Solved

FTP connection problems

Posted on 2004-09-15
Last Modified: 2013-12-04
Hello Everybody,
I am running Windows 2003 Server with IIS 6.0 installed. I recently enabled TCP/IP filtering on the server and have kept open only the commonly used ports like 20, 21, 80, etc. Now the problem that I am facing is that whenever somebody tries to connect to the FTP using Passive mode, the user does not get the directory or file listing. When the user switches to PORT mode, he is able to connect. Is there any way to allow passive mode without disturbing the existing settings?

Awaiting an early reply.

Thanks

Regards

Hiren Shah
Question by:HirenhShah
Expert Comment

by:LimeSMJ
ID: 12072681
Your problem may lie in your TCP/IP filtering.  

Assuming you are using the default FTP port of 21...  When the client tries to initiate a PASV command, the server may assign a data transmission port (random) that your TCP filter is blocking.... therefore the client will make the control channel connection (on port 21) but then not receive anything on the data channel since your filtering is blocking the server from transmitting.  This would explain why when your client uses the PORT command (instead of PASV), it works - since the control channel (port 21) and the data channel (port 20) are not being blocked by the filter.

The TCP/IP filtering security you have implemented is a double-edged sword for PASV FTP.  You may be able to assign a static port for PASV transfers in IIS but that would be the same as running the client in PORT mode... static control and data channels.  In addition, by default IIS 6 uses ports 1024-5000 for PASV port assignment so by opening those ports up in TCP/IP filtering it will work - but then having all those ports open kinda defeats the purpose of TCP/IP filtering anyways.

If you have a small number of users, you may open up just a few high ports for PASV requests (like 1024-1030).  You'd need to open those ports in TCP/IP filtering and set up IIS to use that range.... http://www.microsoft.com/resources/documentation/IIS/6/all/techref/en-us/iisRG_CFG_18.mspx
Author Comment

by:HirenhShah
ID: 12081610
Hello,
Well, I have understood that unless I keep the port range 1024-5000 open for outside connections, nobody can connect to the FTP in PASV mode. However, I am not very keen to keep these ports open. Can you suggest what the best way is, i.e., should I keep the ports open or closed?

Thanks

Regards

Hiren Shah
Accepted Solution

by:
LimeSMJ earned 200 total points
ID: 12083437
Well with TCP/IP filtering (instead of using a firewall), I wouldn't leave all those ports available for external connections.  But if you really need your users to have PASV FTP, you can limit IIS to use only a certain amount of ports for PASV connections.

...If you have a small number of users, you may open up just a few high ports for PASV requests (like 1024-1030).  You'd need to open those ports in TCP/IP filtering and set up IIS to use that range.... http://www.microsoft.com/resources/documentation/IIS/6/all/techref/en-us/iisRG_CFG_18.mspx ...

Like I showed in my previous post... you can open up as few or as many ports for IIS as you like - in my example, you can open up ports 1024-1030 in TCP/IP filtering and then restrict IIS to use only those ports (follow the link posted and read the instructions on how to restrict IIS ports).  This way only 6 people can use PASV at a time but you won't have to leave 4000 ports open to the outside.
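A diagnostic for the mismatch discussed in this thread, added here as an example and not part of the original posts: it decodes the data port the server advertises in its `227` PASV reply and checks it against the ports the TCP/IP filter leaves open. The function names, the sample replies and the `192.0.2.10` address are constructed for illustration; the port lists come from the question and the accepted answer.

```python
import re

# Ports left open in TCP/IP filtering per the question, and the same list
# with the example passive range 1024-1030 from the accepted answer added.
FILTER_BEFORE = [(20, 21), (80, 80)]
FILTER_AFTER = FILTER_BEFORE + [(1024, 1030)]

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (host, port) from a 227 reply; RFC 959 encodes port as p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]

def port_allowed(port, ranges):
    """True if the inbound filter admits this TCP port."""
    return any(lo <= port <= hi for lo, hi in ranges)

def audit(replies, ranges):
    """For each 227 reply, report (data_port, reachable_through_filter)."""
    results = []
    for reply in replies:
        _, port = parse_pasv(reply)
        results.append((port, port_allowed(port, ranges)))
    return results

# Constructed sample replies (not captured from a real server).
SAMPLE = [
    "227 Entering Passive Mode (192,0,2,10,4,2)",    # 4*256 + 2  = 1026
    "227 Entering Passive Mode (192,0,2,10,12,53)",  # 12*256 + 53 = 3125
]

if __name__ == "__main__":
    for label, ranges in (("before", FILTER_BEFORE), ("after", FILTER_AFTER)):
        for port, ok in audit(SAMPLE, ranges):
            print(label, port, "reachable" if ok else "BLOCKED by filter")
```

A port that is still blocked after the range is opened in the filter means the FTP service is advertising ports outside that range, so the filter and the service's passive range have to be configured to match.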