Using the Windows Command-line FTP Client with Forefront Threat Management Gateway (TMG) 2010
When using the Windows command-line FTP client (ftp.exe) behind a TMG firewall, you may encounter the following errors:
502 Active FTP not allowed
425 Use PORT or PASV first
With the Firewall Client installed and enabled, you may receive the following message:
ftp: bind :Address already in use
If you send the PASV command manually, you'll see that the remote FTP server accepts it and enters passive mode. However, you will still be unable to list the working directory: the connection either fails or returns one of the messages listed above.
By default, TMG does not support active mode FTP. I won't go into all of the details of the FTP protocol here, but understand that FTP is a complex protocol that uses a control channel and a separate data channel. With active mode FTP, the data connection is initiated by the FTP server back to the client, not by the client. With passive mode FTP, the data connection is initiated by the client, which is not only more secure, but also more firewall and NAT friendly. You can learn more about the difference between active and passive mode FTP here.
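To make the difference concrete, the following script (an added example, not from the original post) parses and builds the two control-channel messages that set up the data channel, the server's 227 reply to PASV and the client's PORT command, and then stands up each kind of data channel on loopback to show which side has to accept an inbound TCP connection. That inbound connection is what a firewall or NAT device has to permit, which is why active mode is the problem case. The listing bytes and the addresses are constructed sample values.

```python
"""Active vs passive FTP data channels on loopback (added example, not from the post).

In both modes the control channel is the same; what changes is which side
has to accept an inbound TCP connection for the data channel.
"""
import re
import socket

# RFC 959 reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_REPLY_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 959 command: PORT h1,h2,h3,h4,p1,p2
PORT_CMD_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def _decode_hostport(groups):
    """Turn the six comma-separated fields into (dotted host, 16-bit port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(reply: str):
    """Server's 227 reply -> (host, port) the client must connect OUT to."""
    m = PASV_REPLY_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    return _decode_hostport(m.groups())


def parse_port_command(cmd: str):
    """Client's PORT command -> (host, port) the server will connect back IN to."""
    m = PORT_CMD_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    return _decode_hostport(m.groups())


def build_port_command(host: str, port: int) -> str:
    """Encode the client's listening address as an active-mode PORT command."""
    octets = host.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("need an IPv4 address and a 16-bit port")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def build_pasv_reply(host: str, port: int) -> str:
    """Encode the server's listening address as a 227 reply."""
    return f"227 Entering Passive Mode ({host.replace('.', ',')},{port // 256},{port % 256})"


def open_data_channel(mode: str) -> dict:
    """Stand up a loopback data channel in the given mode and report which side
    had to accept the inbound connection. The directory listing is constructed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    host, port = listener.getsockname()
    if mode == "passive":
        control_line = build_pasv_reply(host, port)    # server -> client
        target = parse_pasv_reply(control_line)
        accepting_side = "server"
    elif mode == "active":
        control_line = build_port_command(host, port)  # client -> server
        target = parse_port_command(control_line)
        accepting_side = "client"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    initiator = socket.create_connection(target, timeout=2)
    accepted, _ = listener.accept()
    listener.close()
    # The server always sends the listing; only who dialed the connection differs.
    server_sock, client_sock = (accepted, initiator) if mode == "passive" else (initiator, accepted)
    listing = b"-rw-r--r-- 1 ftp ftp 0 Jan 01 00:00 readme.txt\r\n"  # constructed sample
    server_sock.sendall(listing)
    server_sock.close()
    received = client_sock.recv(4096)
    client_sock.close()
    return {"mode": mode, "control_line": control_line,
            "accepting_side": accepting_side, "listing": received.decode()}


if __name__ == "__main__":
    for m in ("passive", "active"):
        r = open_data_channel(m)
        print(f"{m:8s} inbound connection accepted by {r['accepting_side']}: {r['control_line']}")
```

Run it and the active case reports that the client side accepted the inbound connection: that is the connection a TMG firewall blocks by default, which is why ftp.exe, which always uses PORT for its data channel even after you send PASV by hand, fails to list a directory.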
The real problem is that the Windows command-line FTP client does not support passive mode FTP. The best way to resolve this issue is to use a client that supports passive mode FTP. If you must use the Windows command-line FTP client, you can configure the TMG firewall to allow active mode FTP. As Yuri Diogenes points out in a recent blog post, this can be accomplished by opening the TMG management console, highlighting the System node in the navigation pane, then right-clicking on the FTP Access Filter and choosing Properties. Select the Properties tab and check the box next to Allow active FTP access.