Microsoft KB Archive/294679

= How to enable external client computers access to a File Transfer Protocol server =

Article ID: 294679

Article Last Modified on 1/6/2005


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition




This article was previously published under Q294679



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
This article describes how to give external client computers access to a File Transfer Protocol (FTP) server that is running on Internet Security and Acceleration (ISA) Server.



MORE INFORMATION
You can access the FTP server either by opening the static packet filters or by using server publishing by means of ISA Server.

Open the Static Packet Filters
 1. Open the ISA Administration tool, and then expand the Server settings.
 2. Expand Access Policy, and then click IP Packet Filters.
 3. In the right pane, click Create Packet Filter.
 4. For the filter settings, specify the following settings, and then click Next:

Name: FTP Server TCP 21 Local
 * Allow Packet Transmission
 * Custom:
 * IP Protocol: TCP
 * Direction: Inbound
 * Local port: Fixed port
 * Port number: 21
 * Remote port: All ports

Name: FTP Server TCP 20 Local
 * Allow Packet Transmission
 * Custom:
 * IP Protocol: TCP
 * Direction: Outbound
 * Local port: Fixed port
 * Port number: 20
 * Remote port: All ports

 5. In the Apply this packet filter to box, click Default IP addresses for each external interface on the ISA Server computer, and then click Next.
 6. In the Remote Computers section, click either All remote computers or Only this remote computer, and then click Next. This setting specifies the host, which is the terminal server client that accesses the Terminal Services session.
 7. Click Finish.

NOTE: This option can only enable clients to connect by using the Active mode (Port).

Server Publish the FTP Server
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

IMPORTANT: This article contains information about editing the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC).

To server publish a service, the port on the external interface has to be free. By default, Microsoft Internet Information Services (IIS) version 5.0 uses the Socket Pooling feature and listens on all computer interfaces. Because the FTP server is then already listening on port 21 on every interface (0.0.0.0:21), any FTP server publishing is unsuccessful.

To ensure that IIS only listens on a selected interface, you must disable the Socket Pooling feature and configure the FTP server to listen on a specific Internet Protocol (IP) address:

 1. To disable the Socket Pooling feature for the FTP service, run the following commands:
    a. At a command prompt, change to the \Inetpub\Adminscripts\ folder.
    b. At a command prompt, type: cscript adsutil.vbs set msftpsvc/disablesocketpooling true, and then press ENTER.
    c. Restart the Iisadmin service for the change to take effect. At a command prompt, type:

       net stop iisadmin

    d. Start all of the services that had been running in Inetinfo.

    For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

    238131 How to Disable Socket Pooling

 2. Configure the FTP server to listen only on the internal interface:
    a. Open the Internet Services Manager, and then expand the Computername settings.
    b. Click Default FTP Site, and then right-click it.
    c. On the menu, click Properties, and then click the FTP Site tab.
    d. In the Identification section, click IP Address.
    e. Change the IP address from "All Unassigned" to the IP address of the internal interface of ISA Server.
    f. Click OK.
    g. Close IIS in Microsoft Management Console (MMC).

 3. Because ISA Server is publishing to itself, you must enable the FTP port attack mechanism:
    a. Start Registry Editor (Regedt32.exe).
    b. Locate the following registry key:

       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters\

    c. Change the EnablePortAttack value to 1.
    d. Close Registry Editor.
    e. Restart the FTP service.

    Note In an installation of IIS version 6, the registry subkey that is listed in step 3c is named EnableDataConnTo3rdIP. Assign it the same value as is shown in that step. For more information, see the “Server-to-Server FTP Transfer” topic in IIS6 Help.

 4. Configure the Server Publishing rule:
    a. Open the ISA Administration tool, and then expand the Server settings.
    b. Expand Publishing, and then click Server Publishing Rules.
    c. In the right pane, click Publish a Server.
    d. Specify a name, such as, FTP Server Local, and then click Next.
    e. Enter the internal IP address of the FTP server that had been specified in the Internet Services Manager.
    f. Browse and click the IP address of the external interface, and then click Next.
    g. In the Protocol Settings dialog box, click FTP Server, and then click Next.
    h. Click Any Request to enable all of the clients or to specify a client address set, and then click Next.
    i. Click Finish.

 5. For ISA Server to dynamically open up packet filters for client sessions, you must enable the FTP Access Filter option:
    a. Open the ISA Administration tool, and then expand the Server settings.
    b. Expand Extensions, and then click Application Filters.
    c. In the right pane, ensure that the FTP Access Filter option is enabled.

NOTE: The preceding option enables clients to connect by using both Active (Port) and Passive (Pasv) mode.
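
The two mode notes in this article (static filters allow Active mode only; the FTP Access Filter allows both) follow from where each mode places the data connection. The Python sketch below is an added illustration, not part of the original article or of ISA Server: it parses a PORT command and a 227 PASV reply and checks the resulting data connection against the two static filters. The function names, the simplified `ftp_access_filter` switch and the sample lines are assumptions constructed for this example.

```python
import re

# Static packet filters from the article, as (direction, local port) on the
# external interface. "Remote port: All ports" means the remote side is not matched.
STATIC_FILTERS = {
    ("inbound", 21),   # FTP Server TCP 21 Local: control channel
    ("outbound", 20),  # FTP Server TCP 20 Local: active-mode data channel
}

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_endpoint(line):
    """Return (ip, port) from 'PORT h1,h2,h3,h4,p1,p2' or a '227 (...)' reply."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connection(line):
    """Return (direction, local port) of the data connection, seen from the server."""
    _, port = parse_endpoint(line)
    verb = line.split()[0].upper()
    if verb == "PORT":   # active: server connects out from TCP 20 to the client
        return ("outbound", 20)
    if verb == "227":    # passive: client connects in to the port the server chose
        return ("inbound", port)
    raise ValueError("not a PORT command or 227 reply: %r" % line)

def data_channel_allowed(line, ftp_access_filter=False):
    """True if the negotiated data connection passes the packet filters.

    ftp_access_filter=True models, in simplified form, an application filter
    that reads the control channel and opens a per-session dynamic filter.
    """
    conn = data_connection(line)
    filters = STATIC_FILTERS | ({conn} if ftp_access_filter else set())
    return conn in filters

# Constructed control-channel lines (documentation address ranges).
ACTIVE = "PORT 203,0,113,7,19,137"                         # client listens on 5001
PASSIVE = "227 Entering Passive Mode (192,0,2,10,195,80)"  # server listens on 50000

if __name__ == "__main__":
    for line in (ACTIVE, PASSIVE):
        print(line, "| static only:", data_channel_allowed(line),
              "| with FTP filter:", data_channel_allowed(line, True))
```

The passive data connection arrives inbound on a port the server picks per session, which no fixed-port filter can anticipate; that is why the static-filter option is limited to Active mode.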

Additional query words: PASV PORT

Keywords: kbhowto kbenv KB294679


© Microsoft Corporation. All rights reserved.