Rouchie
asked on
Firewall rules for FTP+SSL Explicit
Hi
I would like to enable FTP+SSL Explicit on my server. I have downloaded a trial version of Ability FTP Server, as this supports "file banning" functionality which I need. My problem is that (I think) my firewall is preventing users being able to log in to this FTP server. Connections are simply timing out, and Ability FTP Server shows no evidence of users being connected.
My firewall is hosted so I can't edit the rules directly, however, the hosts can do this for me.
Can somebody please tell me what I need my firewall to allow, to enable FTP+SSL Explicit to work correctly?
Many thanks.
ASKER CERTIFIED SOLUTION
ASKER
Thank you for the detailed responses. You might have to excuse my lack of knowledge here while I try to digest your points.
>> Are you using NAT or is the server address public?
The server is public, well at least I presume so. It's a fixed IP anyway that I can access directly from any client machine. My ftp domain name is mapped to that IP also.
>> Define your SSL FTP server to use specific port(s)
I think for convenience (to the clients) this is going to be the most straightforward option. The FTP server software has an option where I can set the PASV PORT RANGE. The default values are 1024-5000, but these are greyed out at present because the range option is not active.
Should I therefore reduce this number to 10 ports, as you suggest?
>> If the client side is behind a firewall it will need to define rules to allow those ports outbound to your IP address.
I've checked in certain client titles (FileZilla/FireFTP) and there is only one box to specify the FTP port. Would clients be instructed to input a port range into that single box? Is that even possible to do?
SOLUTION
SOLUTION
ASKER
Okay thanks again. Just one more thing...
A while back I set up standard FTP using Ability FTP server and it worked fine. The firewall on my server was set to use Port 21, which I gather from your replies is the command channel. Please tell me, does standard (non secure) FTP still require the port range that FTPS uses (i.e. 5000-5049)?
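Added example (not part of the original thread, and not code from Ability FTP Server): a Python check that takes the passive-mode replies shown in an FTP client's log and reports whether the data connection would fit a firewall that allows only TCP 21 plus a fixed passive range. The range 5000-5049 is the one mentioned in the thread; the IP addresses and reply lines are constructed samples, and the function names are hypothetical.

```python
import ipaddress
import re

PASV_RANGE = range(5000, 5050)  # passive data ports 5000-5049, as mentioned in the thread

# Constructed sample replies, as a client log would show them (not real captures).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,19,136)",  # port 19*256+136 = 5000
    "227 Entering Passive Mode (203,0,113,10,4,1)",     # port 1025, outside the range
    "227 Entering Passive Mode (192,168,1,20,19,137)",  # internal address advertised
    "229 Entering Extended Passive Mode (|||5049|)",    # EPSV announces the port only
]

def parse_passive_reply(reply, control_ip):
    """Return (ip, port) announced by a 227 (PASV) or 229 (EPSV) reply."""
    m = re.match(r"227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError(f"malformed PASV reply: {reply!r}")
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = re.match(r"229 .*?\((.)\1\1(\d+)\1\)", reply)
    if m:
        # EPSV carries no address: the client reuses the control connection's IP.
        return control_ip, int(m.group(2))
    raise ValueError(f"not a passive-mode reply: {reply!r}")

def check_data_channel(reply, control_ip, allowed=PASV_RANGE):
    """List the reasons the data connection would fail; empty list means it fits."""
    ip, port = parse_passive_reply(reply, control_ip)
    problems = []
    if port not in allowed:
        problems.append(
            f"data port {port} is outside the opened range "
            f"{allowed.start}-{allowed.stop - 1}")
    if ip != control_ip:
        kind = "private" if ipaddress.ip_address(ip).is_private else "different"
        problems.append(
            f"server advertises {kind} address {ip}, client connected to {control_ip}")
    return problems

def audit(replies, control_ip):
    """Map each reply line to its list of problems."""
    return {r: check_data_channel(r, control_ip) for r in replies}

if __name__ == "__main__":
    for reply, problems in audit(SAMPLE_REPLIES, "203.0.113.10").items():
        print(reply, "->", problems or "ok")
```

A non-empty result for a reply means either the server's passive range setting does not match what the firewall allows, or the server is announcing an address the client cannot reach.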
SOLUTION
ASKER
Thank you both for your input!