FTP, Forefront TMG 2010, IIS FTP 7.5 and Virtual Directories

Getting all of these components to work together is a bit tricky, primarily because Forefront TMG (and its predecessor ISA) is really a proxy rather than a firewall, and as such wants to interfere with well-known traffic types like HTTP and FTP. Getting these platforms to behave the way you want takes some care, especially if you want to do something non-standard.
Here are the requisite configurations:
  • TMG/ISA
    • Know: TMG can't know the ports ahead of time, and can't sniff SSL to discover secondary ports
    • Do: Create a publishing rule for the high-level port AND inbound for the high-level ports specified in IIS (e.g., 10000-10099); these are additional primary ports (TCP) on the connection (not secondary connections)
    • Optional: publish to a high-numbered port internally too, or just 21
  • IIS
    • Know: Must use SSL (required for FTPES)
    • Do: Configure FTP firewall support and use a port range (e.g., 10000-10099)
    • Optional: configure the outside address of the FTP site (TMG's external address)
  • IIS virtual directories
    • Know: By design, IIS does not "LIST" pure virtual directories: you can connect to them by name, but you cannot "LIST" or browse them
    • Do: Create real directories wherever you want virtual directories (with the exact same name); IIS will then list the real folders but connect you to the virtual directory (e.g., creating a folder called c:\inetpub\ftproot\test-share makes the virtual directory ftp://mysite.com/test-share visible, although the actual data may live at a different location internally, such as \\otherserver\test-share)
    • Do: Make sure the FTP users have the appropriate credentials to access this share (as they would need for internal non-FTP file sharing). This also assumes that you enable pass-through authentication.
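
The IIS side of the configuration above, scripted as an added example (this is not code from the original post, and TMG's own publishing rule is still created in the TMG console). It uses appcmd.exe, which ships with IIS 7.5, plus netsh for the host firewall. The site name "FTP Site", the FTP root C:\inetpub\ftproot, the external address 203.0.113.10 and the share \\otherserver\test-share are placeholders; the port range 10000-10099 and the test-share name are the ones the post uses. It assumes the FTP site already exists and already has a server certificate assigned.

```powershell
# Added example (not from the original post): scripts the IIS FTP 7.5 side of the
# procedure with appcmd.exe. Run in an elevated PowerShell on the IIS host.
# Site name, address, paths and port range are placeholders / values from the post.
$appcmd     = "$env:windir\system32\inetsrv\appcmd.exe"
$siteName   = "FTP Site"                  # assumed name of the existing FTP site
$ftpRoot    = "C:\inetpub\ftproot"        # assumed physical root of that site
$externalIp = "203.0.113.10"              # placeholder for TMG's external address
$lowPort    = 10000                       # data-channel range from the post
$highPort   = 10099
$vdirName   = "test-share"                # virtual directory name from the post
$vdirPath   = "\\otherserver\test-share"  # placeholder: where the data really lives

# 1. Require SSL on both control and data channel (FTPES). A server certificate
#    is assumed to be bound to the site already.
& $appcmd set config -section:system.applicationHost/sites `
    "/[name='$siteName'].ftpServer.security.ssl.controlChannelPolicy:SslRequire" `
    "/[name='$siteName'].ftpServer.security.ssl.dataChannelPolicy:SslRequire" `
    /commit:apphost

# 2. Server-wide FTP firewall support: a fixed data-channel port range, so TMG
#    can be given a known, finite set of TCP ports to publish.
& $appcmd set config -section:system.ftpServer/firewallSupport `
    "/lowDataChannelPort:$lowPort" "/highDataChannelPort:$highPort" /commit:apphost

# 3. Site-level external address, so the address IIS hands out for data
#    connections is TMG's outside IP rather than the server's private one.
& $appcmd set config -section:system.applicationHost/sites `
    "/[name='$siteName'].ftpServer.firewallSupport.externalIp4Address:$externalIp" `
    /commit:apphost

# 4. The virtual directory that points at the real share...
& $appcmd add vdir "/app.name:$siteName/" "/path:/$vdirName" "/physicalPath:$vdirPath"

# 5. ...plus an empty real folder of the same name under the FTP root, so LIST
#    shows the name while the connection is routed to the virtual directory.
New-Item -ItemType Directory -Path (Join-Path $ftpRoot $vdirName) -Force | Out-Null

# 6. Host firewall: allow the data-channel range, and turn off stateful FTP
#    inspection, which cannot follow an SSL-encrypted control channel.
netsh advfirewall firewall add rule name="IIS FTP data channel $lowPort-$highPort" `
    dir=in action=allow protocol=TCP localport="$lowPort-$highPort"
netsh advfirewall set global StatefulFTP disable

# Verify what was written: the port range and the virtual directory.
& $appcmd list config -section:system.ftpServer/firewallSupport
& $appcmd list vdir "/app.name:$siteName/"
```

The two appcmd list commands at the end print the port range and the virtual directory that were actually committed, so they can be compared against the ports the TMG publishing rule opens and against what a FileZilla LIST shows.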
  • Testing - FileZilla client:
    • use active mode FTP
    • make sure to change the port to whatever you are actually publishing on
    • use FTPES (explicit), not FTPIS/FTPS (implicit)