FTP access filter


The File Transfer Protocol (FTP) filter that is provided with Microsoft Internet Security and Acceleration (ISA) Server forwards FTP requests from secure network address translation (SecureNAT) clients to the Firewall service. The filter dynamically opens secondary ports, which are required by the FTP protocol, and performs necessary address translation for SecureNAT clients.

Although you could create a protocol definition for FTP, the protocol definition would not offer the full range of capabilities afforded by the FTP filter. A user-defined FTP protocol definition and the FTP access filter differ in the following ways:

  • The FTP filter dynamically opens specific ports for the secondary connection, but the protocol definition opens a range of secondary ports.

  • The FTP access filter can protect SecureNAT clients by performing the address translation required for the secondary connection. The protocol definition cannot.

  • Because the FTP access filter includes a read-only FTP protocol definition, it can distinguish between read and write permissions, enabling you to fine-tune access permissions.
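
How an FTP-aware filter can deliver the three capabilities listed above, as an added sketch (not ISA Server's code, whose internals this page does not describe): it reads the RFC 959 control channel to open only the one announced data port, rewrites the SecureNAT client's private address in PORT, and refuses write commands under a read-only policy. The class name, the sample addresses and the same-port NAT mapping are assumptions for illustration.

```python
import re

# RFC 959 commands that change server state; a read-only policy refuses them.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 argument, or None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    n = [int(g) for g in m.groups()]
    if max(n) > 255:
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def format_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])

class FtpControlInspector:
    """Hypothetical per-session inspector for one NATed client."""

    def __init__(self, client_ip, external_ip, read_only=False):
        self.client_ip, self.external_ip = client_ip, external_ip
        self.read_only = read_only
        self.expected = set()  # exact (ip, port) pairs opened for data connections

    def from_client(self, line):
        """Return (allow, line_to_forward) for one client command."""
        line = line.strip()
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if self.read_only and verb in WRITE_COMMANDS:
            return False, None
        if verb == "PORT":
            hp = parse_hostport(arg)
            if hp is None or hp[0] != self.client_ip:
                return False, None  # malformed, or names a host other than the client
            # Simplification: keep the same port number on the external address.
            self.expected.add((self.external_ip, hp[1]))
            return True, "PORT " + format_hostport(self.external_ip, hp[1])
        return True, line

    def from_server(self, line):
        """Record the one data endpoint a 227 (passive mode) reply announces."""
        if line.startswith("227"):
            hp = parse_hostport(line)
            if hp:
                self.expected.add(hp)
        return line
```

The `expected` set holds single endpoints rather than a port range, which is the difference the first bullet describes.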

Protocol definitions

The FTP access filter uses the following protocol definitions, which are installed with the filter when ISA Server is installed:

  • FTP client read only

  • FTP client

  • FTP server

For more information, see Configuring protocol definitions.

You can create protocol rules that limit access to the protocol definitions. For example, you might want to limit the client's FTP access to FTP read operations only. You can create a protocol rule that allows the FTP client read only protocol. Because ISA Server allows access only when explicitly specified, only this protocol will be allowed.

For more information, see Create a protocol rule.