Error 502 “Active FTP not Allowed” when trying to list files in an FTP session behind Forefront TMG 2010

Consider a scenario where you have a client workstation behind Forefront TMG 2010 and you are trying to download files from an FTP server. You can log on to the FTP server successfully, but after typing the command “dir” you get the error message below:

image

The message is pretty clear about what is going on, isn’t it? Well, it is, but where do I enable this option? I don’t remember having this on ISA! To address this issue, you just need to enable a new option in TMG, located in the FTP Filter properties as shown below:

image

After enabling this option and applying the changes, you should be able to list your files just fine. It is important to mention that this setting has nothing to do with the FTP Read Only option that you had in ISA 2004/2006 and still have in TMG. When running in read-only mode (see figure below), the FTP Filter blocks all commands in the control channel except the following ones:

“ABOR, ACCT, CDUP, CWD /0, FEAT, HELP, LANG, LIST, MODE, NLST, NOOP, PASS, PASV, PORT, PWD /0, QUIT, REIN, REST, RETR, SITE, STRU, SYST, TYPE, USER, XDUP, XCWD, XPWD, SMNT”

image

You can customize this list by using the sample script below (from the Configuring Add-ins MSDN article). In this example, the script configures FTP Access Filter to allow only the USER and PASS commands:

    Dim root
    Dim ftpFilter
    Dim vpSet

    On Error Resume Next
    Err.Clear

    Set root = CreateObject("FPC.Root")

    ' Get the filter's administration object
    Set ftpFilter = root.GetContainingArray.Extensions.ApplicationFilters("{680A928F-22B3-11d1-B026-0000F87750CB}")
    If ftpFilter Is Nothing Then
        Wscript.Echo "FTP Access Filter ({680A928F-22B3-11D1-B026-0000F87750CB}) is not installed in array."
        WScript.Quit
    End If

    ' Get the vendor parameter set containing the filter's configuration.
    Set vpSet = ftpFilter.VendorParametersSets.Item("{680A928F-22B3-11D1-B026-0000F87750CB}")

    'If this vendor parameters set does not exist, create it.
    If vpSet Is Nothing Then
        WScript.Echo "Adding a vendor parameters set ({680A928F-22B3-11D1-B026-0000F87750CB})"
        Err.Clear
        Set vpSet = ftpFilter.VendorParametersSets.Add("{680A928F-22B3-11D1-B026-0000F87750CB}",False)
        ftpFilter.VendorParametersSets.Save
    End If

    ' Add the required parameter.
    vpSet.Value("AllowReadCommands") = "USER PASS"
    vpSet.Save

Note: Don’t change the default Read Only commands unless you have a real business need to do so.
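Before or after customizing the list, it helps to check what is actually configured. The script below is an added example, not part of the MSDN sample or the original post: it only reads the AllowReadCommands value through the same objects the sample uses and flags any data-modifying FTP command found in it. The constant names, messages and exit codes are illustrative choices, and it assumes that a missing value means the filter is using its default list.

```vbscript
Option Explicit
' Added example: read-only audit of the FTP Access Filter's AllowReadCommands value.
' FTP_FILTER_GUID is the filter GUID used in the sample script above.
Const FTP_FILTER_GUID = "{680A928F-22B3-11D1-B026-0000F87750CB}"
' Hypothetical helper constant: RFC 959 / RFC 775 commands that change data on the server.
Const WRITE_CMDS = " STOR STOU APPE DELE RMD MKD RNFR RNTO XMKD XRMD "

Dim root, ftpFilter, vpSet, raw, tok, found

On Error Resume Next
Set root = CreateObject("FPC.Root")
Set ftpFilter = root.GetContainingArray.Extensions.ApplicationFilters(FTP_FILTER_GUID)
If Err.Number <> 0 Then
    WScript.Echo "FTP Access Filter not found in array: " & Err.Description
    WScript.Quit 1
End If

Set vpSet = ftpFilter.VendorParametersSets.Item(FTP_FILTER_GUID)
If Err.Number <> 0 Then
    ' Assumption: no vendor parameters set means the list was never customized.
    WScript.Echo "No vendor parameters set; AllowReadCommands has not been customized."
    WScript.Quit 0
End If

raw = vpSet.Value("AllowReadCommands")
If Err.Number <> 0 Then
    WScript.Echo "AllowReadCommands is not set; the list has not been customized."
    WScript.Quit 0
End If
On Error GoTo 0

WScript.Echo "AllowReadCommands = " & raw

' Tokenize on spaces (and commas, in case the value was pasted as a list).
found = ""
For Each tok In Split(UCase(Replace(raw, ",", " ")), " ")
    If Len(tok) > 0 Then
        If InStr(WRITE_CMDS, " " & tok & " ") > 0 Then found = found & " " & tok
    End If
Next

If Len(found) > 0 Then
    WScript.Echo "WARNING: read-only list permits write commands:" & found
    WScript.Quit 2
End If
WScript.Echo "OK: no write commands in the read-only list."
```

Run it with cscript on the TMG server; it makes no changes and never calls Save.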

Comments

  • Anonymous
    January 01, 2003
    Great !! Thanks for the feedback Ted and Rith !!

  • Anonymous
    January 01, 2003
    Well, it is always good to know that the article is lasting that long :) thanks Rusty!

  • Anonymous
    January 01, 2003
    Great! I'm glad that it did :)

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    May 02, 2011
    Dear Yuri Diogenes, thanks for the solution. This solved my problem. Regards

  • Anonymous
    May 16, 2011
    Thank you, we solved the issue on our site also.

  • Anonymous
    July 22, 2011
    thank you for solution is right!!!

  • Anonymous
    August 29, 2011
    Hi there, I am also using TMG 2010. I have enabled the FTP as mentioned but I still get the error.

  • Anonymous
    December 27, 2011
    Using that script, can I give download and upload access to any user?

  • Anonymous
    June 20, 2012
    Száraz ÍZoltán You have to set this option in TWO places: as depicted in the author's explanation (System->Application Filters), but also under "Enterprise->Enterprise Add-Ins->Application Filters".

  • Anonymous
    June 20, 2012
    The solution solved my problem. Thanks!

  • Anonymous
    May 17, 2013
    Hi, I have been playing with TMG for the past few days to enable FTP access. I was able to configure FTP over HTTP and that works fine. I tried to FTP using the Windows CMD prompt but the connection seems to time out. I looked at the logging and I think the FTP request is not even reaching the TMG Server. Any idea where I am going wrong with this? Thanks, Mohit

  • Anonymous
    March 24, 2014
    Three years later and the solution is still paying dividends, thank you.

  • Anonymous
    December 15, 2015
    Thanks - a good help