Using FTPS (TLS) through TMG 2010

Some of my users used to download files through FTP from a partner company in Germany, and to be able to connect and download files they had to use an FTP client capable of using TLS (Transport Layer Security) as the encryption protocol.  Things were fine till we implemented TMG 2010 and its predecessor ISA 2006.  We tried everything to allow the communication; we even tried allowing everything and denying nothing, but still clients would not connect to the FTP server.  And if you monitor the TMG sessions, nothing is recorded as denied or accepted.

We searched a lot and found information on the Microsoft site and on other sites as well indicating that TLS is not supported by TMG and ISA!   It was depressing till I found a post in a forum discussing the same issue and asking for help.  One reply offered a simple solution, and it worked for us as well.

It was simply to disable the FTP protocol filter and define a new protocol allowing ports 1024 – 65535.

It was a solution, but I was worried about disabling the FTP filter.  I decided to go for it because we generally do not allow FTP clients to the Internet except for this specific connection to that company only, and we do not publish FTP servers to the Internet.   Apart from that, only IT staff are allowed to download files via FTP, and normal users have no need for FTP other than this type of connection, so I thought I would do it.

This is what I did:

  1. Created a protocol TCP Outbound 1024-65535 (no application filters) (Toolbox > Protocols > New Protocol)
  2. Edited the FTP protocol to remove the FTP application filter (Toolbox > Protocols > All Protocols > double-click FTP)
  3. Created a computer object with the IP address of the remote FTP server in Germany (Toolbox > Network Objects > New Computer)
  4. Created a new access rule allowing internal computers to go to the computer created in step 3 with the protocols FTP and the protocol created in step 1

Remark:  I had no other access rule allowing FTP except for IT staff.

And it worked.
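A client-side check for the result, as an added example that is not part of the original post: this Python script opens an explicit FTPS (AUTH TLS) session in passive mode to the partner server and reports whether the negotiated data port falls inside the 1024-65535 range the new protocol opens (a data port below 1024 would still be blocked by the rule above). The server name, account and the sample 227 reply are placeholders I constructed; the 227 parser reimplements the standard PASV reply format so it can be tested offline.

```python
import ftplib
import re
import ssl

# Port range opened by the "TCP Outbound 1024-65535" protocol from step 1.
ALLOWED_LOW, ALLOWED_HIGH = 1024, 65535

_PASV_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv_reply(reply: str) -> tuple:
    """Return (host, port) from a 227 PASV reply such as
    '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).' where port = p1*256 + p2."""
    if not reply.startswith("227"):
        raise ftplib.error_reply(reply)
    match = _PASV_RE.search(reply)
    if match is None:
        raise ftplib.error_proto(reply)
    nums = [int(n) for n in match.groups()]
    host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]
    return host, port


def port_within_rule(port: int, low: int = ALLOWED_LOW, high: int = ALLOWED_HIGH) -> bool:
    """True when the data port falls inside the range the access rule permits."""
    return low <= port <= high


def probe_ftps(host: str, user: str, password: str, timeout: float = 15.0) -> dict:
    """Live check from an internal client: explicit FTPS in passive mode.
    Reports the negotiated data port and whether the rule would pass it, then
    lists the directory so a real data connection crosses the firewall."""
    context = ssl.create_default_context()      # verifies the server certificate
    ftps = ftplib.FTP_TLS(context=context, timeout=timeout)
    ftps.connect(host, 21)
    ftps.auth()                                 # AUTH TLS: encrypt the control channel
    ftps.login(user, password)
    ftps.prot_p()                               # PROT P: encrypt the data channel too
    ftps.set_pasv(True)                         # client opens the data connection outbound
    data_host, data_port = ftps.makepasv()      # PASV: learn which data port is offered
    names = ftps.nlst()                         # issues its own PASV and transfers data
    ftps.quit()
    return {"data_host": data_host, "data_port": data_port,
            "within_rule": port_within_rule(data_port), "entries": len(names)}


if __name__ == "__main__":
    # Placeholder values; replace with the partner's FTPS server and account.
    print(probe_ftps("ftps.example.invalid", "user", "password"))
```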

5 responses to “Using FTPS (TLS) through TMG 2010”

  1. Vicky 24/07/2012 at 2:02 PM

    Solved my secure FTP issue… thanks…

  2. tmgadmin 21/12/2012 at 7:27 PM

    You shouldn’t disable the FTP filter from the FTP protocol. In fact, it will create other problems with regular FTP.

    1) Create an allow outbound rule from the computers needing FTP/S access, protocol TCP Outbound 1024-65535, to the FTP/S server computer/set.
    2) Create an allow outbound rule from the computers needing FTP/S access, FTPS protocol, to the FTP/S server computer/set.
    3) Create a deny outbound rule from the computers needing FTP/S access, protocol FTP, to the FTP/S server computer/set.

    These three rules should be in that order.

  3. Jan Muhammad 12/09/2013 at 10:45 AM

    Thanks, I have also done it; it’s working fine…

