Publishing FTPS on TMG 2010.

For instructions on creating FTP site on IIS read this post - Creating FTP or FTPS on IIS 8.5 (with Active Directory User isolation).

 

I. Configure FTP for Firewall Support (IIS 8.5)

1. Open IIS Manager, in connections pane select your FTPS server and in Features View double click FTP Firewall Support

 

 2. Enter port range for Data Channel for example we will be using 50100-50200. Also enter external IP of your firewall in this example yyy.yyy.yyy.yyy and in Actions pane click Apply.

Note: do not forget to allow this port range on your FTPS servers windows firewall, if it is not added automatically.

 

3. Repeat same step on FTP site level. Select your FTP site and in Feature View double click FTP Firewall Support.

 

 4. Data Channel Port Range should be greyed out with the value you specified earlier. For External IP Address of Firewall enter your firewalls external IP: yyy.yyy.yyy.yyy and in Actions pane click Apply.

 

 

II. Create Publishing rule on TMG

1. Open Forefront TMG console, right click Firewall Policy and choose New->Create new Non-Web Server Protocol Publishing Rule...

 

 

2. Enter the name of your FTPS rule for example "FTPS" and click Next

 

3. Enter IP address of your FTPS server

 

3. Click New... to create new protocol definition

 

4. Specify name for you protocol definition for example "FTPS Custom" and click Next

 

4. Click New to add port range for your protocol definition

 

 

 

5. Specify the following

Protocol type: TCP

Direction: Inbound

Port Range: From: 21 To: 21

and click OK

 

6. In New Protocol Definition Wizard click New one more time to add port range for data channel we specified in step I.2.

Specify the following

Protocol type: TCP

Direction: Inbound

Port Range: From: 50100 To: 50200

and click OK

 

7. Check if protocol configuration is fine and click Next

 

8. On following step leave the default No selected and click Next

 

9. Double check the settings and click Finish

 

10. After protocol definition has been created we can proceed with the rule. Click Next

 

11. Select checkbox next to External network and click Address... to specify external IP on which the FTPS service rule will be listening

 

12. Select Specified IP addressess on the Forefront TMG computer in the selected network and add the IP you specified in step I.2 (in this example yyy.yyy.yyy.yyy). After that click OK

 

13. Click Next to proceed

 

14. Click Finish to end the Publishing Rule Wizard

 15. Click Apply in TMG console and then click OK. Wait a few minutes and you are ready to test your FTPS server from external client.

 

 

 

 Links:

 

 http://www.isaserver.org/articles-tutorials/configuration-security/secure-file-transfer-microsoft-ftp-over-ssl-and-forefront-threat-management-gateway-tmg-2010.html