
Use Server Publishing Rules

Step 1: Disable Socket Pooling for the FTP Service

The first thing you need to do is disable Socket Pooling for the FTP Service. Socket Pooling
allows IIS to listen on all IP addresses assigned to a particular server.

You can check this by typing the following command at the command prompt: netstat -na

Perform these steps to disable Socket Pooling for the FTP Service:

1. Open a command prompt and navigate to the \Inetpub\adminscripts\ folder
2. Type net stop msftpsvc and press [ENTER]
3. Type the following command:
cscript adsutil.vbs set msftpsvc/disablesocketpooling true and press [ENTER]
4. At the command prompt type net start msftpsvc and press [ENTER]

Check with netstat -na to confirm that TCP port 21 is now listening on one IP address instead of
listening on 0.0.0.0.
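As an added example (not part of the original guide), this Python script performs the netstat check above on constructed sample output: it lists the addresses on which TCP port 21 is in LISTENING state and flags a 0.0.0.0 binding, which means socket pooling is still in effect. The sample output and the 192.168.1.10 address are constructed, not captured from a real server.

```python
import re

# Constructed sample `netstat -na` output (not captured from a real server).
# Before socket pooling is disabled, the FTP service (port 21) is bound to 0.0.0.0;
# afterwards it is bound to the single address chosen for the FTP site.
NETSTAT_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
"""

NETSTAT_AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:21        0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:21        192.168.1.55:1044      ESTABLISHED
"""

# One TCP row of netstat output: local address, local port, foreign address, LISTENING state.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def listeners_on_port(netstat_output, port):
    """Return the local addresses on which TCP `port` is in LISTENING state."""
    addrs = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) == port:
            addrs.append(m.group(1))
    return addrs


def socket_pooling_disabled(netstat_output, port=21):
    """True when the port listens on specific addresses only and never on 0.0.0.0
    (all addresses); an empty listener list also counts as not verified."""
    addrs = listeners_on_port(netstat_output, port)
    return bool(addrs) and "0.0.0.0" not in addrs


if __name__ == "__main__":
    for label, output in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        state = "socket pooling disabled" if socket_pooling_disabled(output) else "still pooled"
        print(label, listeners_on_port(output, 21), state)
```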

Step 2: Configure the FTP service to listen only on the internal interface

1. Open the Internet Information Services console from the Administrative Tools
2. Right click on the Default FTP Site and click Properties
3. In the Default FTP Site Properties dialog box, select the IP address your FTP server must
listen on, click Apply and then OK
4. After making these changes, restart the FTP Service.

Step 3: Disabling the FTP Port Attack Setting

Some implementations of FTP servers allow a PORT command to open a connection between
the FTP server and an arbitrary port on another machine. This allows an attacker to establish
connections to arbitrary ports on machines other than the actual source machine.

To disable the Port Attack Setting, perform the following steps:

1. Open Regedt32 and go to the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters\
The default setting is 0.
2. Change the EnablePortAttack value to 1
3. Close Regedt32 and restart the FTP service
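As an added example (not from the original guide), the following Python models the server-side check that refuses third-party PORT commands: it parses the RFC 959 PORT argument "h1,h2,h3,h4,p1,p2" and accepts the data connection only if it goes back to the host that owns the control connection. The privileged-port check (ports below 1024) is a common hardening measure the guide does not mention; the addresses and ports are constructed sample values.

```python
def parse_port_argument(arg):
    """Parse the RFC 959 PORT argument "h1,h2,h3,h4,p1,p2" into (ip, port).

    Raises ValueError on anything malformed, so a sloppy argument is never
    turned into a connection attempt."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise ValueError("PORT argument must be six decimal numbers")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("each PORT field must be in the range 0-255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def port_command_allowed(arg, client_ip, allow_third_party=False):
    """Decide whether the server should honour a PORT command from `client_ip`.

    With allow_third_party=False the data connection may only go back to the
    host that owns the control connection, which is what stops the server from
    being pointed at arbitrary ports on other machines. The privileged-port
    check (< 1024) is an extra hardening step not in the original guide.
    Returns (allowed, reason)."""
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as err:
        return False, str(err)
    if port < 1024:
        return False, "data port %d is a privileged port" % port
    if not allow_third_party and ip != client_ip:
        return False, "data address %s differs from control connection %s" % (ip, client_ip)
    return True, "ok"


# Constructed sample values: the client holding the control connection is
# 203.0.113.5; 198.51.100.7 is some other host.
CLIENT_IP = "203.0.113.5"
OWN_HOST = "203,0,113,5,19,137"     # 203.0.113.5, port 19*256+137 = 5001
OTHER_HOST = "198,51,100,7,19,137"  # 198.51.100.7, port 5001

if __name__ == "__main__":
    print(port_command_allowed(OWN_HOST, CLIENT_IP))                            # accepted
    print(port_command_allowed(OTHER_HOST, CLIENT_IP))                          # refused
    print(port_command_allowed(OTHER_HOST, CLIENT_IP, allow_third_party=True))  # permissive mode
```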

Step 4: Create the Publishing Rule

If you use the Web Publishing Wizard you can publish multiple FTP Servers with the same IP
address on the external interface of the ISA Server. If you use the Server Publishing Wizard, you
can only publish a single FTP server per IP address.

1. Open the ISA Management console, expand your server and then expand the Publishing
node. Click on Server Publishing Rules, click New and then click Rule.
2. On the Welcome page type a name for the FTP server publishing rule, then click Next.
3. On the Address Mapping page, type the IP address of the internal interface of the ISA
server in the IP address of internal server text box and the IP address of the external interface in
the External IP address on ISA server text box, then click Next.
4. On the Protocol Settings page select the FTP Server protocol, then click Next.
5. On the Client Type page select either the Any request or the Specific computer option, then
click Next.
6. On the last page of the wizard, confirm your settings and click Finish.

Secure FTP Server Publishing

When you use the standard ftp.exe program included in Windows 2000, a user has to
authenticate against the FTP server. This means a user must enter a username and a password
before he or she can access the FTP server. After successfully authenticating, the user can
download or upload files.

The problem with FTP server authentication is that anyone with a network sniffer program can
capture your authentication request. The username and password are sent in clear text over the
Internet. If the files the user downloads are in clear text format, someone with a network sniffer
program can capture your files and read their contents. This can be a major security risk.

Since SSL is not supported by this standard tool (ftp.exe), we can use IPSec to encrypt only the
FTP traffic between the client and the ISA server.

Step 1: Creating an IP Filter List on the ISA server

1. Open Local Security Policy from the Administrative Tools menu.
2. Expand IP Security Policies on Local Machine.
3. You see a list of three default policies. Since these policies encrypt the IP traffic
specified in their rules, they encrypt too much for our purpose, so we create a new policy.
4. Right click on IP Security Policies on Local Machine.
5. Select Manage IP filter lists and filter actions.
6. On the Manage IP Filter Lists tab, click Add.
7. In the IP Filter List dialog box, type a name for the filter, for example FTP Secure, and click
Add.
8. An IP Filter Wizard shows up, click Next.
9. On the IP Traffic Source page, select Specific IP Address from the list box. In the IP Address
text box, type in the external IP address of the ISA server, click Next.
10. On the IP Traffic Destination page, select Any IP Address from the list box, click Next.
11. On the IP Protocol Type page, select TCP from the list box, click Next.
12. On the IP Protocol Port page, select From any port and To this port: 21.
13. Click Next and Finish.
14. Click Close and then Close again.

We just created an IP Filter List; now it’s time to create the actual policy.

Step 2: Creating an IP Security Policy on the ISA server

1. Right click on IP Security Policies on Local Machine.
2. Select Create IP Security Policy.
3. On the Welcome page click Next.
4. On the IP Security Policy Name page, type a name for the policy in the text box, for
example FTP Security Policy. You can add comments if you want; otherwise
click Next.
5. On the Request for Secure Communications page, check Activate the default response
rule and click Next.
6. On the Default Response Rule Authentication Method page, choose one of the
authentication methods, but beware: if the target computer (the one you want to set up an
IPSec connection with) is not part of the domain, you cannot use Kerberos. If you are sure that
the target computer has a computer certificate from your CA or a trusted CA, you can use
certificate based authentication. Otherwise select Use this string to protect the key
exchange. In my example I use a preshared key.
7. Enter a string, let’s say protectftp, click Next.
8. Be sure Edit Properties is checked and click Finish.
9. A new FTP Secure Wizard dialog box shows up, click Add.
10. On the Security Rule Wizard dialog box, click Next.
11. On the Tunnel Endpoint page, select This rule does not specify a tunnel, click Next.
12. On the Network Type page, select All connections, click Next.
13. On the Authentication Method page select Use this string to protect the key exchange,
and enter the same string as above (protectftp), click Next.
14. On the IP Filter List page, select FTP Secure from the list view, click Next.
15. On the Filter Action page, select Request Security from the list view, click Next.
16. Uncheck Edit Properties and click Finish.
17. Close the dialog box.
18. Right click on the FTP Secure policy and select Assign.
19. The policy does not take effect immediately; you have to restart the IP Security Policy Agent
from the Services console in Administrative Tools.

Step 3: Creating an IP Filter List on the target computer

The target computer is the computer that connects to your ISA server; in this scenario it is a
computer on the Internet.

1. Open Local Security Policy from the Administrative Tools menu.
2. Expand IP Security Policies on Local Machine.
3. You see a list of three default policies. Since these policies encrypt the IP traffic
specified in their rules, they encrypt too much for our purpose, so we create a new policy.
4. Right click on IP Security Policies on Local Machine.
5. Select Manage IP filter lists and filter actions.
6. On the Manage IP Filter Lists tab, click Add.
7. In the IP Filter List dialog box, type a name for the filter, for example FTP Secure, and click
Add.
8. An IP Filter Wizard shows up, click Next.
9. On the IP Traffic Source page, select My IP Address from the list box, click Next.
10. On the IP Traffic Destination page, select Specific IP Address from the list box. In the
IP Address text box, type in the external IP address of the ISA server, click Next.
11. On the IP Protocol Type page, select TCP from the list box, click Next.
12. On the IP Protocol Port page, select From any port and To this port: 21.
13. Click Next and Finish.
14. Click Close and then Close again.
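As an added example (not part of the original guide), this Python function models how a Windows IPSec filter such as the FTP Secure list built on the ISA server and on the target computer above is matched against packets, including the Mirrored option that the IP Filter Wizard leaves checked by default, so that replies are covered as well. It models the target computer's filter (My IP address to the ISA server's external address, TCP, from any port to port 21); the 203.0.113.10 and 198.51.100.20 addresses and the packets are constructed.

```python
ANY = "any"   # matches every address or port
MY = "my"     # "My IP address" in the wizard: the address of the computer the policy runs on


def filter_matches(flt, pkt, my_ip, mirrored=True):
    """Return True when `pkt` falls under IPSec filter `flt`.

    flt: dict with src, dst (MY, ANY or a literal address), proto, sport, dport (ANY or a number).
    pkt: dict with src, dst, proto, sport, dport.
    mirrored=True also matches the packet with source and destination swapped, which is what
    the wizard's Mirrored box does (assumed left checked, its default), so replies are covered."""
    def addr(spec):
        return my_ip if spec == MY else spec

    def one_way(src, dst, sport, dport):
        return (pkt["proto"] == flt["proto"]
                and addr(src) in (ANY, pkt["src"])
                and addr(dst) in (ANY, pkt["dst"])
                and sport in (ANY, pkt["sport"])
                and dport in (ANY, pkt["dport"]))

    if one_way(flt["src"], flt["dst"], flt["sport"], flt["dport"]):
        return True
    return mirrored and one_way(flt["dst"], flt["src"], flt["dport"], flt["sport"])


# The FTP Secure filter from the target computer steps: My IP address -> ISA external address,
# TCP, from any port to port 21. Both addresses are constructed sample values.
ISA_EXTERNAL = "203.0.113.10"
CLIENT = "198.51.100.20"
FTP_SECURE = {"src": MY, "dst": ISA_EXTERNAL, "proto": "TCP", "sport": ANY, "dport": 21}

# Constructed packets as seen on the client.
CONTROL_OUT = {"src": CLIENT, "dst": ISA_EXTERNAL, "proto": "TCP", "sport": 3055, "dport": 21}
CONTROL_IN = {"src": ISA_EXTERNAL, "dst": CLIENT, "proto": "TCP", "sport": 21, "dport": 3055}
# Active-mode data connection: the server connects from port 20 to the client's data port.
DATA_IN = {"src": ISA_EXTERNAL, "dst": CLIENT, "proto": "TCP", "sport": 20, "dport": 3056}
WEB_OUT = {"src": CLIENT, "dst": ISA_EXTERNAL, "proto": "TCP", "sport": 3057, "dport": 80}


def covered(pkt):
    """Does the client's FTP Secure filter match this packet?"""
    return filter_matches(FTP_SECURE, pkt, my_ip=CLIENT)


if __name__ == "__main__":
    for name, pkt in (("control out", CONTROL_OUT), ("control in", CONTROL_IN),
                      ("data in", DATA_IN), ("web out", WEB_OUT)):
        print("%-11s %s" % (name, "matched" if covered(pkt) else "not matched"))
```

Because the filter is scoped to port 21, it matches the control connection in both directions but not an active-mode data connection arriving from server port 20, which would need a filter of its own to fall under the policy.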

Step 4: Creating an IP Security Policy on the target computer

1. Right click on IP Security Policies on Local Machine.
2. Select Create IP Security Policy.
3. On the Welcome page click Next.
4. On the IP Security Policy Name page, type a name for the policy in the text box, for
example FTP Security Policy. You can add comments if you want; otherwise
click Next.
5. On the Request for Secure Communications page, check Activate the default response
rule and click Next.
6. On the Default Response Rule Authentication Method page, select Use this string to
protect the key exchange. In my example I use a preshared key.
7. Enter the same string as you chose on the ISA server, let’s say protectftp, click Next.
8. Be sure Edit Properties is checked and click Finish.
9. A new FTP Secure Wizard dialog box shows up, click Add.
10. On the Security Rule Wizard dialog box, click Next.
11. On the Tunnel Endpoint page, select This rule does not specify a tunnel, click Next.
12. On the Network Type page, select All connections, click Next.
13. On the Authentication Method page select Use this string to protect the key exchange,
and enter the same string as above (protectftp), click Next.
14. On the IP Filter List page, select FTP Secure from the list view, click Next.
15. On the Filter Action page, select Request Security from the list view, click Next.
16. Uncheck Edit Properties and click Finish.
17. Close the dialog box.
18. Right click on the FTP Secure policy and select Assign.
19. The policy does not take effect immediately; you have to restart the IP Security Policy Agent
from the Services console in Administrative Tools.

Note: It is important to use the same preshared key on both systems; otherwise a connection
cannot be established.

Step 5: Testing the connection

1. Open a command prompt and type ftp external_IP_ISA [ENTER]
2. Log in with a valid user account or anonymous and download your files.
3. If you have Network Monitor installed, you will see ISAKMP and ESP packets. FTP traffic
from your client computer to the ISA server is encrypted. The traffic between the ISA server
and your internal firewall is unencrypted.

Note: IPSec is available only on Windows 2000 and Windows XP clients; it is not supported on
the Windows 9x family.
