You can access the FTP server either by opening the static
packet filters or by using server publishing by means of ISA Server.
Open the Static Packet Filters
- Open the ISA Administration tool, and then expand the Server settings.
- Expand Access Policy, and then click IP Packet Filters.
- In the right pane, click Create Packet Filter.
- For the filter settings, specify the following settings,
and then click Next:

  Name: FTP Server TCP 21 Local
  Allow Packet Transmission
  Custom:
    IP Protocol: TCP
    Direction: Inbound
    Local port: Fixed port
    Port number: 21
    Remote port: All ports

  Name: FTP Server TCP 20 Local
  Allow Packet Transmission
  Custom:
    IP Protocol: TCP
    Direction: Outbound
    Local port: Fixed port
    Port number: 20
    Remote port: All ports
- In the Apply this packet filter to box,
click Default IP addresses for each external interface on the ISA
Server computer, and then click Next.
- In the Remote Computers section, click either All remote computers or
Only this remote computer, and then click Next. This setting specifies the host, which is the terminal server
client that accesses the Terminal Services session.
- Click Finish.
NOTE: This option can only enable clients to connect by using the
Active mode (Port).
Server Publish the FTP Server
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
IMPORTANT: This article contains information about editing the metabase.
Before you edit the metabase, verify that you have a backup copy that you can
restore if a problem occurs. For information about how to do this, see the
"Configuration Backup/Restore" Help topic in Microsoft Management Console
(MMC).
To server publish a service, the port on the
external interface has to be free. By default, Microsoft Internet Information
Services (IIS) version 5.0 uses the Socket Pooling feature and listens on all
computer interfaces. Because the FTP server is already listening on port 21 on
all interfaces (0.0.0.0:21), any FTP server publishing is unsuccessful.
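One way to check for this condition before you create the publishing rule is to inspect the output of netstat -an on the ISA Server computer. The following is an added example, not part of the original article; the function names, IP addresses, and netstat text are constructed for illustration.

```python
# Constructed samples of Windows `netstat -an` output (not from a real host).
SAMPLE_POOLED = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""
SAMPLE_BOUND = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.1:21            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:2121          0.0.0.0:0              LISTENING
"""


def ftp_listeners(netstat_text, port=21):
    """Return the local IP addresses with a TCP socket LISTENING on `port`."""
    addrs = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have four fields: Proto, Local Address, Foreign Address, State.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        ip, _, local_port = fields[1].rpartition(":")
        if local_port == str(port):  # exact match, so 2121 is not mistaken for 21
            addrs.append(ip)
    return addrs


def publishing_ready(netstat_text, internal_ip, external_ip, port=21):
    """Return (ok, reason): is the external port free for a publishing rule?"""
    addrs = ftp_listeners(netstat_text, port)
    if "0.0.0.0" in addrs:
        return False, "listening on all interfaces (socket pooling still on)"
    if external_ip in addrs:
        return False, "external interface port already in use"
    if internal_ip not in addrs:
        return False, "FTP service is not listening on the internal interface"
    return True, "bound to internal interface only"


if __name__ == "__main__":
    for name, text in (("pooled", SAMPLE_POOLED), ("bound", SAMPLE_BOUND)):
        print(name, publishing_ready(text, "10.0.0.1", "203.0.113.10"))
```

Run the check before the Server Publishing rule exists, because afterward ISA Server itself listens on the external address.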
To ensure
that IIS only listens on a selected interface, you must disable the Socket
Pooling feature and configure the FTP server to listen on a specific Internet
Protocol (IP) address:
- To disable the Socket Pooling feature for the FTP service,
run the following commands:
- At a command prompt, change to the
\Inetpub\Adminscripts\ folder.
- At a command prompt, type the following command, and then press
ENTER:
    cscript adsutil.vbs set msftpsvc/disablesocketpooling true
- Restart the Iisadmin service for the change to take
effect. At a command prompt, type:
net stop iisadmin
- Start all of the services that had been running in
Inetinfo.
For additional information, click the article
number below to view the article in the Microsoft Knowledge Base: 238131 How to Disable Socket Pooling
- Configure the FTP server to listen only on the internal
interface:
- Open the Internet Services Manager, and then expand the
Computername settings.
- Click Default FTP Site, and then right-click it.
- On the menu, click Properties, and then click the FTP Site tab.
- In the Identification section, click IP Address.
- Change the IP address from "All Unassigned" to the IP
address of the internal interface of ISA Server.
- Click OK.
- Close IIS in Microsoft Management Console
(MMC).
- Because ISA Server is publishing to itself, you must enable
the FTP port attack mechanism:
- Start Registry Editor (Regedt32.exe).
- Locate the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters\
- Change the EnablePortAttack value to 1.
- Close Registry Editor.
- Restart the FTP service.
Note In an installation of IIS version 6, the registry subkey that is
listed in step 3c is named EnableDataConnTo3rdIP. Assign it the same value as is shown in that step. For more
information, see the "Server-to-Server FTP Transfer" topic in IIS6
Help.
- Configure the Server Publishing rule:
- Open the ISA Administration tool, and then expand the Server settings.
- Expand Publishing, and then click Server Publishing Rules.
- In the right pane, click Publish a Server.
- Specify a name, such as FTP Server Local, and then
click Next.
- Enter the internal IP address of the FTP server that
had been specified in the Internet Services Manager.
- Browse and click the IP address of the external
interface, and then click Next.
- In the Protocol Settings dialog box, click FTP Server, and then click Next.
- Click Any Request to enable all of the clients or to specify a client address set,
and then click Next.
- Click Finish.
- For ISA Server to dynamically open packet filters for
client sessions, you must enable the FTP Access Filter option:
- Open the ISA Administration tool, and then expand the Server settings.
- Expand Extensions, and then click Application Filters.
- In the right pane, ensure that the FTP Access Filter option is enabled.
NOTE: The preceding option enables clients to connect by using both
Active (Port) and Passive (Pasv) mode.
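
The two NOTEs in this article (static packet filters allow Active mode only; the FTP Access Filter allows both modes) follow from where the FTP data connection is set up. The following is an added example, not part of the original article; it assumes that a filter's Direction refers to the side that initiates the TCP connection, and the control-channel lines and addresses are constructed.

```python
import re

# The two static packet filters from the first method:
# (protocol, direction of connection setup, fixed local port); remote port is "All ports".
STATIC_FILTERS = [("TCP", "inbound", 21), ("TCP", "outbound", 20)]

# Constructed control-channel lines (documentation address ranges).
ACTIVE = "PORT 203,0,113,7,19,137"                        # sent by the client
PASSIVE = "227 Entering Passive Mode (192,0,2,10,12,34)"  # sent by the server


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple carried by PORT and by a 227 reply."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text)
    if not m:
        raise ValueError("no host-port tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("field out of range in %r" % text)
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def data_connection(control_line):
    """Return (direction, server local port) of the data connection."""
    _, port = decode_hostport(control_line)
    if control_line.upper().startswith("PORT"):
        # Active mode: the server connects out from port 20 to the client.
        return "outbound", 20
    if control_line.startswith("227"):
        # Passive mode: the client connects in to the port the server announced.
        return "inbound", port
    raise ValueError("not a PORT command or 227 reply")


def allowed_by_static_filters(control_line, filters=STATIC_FILTERS):
    """True if a static filter already covers the resulting data connection."""
    direction, local_port = data_connection(control_line)
    return ("TCP", direction, local_port) in filters


if __name__ == "__main__":
    for line in (ACTIVE, PASSIVE):
        print(line, "->", data_connection(line), allowed_by_static_filters(line))
```

The passive-mode port changes for every transfer, so no fixed-port filter can cover it; a filter that reads the control channel, as the FTP Access Filter does, is needed to open it per session.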