As usual, I just added an access rule for the destination FTP server in ISA 2006 when I was asked why somebody could not reach a customer's FTPS site. After looking up the related ports, I modified the firewall policies. I thought it was a simple case, but I still failed to access the FTP site with the "AUTH SSL" option; the client only prompted "ssl error-0". So I went ahead and checked the ports and IP information in the access rules: TCP 21, yes; TCP 990, yes; the protected network is permitted to reach the destination server's high-number ports from high-number ports so that PASV FTP can pass through the firewall. No problem with any of these.
Checking the live log showed some connections being killed, but I could not find any further detail, so I investigated "SSL FTP" again.
I placed a laptop outside the protected network; it could access the site successfully, which implies the issue is caused by ISA. On Microsoft's site I found the following:
ISA Server does not support outbound secure FTP connections
Symptom: Clients require access to FTP servers over Secure FTP (FTPS).
Issue: ISA Server does not support outbound FTP over SSL/TLS (FTPS) connections. FTPS uses an encrypted control channel. For standard FTP traffic, ISA Server uses the FTP filter to monitor FTP communication. Outbound Secure Sockets Layer (SSL) connections cannot be seen by ISA Server, and therefore ISA Server cannot adjust traffic policy in reaction to PASV and PORT FTP commands.
Solution: Although there may be a workaround by installing Firewall Client software and creating a custom FTP protocol definition that is not bound to the FTP application filter, this is not supported.
It says that FTPS is not supported by the standard FTP filter because of the SSL encryption. Could we then define a custom FTP protocol definition that is not bound to the FTP filter, and disable the standard FTP filter for my new access rule, in order to reach the FTPS site? It seems to be the alternative to applying the FTP filter.
What I needed to do was just add a new access rule denying normal FTP traffic from the destination FTP server to my protected network, placed after the access rule I had just modified. Schematically, the access rule information is as follows, as found in the blog post referenced above.
Access rule sample:
1. Permit all users to the destination on TCP 21, TCP 990 and the other high-number ports (for PASV).
2. Deny the (normal) FTP protocol from users to the destination (to deny the traffic from the destination's TCP 21 to my network).
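The Microsoft note above and the two-rule workaround both come down to one fact: a stateful FTP application filter learns the PASV data port by reading the "227" reply on the control channel, and once AUTH TLS succeeds that reply is ciphertext, so the filter opens nothing and the data port must already be covered by a static rule. The following Python script, an added example that is not ISA Server code or anything from the original post, simulates that behaviour over two constructed control-channel transcripts, checks a first-match rule list modelled on the two rules above, and includes a small `probe_ftps` helper (built on the standard `ftplib.FTP_TLS`, with hypothetical host and credentials) for repeating the "laptop outside the network" test from a script.

```python
"""Why an FTP application filter cannot pin-hole PASV ports for FTPS.

Added example; not ISA Server code.  Sessions and rule sets below are
constructed for illustration.
"""
import ftplib
import re
import ssl
from typing import Iterable, List, Optional, Set, Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a PASV reply, or None if it is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def filter_opened_ports(control_lines: Iterable[str]) -> Set[int]:
    """Simulate a stateful FTP application filter watching the control channel.

    It can only open data ports it reads from PASV replies.  After the
    client's AUTH TLS is answered with 234, everything that follows is
    TLS ciphertext to the filter, so no further ports are learned.
    """
    opened: Set[int] = set()
    encrypted = False
    for line in control_lines:
        if encrypted:
            continue  # opaque bytes; the filter cannot parse them
        if line.startswith("234"):
            encrypted = True
            continue
        pasv = parse_pasv_reply(line)
        if pasv:
            opened.add(pasv[1])
    return opened


# Constructed transcripts (server replies and client commands, in order).
PLAINTEXT_SESSION = [
    "220 FTP ready", "USER alice", "331 Password required", "PASS ***",
    "230 Logged in", "PASV", "227 Entering Passive Mode (192,0,2,10,195,89)",
]
FTPS_SESSION = [
    "220 FTP ready", "AUTH TLS", "234 Proceed with negotiation",
    "<TLS ciphertext: USER/PASS/PASV/227 are all hidden from the firewall>",
]

# Ordered first-match rules: (action, (low_port, high_port)) on the destination.
Rule = Tuple[str, Tuple[int, int]]
# Modelled on the post's rule 1: control ports plus the static high range for PASV.
FTPS_RULES: List[Rule] = [("allow", (21, 21)), ("allow", (990, 990)),
                          ("allow", (1024, 65535))]
# What the author had before: control ports only, data port left to the filter.
CONTROL_ONLY_RULES: List[Rule] = [("allow", (21, 21)), ("allow", (990, 990))]


def first_match(rules: List[Rule], dst_port: int) -> str:
    """Evaluate rules top to bottom; ISA's default rule denies anything unmatched."""
    for action, (lo, hi) in rules:
        if lo <= dst_port <= hi:
            return action
    return "deny"


def probe_ftps(host: str, user: str, password: str, port: int = 21) -> str:
    """Explicit FTPS (AUTH TLS) connectivity check from the current network.

    Returns a short status string instead of raising, so it can be run from
    inside and outside the protected network and the results compared.
    """
    try:
        ftp = ftplib.FTP_TLS()
        ftp.connect(host, port, timeout=10)
        ftp.auth()            # AUTH TLS: control channel becomes ciphertext here
        ftp.login(user, password)
        ftp.prot_p()          # protect the data channel as well
        ftp.set_pasv(True)    # PASV: server picks a high-number data port
        names = ftp.nlst()    # data connection; this is what a blocked high port breaks
        ftp.quit()
        return f"ok: {len(names)} entries listed"
    except ssl.SSLError as exc:
        return f"tls failure: {exc}"
    except (OSError, *ftplib.all_errors) as exc:
        return f"ftp failure: {exc}"


if __name__ == "__main__":
    port = parse_pasv_reply(PLAINTEXT_SESSION[-1])[1]
    print("plaintext FTP, filter learned ports:", filter_opened_ports(PLAINTEXT_SESSION))
    print("FTPS, filter learned ports:", filter_opened_ports(FTPS_SESSION))
    print("data port", port, "with control-only rules:", first_match(CONTROL_ONLY_RULES, port))
    print("data port", port, "with static high range:", first_match(FTPS_RULES, port))
    # print(probe_ftps("ftps.example.invalid", "alice", "s3cret"))  # hypothetical target
```

Running it shows the filter learning port 50009 from the plaintext session and nothing from the FTPS one, so the same data connection is denied under the control-only rules and allowed only once the high range is statically permitted. The trade-off the post accepts is visible here too: the static range is far broader than the single port a filter would open for plaintext FTP, which is why the post pairs it with a deny rule for the normal FTP protocol.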