Publishing FTP Servers Using ISA Server 2004

Microsoft® Internet Security and Acceleration (ISA) Server 2004 uses server publishing rules to securely publish servers, including File Transfer Protocol (FTP) servers. This document provides information about several scenarios where FTP servers are published on or behind an ISA server computer.

Server Publishing Rules

ISA Server uses server publishing to process incoming requests to internal servers, such as File Transfer Protocol (FTP) servers, Structured Query Language (SQL) servers, and others. Requests are forwarded downstream to an internal server, located behind the ISA Server computer.

Server publishing allows virtually any computer on your Internal network to publish to the Internet. Security is not compromised because all incoming requests and outgoing responses pass through ISA Server. When a server is published by an ISA Server computer, the IP addresses that are published are actually the IP addresses of the ISA Server computer. Users who request objects assume that they are communicating with the ISA Server computer”whose name or IP address they specify when requesting the object”while they are actually requesting the information from the publishing server. This is true when the network on which the published server is located has a network address translation (NAT) relationship from the network on which the clients accessing the published server are located. When you configure a routed network relationship, the clients use the actual IP address of the published server to access it.

This document provides several publishing solutions for FTP servers:

  • An FTP server in the Internal or in a perimeter network.
  • An FTP server on the ISA Server computer.

The solutions for both of these scenarios are similar, and are presented using a single walk-through.

This document provides procedures on how to use ISA Server to publish FTP servers in the described scenarios.

Network Topology

To publish an FTP server you require, at a minimum:

  • A connection to the Internet.
  • A computer to serve as the ISA Server computer. If the FTP server is located on the ISA Server computer or on the Internal network, the ISA Server computer must have at least two network adapters. One adapter will be connected to the External network (representing the Internet) and one adapter will be connected to the Internal network. If the FTP server is located on a perimeter network, this computer will require an additional network adapter, connected to the perimeter network.
  • A computer that will be the FTP server (if the FTP server is not on the ISA Server computer).
  • To test the setup, a computer that is external to your network, with a connection to the Internet.

Publishing an FTP Server”Walk-through

This walk-through guides you through the steps necessary to publish an FTP server computer using ISA Server.

Publishing an FTP Server Walk-through Procedure 1: Back Up Your Current Configuration

We recommend that you use the export functionality of ISA Server to back up your configuration before making any changes. If the changes you make result in behavior that you did not expect, you can easily revert to the previous, exported configuration.

To export the complete configuration of your ISA Server computer.
  1. Expand Microsoft ISA Server Management.

  2. Right-click the name of the ISA Server computer, and then click Back up.

  3. In Backup Configuration, provide the location and name of the file to which you want to save the configuration. You may want to include the date of the export in the file name to make it easier to identity, such as ExportBackup2June2004.

  4. Click Backup. Because you are exporting confidential information such as user passwords, you will be prompted to provide a password, which will be needed to restore the configuration from the exported file.

  5. When the export operation has completed, click OK.

    Because the .xml file is being used as a backup, a copy of it should be saved on another computer in case of catastrophic failure.

Publishing an FTP Server Walk-through Procedure 2: Create the FTP Site

Create the FTP site or sites on the Internal or perimeter computer using Internet Information Services (IIS) or other FTP server applications. For more information about creating FTP sites using IIS, see œAdding FTP Sites to Your Server (

Publishing an FTP Server Walk-through Procedure 3: Create a Server Publishing Rule

To publish an FTP server you must create a new server publishing rule. Use the following steps to create the rule:
  1. In the Microsoft ISA Server Management console tree, select Firewall Policy.

  2. In the task pane, on the Tasks tab, select Create New Server Publishing Rule to start the New Server Publishing Rule Wizard.

  3. On the Welcome page, type a name for the new server publishing rule. Use a descriptive name, such as Publish FTP server in Internal network. and then click Next.

  4. On the Select Server page, provide the IP address of the server that you are publishing, and then click Next.

    If you are publishing an FTP server on the ISA Server computer, the published server IP address can be either the IP address of the external network adapter of the ISA Server computer, or the IP address of the internal network adapter of the ISA Server computer. When you publish the server to the external network, ISA Server will listen to requests on the external network adapter, and forward them to the FTP server. There is no need to modify the default IP address configuration of your FTP server.
  5. On the Selected Protocol page, select FTP Server, and then click Next.

  6. Select the network IP addresses that will listen for requests intended for the published server. Because you are publishing the server to the Internet, select External. Click Next.

  7. Review the information on the wizard summary page, and then click Finish.

  8. In the Firewall Policy details pane, click Apply to apply the new server publishing rule.

    You can modify the properties of any rule by double-clicking the rule in the Firewall Policy details pane to open the rule properties dialog box.When you create an FTP server publishing rule, the FTP filter is configured as read only by default, and FTP uploads are blocked. To change this setting, right-click the rule, and select Configure FTP. Clear the Read Only checkbox, click OK, and then click Apply.

Publishing an FTP Server Walk-through Procedure 4: Test the FTP Server Publishing Configuration

On a computer in the External network (any computer outside of your corporate networks, with a connection to the Internet), open Internet Explorer, and type the URL of the FTP site, such as ftp://fabrikam/ftp, and verify that you reach the intended page on the published FTP server.

Do you have comments about this document? Send feedback.