ForeFront TMG and Active FTP Issues

While working with a client today, I was informed that they were having issues with an instance recently converted from ISA to TMG, using the latest release of TMG. In particular, the issue was that Active FTP just plain wasn’t working when used from a SharePoint financial application that is pretty heavily treaded.

Now, for folks who aren’t accustomed to the difference between Active and Passive FTP: in active mode the client machine connects from a random unprivileged port to the FTP server’s command port, port 21. The client then starts listening on a data port of its own and tells the server that port number over the command connection (the FTP PORT command). The server then connects back to the client’s specified data port from its own local data port, port 20. That inbound server-to-client connection is exactly what a firewall in front of the client has to be told to allow, which is why active mode needs extra configuration.
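As an added example (not from the original post), here is how a stateful FTP filter decides which single inbound connection to permit for active mode: it parses the client’s PORT command and pin-holes only server:20 to the announced client port, refusing a PORT target that is not the control-connection client itself or that names a privileged port. The transcript and addresses below are constructed.

```python
import re
from ipaddress import ip_address

# PORT h1,h2,h3,h4,p1,p2  ->  IPv4 h1.h2.h3.h4, TCP port p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$")
FTP_DATA_PORT = 20


def parse_port_command(line: str):
    """Return (ip, port) announced by an FTP PORT command, or raise ValueError."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        raise ValueError(f"byte out of range in {line!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def active_data_pinhole(client_ip: str, server_ip: str, port_line: str):
    """Return the (src_ip, src_port, dst_ip, dst_port) tuple a filter should
    open for the server's inbound data connection, after sanity checks."""
    ip, port = parse_port_command(port_line)
    if ip_address(ip) != ip_address(client_ip):
        raise ValueError(f"PORT target {ip} is not the control client {client_ip}")
    if port <= 1023:
        raise ValueError(f"PORT names privileged port {port}")
    return (server_ip, FTP_DATA_PORT, ip, port)


def pinholes_from_transcript(client_ip: str, server_ip: str, transcript):
    """Walk a command-channel transcript of (who, line) pairs and collect the
    pin-holes a filter would open; only client-sent PORT lines matter."""
    holes = []
    for who, line in transcript:
        if who == "C" and line.upper().startswith("PORT "):
            holes.append(active_data_pinhole(client_ip, server_ip, line))
    return holes


# Constructed exchange: client 192.168.1.10 talks to server 203.0.113.5:21,
# announces data port 4*256+1 = 1025, then the server connects back from :20.
SAMPLE_TRANSCRIPT = [
    ("S", "220 ftp ready"),
    ("C", "USER finance"),
    ("S", "331 Password required"),
    ("C", "PASS ********"),
    ("S", "230 Logged in"),
    ("C", "PORT 192,168,1,10,4,1"),
    ("S", "200 PORT command successful"),
    ("C", "RETR report.csv"),
]

if __name__ == "__main__":
    print(pinholes_from_transcript("192.168.1.10", "203.0.113.5", SAMPLE_TRANSCRIPT))
```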

Now, there are some additional steps required when using ForeFront TMG in order to get Active FTP working. In ISA 2006 this was accomplished by merely unchecking the read-only checkbox on the rule and configuring Windows Firewall. In TMG the process requires additional steps: you not only have to uncheck the read-only checkbox under Configure FTP on the rule, but you also have to right click the rule, go to System -> Application Filters and check "Allow active FTP access" in the FTP Filter. That filter option is what lets TMG inspect the PORT command and open the inbound server-to-client data connection; leaving it off is the safer default, so enable it only for the rules and clients that actually need active mode.
