How to publish a File Transfer Protocol server that is running on an ISA Server computer (838243)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition
  • Microsoft Internet Security and Acceleration Server 2004, Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition

For a Microsoft Internet Security and Acceleration Server 2000 version of this article, see 294679.

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

Important This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).

INTRODUCTION

This article describes how to publish an FTP server that is running on the local Microsoft Internet Security and Acceleration (ISA) Server 2004 computer.

MORE INFORMATION

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Warning If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

Note Always back up the metabase before you edit it.

To publish a service on the ISA Server computer, the port on the external interface must be available. By default, Microsoft Internet Information Services (IIS) version 5.0 and later uses the Socket Pooling feature and listens on all computer interfaces. Therefore, the FTP server is already listening on port 21 (0.0.0.0:21). Because of this, FTP server publishing may be unsuccessful.

To make sure that IIS only listens on a particular interface, disable the Socket Pooling feature and configure the FTP server to listen on a specific Internet Protocol (IP) address. To do this, follow these steps:
  1. Disable the Socket Pooling feature for the FTP service. To do so:
    1. At a command prompt, change to the \Inetpub\Adminscripts\ folder.
      • For a Windows 2000-based computer, type the following command, and then press ENTER:

        cscript adsutil.vbs set msftpsvc/disablesocketpooling true

      • For a Windows Server 2003-based computer, type the following command, and then press ENTER:

        cscript adsutil.vbs set /msftpsvc/1/disablesocketpooling 1

    2. Restart the IIS Admin Service for the change to take effect. To do so:
      1. Click Start, click Run, type services.msc in the Open box, and then click OK.
      2. Right-click IIS Admin Service, and then click Restart.
      3. Click Yes if you are prompted to restart other dependent services.
  2. Configure the FTP server to listen on the internal interface of the ISA Server computer. To do so:
    1. Start Internet Information Services (IIS) Manager.
    2. Expand ServerName (local computer), expand FTP Sites, right-click your FTP site, and then click Properties.
    3. In the IP address list, click the IP address that corresponds to the internal interface of the ISA Server computer, and then click OK.
    4. Quit the Internet Information Services (IIS) Manager tool.
  3. Because ISA Server is publishing to itself, you must disable the FTP port attack mechanism. To do so:
    1. Start Registry Editor. To do this, click Start, click Run, type regedit in the Open box, and then click OK.
    2. Locate, and then click the following registry subkey:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters\

    3. Change the EnablePortAttack DWORD value to 1.

      Note In an installation of IIS version 6, the registry DWORD value is named EnableDataConnTo3rdIP. Assign this registry value a value of 1. For more information, see the "Server-to-Server FTP Transfer" topic in IIS version 6 Help.
    4. Quit Registry Editor, and then restart the FTP Publishing Service.
  4. Configure the server publishing rule. In ISA Server 2004, follow these steps:
    1. Start the ISA Server Management tool.
    2. Expand ServerName, where ServerName is the name of your ISA Server computer.
    3. Click Firewall Policy, click the Tasks tab, and then click Create a New Server Publishing Rule.
    4. Type a descriptive name for the new rule, and then click Next.
    5. In the Server IP address box, type the IP address of the ISA Server computer's internal interface, and then click Next.
    6. In the Selected protocol list, click FTP Server, and then click Next.
    7. In the Listen for requests from these networks list, click to select the External check box, click Next, and then click Finish.
    8. Click Apply to update the firewall policy, and then click OK.
    In ISA Server 2006, follow these steps:
    1. Start the ISA Server Management tool.
    2. Expand ServerName, where ServerName is the name of your ISA Server computer.
    3. Right-click Firewall Policy, point to New, and then click Non-Web Server Protocol Publishing Rule.
    4. Type a descriptive name for the new rule, and then click Next.
    5. In the Server IP address box, type the IP address of the ISA Server computer's internal interface, and then click Next.
    6. In the Selected protocol list, click FTP Server, and then click Next.
    7. In the Listen for requests from these networks list, click to select the External check box, click Next, and then click Finish.
    8. Click Apply to update the firewall policy, and then click OK.
  5. Configure FTP filtering. To do so:
    1. In the ISA Server Management tool, right-click the FTP Server rule that you created, and then click Properties.
    2. Click the Traffic tab, click Filtering, and then click Configure FTP.
    3. If you want to allow uploads to your FTP site, click to clear the Read Only check box, and then click OK two times.
    4. Click Apply to update the firewall policy, and then click OK.
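
The following PowerShell check is an added example, not part of the original article, for confirming the result of steps 1 through 3 on the ISA Server computer: it reports whether FTP is bound to the internal address instead of 0.0.0.0:21 and prints the two registry values named in step 3. It assumes PowerShell 2.0 or later and English-language netstat output; the address 192.0.2.10 and the function name Get-FtpListener are placeholders introduced here.

```powershell
# Added verification sketch, not part of the original article.
param(
    # Constructed placeholder: the internal interface address chosen in step 2.
    [string]$InternalIP = '192.0.2.10'
)

# Return the local addresses of TCP sockets listening on port 21.
# Assumes English-language "netstat -an" output (state text LISTENING).
function Get-FtpListener {
    param([string[]]$NetstatLines)
    foreach ($line in $NetstatLines) {
        $f = @($line.Trim() -split '\s+')
        if ($f.Count -ge 4 -and $f[0] -eq 'TCP' -and
            $f[3] -eq 'LISTENING' -and $f[1] -match '^(.+):21$') {
            $Matches[1]
        }
    }
}

$bound = @(Get-FtpListener -NetstatLines (netstat -an))
if ($bound.Count -eq 0) {
    'No listener on TCP port 21. Is the FTP Publishing Service running?'
} elseif ($bound -contains '0.0.0.0') {
    # The condition the article warns about: IIS still holds port 21 on
    # every interface, so the external interface is not free for the rule.
    'FTP listens on 0.0.0.0:21. Socket pooling is still in effect (steps 1 and 2).'
} elseif ($bound -contains $InternalIP) {
    "FTP listens on ${InternalIP}:21 as intended."
} else {
    'FTP listens on port 21, but not on the expected internal address.'
}
'Listeners on port 21: ' + ($bound -join ', ')

# Step 3 sets one of these values to 1. Print what is actually configured so
# the relaxed setting is a recorded, deliberate change.
$key = 'HKLM:\System\CurrentControlSet\Services\Msftpsvc\Parameters'
foreach ($name in 'EnablePortAttack', 'EnableDataConnTo3rdIP') {
    $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($p) { '{0} = {1}' -f $name, $p.$name } else { "$name is not set" }
}
```

Run the check after restarting the IIS Admin Service and the FTP Publishing Service, because the binding and registry changes take effect only after those restarts.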

Modification Type: Major
Last Reviewed: 9/29/2006