The initial setup of ISA 2004 in SBS does not enable FTP Outbound access. However, many small businesses need to be able to use FTP. Small manufacturing firms use FTP to download CAD files of parts to be manufactured, whereas architecture firms often upload finished drawings to clients or builders. In both cases, files might go back and forth between a small business and its client several times before the product is finished.

Note: FTP Inbound isn't enabled by default either but can be set up using the Connect to the Internet Wizard in the SBS Management MMC.

FTP is one of the oldest protocols and as such wasn't developed with security in mind. Because of this, consider your FTP needs carefully, and only allow as much access as necessary. The first step is to note which users are going to need FTP access and whether they need to both upload and download using FTP. Finally, the type of ISA client that your computers use tells you which rule you need to modify.

To enable FTP downloads for clients other than Firewall Clients, follow these steps:

1. Click Firewall Policy; then right-click SBS FTP Access and select Properties.

2. Click the Users tab, click the Add button, and then click New. The New User Set Wizard opens. Click Next to move to the next page.

3. Click Add and from the pop-up menu select Windows Users and Groups as shown in Figure 24.13. Add your users, click Next, and then click Finish.

Figure 24.13. A new user group consisting of Active Directory users can be configured during the editing of the SBS FTP access policy.

4. Your user set is now listed in the Users window. Select the group you just created and click the Add button; then click Close. The FTP user group is now listed in the Users tab.

5. Select the General tab and check Enable; then click OK.

6. If you also want to enable the uploading of files via FTP to remote servers, go back into the properties of the SBS FTP access rule and move to the Protocols tab. Click the Filtering button and select Configure FTP. Uncheck the Read Only box to allow the uploading of FTP files; then click OK.

Firewall Clients don't need the FTP Outbound access rule, which is why it is disabled by default. The Firewall Client can negotiate the use of a port through the SBS Internet access rule. But because the FTP application filter is set to read only for the SBS Internet access rule, these clients won't be able to upload files out of the network. To change this, you'll need to configure the FTP filter for the SBS Internet access rule. Follow these steps:

1. Right-click on the SBS Internet access rule, select Configure FTP, and uncheck the Read Only box (see Figure 24.14).

Figure 24.14. Unchecking Read Only in the FTP filter configuration allows FTP files to be uploaded out of the network.

2. Click OK; then click Apply when you are ready for the new rule to take effect.

You've just created a rule that allows members of the FTP Users group to upload and download files.

Best Practice: FTP Application Filter

FTP is one of the oldest protocols. In the Internet's humble beginning, security was not the issue that it is today; therefore, the FTP protocol wasn't designed to secure transmissions. The FTP application filter is designed to assist you in controlling who has the ability to upload or download using FTP. If FTP access is required, the best practice is to allow FTP access only for downloads to your network but not allow users to FTP data out of your network. If FTP out is also required, creating a user group whose members require FTP uploads is recommended.
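
The best practice above, modelled as an added example (not code from the book or from ISA Server): it audits FTP command records and lists the write attempts that a download-only policy, or an upload group, should have refused. The write-command list, the user names, and the log layout are assumptions made for the example.

```python
# Added example: models the best practice described above; not ISA Server code.
# Assumption: which FTP commands count as "writes" (the page does not list
# what the Read Only setting blocks).
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}

# Hypothetical stand-in for the user set created in the New User Set Wizard.
FTP_UPLOAD_USERS = {"SMALLBIZCO\\jsmith"}

# Constructed sample records: "time user FTP-command argument".
# This is NOT the ISA log format; it is a simplified layout for the example.
SAMPLE_LOG = """\
09:01:12 SMALLBIZCO\\jsmith RETR bracket-rev3.dwg
09:04:40 SMALLBIZCO\\jsmith STOR bracket-rev4.dwg
09:15:03 SMALLBIZCO\\mjones RETR housing.dwg
09:16:27 SMALLBIZCO\\mjones STOR payroll.xls
09:20:55 anonymous APPE notes.txt
"""

def parse(line):
    """Split one record into (time, user, command, argument)."""
    parts = line.split(None, 3)
    if len(parts) < 3:
        raise ValueError("malformed record: %r" % line)
    time, user, command = parts[:3]
    argument = parts[3] if len(parts) == 4 else ""
    return time, user, command.upper(), argument

def decide(user, command, read_only, upload_users):
    """Return 'allow' or 'deny' for one command under the modelled policy."""
    if command not in WRITE_COMMANDS:
        return "allow"  # downloads and listings pass either way
    if read_only:
        return "deny"   # Read Only checked: nothing is uploaded out
    members = {u.lower() for u in upload_users}
    return "allow" if user.lower() in members else "deny"

def audit(log_text, read_only, upload_users):
    """List the write attempts that the policy should have refused."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, user, command, argument = parse(line)
        if decide(user, command, read_only, upload_users) == "deny":
            findings.append((time, user, command, argument))
    return findings
```

Any record that `audit` returns for a period when the rule was in force is worth checking against the rule's Users tab and FTP filter setting.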

Publish a Web Server

You have three choices for publishing a website. You can let your ISP or another hosting service do it for you. (Most small businesses do.) You can host the website on your SBS server, in which case the Connect to the Internet Wizard configures the necessary ISA server components for you. Or you can add a second server to your network and host the website there, in which case you'll need to configure ISA to direct the web requests to that server.

Because this chapter is only about ISA, the chapter assumes that your IIS server is already configured and that your website is ready. The chapter also assumes that you've selected port 81 as the port that the website will be accessed on.

Note: Because port 80 is already in use on SBS, to avoid any potential conflicts you should publish your website on an alternate port.

Follow these steps to publish a website housed on a second server:

1. In Firewall Policy, select Publish a Web Server from the Task pane. Give your policy a descriptive name representing your website. In this example we'll use Project Status Website and assume that it's a website where clients can go to check the status of the prototype development for the widget that they designed. Click Next.

2. The wizard has already selected Allow on this page, so click Next. In the Computer Name or IP Address box, enter the full name of the web server or its IP address. In the Path box enter /* if this is the only website on your server; otherwise, enter /folder name, where folder name is the name of the folder that contains your website, as shown in Figure 24.15. Click Next.

Figure 24.15. When configuring your web publishing rule, a subfolder can be specified if more than one website resides on your server.

3. The Accept Requests For box should already have selected This Domain Name (enter below). In the Public Name box enter the URL for your website, projectstatus.smallbizco.com. In the Path box enter the same path as before, /*. Click Next.

4. In the Web Listener drop-down list, select SBS Web Listener. Click Next.

5. Because you want all clients to be able to access the website, All Users is the appropriate choice. Click Next and then click Finished.

6. Your rule is now listed in the Firewall Policy. Right-click on the rule you just created and move to the Bridging tab. Check Redirect Requests to HTTP Port and enter the alternate port number that you used in IIS when you set up the website. Click OK to save the changes.

Best Practice: Making the Web Hosting Decision

The decision on whether to host your website on SBS, buy an additional server, or let an offsite company host your website for you should be carefully considered from a security standpoint. Assuming that you have the in-house talent to design and set up web hosting, the next decision is whether you also have the in-house talent to make sure that your website and the server that it runs on are secure and will remain that way through website revisions. Many capable small and large website hosting services are available that are reasonably priced. The question to ask them is not whether their web servers are secure but how often they are patched and which web server software they are running. All software requires patching. It only takes a moment to find out what the latest patch level is and compare this to what the web host you are considering is running. If they pass this test and have a good customer support reputation, you may well be better off letting these professionals host the website for you.