FTP and ISA 2004

SBS 2003 SP1 Premium includes ISA 2004. After upgrading to SP1, I discovered that I could not do an FTP upload from any workstation – it was failing with a 500 access denied error.

Here’s the fix:

On your SBS server, open up ISA Server Mgmt, click on Firewall Policy, and scroll down and locate the policy labeled ‘SBS Internet Access Rule’. Right click on this rule, and then click on the option ‘Configure FTP’.

In the popup window that opens, click to UNCHECK the ‘read only’ option, then click Apply, then OK.

THEN — look towards the top of the ISA Firewall Policy window, and you will see two new buttons displayed: Apply and Discard. Be sure to click on Apply, otherwise the changes you just made will NOT be applied.

That’s it.

Go back to your workstation, restart your FTP client utility and happy uploading!

35 thoughts on “FTP and ISA 2004

  1. this is very helpful, spent several decades learning about ftp permissions and scratching my head for a answers to this problem. thanks to the guy who posted the top comment! he is the man indeed.


  2. If I do not have ISA 2004 installed but met with the same problem, then how do i solve it? Please advice.

    Thank you 🙂

  3. I clicked to UNCHECK the ‘read only’ option, then Apply , but the problem already exists.

    I should mention that when I connect to FTP from internal network by entring local name or local ip I have no Problem on uploading but when I use the registred name or from external (using ISA) I have read-only acess to my FTP folders.

  4. Hey, Kev:

    Here’s what one of my clients, Syd Lines, discovered…. there are actually FIVE places to uncheck Read-Only. Here’s his post to our local SBS Users Group listserv…..

    If you have clients who use manage or update websites from their offices, there is a surprise outcome in the SBS SP1 upgrade to watch out for. By default FTP protocol is blocked in both directions because all FTP files are made “read only.” You have to go in and uncheck the “read only” box on the “Configure FTP” screen. This must be done for each ISA rule having an FTP component. Of special concern are those rules governing transfers from the network or the local host (server) out to the rest of the world.

    After I upgraded the server at ITRC a couple of weeks ago, staff began complaining they couldn’t make changes to the three website ITRC manages. The grumbling about the proxy server was rising by the minute. Initially I thought I could tweak just open outgoing FTP Port in ISA 2004. That didn’t fix it. Next I tried tweaking the desktop firewall to allow Dreamweaver and FTP but found the settings had not change since I did the upgrade. I searched Microsoft and found no hints about this. Finally, one of our interns (Eric Rogers) tripped over an Internet blog with posting about this problem.

    Here’s how to fix it:

    Open ISA Server Management, select Firewall Policy. Right click on the rules listed below, select Configure FTP. You will see the “Read only” checkbox on the screen. Uncheck it. (Probably only the rules for FTP outbound would be of concern for updating a website hosted out of the office, but some firewall rules govern transfers of files among machine on the LAN. I suppose they could affect the development environment in some organizations.)

    The rules to look for (these are from my ISA 2004 firewall):

    SBS Internet Access Rule (Internal to External)

    SBS Protected Network Access (Internal to Internal)

    Allow traffic from Internal Network to Local Host (Internal to Internal)

    SBS FTP Server Access (Local Host to External)

    SBS FTP Server Access (External to Local Host)

  5. Thanks for this; just spent 4 hrs chasing down the fact that I could FTP onto an XBox and write files to it whilst on the same side of the ISA, but got this message when on opposite sides!
    Worst part is, nothing shows up in the logging to point out the problem either!

  6. The solution will only work provided you dont have a rule which works against the ftp rule. For example, if you have an ‘outbound internet allow’ rule which is higher up in the list than the ‘ftp access’ rule you have created, then you must also remove the ‘read only’ tick from the check box on this rule, otherwise they will cancel each other out.

  7. This also happens when the application is acting as a web proxy client.
    For IE, this means “use folder view” and remove the proxy settings for FTP under Connections”, LAN settings”.
    The ISA web proxy does not support any FTP commands that could change the upstream server contents.

  8. Thanks for this info. I was having trouble uploading via FTP in Dreamweaver. I followed all of the steps outlined here, and still could not upload. I went into the site settings and UNCHECKED the box for “Use passive FTP” and everything works great!

    Thanks again for this tip!

  9. I found this page somehow on google while searching for this problem. I can’t cound on my hand how many KB articles on ISA and SBS I read with no answers to fix the problem as simple as this. Thanks.

  10. i have ISA server 2004, i can connect to remote FTP server and view but when i try upload , it gives me error 500, access denied, need premission to change folder. any idea ?

    please advise !

  11. If I do not have ISA 2004 installed but met with the same problem, then how do i solve it? Please advice.

    Thank you 🙂

  12. Thanks.
    I do what Bob Hood said.
    I had to go through every rule that has FTP protocol and remove The “Read Only”. And now it works after the series of frustrations.
    My Environment is Win2003, SP2, ISA2004.

    Thanks Again.


  13. I had to configure a number of different outbound rules to do this, now it works. Thank you so much for the handy pointer.

  14. I connect and download files from an ftp site but when i try to output the results of an “ls” or “dir” command to my local file is seems like the transaction hangs. Please help?

    This one stumped me for the longest time – the read only checkbox. I think my head is smaller from hitting my head against the wall so many times 🙂

  16. When I right-click on the rules, I see “configure http” and “Configure RPC Protocol” but no “Configure FTP”. Am I looking in the wrong place?

Leave a Reply

Your email address will not be published. Required fields are marked *