A FileZilla FTP server was published through Forefront TMG 2010 using a non-web server publishing rule.
The FTP server was accessible with IE9 as the FTP client but not with the FileZilla FTP client, which received a 550 Access is denied message; the logs on TMG did not show anything specific.
Below you can see the log from the FileZilla FTP client.
I’ve marked some commands in that log in orange.
First we can see the FEAT command (which displays the feature list) issued by the FTP client. Note that the FTP server says it supports the MLSD command.
However, when the client tries this command, the server responds with the 550 Access is denied message (which usually indicates that you do not have permission to perform the action you are attempting).
If a Wireshark trace is taken on the FTP server, it shows that the server does not actually receive the MLSD command.
The FTP filter from Forefront TMG 2010 blocks that command.
IE9 works because it uses the LIST command instead of MLSD; more info about the MLSD command here.
By default, the Read-Only check box on TMG's FTP server publishing rule (right-click the FTP server publishing rule and click Configure FTP) is checked, which means that only read access (list and download) is allowed:
If this check box is unchecked, the FTP filter no longer rejects the MLSD command.
It’s not particularly clear why TMG associates MLSD with write access (it's true that in the past some servers, like FileZilla and Cerberus, had some security issues; see this and this).
MLSD was intended to be a replacement for the LIST command and is used to send a directory listing (a data connection is established between the client and the server for this).
This could probably have been avoided if the FTP filter had modified the server’s response to the client’s FEAT command and removed the MLSD command from it, since that command was not allowed in the first place, or if the FTP client had fallen back to LIST.
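The mismatch described above, a command advertised in the FEAT reply and then refused, can be picked out of a client log mechanically. The following is an added example, not part of the original post: the log is a constructed sample, and the `Command:`/`Response:` line prefixes and the function name are assumptions.

```python
import re

# Constructed sample in the style of an FTP client log (assumed "Command:" and
# "Response:" prefixes); not the log from this post. 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
Command:\tFEAT
Response:\t211-Features:
Response:\t MDTM
Response:\t SIZE
Response:\t MLST type*;size*;modify*;
Response:\t MLSD
Response:\t211 End
Command:\tPASV
Response:\t227 Entering Passive Mode (192,0,2,10,195,80)
Command:\tMLSD
Response:\t550 Access is denied
"""

LINE = re.compile(r"^(Command|Response):\s*(.*)$")


def refused_advertised_features(log_text):
    """Return [(command, reply)] for commands listed in FEAT but later refused with 5xx."""
    advertised, findings = set(), []
    last_cmd, in_feat = None, False
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        kind, text = m.group(1), m.group(2).strip()
        if kind == "Command":
            last_cmd = text.split()[0].upper() if text else None
        elif last_cmd == "FEAT" and text.startswith("211-"):
            in_feat = True                      # start of the multi-line feature list
        elif in_feat and text.startswith("211 "):
            in_feat = False                     # "211 End" closes the list
        elif in_feat and text:
            advertised.add(text.split()[0].upper())
        elif re.match(r"5\d\d ", text) and last_cmd in advertised:
            findings.append((last_cmd, text))   # advertised, yet permanently refused
    return findings


if __name__ == "__main__":
    for cmd, reply in refused_advertised_features(SAMPLE_LOG):
        print(f"{cmd} is advertised in FEAT but was refused: {reply}")
```

A finding with no matching command in a capture taken on the server itself points at a device in the path, such as the TMG FTP filter in this case.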