Option 1: Restricting or denying FTP access in Microsoft ISA Server or Microsoft Forefront TMG
To restrict FTP to specific users only, it is advisable to create two rules: one that allows all users to use the common protocols except FTP, and another that allows FTP to particular users only, for example the administrator.
Screenshot 14: Microsoft ISA Server: Configured Firewall policies
The preceding screenshot shows both rules.
Firewall Policy Rule 2 allows common protocol traffic from all users to pass from the internal network to the Internet. Note that the Protocols list does not include the FTP protocol.
Firewall Policy Rule 1 allows FTP protocol usage only by the Administrator. To set this rule to allow the administrator to access an FTP server:
On Microsoft ISA Server
1. On the Microsoft ISA Server machine, navigate to Start > Programs > Microsoft ISA Server > ISA Server Management.
2. From the left panel, expand Arrays > <machine name> > Firewall Policy.
3. Right-click Firewall Policy and select New > Access Rule.
4. Key in a name for this rule, for example 'Allow FTP', and click Next.
5. Select Allow and click Next.
Screenshot 15: Microsoft ISA Server: Protocols dialog
6. In the Protocols dialog, click Add.
7. In the Add Protocols dialog, expand All Protocols, select FTP, click Add and click Close.
8. In the Protocols dialog click Next.
9. In the Access Rule Sources dialog, click Add.
10. In the Add Network Entities dialog, expand Computer Sets, select Anywhere, click Add and click Close.
11. In the Access Rule Sources dialog click Next.
12. In the Access Rule Destinations dialog, click Add.
13. In the Add Network Entities dialog, expand Computer Sets, select Anywhere, click Add and click Close.
14. In the Access Rule Destinations dialog click Next.
15. In the User Sets dialog, select All Users and click Remove.
16. Click Add.
Screenshot 16: Microsoft ISA Server: Add Users dialog
17. In the Add Users dialog, select Administrator, click Add and click Close.
18. Click Next and Finish.
19. Make sure to save settings before exiting.
On Microsoft Forefront TMG
1. On the Microsoft Forefront TMG machine, navigate to Start > Programs > Microsoft Forefront TMG > Forefront TMG Management.
2. From the left panel expand Forefront TMG <machine name>.
3. Right-click Firewall Policy and select New > Access Rule.
4. Key in a name for this rule, for example 'Allow FTP', and click Next.
5. Select Allow and click Next.
Screenshot 17: Microsoft Forefront TMG: Protocols dialog
6. In the Protocols dialog, click Add.
7. In the Add Protocols dialog, expand All Protocols, select FTP, click Add and click Close.
8. In the Protocols dialog click Next.
Screenshot 18: Microsoft Forefront TMG: Access Rule Sources dialog
9. In the Access Rule Sources dialog, click Add.
10. In the Add Network Entities dialog, expand Computer Sets, select Anywhere, click Add and click Close.
11. In the Access Rule Sources dialog click Next.
12. In the Access Rule Destinations dialog, click Add.
13. In the Add Network Entities dialog, expand Computer Sets, select Anywhere, click Add and click Close.
14. In the Access Rule Destinations dialog click Next.
15. In the User Sets dialog, select All Users and click Remove.
16. Click Add.
Screenshot 19: Microsoft ISA Server: Add Users dialog
17. In the Add Users dialog, select Administrator, click Add and click Close.
18. Click Next and Finish.
19. Save settings before exiting.
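As an added example, not taken from this manual, the same two rules built from PowerShell through the ISA Server / Forefront TMG administration COM object (FPC.Root), followed by a check that no enabled allow rule grants FTP to All Users. It assumes the script runs elevated on the ISA/TMG machine, that a user set named Administrator already exists (the entry selected in the Add Users step), and that the property names and enumeration values below match the ISA Server SDK; they are written from memory and should be verified against the SDK documentation.

```powershell
# Added example, not the manual's own code. Enumeration values assumed from the ISA Server SDK:
$fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions
$fpcAllProtocols          = 0   # FpcProtocolSelectionType
$fpcSpecifiedProtocols    = 1   # FpcProtocolSelectionType
$fpcInclude               = 0   # FpcIncludeStatus

$root  = New-Object -ComObject 'FPC.Root'   # assumed ProgID of the ISA/TMG admin object
$array = $root.GetContainingArray()
$rules = $array.ArrayPolicy.PolicyRules

function New-AllowRule {
    param([string]$Name, [string[]]$Protocols, [string]$UserSet,
          [string]$SourceNetwork, [string]$DestNetwork)
    $rule = $rules.AddAccessRule($Name)
    $rule.Action = $fpcPolicyRuleActionAllow
    $rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
    foreach ($p in $Protocols) { $rule.AccessProperties.SpecifiedProtocols.Add($p, $fpcInclude) }
    # Source/destination: a named network, or the predefined "Anywhere" computer set (steps 10 and 13)
    if ($SourceNetwork) { $rule.SourceSelectionIPs.Networks.Add($SourceNetwork, $fpcInclude) }
    else { $rule.SourceSelectionIPs.ComputerSets.Add('Anywhere', $fpcInclude) }
    if ($DestNetwork) { $rule.AccessProperties.DestinationSelectionIPs.Networks.Add($DestNetwork, $fpcInclude) }
    else { $rule.AccessProperties.DestinationSelectionIPs.ComputerSets.Add('Anywhere', $fpcInclude) }
    # Step 15/17: drop any default user set and apply only the requested one
    $rule.AccessProperties.UserSets.RemoveAll()
    $rule.AccessProperties.UserSets.Add($UserSet, $fpcInclude)
    return $rule
}

# Defender check: flag enabled allow rules that let All Users use FTP (the gap this section closes)
function Test-FtpExposure {
    foreach ($r in $rules) {
        if (-not $r.Enabled -or $r.Action -ne $fpcPolicyRuleActionAllow) { continue }
        $allowsFtp = ($r.AccessProperties.ProtocolSelectionMethod -eq $fpcAllProtocols) -or
                     (@($r.AccessProperties.SpecifiedProtocols | ForEach-Object { $_.Name }) -contains 'FTP')
        $users = @($r.AccessProperties.UserSets | ForEach-Object { $_.Name })
        if ($allowsFtp -and ($users -contains 'All Users')) {
            Write-Warning "Rule '$($r.Name)' allows FTP to All Users"
        }
    }
}

# Rule 1 (FTP, Administrator only) is created first so it sits above Rule 2 in the policy list.
New-AllowRule -Name 'Allow FTP' -Protocols @('FTP') -UserSet 'Administrator' | Out-Null
# Rule 2: "common protocols" is assumed here to mean HTTP, HTTPS and DNS; note FTP is deliberately absent.
New-AllowRule -Name 'Allow common protocols' -Protocols @('HTTP', 'HTTPS', 'DNS') -UserSet 'All Users' `
              -SourceNetwork 'Internal' -DestNetwork 'External' | Out-Null
$array.Save()     # step 19: save settings before exiting
Test-FtpExposure
```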