Threat Management Gateway (TMG) 2010 Tunnel Port Ranges – SSL, FTP, NNTP

There are times when you need to change the default tunnel port ranges on TMG 2010, to allow an internal client to connect to an external resource such as an FTP site. You might get the following error when connecting to an external FTP server.

HTTP/1.1 502 Proxy Error (The specified Secure Sockets Layer (SSL) port is not allowed. ISA server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests.)

To access FTP sites through ISA server’s HTTP proxy, access to all ports must be allowed. FTP’s control connection port is 21 by default, but data connections can use virtually any port, because it is assigned by the FTP server. (Although allowing port 21 and ports >1024 should be enough, there might be exceptions.)

You need to add FTP tunnel ranges to your TMG/ISA server so that the FTP client can make the connection through the proxy using the HTTP CONNECT method. By default, TMG/ISA has the following tunnel ranges configured:

NNTP (single port): 563
ssl (single port): 443

You will need to add a third range for FTP, using the ISA Tunnel Port Range tool from http://www.isatools.org/tools/isa_tpr.js. This is a JScript (.js) file, which must be run from a command prompt with cscript.

To show the current tunnel ranges – cscript isa_tpr.js

To add an FTP tunnel range – cscript isa_tpr.js /add FTP 1 65535 (This covers every port, because the FTP data connection uses a different port each time.)

If you need to delete – cscript isa_tpr.js /del FTP

Once you have done this, restart the Microsoft Forefront TMG Control service.

Connect to an FTP server using an FTP client that uses the HTTP CONNECT method and watch the live logging on TMG; the records will show the FTP client connecting with the SSL-Tunnel protocol.
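As an added example (not from the original post or the isa_tpr.js tool), the same change done from PowerShell against the ISA/TMG administration COM object (FPC.Root); the FPCTunnelPortRanges collection and its AddRange/Save methods are assumed to be the interface the tool itself drives. It follows the post's own note that port 21 plus the ports above 1024 is normally enough, so it adds two narrower ranges instead of 1-65535, and skips any range whose name already exists.

```powershell
# Added example, not the post's or isatools.org's code. Assumes the ISA/TMG
# admin COM model: FPC.Root -> GetContainingArray().ArrayPolicy.WebProxy
# .TunnelPortRanges with AddRange(Name, Low, High) and Save(). Run elevated
# on the TMG server.

# Desired ranges: control port 21 plus the passive data ports above 1024
# (the post's "port 21 and ports >1024 should be enough"). Every port in a
# range becomes a legal CONNECT target through the proxy, so keep it narrow
# unless a specific FTP server proves it needs more.
$Ranges = @(
    @{ Name = "FTP-control"; Low = 21;   High = 21    },
    @{ Name = "FTP-data";    Low = 1024; High = 65535 }
)

$fpc = New-Object -ComObject "FPC.Root"
$tpr = $fpc.GetContainingArray().ArrayPolicy.WebProxy.TunnelPortRanges

function Show-TunnelRanges {
    # Defaults on a fresh box are NNTP 563-563 and ssl 443-443.
    Write-Host "Current tunnel port ranges:"
    foreach ($r in $tpr) {
        "{0,-12} {1,5}-{2,-5}" -f $r.Name, $r.TunnelLowPort, $r.TunnelHighPort
    }
}

Show-TunnelRanges

$changed = $false
foreach ($want in $Ranges) {
    # Ranges are keyed by name; refuse to add a duplicate rather than error out.
    $existing = @($tpr | Where-Object { $_.Name -eq $want.Name })
    if ($existing.Count -gt 0) {
        Write-Warning ("Range '{0}' already exists ({1}-{2}); not adding." -f `
            $want.Name, $existing[0].TunnelLowPort, $existing[0].TunnelHighPort)
        continue
    }
    $tpr.AddRange($want.Name, $want.Low, $want.High) | Out-Null
    Write-Host ("Added tunnel range '{0}' {1}-{2}." -f $want.Name, $want.Low, $want.High)
    $changed = $true
}

if ($changed) {
    $tpr.Save()
    # The post's final step: the change is applied after restarting the TMG Control service.
    Restart-Service -DisplayName "Microsoft Forefront TMG Control" -Force
    Show-TunnelRanges
}
```

After the restart, the TMG live log should show the FTP client's CONNECT requests as SSL-Tunnel, exactly as the post describes for the 1-65535 range.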

Troubleshooting Outbound FTP Access in ISA Server

http://technet.microsoft.com/en-us/library/bb794745.aspx

5 Comments

  1. Are there any other security concerns when doing this?

  2. You are my HERO! Been searching for this solution for a year.

  3. Thanks a lot !!!

