Configuring Globalscape SFTP Behind an ISA Firewall

I was having some trouble trying to get FTP over SSL on a Globalscape SFTP (Secure FTP) server working behind an ISA Firewall. Once I got it working, I figured  I’d post the configuration to hopefully help you avoid the headache of figuring it out on your own.

On the ISA server I created two new rules to open the correct ports.

First firewall rule:

I created a Server publishing rule for the inbound connections below, specifying the sftp server IP as the destination:

  1. Port 21 TCP
  2. Port 990 TCP
  3. Port 28000 – 30000 (for PASV traffic)

Second firewall rule:

I created an access rule for the outbound connections below, allowing traffic from the Internal network to the External network:

  1. Port 20 TCP
  2. Port 989 TCP

Next, make sure to go to the SFTP server and on the SERVERS tab, choose the SITE OPTIONS tab on the right. Check the box for “Assign PASV mode IP Address”. Since you’re behind the ISA firewall which performs NAT translation, you should enter the external address of the SFTP server. The port range is by default 28000 – 30000 (which I left). Note that if you change this entry, the firewall entry (#3 on the first rule above) needs to match whatever you change it to.

Now, if you’ve done your other setup chores already like generating the SSL certificate, etc on the server already, then you should be able to connect. You’ll be prompted on your client to accept the certificate. After you choose “accept” the connection should be established and you’re in business.

Please let me know if this brief how-to helped you by leaving a comment below!

Technorati Tags: , ,

2 Responses to “Configuring Globalscape SFTP Behind an ISA Firewall”

Leave a Reply

Leave a Reply