absong

asked on

FTPS over Sonicwall

My company has an FTP server behind our Sonicwall firewall (Pro 1260), allowing our clients to FTP using passive mode. It seems to work fine when the client connect using regular FTP. However, when clients try to connect using FTP over SSL (FTPS), their connection gets refused. Is there anything wrong with my settings?

Firewall: Sonicwall Pro 1260
FTP Server: FileZilla Server 0.9.22 beta
jasonpaine

Tools > Internet Options > Advanced > check Use Passive FTP.
absong

ASKER

Does that work for FTPS too? Our firewall already allows passive FTP. It's the SSL that's not working.
Create a service object in Firewall > Services covering the TCP port range configured for data transfers on the FTP server.
Create a WAN to LAN rule in Firewall > Access Rules allowing the new service inbound to the firewall's WAN Primary IP.
Create an inbound NAT policy translating the destination from the WAN Primary IP to the LAN address of the specific computer that will initiate the FTP sessions.
rhinoceros
Have you opened the correct ports for FTPS services?

ftps-data      989/tcp                        # FTP over SSL (data)
ftps      990/tcp                        # FTP over SSL
OR

View the SonicWall log to look for any traffic or port that has been dropped for the FTPS connection.
absong

ASKER

Sorry for the late reply, was out for the holidays. Happy New Year, btw.
I opened up all the ports for the FTP server, and that still does not work. It's still refusing connection.

Command:      PASV
Response:      227 Entering Passive Mode (xxx,xx,xxx,xxx,4,13)
Command:      LIST
Response:      425 Can't open data connection.
Error:      Could not retrieve directory listing
Status:      Disconnected from server

> View the SonicWall log to look for any traffic or port that has been dropped for the FTPS connection.
I checked the log earlier, and sometimes it would report TCP packet drop on the FTP server (but sometimes it won't report anything). I'll have to write down the log entries later.

Do you think SonicWall is dropping the packets because the content is encrypted, and SonicWall does not understand it, therefore discarding it as an intrusion?
ASKER CERTIFIED SOLUTION
jasonpaine

SOLUTION
One more thing: what kind of FTP server do you have? Does your FTP server support PASV mode? Do you need to switch to "PASV" mode in your FTP tools?
 
More info:
Why PASV Poses Problems for Firewalls
http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html#PASVFirewallProblems
absong

ASKER

These sound like good ideas. I'll test this from home tonight. And let you guys know.
absong

ASKER

Hi, I tried the suggestions mentioned earlier. I unchecked FTP bounce attack protection and disabled Intrusion Prevention (it was not enabled in the first place), and I am still having problems with the connection. Here are the log entries I found:

When using implicit connection on port 990:
Priority: Notice
Category: Network Access
Message: TCP connection dropped
Source: 129.44.18x.xxx, 3870, WAN (admin)
Dest: 129.44.16x.xxx, 990, WAN
Notes: TCP FTPS

When using explicit connection on port 21:
Priority:Notice
Category: Network Access
Message: TCP connection dropped
Source: 129.44.18x.xxx, 3694, WAN (admin)
Dest: 129.44.16x.xxx, 4399, WAN
Notes: TCP iMesh


It works fine if I try to connect using non-SSL FTP.
And FTP over SSL works outside of the firewall.
absong

ASKER

rhinoceros:

If I understand the article correctly, FTPS should work if I open up the appropriate ports on the FTP server.
Under Access Rules, WAN > FTP server, I set server to "Any". This does not seem to help either.
If set "Any"  (WAN > FTP server), I must not run this service...

No one will set it up without security, right?

Priority: Notice
Category: Network Access
Message: TCP connection dropped
Source: 129.44.18x.xxx, 3870, WAN (admin)
Dest: 129.44.16x.xxx, 990, WAN
Notes: TCP FTPS


How about your Access Rules (WAN > WAN) ?
e.g. Any 129.44.16x.xxx Any Allow All
absong

ASKER

>If set "Any"  (WAN > FTP server), I must not run this service...

>No one will set it up without security, right?

Well, I set it to "Any" for testing purposes.
absong

ASKER

> How about your Access Rules (WAN > WAN) ?
> e.g. Any 129.44.16x.xxx Any Allow All

Good question. Hmm, the Dest address should have been translated into 192.168.100.xxx, I wonder why that did not happen.
But the log might be recording the untranslated address though. I have to dig some more on this.
absong

ASKER

My apologies for not being responsive enough. I'll have to pick this up later. Points are awarded based on some of the good ideas suggested. Thanks.
I had the same issue but I got it to work today. This is what I found...

Because FTP utilizes a dynamic secondary port (for data channels), many firewalls were designed to snoop FTP protocol control messages in order to determine what secondary data connections they need to allow. However, if the FTP control connection is encrypted using TLS/SSL, the firewall cannot determine the TCP port number of a data connection negotiated between the client and FTP server.

Therefore, in many firewalled networks, an FTPS deployment will fail when an unencrypted FTP deployment will work, but this problem can be solved with the use of a limited range of ports for data and configuring the firewall to open these (TCP) ports.

On the Firewall (I am using a Sonicwall Pro 2040)
From the Firewall > Services page, create a new service with a port range for your passive FTP connection. Example: "FTP (Passive Range)" = TCP ports 1024-1030. If you have already created a custom service group (Example: "My WAN Services") that allows the types of access you want and made the appropriate entries with that group on the Firewall > Access Rules page, simply add the new service to that group and you are done. Otherwise, it is probably easiest to run the Public Server Wizard.

On the FTP Server (I am using WS_FTP Server):
From the top menu, select Host > Host Settings > Firewall Settings. The Firewall - Passive Connection Settings page opens. Enter the same port range in the “Port/Port Range” field as you did on the firewall. ("1024-1030") Under my installation, I left the “IP address” field blank. (If you specify a port or port range and not an IP address, the server will use its own IP address and only the specified ports.)

I know this is an old post, but it didn't look like there was a final solution. I hope this helps.
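A small check that illustrates the point made above (added example code, not from the thread or from SonicWall, FileZilla or WS_FTP): it parses the 227 reply the asker pasted, computes the data port (4,13 gives 4*256+13 = 1037) and compares it with the passive range the firewall service object opens, which for the 1024-1030 range used as an example in the post would not match. The `check_ftps_passive` function assumes a hypothetical host, user and password and an explicit-TLS server on port 21.

```python
import re
from ftplib import FTP_TLS

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) announced by a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_port_allowed(port: int, passive_range: tuple[int, int]) -> bool:
    """True if the negotiated data port lies inside the range the firewall
    service object opens (e.g. TCP 1024-1030 in the post above). The FTP
    server's passive range must be configured to the same values."""
    lo, hi = passive_range
    return lo <= port <= hi


def check_ftps_passive(host, user, password, passive_range, timeout=10):
    """Explicit FTPS (AUTH TLS on port 21): negotiate PASV over the encrypted
    control channel and report whether the announced data port is within the
    firewall's allowed range. Only the client sees this 227 reply; the
    firewall's FTP inspection cannot read it, so it can't open the port
    dynamically the way it does for cleartext FTP."""
    ftps = FTP_TLS(timeout=timeout)
    ftps.connect(host, 21)
    ftps.login(user, password)   # ftplib issues AUTH TLS before USER/PASS
    ftps.prot_p()                # PROT P: encrypt the data channel as well
    reply = ftps.sendcmd("PASV")  # raw reply text, e.g. "227 Entering ..."
    ip, port = parse_pasv(reply)
    ftps.quit()
    return ip, port, data_port_allowed(port, passive_range)


if __name__ == "__main__":
    # Constructed sample mirroring the asker's log (address is a doc range).
    sample = "227 Entering Passive Mode (192,0,2,10,4,13)"
    ip, port = parse_pasv(sample)
    print(ip, port, data_port_allowed(port, (1024, 1030)))
```

If the reported port falls outside the opened range, the 425 "Can't open data connection" seen in the thread is the expected symptom.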