At first I thought they were joking... FTPS... Never heard of it... you can't secure FTP without an application filtering firewall like ISA... that's right, an FTP application filter. But twice recently something called FTPS has come to my attention, and finally I had a situation where a client needed to access an FTPS server but couldn't.
ISA 2004 has an FTP Application Filter that inspects FTP traffic as it passes through. It reads the control channel and dynamically opens the high port required for each data connection. There is an excellent article by Stefaan Pouseele called How the FTP Protocol Challenges Firewall Security over on the ISAserver.org website. In it Stefaan explains why FTP is insecure by design, how ISA can secure FTP for you, and all of the details in between.
FTPS creates an interesting challenge though. FTPS was developed in an attempt to secure FTP transmission. It's FTP with the control and data channels carried inside SSL encryption. The owners of an FTPS site assume that you are using a simple packet filtering 'el cheapo' firewall and can't secure your own network, so FTPS proposes to do this for you using SSL. But if you are using a quality application filtering firewall with an FTP filter like ISA 2004, you'll run into a problem: the FTP application filter can't see into the SSL encrypted packets, so it can't read the PORT/PASV exchange, and it will therefore deny them.
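To make the last point concrete, here is a small model of what an FTP application filter does with the control channel, written for this post and not ISA's own code. It extracts the dynamic data port from PORT/PASV lines on a plain FTP session, and shows that once the client sends AUTH TLS and the server answers 234, everything that follows is opaque to the filter. The sample session transcripts and the "deny" verdict are constructed assumptions for illustration.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server, or
# "PORT h1,h2,h3,h4,p1,p2" from the client; data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def data_endpoint(line):
    """Return the (ip, port) a filter would open for this control line, else None."""
    for rx in (PORT_RE, PASV_RE):
        m = rx.search(line.strip())
        if m:
            a, b, c, d, p1, p2 = (int(x) for x in m.groups())
            return (f"{a}.{b}.{c}.{d}", p1 * 256 + p2)
    return None


def inspect_session(lines):
    """Model of an FTP application filter reading one control channel.

    `lines` is a list of (direction, text) with direction "C" (client) or "S"
    (server). Returns the data endpoints the filter would open and whether the
    channel went opaque because explicit FTPS (AUTH TLS/SSL + 234) started.
    """
    opened = []
    auth_requested = False
    for direction, text in lines:
        if direction == "C" and text.strip().upper() in ("AUTH TLS", "AUTH SSL"):
            auth_requested = True
            continue
        if direction == "S" and auth_requested and text.startswith("234"):
            # From here on the bytes are a TLS handshake and ciphertext; the
            # filter can no longer parse commands, so it cannot open data ports.
            return {"opened": opened, "opaque": True, "verdict": "deny"}
        ep = data_endpoint(text)
        if ep:
            opened.append(ep)
    return {"opened": opened, "opaque": False, "verdict": "allow"}


# Constructed transcripts (documentation addresses, not real servers)
PLAIN_SESSION = [
    ("C", "USER anonymous"), ("S", "331 Password required"),
    ("C", "PASS guest"), ("S", "230 Logged in"),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (203,0,113,10,195,149)"),
    ("C", "RETR report.txt"),
]
FTPS_SESSION = [
    ("C", "AUTH TLS"), ("S", "234 Proceed with negotiation."),
    ("C", "\x16\x03\x01\x00\xa5..."),  # start of a TLS ClientHello
]
```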
Solution 1: Disable the FTP Application Filter. This will work IF FTPS is the only kind of FTP site you will ever need to connect to. If you disable the FTP filter, all "normal" FTP traffic will be denied, because nothing is left to open the dynamic data ports.
Solution 2: Create a new Access Rule for FTP for traffic going from your network to the FTPS destination that does not use the FTP filter.
Here's what your rule should look like:
Action: Allow
Protocols: Selected Protocols, FTP. Highlight FTP, press Edit, and uncheck the FTP Access Filter.
From: your Internal Network
To: New, Address Range, and enter the IP address of the FTPS server you need to reach
Users: SBS Internet Users, or a user group of your choice
FTPS will now work to that destination for all but SecureNAT clients, so make sure you've got the Firewall Client installed on all of your workstations.