There are times when you need to change the default tunnel port ranges on TMG 2010, to allow an internal client to connect to an external resource such as an FTP site. You might get the following error when connecting to an external FTP server.

HTTP/1.1 502 Proxy Error (The specified Secure Sockets Layer (SSL) port is not allowed. ISA server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests.)

To access FTP sites through ISA server’s HTTP proxy, access to all ports must be allowed. FTP’s control connection port is 21 by default, but data connections can use virtually any port, because it is assigned by the FTP server. (Although allowing port 21 and ports >1024 should be enough, there might be exceptions.)

You need to add in FTP tunnel ranges to your TMG/ISA server to allow the FTP client to make the connection using the HTTP CONNECT method via the proxy. By default on TMG/ISA, the following tunnel ranges are configured:

NNTP (single port): 563
ssl (single port): 443

You will need to add in a third range for FTP, using a ISA Tunnel Port tool from http://www.isatools.org/tools/isa_tpr.js This is a java script, which will need to be run using command prompt.

To show the current tunnel ranges – cscript isa_tpr.js

To add in an FTP tunnel range – cscript isa_tpr.js /add FTP 1 65535 (This will cover all ports, as the FTP client will connect on a different port each time).

If you need to delete – cscript isa_tpr.js /del FTP

Once you have done this, restart the Microsoft Forefront TMG Control service.

Connect to an FTP server using an FTP client that uses the HTTP CONNECT method, and watch the live logging on TMG, the records will display the FTP client connecting using SSL-Tunnel protocol.

Troubleshooting Outbound FTP Access in ISA Server

http://technet.microsoft.com/en-us/library/bb794745.aspx