ISA Server 2006 and FTP

I’m a big fan of ISA and have been since 2000, yes even 2000. Many things have changed since then and mostly for the better. Layer 7 application filtering is a concept that has been around since the beginning and is one of the reasons ISA is a powerful firewall solution. The management of app filter behavior has gone from front and center to somewhat hidden, hence the purpose of this post. App filters provide the ability to control aspects of specific protocols that pass through the firewall: FTP, HTTP, RPC, SMTP, DNS, etc.

If you enable the FTP and HTTP filters on a general outbound internet access policy, the affects of the filters in default form can be quite limiting, especially for FTP. You can edit the policy’s filter behavior one of two ways: right-click context menu on the policy item, or via the filtering button on the Protocols tab in the policy item itself.

The default mode of the FTP filter is read only so you will be able to log into an external FTP site, execute dir/ls commands but transfers to or from will fail. Uncheck read only from the FTP protocol policy to enable full FTP functionality through the firewall. This behavior can be frustrating to troubleshoot if you don’t know where to look, especially since the configuration of the app filters is not particularly obvious.