RE: FTP server publishing problem

  • From: Glen Howard <ghoward@xxxxxxxx>
  • To: "'[ Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 13 Aug 2002 12:48:53 -0400

I just published my FTP server through ISA a couple of days ago...It was
indeed tricky, but it now works GREAT!!! Dr. Shinder has a couple of
tutorials which I regard as the "Bibles" on FTP itself...
keyword "FTP"... Great articles and tutorials!...

AND YES, there are 3 packet filters which you MUST create for this whole
thing to work even AFTER you publish the server.
1) FTP1 - protocol:TCP    Direction: Both    LocalPort: Dynamic (1025-5000)
Remote Port: Any
2) FTP2 - protocol:TCP    Direction: Inbound LocalPort: fixed (21)
Remote Port: All Ports
3) FTP3 - protocol:TCP    Direction: BOTH          LocalPort: fixed (20)
Remote Port: All Ports

FAQ answered by Shinder which helped me:
Question 265 -    Jan 05, 2001  :  I am trying to publish my internal FTP
server, which is behind ISA Server. I configured a custom protocol for ports
21 and 20 and it still won't work, what could the problem be? 

SHINDER: You need to open internal dynamic ports 1025-5000 outbound to any
port as a filter.

Glen Howard II, MCP
Systems Administrator
Barnes &
"If it ain't broke, BREAK IT.. The only thing that is constant is CHANGE"   

-----Original Message-----
From: Mark Hippenstiel [mailto:mark@xxxxxxxxxxxx] 
Sent: Monday, August 12, 2002 5:04 PM
To: [ Discussion List]
Subject: [isalist] FTP server publishing problem


I have a rather tricky problem here: one of my friends recently set up an
ISA server and now tries to publish an FTP server on a second server.

I searched all over the net for posts regarding the trickyness of FTP server
publishing but didn't find anything else than the special requirements for
running FTP on the ISA itself.

Here's some sample IPP log:

2002-08-12      19:25:40   Tcp
8414    21      BLOCKED Dialout
2002-08-12      19:25:43   Tcp
8414    21      BLOCKED Dialout
2002-08-12      19:25:49   Tcp
8414    21      BLOCKED Dialout
2002-08-12      20:28:35   Tcp
8797    21      BLOCKED Dialout
2002-08-12      20:28:36   Tcp
8797    21      BLOCKED Dialout

The first address being me (also behind ISA) trying to connect to the
published FTP service.

My FTP clients either get a timeout or in case of Windows 2000 ftp.exe an
'unknown error'

So this raises three questions:

1. could it be that FTP is one of those protocol that do not work well if
both parties are behind a firewall? 2. why do I have a blocking from a
packet filter, when to my understanding publishing the server should
suffice? 3. What can we do to get this setup working?

Thanks for your help!

You are currently subscribed to this Discussion List as:
ghoward@xxxxxxxx To unsubscribe send a blank email to

Other related posts: