HOW TO: Secure FTP Directory Access by Using Internet Security and Acceleration Server 2000 (310110)



The information in this article applies to:

  • Microsoft BackOffice Server 2000
  • Microsoft Internet Security and Acceleration Server 2000
  • Microsoft Small Business Server 2000
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server

This article was previously published under Q310110

SUMMARY

This article describes how to secure File Transfer Protocol (FTP) directories by using options in the Microsoft Internet Security and Acceleration (ISA) Server 2000 Management console. FTP authentication options are limited to Anonymous and Basic Authentication. Basic Authentication may pose a security risk because it permits username and password information to pass over the network in clear text. Anonymous authentication does not expose username and password information, but it does not permit you to control who can access directories on an FTP server.

ISA Server 2000 solves this problem by allowing you to use a combination of Web publishing rules and other authentication options on the Incoming Web Requests Listener.


Create a Destination Set

  1. Log on to the ISA Server computer by using an account that has administrative credentials.
  2. Start the ISA Management console. To do so, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
  3. In the console tree, expand Servers and Arrays, click server name (where server name is the name of the ISA Server computer), expand Policy Elements, and then click Destination Sets.
  4. On the View menu, click Taskpad.
  5. Click Create a Destination Set.
  6. In the Name box, type the name that you want to give the destination set. For example, example.com.
  7. In the Description (optional) box, type a description. For example, FTP site.
  8. Click Add.
  9. In the Destination box, type the fully-qualified domain name (FQDN) of the FTP site. For example, ftp.example.com.

    Note: The FTP server must have an A resource record or a CNAME resource record on an externally-accessible DNS server that directs Internet-based FTP requests to the external interface of the ISA Server computer.
  10. Click OK, and then click OK again.
The destination set is displayed in the Available Destination Sets list.


Configure the Incoming Web Requests Listener

  1. Start the ISA Management console. To do so, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
  2. Expand Servers and Arrays, right-click your server or array, and then click Properties.
  3. Click the Incoming Web Requests tab, and then click to select the Configure listeners individually per IP address check box (if it is not already selected).
  4. Do one of the following:
    • If you already have an Incoming Web Listener configured, click the listener, click Edit, and then go to step 5.
    • If there are no Incoming Web Listeners configured, click Add, click your ISA server in the Server list, and then click the IP address that is assigned to the external interface in the IP address list.
  5. Click to select the following check boxes (if they are not already selected):
    • Digest with this domain
    • Integrated
    • Client certificate (secure channel only)
  6. Click OK, click to select the Ask unauthenticated users for identification check box, and then click Apply.
  7. Click Save the changes and restart the service(s), click OK, and then click OK again.
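
A check you can run after step 7 (an added example, not part of the original article or of ISA Server): it audits the response that the listener returns to a request sent without credentials, and flags a missing challenge or an offer of Basic authentication. The sample responses are constructed, and the mapping of Integrated to the Negotiate and NTLM scheme names is an assumption; client certificates are negotiated in the secure channel and do not appear in this header.

```python
import re

CLEARTEXT = {"basic"}                     # password is only base64-encoded
# Assumption: Integrated authentication is advertised as Negotiate and/or NTLM.
EXPECTED = {"digest", "negotiate", "ntlm"}

def schemes_in(value):
    """Scheme names in one WWW-Authenticate value (may hold several challenges)."""
    value = re.sub(r'"(?:\\.|[^"\\])*"', '""', value)   # hide commas inside quotes
    found = []
    for part in value.split(","):
        tokens = part.split()
        if tokens and "=" not in tokens[0]:             # name=value is a parameter
            found.append(tokens[0].lower())
    return found

def parse_challenges(raw):
    """Return (status_code, [scheme, ...]) from a raw HTTP response."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response")
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            schemes += schemes_in(value)
    return int(m.group(1)), schemes

def audit_listener(raw):
    """List findings for the response to a request sent without credentials."""
    status, schemes = parse_challenges(raw)
    offered, findings = set(schemes), []
    if status != 401:
        findings.append(f"status {status}: anonymous request was not challenged")
    findings += [f"{s}: credentials cross the network in clear text"
                 for s in sorted(offered & CLEARTEXT)]
    findings += [f"{s}: scheme not selected on the listener"
                 for s in sorted(offered - CLEARTEXT - EXPECTED)]
    return findings

# Constructed sample responses (not captured from a real server).
HARDENED = ("HTTP/1.1 401 Unauthorized\r\n"
            'WWW-Authenticate: Digest realm="example.com", nonce="constructed"\r\n'
            "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n")
WEAK = ("HTTP/1.1 401 Unauthorized\r\n"
        'WWW-Authenticate: Digest realm="corp, east", nonce="x", Basic realm="ftp"\r\n\r\n')
OPEN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
```

An empty list from audit_listener means the anonymous request was challenged and only the expected schemes were offered.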

Publish the FTP Site

  1. Start the ISA Management console. To do this, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
  2. Expand Servers and Arrays, expand your server or array, expand Publishing, right-click Web Publishing Rules, point to New, and then click Rule.
  3. Type a descriptive name for the rule, and then click Next.
  4. In the Apply this rule to list, click Specified destination set, click the destination set that you created in the Name list, and then click Next.
  5. Click Specific users and groups, and then click Next.
  6. Click Add, select the users and groups to which you want to allow access to the FTP site, click OK, and then click Next.
  7. Click Redirect the request to this internal Web server (name or IP address), type the FQDN or the IP address of the internal FTP server, and then click Next.
  8. Confirm the settings that you have configured, and then click Finish.

    The new Web publishing rule is listed under Published Web Servers in the Web Publishing Rules folder.
  9. Right-click the new Web publishing rule that you created, and then click Properties (or if you are in Taskpad view, double-click the new Web publishing rule).
  10. Click the Bridging tab, and then click FTP requests under Redirect HTTP requests as.
  11. Click Apply, and then click OK.

REFERENCES

For additional information about how to configure ISA Server 2000, click the following article numbers to view the articles in the Microsoft Knowledge Base:

313072 HOW TO: Configure the Web Publishing Service to Work with Internet Security and Acceleration Server in Windows 2000

294679 How to Enable External Client Computers Access to a File Transfer Protocol Server


Modification Type: Major
Last Reviewed: 6/18/2003