 100% compatibility goal)
  • Check Start FTP site automatically
  • Since I want 100% security here, I select Require SSL and select a pre-installed CA cert or self signed cert.
  • For Authentication I check basic
  • Authorisation allow access to Specified roles or user groups
  • Specify domain\domain users
  • With Read and Write Permissions

STEP 2: Configure your FTP client for FTP-ES Connection

I like to use the Filezilla FTP client because it is free.  And because it is full of really useful features like support for FTP-ES connections.  Since it is free you can also request your inbound connections to use it.

Up to now you could get away with just specifying the host and clicking the Quick Connect button. Now however we need to go into a little more configuration. Fortunately it is quite easy.

From the File Zilla Client
  • Select the File menu and Click Site Manager
  • Click New Site
  • Specify a name
  • Add the host IP address
  • on Server Type select FTP_ES form the drop down.
  • Logon type can be set to normal - just specify a username and password
  • (I normally include domain\username)
  • Click on OK
Your site has now been save and you can connect to it form the top left hand site drop down list

You should now be able to connect to your site from an internal test machine.  When you do you will get a certificate notification. The certificate may be from an unknown source but it does not change that the encryption is happening

You can suppress this notice by checking the  "Always Trust certificate in future sessions"

Step 3 : Providing for Domain and Non Domain Users

There is a great article about using IISManager Authentication but i am going to keep it short.

For a user to be able to access anything on the site they need to be granted access by the FTP Authorisation Rules

  • Create a local group on the FTP server and call it something like non_domain_FTP_users (you get the idea)
  • Then create users as and when they are required. and ensure they are added to this group
  •  Do the same for your domain users except you can use a domain group.

Form the IIS Management console
  • Open FTP Authorisation Rules
  • If not there already - click Add allow Rule form the action menu
  • Select specified roles or user groups and specify your local group
  • Select Read and Write permission
  • You need to do the same for your domain users.

  • Test using your domain account
  • and test using your local machine account

So up to this point users from your domain or for specifically created local users, can access your ftp site securely.  But right now they can all see all the content on the site,  This is where User Isolation comes in.

STEP 4 : User Isolation

I would like to be able to split users completely from each other. I also like the idea of being able to work with physical directories to make the same data available for non ftp client.  

From the IIS Management console select the secure FTP site
  • Open the FTP user Isolation
  • From the "Isolate users. Restrict users to the following directory:" section select
  • "User name physical directory (enable global virtual directories)
  • Click Apply in the Actions Menu
Connections attempts now will be denied with a  "530 User Cannot log in, home directory inaccessible"

This is because the directories do not exist yet and the user does not have access.

  • For local users you need to create the homedirectories in
  • C:\inetpub\ftproot\secureftp\LocalUser\<username>
  • For domain users you need to create the home directories in
  • C:\inetpub\ftproot\secureftp\<domainname>\<username>

Great, so by now I have:
Secure encrypted FTP channel
User and Data isolation
Cater for both domain and non domain users

Step 5 : Stick it on the Internet

You can follow the steps from Configure and Publish IIS7 Anonymous FTP site with TMG and ISA  This time round though you will have to remove the FTP application filter from your protocol definition.   It is now encrypted so not even ISA or TMG can't inspect it.

01 September 2010

Configure and Publish IIS7 Anonymous FTP site with TMG and ISA

FTP has always kind of confused me.  How can something so simple be so difficult to publish through a firewall. The problem comes in with the data connection and how ftp randomly picks a port to use.

With IIS 7.5 there are significant improvements to the native FTP capabilities.  This includes being able to host Secure FTP (SSL encrypted) and provide firewall friendly services.

For my example I am publishing a simple anonymous FTP server where anyone can PUT and GET files.

For this lab I am using:
Windows Server 2008 R2
TMG 2010
FileZilla FTP client

There are a few steps we need to follow
Step 1  - Create and configure and anonymous internal site
Step 2 - Configure working anonymous site for firewall traversal
Step 3 - Configure Protocol for use in TMG / ISA
Step 4 - Publish Site using TMG / ISA

Step 1 - Create and configure and anonymous internal site

In the Server Manager Console
  • Install the "Web Server (IIS)" role
  • Install the "FTP Server" role service

From the IIS management Console
  • Expand down to Sites
  • Click Add FTP site from the actions menu
  • Specify a Site name
  • Specify a physical path Anon FTP
  • Select and ip address (this would be your internal one) leave the port on 21
  • (Do not specify a host name - it gets complicated and break the 100% compatibility goal)
  • Check Start FTP site automatically
  • Since I want 100% maximum compatibility here, I select No SSL
  • For Authentication I check Anonymous
  • Authorisation Allow access to Anonymous users With Read and Write

Ok so your site is now created and should be up and running. But you still won't be able to write any files to the FTP site.  We need to set the permissions in the local file system.

  • Browse to the physical path you specified during the site creation.
  • Right Click and get to the security tab and then click on Advanced
  • Click Change Permissions
  • Un-check "Include inheritable permissions from the object's parent"
  • Click Add to add the original permission.
  • Now remove all the entries except Administrators
  • Close this all off
  • Open the advanced permissions again (it should be nicely refreshed now)
  • Click add
  • From the location field change this to the server
  • Enter the user name IUSR click check name and OK (this is the "Anonymous User" account)
  • I Select Full control for this folder sub folders and files ( you can fiddle here if you want to restrict more)
  • Close that all off.

Now start up your FTP client and connect to the internal IP of the site and see if you can upload and download and delete a file.

If this does not work here don't proceed.

Step 2 - Configure working anonymous site for firewall traversal

From the IIS management console
  • Select the IIS server (not site, server)
  • Click on FTP Firewall Support
  • In the Data Channel Port Range Specify the port range you want to use for data transfer. (I use 5000 -5005)
  • Click Apply in the action menu
  • Now expand down to your FTP Site
  • Click on Firewall Support
  • Here you will see the Data Channel Port Range is grey and set to what we configured at the server level
  • Specify the external IP address we will be using (IF you are Publishing through TMG you leave this blank sing TMG will handle this for you.
  • Click Apply in the action menu

Now start up your FTP client and connect to the internal IP of the site. You should be able to connect but directory listing and transfer should not be working anymore.  This is because we have now specified for that to be "sent to the outside ip"

Before we move on - I would suggest rebooting the server.  But if you only want to do the minimum restart the Microsoft FTP service and do an IISreset.  The open IIS Manager refresh and check that everything is running again. (If you don't do this things will not work at the end of step 4)

Step 3 - Configure Protocol for use in TMG / ISA

From the TMG console select Firewall Policy
  • Select the Toolbox tab (on the Right)
  • Expand Protocols
  • Click New - Protocol
  • Name it (FTP port Limited)
  • Add two primary port ranges
  • 21-21 TCP Inbound
  • 5000 - 5005 TCP Inbound
  • No Secondary connections
  • Finish The Wizard
  • Now open up your protocol and go to the Parameters tab
  • From the application Filters select FTP Access Filter
If you are using TMG there is an additiona step required.

  • From the TMG console select System
  • Click application Filters
  • Configure the FTP Access
  • On the FTP porpeties tab check "Allow active FTP access"

Step 4 - Publish Site using TMG / ISA

From the TMG console
  • Select Firewall Policy
  • From the Task Tab select Publish Non-Web Server Protocols 
  • Name your rule
  • Specify the internal IP of your FTP server
  • Select your Protocol you created in Step 3
  • Pick your external IP address (This should tie up with the one you specified in step 2)
  • Finish the Wizard
  • Now open the rule for editing
  • On the To tab you need to change the radio button so that Requests appear to com from the TMG computer

If you want write access to your ftp site as well you need to also go to the Traffic Tab
Make Sure your protocol is selected and then Click on Filtering and Configure FTP
Un-check Read Only

Apply the TMG configuration and wait for it to apply - then test from your "Internet machine"

Reboot your FTP server (Not all setting apply properly without a good restart
Remove the FTP Access Filter from your TMG protocol definition (This simplifies the rule)
If your connections are working without the FTP application filter you know where to look.
(IF using ISA check that you have specified the extrnal IP for the FTP site - IF using TMG make sure nothing is specified)