Solved

FTP connection problems

Posted on 2004-09-15
Last Modified: 2013-12-04
Hello Everybody,

I am running Windows 2003 Server with IIS 6.0 installed. I recently enabled TCP/IP filtering on the server and have kept open only the commonly used ports like 20, 21, 80, etc. Now the problem that I am facing is that whenever somebody tries to connect to the FTP using Passive mode, the user does not get the directory or file listing. When the user switches to PORT mode, he is able to connect. Is there any way to allow passive mode without disturbing the existing settings?

Awaiting an early reply.

Thanks

Regards

Hiren Shah
Question by:HirenhShah
LVL 7

Expert Comment

by:LimeSMJ
ID: 12072681
Your problem may lie in your TCP/IP filtering.  

Assuming you are using the default FTP port of 21...  When the client tries to initiate a PASV command, the server may assign a data transmission port (random) that your TCP filter is blocking.... therefore the client will make the control channel connection (on port 21) but then not receive anything on the data channel since your filtering is blocking the server from transmitting.  This would explain why when your client uses the PORT command (instead of PASV), it works - since the control channel (port 21) and the data channel (port 20) are not being blocked by the filter.

The TCP/IP filtering security you have implemented is a double-edged sword for PASV FTP.  You may be able to assign a static port for PASV transfers in IIS but that would be the same as running the client in PORT mode... static control and data channels.  In addition, by default IIS 6 uses ports 1024-5000 for PASV port assignment so by opening those ports up in TCP/IP filtering it will work - but then having all those ports open kinda defeats the purpose of TCP/IP filtering anyways.

If you have a small number of users, you may open up just a few high ports for PASV requests (like 1024-1030).  You'd need to open those ports in TCP/IP filtering and set up IIS to use that range.... http://www.microsoft.com/resources/documentation/IIS/6/all/techref/en-us/iisRG_CFG_18.mspx

Author Comment

by:HirenhShah
ID: 12081610
Hello,

Well, I have understood that unless I keep the port range 1024-5000 open for outside connections, nobody can connect to the FTP in PASV mode. However, I am not very keen to keep these ports open. Can you suggest what the best way is, i.e., should I keep the ports open or closed?

Thanks

Regards

Hiren Shah
LVL 7

Accepted Solution

by:
LimeSMJ earned 200 total points
ID: 12083437
Well, with TCP/IP filtering (instead of using a firewall), I wouldn't leave all those ports available for external connections.  But if you really need your users to have PASV FTP, you can limit IIS to use only a certain number of ports for PASV connections.

...If you have a small number of users, you may open up just a few high ports for PASV requests (like 1024-1030).  You'd need to open those ports in TCP/IP filtering and set up IIS to use that range.... http://www.microsoft.com/resources/documentation/IIS/6/all/techref/en-us/iisRG_CFG_18.mspx ...

Like I showed in my previous post... you can open up as few or as many ports as you want for IIS - in my example, you can open up ports 1024-1030 in TCP/IP filtering and then restrict IIS to use only those ports (follow the link posted and read the instructions on how to restrict IIS ports).  This way only 6 people can use PASV at a time but you won't have to leave 4000 ports open to the outside.
0
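The failure discussed in this thread can be checked offline with the following added example, which is not part of the original posts: it parses an FTP `227` PASV reply, derives the data port the server chose, and compares it and the whole passive range against the inbound filter list. The sample reply address and the filter list are constructed; the port ranges are the ones quoted in the answers above.

```python
import re

# Constructed sample configuration (assumption, mirrors the thread's description).
FILTER_ALLOWED = [(20, 21), (80, 80)]   # ports left open in TCP/IP filtering
IIS_DEFAULT_PASV = (1024, 5000)         # default IIS 6 PASV range quoted above
RESTRICTED_PASV = (1024, 1030)          # narrowed range suggested above

_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv_reply(line):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply")
    # The data port is encoded as two bytes: p1 * 256 + p2.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def port_allowed(port, allowed):
    """True if the inbound filter permits this TCP port."""
    return any(lo <= port <= hi for lo, hi in allowed)

def blocked_pasv_ports(pasv_range, allowed):
    """Ports the server may hand out for PASV that the filter would drop."""
    lo, hi = pasv_range
    return [p for p in range(lo, hi + 1) if not port_allowed(p, allowed)]

def check_reply(line, allowed):
    """Return (data_port, reachable) for one PASV reply against the filter."""
    _ip, port = parse_pasv_reply(line)
    return port, port_allowed(port, allowed)

if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,0,2,10,4,3)"  # constructed sample
    print(check_reply(reply, FILTER_ALLOWED))
    print(len(blocked_pasv_ports(IIS_DEFAULT_PASV, FILTER_ALLOWED)), "PASV ports blocked")
    print(blocked_pasv_ports(RESTRICTED_PASV, FILTER_ALLOWED + [RESTRICTED_PASV]))
```

An empty list from `blocked_pasv_ports` means the filter and the server's passive range agree, which is the state the accepted answer aims for.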
