Checking the live log, which displayed some connections being killed. But can't find further detail. Investigating the "ssl ftp" again.
Placed a laptop outside the protected network. It can access the site successfully. It is implicit that the issue is caused by ISA. From Microsoft, I found the following:
ISA Server does not support outbound secure FTP connections
Symptom: Clients require access to FTP servers over Secure FTP (FTPS).
Issue: ISA Server does not support outbound FTP over SSL/TLS (FTPS) connections. FTPS uses an encrypted control channel. For standard FTP traffic, ISA Server uses the FTP filter to monitor FTP communication. Outbound Secure Sockets Layer (SSL) connections cannot be seen by ISA Server, and therefore ISA Server cannot adjust traffic policy in reaction to PASV and PORT FTP commands.
Solution: Although there may be a workaround by installing Firewall Client software and creating a custom FTP protocol definition that is not bound to the FTP application filter, this is not supported.
It says FTPS is not supported by the standard FTP filter because of the SSL encryption. Then, could we define a custom FTP filter and disable the standard FTP filter for my new access rule for accessing FTPS? It seems it is an alternative to applying the FTP filter?
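To make the Microsoft note above concrete, here is an added Python model (not code from this thread, from Microsoft, or from ISA Server) of what an FTP application filter does with the control channel: on cleartext FTP it reads the PASV reply or PORT command and derives the data-channel endpoint it would need to open; on explicit FTPS it sees the AUTH TLS exchange succeed and from then on only TLS records, so no data port can be derived. Both transcripts are constructed, 192.0.2.10 is a documentation address, and the token "<tls-record>" is a constructed stand-in for ciphertext on the wire.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Server reply to PASV: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Client PORT command for active mode: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)


@dataclass
class FilterState:
    encrypted: bool = False            # control channel switched to TLS after "234"
    awaiting_auth_reply: bool = False  # client sent AUTH TLS/SSL, waiting for 234
    pinholes: List[Tuple[str, int]] = field(default_factory=list)  # (host, port) to open
    opaque_lines: int = 0              # control-channel lines the filter could not read


def _endpoint(groups):
    """Turn the six FTP address octets into (host, port): port = p1*256 + p2."""
    host = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return host, port


def track_control_channel(transcript):
    """Model of an FTP application filter watching the control channel.

    transcript: list of (direction, line), direction "C" (client) or "S" (server).
    Once AUTH TLS is accepted, every later line is ciphertext to the filter:
    it is counted but cannot yield a PASV/PORT endpoint.
    """
    st = FilterState()
    for direction, line in transcript:
        if st.encrypted:
            st.opaque_lines += 1
            continue
        if direction == "C":
            if line.upper() in ("AUTH TLS", "AUTH SSL"):
                st.awaiting_auth_reply = True
            m = PORT_RE.match(line)
            if m:
                st.pinholes.append(_endpoint(m.groups()))
        else:
            if st.awaiting_auth_reply and line.startswith("234"):
                st.encrypted = True
                st.awaiting_auth_reply = False
            m = PASV_RE.match(line)
            if m:
                st.pinholes.append(_endpoint(m.groups()))
    return st


def filter_can_follow(state):
    """True when the filter read every control line and can open data pinholes."""
    return not state.encrypted


# Constructed cleartext FTP session: the filter can see the 227 reply.
PLAIN_FTP = [
    ("S", "220 Service ready"),
    ("C", "USER anonymous"),
    ("S", "331 Password required"),
    ("C", "PASS guest@example.invalid"),
    ("S", "230 Logged in"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("C", "RETR report.txt"),
    ("S", "150 Opening data connection"),
]

# Constructed explicit FTPS session: after "234" the wire carries TLS records only.
EXPLICIT_FTPS = [
    ("S", "220 Service ready"),
    ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation"),
    ("C", "<tls-record>"),  # USER/PASS travel inside the tunnel
    ("S", "<tls-record>"),
    ("C", "<tls-record>"),  # PASV inside the tunnel
    ("S", "<tls-record>"),  # the 227 reply with the data port, unreadable here
]

if __name__ == "__main__":
    for name, transcript in (("plain FTP", PLAIN_FTP), ("explicit FTPS", EXPLICIT_FTPS)):
        st = track_control_channel(transcript)
        print(f"{name}: pinholes={st.pinholes} "
              f"can_follow={filter_can_follow(st)} opaque_lines={st.opaque_lines}")
```

Running it shows the plain session yielding a single pinhole (192.0.2.10, port 50000) while the FTPS session yields none, which is exactly why a filter-driven firewall has to fall back to static rules (fixed control ports plus a bounded high-port range) for FTPS instead of opening ports per session.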
Finally, I found the answer. Refer to the blog post: http://blogs.isaserver.org/pouseele/2006/10/08/solving-the-secure-ftp-dilemma-with-isa-server-2004-and-2006/
What I need to do is just add a new access rule to deny normal FTP traffic from the destination FTP server to my protected network, placed behind the newly modified access rule. Schematically, the information of the access rule is as follows, as found in the above blog post.
Access rule sample:
1. Permit all users to destination TCP 21, TCP 990 and other high-number ports (for PASV).
2. Deny the FTP protocol (normal) from users to the destination (to deny the traffic from destination TCP 21 to mine).