TMG initiates active FTP connections to external servers even though it's configured for passive FTP - a problem with FTP over HTTP

TMG initiates active FTP connections to external servers even though it's configured for passive FTP - a problem with FTP over HTTP

  • Comments 3
  • Likes

Hi there,

 

In this blog post, I’ll be talking about another TMG problem where FTP over HTTP was failing through TMG server.

Let me first summarize the scenario:

- Internet Explorer clients need to connect to an external FTP site through TMG server

- Due to some other requirements, this FTP site needs to be accessed passively

FTP filter in TMG server already uses passive FTP when connecting to external FTP sites:

(Note: And this is the default behavior, please see http://blogs.technet.com/b/yuridiogenes/archive/2010/03/16/error-502-active-ftp-not-allowed-when-trying-to-list-files-in-a-ftp-session-behind-forefront-tmg-2010.aspx for more information.

 

That was also the case in my customer’s scenario but passive FTP connection to the target FTP server was still failing. After some troubleshooting, we found out that TMG server was trying to connect to the target FTP site actively even FTP filter was configured as above.

 

Normally, when you type ftp://target-FTP-Server-FQDN in the IE address bar and IE is configured to use a Proxy server, the connection request will be sent as an HTTP request to the Proxy server (and the FTP GET request will be inside that HTTP request), this is also called FTP over HTTP. So the request flow will be similar to below:

 

a) Client sends the request via FTP over HTTP to the Proxy server

b) Proxy server connects to the target FTP server via FTP procotol

 

After some further troubleshooting with TMG data packager and the network trace analysis, I found out that FTP filter wasn’t involved in when Proxy server receives FTP over HTTP traffic from clients and hence FTP filter setting doesn’t apply to FTP over HTTP requests.

 

The resolution was to set the NonPassiveFTPTransfer registry key on the TMG server and restart the firewall service:

 

Note: You can find more information about that registry key at http://support.microsoft.com/kb/300641 How to enable passive CERN FTP connections through ISA Server 2000, 2004, or 2006

 

As mentioned above, after the registry key is created, you’ll need to stop and then start firewall service from an elevated command prompt:

 

net stop fwsrv

net start fwsrv

 

To summarize; even though “NonPassiveFTPTransfer” registry key shouldn’t be needed for TMG server, the exact requirements are as follows:

 

a) If the internal client sends the FTP request directly through FTP procotol, there’s no need to change anything on TMG server side as the FTP filter will kick in and the FTP connection to the external FTP server will be initiated passively (Examples: Command prompt FTP client, 3rd party FTP client applications, IE which isn’t configured to use a Proxy server etc)

 

b) If the internal client sends the FTP request through FTP over HTTP procotol, then the changes mentioned above needs to be implemented on TMG server side in order for TMG server to initiate the outbound FTP connection passively (Example: IE which is configured to use a Proxy server)

 

Hope this helps

 

Thanks,

Murat

 

Comments
  • I have found the same issue, too bad I found this blog after spending a ton of time on it. I agree this fix works for TMG 2010 SP2 and the KB needs to be updated to include TMG support.microsoft.com/.../300641

  • Hi Dave,

    Thank you for your feedback and sorry to hear that. Hope it will help other IT professionals who are likely to hit the same problem in the future.

    Thanks,

    Murat

  • Hey Murat,

    I am trying to open a ftp connection from the Command prompt but i cant seem to get it working. FTP over HTTP works fine. Not sure where am I going wrong. Am I supposed to restart the services after enabling all the options you highlighted above??

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment