You may receive a 550 Access is denied message in reply to an MLSD command when accessing an FTP server published by Forefront TMG 2010

A FileZilla FTP server was published with Forefront TMG 2010 with a non-web server publishing rule.

The FTP server was accessible with IE9 as the FTP client, but not with the FileZilla FTP client, which received a 550 Access is denied message; the TMG logs do not show anything specific.
Below is the log from the FileZilla FTP client.

[image: ftp_msld, FileZilla client log]

As can be noted, I’ve marked some commands from that log in orange.

First we can see the FEAT command (which asks the server for its feature list) issued by the FTP client. Note that the FTP server replies that it supports the MLSD command.

However, when the client issues this command, the reply is a 550 Access is denied message (which usually indicates that you do not have permission to perform the action you are attempting).

A Wireshark trace taken on the FTP server shows that the server never actually receives the MLSD command.
The FTP filter of Forefront TMG 2010 blocks the command and returns the 550 reply to the client itself.

IE9 works because it uses the LIST command instead of MLSD; more information about the MLSD command (defined in RFC 3659) is available here.

By default, the Read-Only check box on a TMG FTP server publishing rule (right-click the FTP server publishing rule and click Configure FTP) is checked, which means that only read access (list and download) is allowed:

[image: ftp_msld_read_only, Configure FTP dialog with the Read-Only check box]

If this check box is unchecked, the FTP filter no longer rejects the MLSD command; note that unchecking it also allows write operations (uploads, renames, deletions) through the rule, which may not be wanted.
It’s not particularly clear why TMG associates MLSD with write access (it's true that in the past some servers, such as FileZilla and Cerberus, had some security issues, see this and this).
MLSD was intended as a replacement for the LIST command and is used to send a machine-readable directory listing (a data connection is established between the client and the server for this), so it is no more of a write operation than LIST is.

This could probably have been avoided if the FTP filter had rewritten the server’s reply to the client’s FEAT command and removed MLSD from it, since the command was not allowed in the first place; or if the FTP client had fallen back to LIST on the 550 reply.
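As an added example (not TMG code and not the FileZilla client), the following Python model reproduces the control-channel behaviour described above: a read-only command filter that answers 550 for any verb outside its allow-list, the FEAT-rewriting fix suggested above, and a client that does or does not fall back to LIST. The allow-list is taken from Paulo Oliveira's comment below (the "/0" markers dropped) and is assumed to be accurate; the FEAT reply, the FilteredServer class and the list_directory function are constructed for this example and are not real TMG, FileZilla or RFC-defined names.

```python
# Model of a read-only FTP command filter between client and server, plus a
# client with an optional MLSD -> LIST fallback. Constructed for illustration.

# Assumed default read-only allow-list (from the comment below, "/0" dropped).
READ_ONLY_COMMANDS = frozenset({
    "ABOR", "ACCT", "CDUP", "CWD", "FEAT", "HELP", "LANG", "LIST", "MODE",
    "NLST", "NOOP", "PASS", "PASV", "PORT", "PWD", "QUIT", "REIN", "REST",
    "RETR", "SITE", "STRU", "SYST", "TYPE", "USER", "XDUP", "XCWD", "XPWD",
    "SMNT",
})

# Constructed FEAT reply of a server that advertises MLST/MLSD (RFC 3659).
SERVER_FEAT_REPLY = [
    "211-Features:",
    " MLST type*;size*;modify*;",
    " MLSD",
    " REST STREAM",
    " SIZE",
    "211 End",
]


def command_allowed(line, read_only=True):
    """Filter decision for one client command.

    Returns (forwarded, reply): forwarded is True when the command goes on to
    the server; otherwise reply is the error the filter sends back itself.
    """
    verb = line.strip().split(" ", 1)[0].upper()
    if read_only and verb not in READ_ONLY_COMMANDS:
        return False, "550 Access is denied."
    return True, None


def rewrite_feat_reply(feat_lines, read_only=True):
    """Drop advertised features the filter would block (the fix suggested above).

    Feature lines are indented by one space; the feature name is the first
    token. The 211- / 211 framing lines are kept unchanged.
    """
    if not read_only:
        return list(feat_lines)
    kept = []
    for line in feat_lines:
        if line.startswith(" "):
            feature = line.strip().split(" ", 1)[0].upper()
            if feature not in READ_ONLY_COMMANDS:
                continue
        kept.append(line)
    return kept


class FilteredServer:
    """Simulated control channel: client -> filter -> server (constructed)."""

    def __init__(self, read_only=True, rewrite_feat=False):
        self.read_only = read_only
        self.rewrite_feat = rewrite_feat
        self.received = []  # commands the server actually saw (the Wireshark view)

    def send(self, line):
        forwarded, reply = command_allowed(line, self.read_only)
        if not forwarded:
            return [reply]  # filter answers; server never sees the command
        self.received.append(line)
        verb = line.split(" ", 1)[0].upper()
        if verb == "FEAT":
            if self.rewrite_feat:
                return rewrite_feat_reply(SERVER_FEAT_REPLY, self.read_only)
            return list(SERVER_FEAT_REPLY)
        if verb in ("MLSD", "LIST"):
            return ["150 Opening data connection", "226 Transfer complete"]
        return ["200 OK"]


def list_directory(server, fall_back=True):
    """Client side: return the listing command that succeeded, or None.

    MLSD is tried only if FEAT advertised it; on a 550 the client either gives
    up (fall_back=False, the behaviour seen in the post) or retries with LIST.
    """
    feat = server.send("FEAT")
    advertised = {l.strip().split(" ", 1)[0].upper()
                  for l in feat if l.startswith(" ")}
    candidates = (["MLSD"] if "MLSD" in advertised else []) + ["LIST"]
    for cmd in candidates:
        reply = server.send(cmd)
        if reply[0].startswith("550"):
            if not fall_back:
                return None
            continue
        return cmd
    return None


if __name__ == "__main__":
    broken = FilteredServer(read_only=True)
    print("no fallback:", list_directory(broken, fall_back=False), broken.received)
    fixed = FilteredServer(read_only=True, rewrite_feat=True)
    print("FEAT rewritten:", list_directory(fixed), fixed.received)
```

Running the script shows the two halves of the problem: with the read-only filter and no FEAT rewriting, the client sees MLSD advertised, sends it, gets the 550, and the server's received list contains only FEAT; with the FEAT reply rewritten, the client never tries MLSD and lists with LIST straight away. Unchecking Read-Only (read_only=False) makes MLSD succeed, but as the model makes obvious, it also lets STOR and every other verb through.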

Comments (2) -

  • Paulo Oliveira

    5/10/2011 7:51:40 PM |

    Hi Adrian,

    the reason why TMG FTP Filter does not allow MLSD command is because it is not allowed (included) on the default FTP commands allowed to be used when read-only is configured. The only commands previously allowed are: ABOR, ACCT, CDUP, CWD /0, FEAT, HELP, LANG, LIST, MODE, NLST, NOOP, PASS, PASV, PORT, PWD /0, QUIT, REIN, REST, RETR, SITE, STRU, SYST, TYPE, USER, XDUP, XCWD, XPWD, SMNT.
    But, you can add MLSD to the allowed command list running the script on this link: msdn.microsoft.com/en-us/library/dd435753.aspx

    This is a better approach than enabling write-access (in case it is not wanted).

    Regards,
    Paulo Oliveira.

    • adimcev

      5/10/2011 9:22:48 PM |

      Hi Paulo,

      Thanks for the link.
      It was pretty obvious that MLSD was not included within the list of default FTP commands allowed to be used when read-only is configured, since TMG blocked it. :)

      It would have been nice to have TMG reply to client's FEAT command with the lists of the commands allowed, basically now it says to the client you can do that, but later you cannot.
      The RFC for FTP extensions is 4 years old, so a block situation was just around the corner.
      You can have various FTP servers behind TMG, each advertising support for some commands, but since TMG is on the path as a sort of a proxy, it should reply with its own list of allowed commands.

      Thanks,
      Adrian
