Configuring FTP server publishing

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

To publish an FTP server

  1. In the Forefront TMG Management console, in the tree, click the Firewall Policy node.

  2. In the Tasks pane, on the Tasks tab, click Publish Non-Web Server Protocols to open the New Server Publishing Rule Wizard.

  3. Complete the New Server Publishing Rule Wizard as outlined in the following table.

    Page: Welcome to the New Server Publishing Wizard
    Field or property: Server publishing rule name
    Setting or action: Type a name for the server publishing rule. For example, type: Publish FTP Server

    Page: Select Server
    Field or property: Server IP address
    Setting or action: Type the IP address of the FTP server that you want to publish.

    Page: Select Protocol
    Field or property: Selected protocol
    Setting or action: From the drop-down list, select FTP Server. Then click Ports if you want to override the default ports in the protocol definition.

    Page: Ports (appears only if you click Ports on the Select Protocol page)
    Field or property: Firewall Ports
    Setting or action: Select one of the following:

    • Publish using the default port defined in the protocol definition. With this option, Forefront TMG accepts incoming client requests on port 21.

    • Publish on this port instead of the default port. With this option, Forefront TMG accepts incoming client requests on the nonstandard port specified, and then forwards them to the designated port on the published server.

    Page: Ports
    Field or property: Published Server Ports
    Setting or action: Select one of the following:

    • Send requests to the default port on the published server. With this option, Forefront TMG accepts requests for the published service on port 21.

    • Send requests to this port on the published server. With this option, Forefront TMG accepts requests for the published service on a port other than port 21.

    Page: Ports
    Field or property: Source Ports
    Setting or action: Select one of the following:

    • Allow traffic from any allowed source port. With this option, Forefront TMG accepts requests from any port on allowed client computers.

    • Limit access to traffic from this range of source ports. With this option, Forefront TMG accepts requests only from the ports that you specify.

    Page: Network Listener IP Addresses
    Field or property: Listen for requests from these networks
    Setting or action: Select the External network. To select specific IP addresses on which Forefront TMG will listen, click Addresses, and then select Specified IP Addresses on the Forefront TMG computer in the selected network. In the Available IP Addresses list, select the appropriate IP address, click Add, and then click OK.

    In an array with multiple array members, select the same virtual IP address for each array member if Network Load Balancing is enabled. Otherwise, select an appropriate IP address for each array member.

    Page: Completing the New Server Publishing Wizard
    Setting or action: Review the settings, and then click Finish.

  4. If you want to enable FTP uploads, perform the following steps.

    1. In the details pane, right-click the name of the rule that you just created.

    2. Click Configure FTP.

    3. On the Configure FTP protocol policy page, clear Read Only.

    4. Click OK.

  5. In the details pane, click the Apply button to save and update the configuration, and then click OK.

Note

  • For more information about server publishing, see About publishing non-Web servers.

  • When you create an FTP server publishing rule, the FTP Access Filter is initially configured to block FTP uploads.

  • By default, client requests that are forwarded by Forefront TMG to the published server appear to come from the IP address of the original client. In this case, the default gateway on the FTP server must be set to the IP address of the network adapter on the Forefront TMG computer through which the FTP server connects to it. As an alternative, on the To tab of the server publishing rule's properties, you can configure the rule so that forwarded client requests appear to come from the Forefront TMG computer.

  • Server publishing rules are typically used when there is a network address translation (NAT) relationship defined by a network rule between the network on which the clients sending requests to the published server are located and the network on which the published server is located. Server publishing rules can also be used when the network rule between the client network and the network where the server is located defines a routing relationship. However, in this case, the clients must send requests directly to the IP address of the published server.

  • If you are publishing an FTP server on the Forefront TMG computer, the published server IP address can be either the IP address of the network adapter of the Forefront TMG computer in the External network or the IP address of the network adapter of the Forefront TMG computer in the protected network.

  • Server publishing rules are not supported in a single network adapter configuration.
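
A way to confirm from a test client that the published rule enforces the upload setting described above (blocked by default, allowed after Read Only is cleared). This is an added example, not part of the original documentation; the probe file name, the anonymous login, and the reading of a 5xx reply to STOR as a refused upload are assumptions.

```python
import ftplib
import io
import sys

PROBE_NAME = "tmg-rule-probe.txt"  # assumed scratch file name, not from the page


def probe_upload(ftp, name=PROBE_NAME):
    """Try one small STOR on a logged-in ftplib.FTP-like session.

    Returns "blocked", "allowed" or "inconclusive".
    """
    try:
        ftp.storbinary("STOR " + name, io.BytesIO(b"upload probe\n"))
    except ftplib.error_perm:
        # 5xx reply: the upload was refused (assumed to be how a read-only
        # rule, or the server's own permissions, appears to the client).
        return "blocked"
    except ftplib.all_errors:
        # 4xx reply, dropped connection or data-channel failure: no verdict.
        return "inconclusive"
    try:
        ftp.delete(name)  # upload worked, so remove the probe file
    except ftplib.all_errors:
        pass  # server may allow STOR but not DELE; still report "allowed"
    return "allowed"


def check_published_ftp(host, port=21, user="anonymous",
                        password="probe@example.invalid", timeout=10):
    """Connect to the rule's listener address and port, then probe it."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        return probe_upload(ftp)
    except ftplib.all_errors:
        return "inconclusive"  # could not connect or log in
    finally:
        ftp.close()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py LISTENER_IP [PORT]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    print(check_published_ftp(sys.argv[1], port))
```

Run it against the listener IP address right after the wizard finishes, when the expected result is "blocked", and again after step 4 if uploads are intended. A "blocked" result can also come from write permissions on the FTP server itself, so check both when the result is not what you expect.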

Concepts

Configuring publishing of other protocols