KWSupport

Thank you! This was bugging the bejeebies out of me and was dead on the right answer.

Hey, Kev:

Here's what one of my clients, Syd Lines, discovered.... there are actually FIVE places to uncheck Read-Only. Here's his post to our local SBS Users Group listserv.....

If you have clients who use manage or update websites from their offices, there is a surprise outcome in the SBS SP1 upgrade to watch out for. By default FTP protocol is blocked in both directions because all FTP files are made "read only." You have to go in and uncheck the "read only" box on the "Configure FTP" screen. This must be done for each ISA rule having an FTP component. Of special concern are those rules governing transfers from the network or the local host (server) out to the rest of the world.

After I upgraded the server at ITRC a couple of weeks ago, staff began complaining they couldn't make changes to the three website ITRC manages. The grumbling about the proxy server was rising by the minute. Initially I thought I could tweak just open outgoing FTP Port in ISA 2004. That didn't fix it. Next I tried tweaking the desktop firewall to allow Dreamweaver and FTP but found the settings had not change since I did the upgrade. I searched Microsoft and found no hints about this. Finally, one of our interns (Eric Rogers) tripped over an Internet blog with posting about this problem.

Here's how to fix it:

Open ISA Server Management, select Firewall Policy. Right click on the rules listed below, select Configure FTP. You will see the "Read only" checkbox on the screen. Uncheck it. (Probably only the rules for FTP outbound would be of concern for updating a website hosted out of the office, but some firewall rules govern transfers of files among machine on the LAN. I suppose they could affect the development environment in some organizations.)

The rules to look for (these are from my ISA 2004 firewall):

SBS Internet Access Rule (Internal to External)

SBS Protected Network Access (Internal to Internal)

Allow traffic from Internal Network to Local Host (Internal to Internal)

SBS FTP Server Access (Local Host to External)

SBS FTP Server Access (External to Local Host)
*****************
sydlines@itresourcecenter.org

A real timesaver
Thx !!

Many thanks - this was causing some grief to say the least after recently upgrading.

Thanks for this; just spent 4 hrs chasing down the fact that I could FTP onto an XBox and write files to it whilst on the same side of the ISA, but got this message when on opposite sides!
Worst part is, nothing shows up in the logging to point out the problem either!

The solution will only work provided you dont have a rule which works against the ftp rule. For example, if you have an 'outbound internet allow' rule which is higher up in the list than the 'ftp access' rule you have created, then you must also remove the 'read only' tick from the check box on this rule, otherwise they will cancel each other out.

add me to the long list of people you've helped - fantastic

This also happens when the application is acting as a web proxy client.
For IE, this means "use folder view" and remove the proxy settings for FTP under Connections", LAN settings".
The ISA web proxy does not support any FTP commands that could change the upstream server contents.

Useless information...

i want to work with ftp in isa server2004

Thanks for this info. I was having trouble uploading via FTP in Dreamweaver. I followed all of the steps outlined here, and still could not upload. I went into the site settings and UNCHECKED the box for "Use passive FTP" and everything works great!

Thanks again for this tip!

I found this page somehow on google while searching for this problem. I can't cound on my hand how many KB articles on ISA and SBS I read with no answers to fix the problem as simple as this. Thanks.

Absolutely thanks.

But nobody wants to know WHY this is enabled to begin with? Why cripple FTP by default?

i have ISA server 2004, i can connect to remote FTP server and view but when i try upload , it gives me error 500, access denied, need premission to change folder. any idea ?

please advise !

It took forever to find it but I had a lot of problems with ISA that ended in having to remove the FTP Access Filter.

Only after that could I get FTP to work.

THANK YOU!!!

If I do not have ISA 2004 installed but met with the same problem, then how do i solve it? Please advice. Thank you :)

Thanks.

I do what Bob Hood said.

I had to go through every rule that has FTP protocol and remove The "Read Only". And now it works after the series of frustrations.

My Environment is Win2003, SP2, ISA2004.

Thanks Again.

Shidende

Yes works with 2003 / isa 2004. Configure ftp through every rule... thanks

Checking *every* rule for the FTP check box is a key, one that I missed until these posts got me checking. Thanx!

I had to configure a number of different outbound rules to do this, now it works.  Thank you so much for the handy pointer.

I connect and download files from an ftp site but when i try to output the results of an "ls" or "dir" command to my local file is seems like the transaction hangs. Please help?

It Works !!!

Thanks

Spot on. I could not get this figured out. Thanks.

Thank you Bob Hood - that was exactly the oversight - didn't consider FTP would be affected by those other rules with larger scoped protocol listings

Pingback from  FTP and ISA 2004 - Upload Roadblock Take Down « Taking it Upwards with SBS - Dale aka Sisyphus’ Weblog

Pingback from  FTP and ISA 2004 - Upload Roadblock Take Down « Taking it Upwards with SBS - Dale aka Sisyphus’ Weblog

Make sure that you don't have disk quota on this will give the same error, even if you don't have ISA installed.

THANK YOU THANK YOU THANK YOU!

This one stumped me for the longest time - the read only checkbox. I think my head is smaller from hitting my head against the wall so many times :)