Error 502 “Active FTP not Allowed” when trying to list files in a FTP session behind Forefront TMG 2010
Consider a scenario where you have a client workstation behind Forefront TMG 2010 and you are trying to download files from a FTP Server. You are successfully able to logon on the FTP but after type the command “dir” you get the error message below:
The message is pretty clear about what is going on, isn’t it? Well, it is but where do I enable this option? I don’t remember having this on ISA!! To address this issue you just need to enable a new option that we have on TMG, this option is located on the FTP Filter properties as shown below:
After enabling this option and apply the changes you should be able to list your files just fine. It is important to mention that this setting has nothing to do with the FTP Read Only option, that you had in ISA 2004/2006 and still have it on TMG. The FTP Filter when running in read only mode (see figure below) will blocks all commands in the control channel except the following ones:
“ABOR, ACCT, CDUP, CWD /0, FEAT, HELP, LANG, LIST, MODE, NLST, NOOP, PASS, PASV, PORT, PWD /0, QUIT, REIN, REST, RETR, SITE, STRU, SYST, TYPE, USER, XDUP, XCWD, XPWD, SMNT”
You can customize this list by using the sample script below (from Configuring Add-ins MSDN article),in this example the script configures FTP Access Filter to allow only the USER and PASS commands:
Dim root Dim ftpFilter Dim vpSet On Error Resume Next Err.Clear Set root = CreateObject("FPC.Root") ' Get the filter's administration object Set ftpFilter = root.GetContainingArray.Extensions.ApplicationFilters("{680A928F-22B3-11d1-B026-0000F87750CB}") If ftpFilter Is Nothing Then Wscript.Echo "FTP Access Filter ({680A928F-22B3-11D1-B026-0000F87750CB}) is not installed in array." WScript.Quit End If ' Get the vendor parameter set containing the filter's configuration. Set vpSet = ftpFilter.VendorParametersSets.Item("{680A928F-22B3-11D1-B026-0000F87750CB}") 'If this vendor parameters set does not exist, create it. If vpSet Is Nothing Then WScript.Echo "Adding a vendor parameters set ({680A928F-22B3-11D1-B026-0000F87750CB})" Err.Clear Set vpSet = ftpFilter.VendorParametersSets.Add("{680A928F-22B3-11D1-B026-0000F87750CB}",False) ftpFilter.VendorParametersSets.Save End If ' Add the required parameter. vpSet.Value("AllowReadCommands") = "USER PASS" vpSet.Save |
Note: don’t change the default Read Only commands unless you have a real business need for that.
Anonymous
January 01, 2003
Great !! Thanks for the feedback Ted and Rith !!Anonymous
January 01, 2003
Well, it is always good to know that the article is lasting that long :) thanks Rusty!Anonymous
January 01, 2003
Great! I'm glad that it did :)Anonymous
January 01, 2003
The comment has been removedAnonymous
May 02, 2011
Dear Yuri Diogenes Thanks for the solution. This solved my problem. RegardsAnonymous
May 16, 2011
thank you we solve the issue on our site alsoAnonymous
July 22, 2011
thank you for solution is right!!!Anonymous
August 29, 2011
Hi there I am also using tmg2010 I have enable the ftp as mentioned but I still get the errorAnonymous
December 27, 2011
using that script can i give download and upload access to any userAnonymous
June 20, 2012
Száraz ÍZoltán You have to set this option TWO places: as depicted in the authors explanation(System->Application Filters), but also under "Enterprise->Enterprise Add-Ins->Application Filters".Anonymous
June 20, 2012
The solution solved my problem. Thanks!Anonymous
May 17, 2013
Hi I have ben playing with TMG for the past few days to enable FTP access. I was able to configure ftp over http and that works fine. I tried to ftp using the windows CMD prompt but the connection seems to timeout. I looked at the logging and i think the ftp request is not even reaching the TMG Server. Any idea where am I going wron with this? thanks MohitAnonymous
March 24, 2014
Three years later and the solution is still paying dividends, thank you.Anonymous
December 15, 2015
Thanks - a good help