That makes sense. Thanks.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, May 14, 2010 12:06 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FTP Oddity over TMG

Rob,

That second error you see (502 Active FTP not allowed) is because the TMG FTP filter has been changed to disallow active FTP. This was done to prevent malware creating an inbound connection to non-FTP listeners such as RPC (port 135), SMB (port 445), etc.

The difference between active and passive FTP is that when the FTP server sends data (other than status messages) to the client, the FTP server must:

  Active: create a connection to the client on the port specified by the client.
  Passive: accept a connection from the client on a port specified by the FTP server.

Scenario: a vulnerability exists in component "x". This component listens on TCP:666. A new chunk of malware wants to exploit this vulnerability and uses active FTP to communicate with its "master" and create connections to the client on TCP:666, opening the vulnerable component to attack from the malicious server through your firewall.

To prevent this scenario, TMG requires passive FTP, which requires that any connection between the client and remote server occur outbound only.

Yuri Diogenes discussed this in http://blogs.technet.com/yuridiogenes/archive/2010/03/16/error-502-active-ftp-not-allowed-when-trying-to-list-files-in-a-ftp-session-behind-forefront-tmg-2010.aspx

Jim.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
Sent: Friday, May 14, 2010 05:33
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] FTP Oddity over TMG

OK, here's an odd one for you.

I've almost completed my transition from ISA 2006 to TMG. Yesterday I reconfigured DHCP so that all my clients started using TMG as their default gateway. We then discovered a problem. One of the users needed to FTP a file to someplace offsite. Something he does regularly to this site. (I hadn't discovered this problem because those of us testing the firewall don't use FTP much.) His FTP failed when using Windows Explorer to do the FTPing.

I tried replicating the problem from the command line, while monitoring the activity from TMG. My FTP also failed. The command line returned this error:

  502 Active FTP not allowed.
  550 Access is denied.

However, TMG returned no errors at all.

After a while, I hit upon the FTP filter. It has a checkbox that is checked by default that is labeled "Read Only" and says "When Read Only is selected, FTP uploads will be blocked." I unchecked that box and tried again. The upload from the command line failed again, with a slightly different error:

  502 Active FTP not allowed.
  550 No port specified.

Again, no errors reported by TMG. However, the FTP now works from Windows Explorer.

So, a couple of oddities come to mind.

1. Why is it that the default in an "allow" rule is to have the filter block the traffic you just allowed? Seems weird to me.
2. Why does FTP work from Windows Explorer but not from the command line?

Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC
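The active/passive distinction Jim explains above, shown as an added example that is not code from the thread, from TMG, or from any participant: a small Python classifier reads FTP control-channel lines, decodes a client's PORT command or the server's 227 passive reply into the data-connection endpoint, and applies a TMG-style policy that allows passive transfers and refuses active ones with the same "502 Active FTP not allowed" wording the thread quotes. The function names, the SENSITIVE_PORTS set (135, 445 and the thread's hypothetical TCP:666), and the extra rule that, even when active FTP is permitted, still refuses PORT targets below 1024 are assumptions of this example; the sample control lines are constructed, not captured from a real session.

```python
import re

# Added example (not TMG's filter or any product's code): classify the data
# connection an FTP control-channel line sets up, and apply a passive-only policy.

# "PORT h1,h2,h3,h4,p1,p2": client asks the server to connect to h1.h2.h3.h4:(p1*256+p2)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": server tells the client where to connect
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Listeners the thread names as reachable by an inbound active-mode data connection
# (RPC 135, SMB 445) plus its hypothetical vulnerable component on TCP:666.
SENSITIVE_PORTS = {135, 445, 666}


def decode_hostport(groups):
    """Turn the six comma-separated FTP fields into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify_ftp_line(line):
    """Return the data-connection mode, direction and endpoint for a control line,
    or None for lines that do not set up a data connection."""
    m = PORT_RE.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        # Active: the remote server will open a connection *to* the client.
        return {"mode": "active", "direction": "server->client", "host": host, "port": port}
    m = PASV_RE.match(line)
    if m:
        host, port = decode_hostport(m.groups())
        # Passive: the client opens the connection outbound to the server.
        return {"mode": "passive", "direction": "client->server", "host": host, "port": port}
    return None


def policy_decision(info, allow_active=False):
    """TMG-style policy: passive only by default. The below-1024 rule for active
    targets is an assumption of this example, not a documented TMG behaviour."""
    if info is None:
        return "ignore"
    if info["mode"] == "passive":
        return "allow"
    if not allow_active:
        return "deny: 502 Active FTP not allowed"  # the error quoted in the thread
    if info["port"] < 1024 or info["port"] in SENSITIVE_PORTS:
        return f"deny: inbound data connection to port {info['port']}"
    return "allow"


def audit(control_log, allow_active=False):
    """Pair each control line with the policy decision it would receive."""
    return [(line, policy_decision(classify_ftp_line(line), allow_active)) for line in control_log]


# Constructed sample control channel (assumption: not a real capture).
SAMPLE = [
    "USER anonymous",
    "PORT 10,0,0,5,4,210",                              # active, target 10.0.0.5:1234
    "227 Entering Passive Mode (203,0,113,7,195,80)",   # passive, target 203.0.113.7:50000
    "PORT 10,0,0,5,2,154",                              # active, target port 666
    "PORT 10,0,0,5,1,189",                              # active, target port 445 (SMB)
]

if __name__ == "__main__":
    for line, decision in audit(SAMPLE, allow_active=True):
        print(f"{decision:45} <- {line}")
```

Running the block with allow_active=True shows why the thread's scenario matters: the PORT lines aimed at 666 and 445 are refused even though active mode is nominally permitted, whereas the default allow_active=False reproduces the blanket 502 that Rob saw from the command line while the passive 227 exchange is allowed through.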