Using FTPS (TLS) through TMG 2010
Some of my users used to download files through FTP from a partner company in Germany, and to be able to connect and download files they had to use an FTP client capable of using TLS (Transport Layer Security) as an encryption protocol. Things were fine till we implemented TMG 2010 and its predecessor ISA 2006. We tried everything to allow the communication; we even tried to allow everything and deny nothing, but still clients would not connect to the FTP server. And if you monitor the TMG sessions, nothing is recorded as denied or accepted.
We searched a lot and found something on the Microsoft site, and on other sites as well, indicating that TLS is not supported by TMG and ISA!!! It was depressing till I found a post in a forum discussing the same issue and asking for help. One reply gave a simple solution, and it worked for us as well.
It was simply to disable the FTP protocol filter and define a new protocol allowing ports 1024-65535.
It was a solution, but I was worried about disabling the FTP filter. I decided to go for it because we generally do not allow FTP clients to the internet except for this connection specifically, and to that company only, and we do not allow FTP servers to be published to the internet. Since only IT staff are allowed to download files over FTP, and normal users have no need for it apart from this type of connection, I thought I would do it.
This is what I did:
- Created a protocol TCP Outbound 1024-65535 (no application filters) (Toolbox > Protocols > New Protocol)
- Edited the FTP protocol to remove the FTP application filter (Toolbox > Protocols > All Protocols > double-click FTP)
- Created a computer object with the IP address of the remote FTP server in Germany (Toolbox > Network Objects > New Computer)
- Created a new access rule allowing internal computers to go to the computer created in step 3 with the protocols FTP and the protocol created in step 1
Remark: I had no other access rule allowing FTP except for IT staff.
And it worked.
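Why the FTP application filter stops helping once the control channel is encrypted, and why the access rule therefore needs the static TCP 1024-65535 range, shown as an added Python example that is not part of the original post or of TMG. The two control-channel transcripts, the host `ftp.example.test`, the addresses and the ports are constructed for illustration; `data_ports_from_control` imitates what a stateful FTP filter does with PASV/EPSV replies, and `open_ftps` is a plain `ftplib.FTP_TLS` client of the kind the users ran (it is not executed here, since it needs a live server).

```python
import re
import ssl
from ftplib import FTP_TLS

# Constructed plaintext FTP control channel, as an FTP application filter
# (TMG's, for instance) sees it when no TLS is in use. Hostname, addresses
# and ports are made up for this example.
PLAINTEXT_CONTROL_SESSION = [
    "220 ftp.example.test FTP server ready",
    "USER partner",
    "331 Password required for partner",
    "PASS ********",
    "230 User partner logged in",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,89)",   # port = 195*256 + 89 = 50009
    "EPSV",
    "229 Entering Extended Passive Mode (|||50010|)",
]

# Constructed explicit-FTPS session: after "AUTH TLS" is accepted (234), the
# firewall only sees TLS records; the PASV/EPSV replies travel inside them.
FTPS_CONTROL_SESSION = [
    "220 ftp.example.test FTP server ready",
    "AUTH TLS",
    "234 AUTH TLS successful",
    "<TLS handshake record>",
    "<TLS application data record>",   # encrypted USER/PASS/PASV exchange
    "<TLS application data record>",
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def data_ports_from_control(lines):
    """Mimic a stateful FTP filter: read PASV/EPSV replies on the control
    channel and return the (host, port) data endpoints it would open
    dynamically. Returns [] when no readable reply is present."""
    endpoints = []
    for line in lines:
        m = PASV_RE.match(line)
        if m:
            host = ".".join(m.group(i) for i in range(1, 5))
            port = int(m.group(5)) * 256 + int(m.group(6))
            endpoints.append((host, port))
            continue
        m = EPSV_RE.match(line)
        if m:
            endpoints.append((None, int(m.group(1))))   # EPSV reuses the control host
    return endpoints


def within_rule_range(port, low=1024, high=65535):
    """Check a data port against the static outbound range the access rule
    in the post opens (TCP 1024-65535) instead of a filter-learned port."""
    return low <= port <= high


def open_ftps(host, user, password, timeout=30):
    """What the users' FTPS client does: explicit TLS on the control channel
    (AUTH TLS), PROT P for the data channel, and passive mode so the data
    connection is outbound from the client. Not run in this example."""
    ctx = ssl.create_default_context()
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    ftp.connect(host, 21)
    ftp.login(user, password)   # FTP_TLS.login issues AUTH TLS before USER/PASS
    ftp.prot_p()                # encrypt the data channel as well
    ftp.set_pasv(True)
    return ftp
```

On the plaintext transcript the filter learns both data ports (50009 and 50010) and can open them for that one session; on the FTPS transcript it learns nothing, which is why the sessions never show up as allowed or denied and why the rule has to pre-open the whole passive range. The rule's exposure is bounded by what the post already does: the range is allowed only towards the single computer object for the partner's server, and only FTP-capable staff have a matching rule at all.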