Solved

Cannot connect to FTP sites requiring a login and password

Posted on 2004-09-11
Last Modified: 2010-04-19
All clients are getting an error 521 when trying to log in to any FTP site on the internet that requires a password.

I am running a single Windows Server 2003 with:
DHCP
DNS
Routing and remote access
NAT
Basic firewall on the internet side

The ftp software is returning the private ip address 192.168......

It seems I'm missing something basic in my configuration of Routing and remote access.
Is there not a simple method to ensure ip addresses are converted from private to public when sent out to the internet
and converted back to the appropriate private ip address on return?

Thanks!
Goodj
Question by:goodj
8 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 12056731
>>Basic firewall on the internet side

OK, how is it set up? Is it optimised for active or passive FTP?

Passive and Active FTP

There are two types of FTP (File Transfer Protocol): Active and Passive.

Active FTP

Pros (good for network administrators)
Cons (not so good for the client)

The FTP server will try and make a connection on a lot of high port numbers (these could well be blocked on the client-side firewall).


Passive FTP

Pros (good for the client)
Cons (Not good for the network administrators)

The client makes the connection to the FTP server, and one will be a high port number that will almost certainly be blocked by the network firewall (server side).


Solution

To strike a happy medium, administrators can make their FTP servers available to many clients by supporting passive FTP. Reserving a range of port numbers does this; in this way all other ports can be firewalled, thus decreasing the security risk.

Luckily, there is somewhat of a compromise. Since administrators running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. Specifying a limited port range for the FTP server to use can minimize the exposure of high-level ports on the server. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously. See Appendix 1 for more information.

*****Links*****
http://slacksite.com/other/ftp.html
http://www.cisco.com/en/US/about/ac123/ac147/ac174/ac199/about_cisco_ipj_archive_article09186a00800c85a7.html

*********Also*************

Are your clients accessing FTP sites through their browser? If so, do you have a proxy server?
0
 
LVL 10

Expert Comment

by:jhautani
ID: 12059319
As you are running RRAS and NAT you have a multihomed server. If possible configure your FTP software to listen to only the internet side IP.
Or configure your NAT to forward FTP from internet to the server's private address.

hope this helps
0
 
LVL 4

Expert Comment

by:sloopeth
ID: 12063730
Stupid answer, please ignore if inappropriate - is this machine an SBS or domain controller? If so, try domain\username for the FTP site username - I saw this on a similar post with the same problem.
0

 

Author Comment

by:goodj
ID: 12101159
Thanks for all your input.  Wound up on the phone with Microsoft on this one for over 9 hours.  They discovered that this is actually a bug in Windows Server 2003 with NAT on a multi-homed DC.  The fix is going to be included in SP1.
I disabled NAT, Routing and Remote Access & the 2nd NIC on the server.  Set up NAT on my firewall instead.  All is now working.
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 13795723
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 13899389
Mods - I had trouble with this one. I suggested PAQ/No Refund as the asker has answered himself, but has not requested a closure in the CS forum, despite a hint to a fortnight ago.
0
 

Accepted Solution

by:
PAQ_Man earned 0 total points
ID: 13932588
PAQed with points refunded (500)

PAQ_Man
Community Support Moderator
0
