01 September 2010

Configure and Publish IIS7 Anonymous FTP site with TMG and ISA

FTP has always kind of confused me. How can something so simple be so difficult to publish through a firewall? The problem comes in with the data connection and how FTP randomly picks a port to use.

With IIS 7.5 there are significant improvements to the native FTP capabilities. This includes being able to host FTP over SSL (FTPS) and provide firewall-friendly services such as a fixed data channel port range.

For my example I am publishing a simple anonymous FTP server where anyone can PUT and GET files.

For this lab I am using:
Windows Server 2008 R2
TMG 2010
FileZilla FTP client

There are a few steps we need to follow:
Step 1 - Create and configure an anonymous internal site
Step 2 - Configure the working anonymous site for firewall traversal
Step 3 - Configure a protocol for use in TMG / ISA
Step 4 - Publish the site using TMG / ISA

Step 1 - Create and configure an anonymous internal site

In the Server Manager Console
  • Install the "Web Server (IIS)" role
  • Install the "FTP Server" role service

From the IIS Management Console
  • Expand down to Sites
  • Click Add FTP Site from the Actions menu
  • Specify a site name
  • Specify a physical path (I use a folder called Anon FTP)
  • Select an IP address (this would be your internal one) and leave the port on 21
  • (Do not specify a host name - it gets complicated and breaks the 100% compatibility goal)
  • Check Start FTP site automatically
  • Since I want maximum compatibility here, I select No SSL
  • For Authentication I check Anonymous
  • For Authorization, allow access to Anonymous users with Read and Write permissions

OK, so your site is now created and should be up and running. But you still won't be able to write any files to the FTP site. We need to set the permissions in the local file system.

  • Browse to the physical path you specified during the site creation.
  • Right-click the folder, open Properties, go to the Security tab and then click Advanced
  • Click Change Permissions
  • Un-check "Include inheritable permissions from this object's parent"
  • In the prompt, click Add so the inherited permissions are copied as explicit entries.
  • Now remove all the entries except Administrators
  • Close this all off
  • Open the advanced permissions again (it should be nicely refreshed now)
  • Click Add
  • In the Location field, change the location to the local server
  • Enter the user name IUSR, click Check Names and OK (IUSR is the built-in "Anonymous User" account)
  • I select Full control for this folder, subfolders and files (you can restrict this further here if you want; Modify is enough for upload, download and delete)
  • Close that all off.

Now start up your FTP client, connect to the internal IP of the site and check that you can upload, download and delete a file.

If this does not work here, don't proceed.

Step 2 - Configure the working anonymous site for firewall traversal

From the IIS Management Console
  • Select the IIS server (not the site, the server)
  • Click on FTP Firewall Support
  • In Data Channel Port Range, specify the port range you want to use for data transfers (I use 5000-5005)
  • Click Apply in the Actions menu
  • Now expand down to your FTP site
  • Click on FTP Firewall Support
  • Here you will see the Data Channel Port Range is greyed out and set to what we configured at the server level
  • Specify the external IP address we will be using (if you are publishing through TMG, leave this blank since TMG will handle this for you)
  • Click Apply in the Actions menu

Now start up your FTP client and connect to the internal IP of the site. You should be able to connect, but directory listing and transfers should no longer work. This is because the server now tells clients to open data connections to the external address and the restricted port range, which are not reachable from the inside.

Before we move on, I would suggest rebooting the server. If you only want to do the minimum, restart the Microsoft FTP Service and do an iisreset. Then open IIS Manager, refresh and check that everything is running again. (If you don't do this, things will not work at the end of Step 4.)
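The same result as Steps 1 and 2, scripted in PowerShell. This is an added example and not part of the original post; it assumes Windows Server 2008 R2 / IIS 7.5 with the WebAdministration module, and uses constructed values (site name AnonFTP, folder C:\AnonFTP, internal IP 192.0.2.10 from the documentation range) plus the 5000-5005 data port range used in the post.

```powershell
# Added example, not from the original post: Steps 1 and 2 as a PowerShell script
# for Windows Server 2008 R2 / IIS 7.5 (WebAdministration module).
# Constructed values: site "AnonFTP", folder C:\AnonFTP, internal IP 192.0.2.10
# (documentation range), data channel ports 5000-5005 as used in the post.
Import-Module ServerManager
Import-Module WebAdministration

$siteName   = 'AnonFTP'
$path       = 'C:\AnonFTP'
$internalIp = '192.0.2.10'
$lowPort    = 5000
$highPort   = 5005

# Step 1: install the Web Server role and the FTP Server role service
Add-WindowsFeature Web-Server, Web-Ftp-Server, Web-Ftp-Service | Out-Null

# Create the folder and the site bound to the internal IP on port 21, with no host name
New-Item -ItemType Directory -Path $path -Force | Out-Null
New-WebFtpSite -Name $siteName -PhysicalPath $path -IPAddress $internalIp -Port 21 -Force | Out-Null

$site = "IIS:\Sites\$siteName"
# "No SSL" in the wizard: allow but do not require SSL on either channel (maximum compatibility)
Set-ItemProperty $site -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslAllow'
Set-ItemProperty $site -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslAllow'
# Anonymous authentication only
Set-ItemProperty $site -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $true
Set-ItemProperty $site -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $false
# FTP authorization rule: anonymous users ("?") may read and write
Add-WebConfiguration -PSPath 'IIS:\' -Location $siteName -Filter '/system.ftpServer/security/authorization' `
    -Value @{ accessType = 'Allow'; users = '?'; permissions = 'Read,Write' }

# NTFS: drop inherited ACEs, keep Administrators, grant IUSR (the anonymous account).
# Modify is enough for upload, download and delete; the post grants Full control.
icacls $path /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'IUSR:(OI)(CI)M' | Out-Null

# Step 2: server-level data channel port range (the range the firewall rule will allow)
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.ftpServer/firewallSupport' -Name lowDataChannelPort  -Value $lowPort
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.ftpServer/firewallSupport' -Name highDataChannelPort -Value $highPort
# Site-level external address: leave empty for TMG; for ISA set the published IP, e.g.
# Set-ItemProperty $site -Name ftpServer.firewallSupport.externalIp4Address -Value '198.51.100.10'

# Restart the Microsoft FTP Service so the firewall settings take effect, then show what was applied
Restart-Service ftpsvc
Get-WebConfiguration -PSPath 'IIS:\' -Filter 'system.ftpServer/firewallSupport' |
    Select-Object lowDataChannelPort, highDataChannelPort
```

Run it in an elevated PowerShell on the FTP server; the final output should show the 5000-5005 range, which is what the TMG / ISA protocol in Step 3 must match.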

Step 3 - Configure a protocol for use in TMG / ISA

From the TMG console, select Firewall Policy
  • Select the Toolbox tab (on the right)
  • Expand Protocols
  • Click New - Protocol
  • Name it (FTP Port Limited)
  • Add two primary port ranges:
  • 21-21 TCP Inbound
  • 5000-5005 TCP Inbound
  • No secondary connections
  • Finish the wizard
  • Now open up your protocol and go to the Parameters tab
  • From the Application Filters, select FTP Access Filter

If you are using TMG there is an additional step required.

  • From the TMG console select System
  • Click Application Filters
  • Configure the FTP Access Filter
  • On the FTP Properties tab, check "Allow active FTP access"

Step 4 - Publish the site using TMG / ISA

From the TMG console
  • Select Firewall Policy
  • From the Tasks tab, select Publish Non-Web Server Protocols
  • Name your rule
  • Specify the internal IP of your FTP server
  • Select the protocol you created in Step 3
  • Pick your external IP address (this should tie up with the one you specified in Step 2)
  • Finish the wizard
  • Now open the rule for editing
  • On the To tab, change the radio button so that requests appear to come from the TMG computer

If you also want write access to your FTP site, go to the Traffic tab:
  • Make sure your protocol is selected, then click Filtering and Configure FTP
  • Un-check Read Only

Apply the TMG configuration and wait for it to apply, then test from your "Internet machine".

If the test fails, work through the following:
  • Reboot your FTP server (not all settings apply properly without a good restart)
  • Remove the FTP Access Filter from your TMG protocol definition (this simplifies the rule). If your connections work without the FTP application filter, you know where to look.
  • If using ISA, check that you have specified the external IP for the FTP site; if using TMG, make sure nothing is specified there.
