[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

FTP connection problems

Posted on 2004-09-15
6
Medium Priority
?
163 Views
Last Modified: 2013-12-04
Hello Everybody,
                          I am running windows 2003 server with IIS 6.0 installed. I recently enabled TCP/IP filtering on the server and have kept open only the commonly used ports like 20,21,80, etc. Now the problem that I am facing is that whenever somebody tries to connect to the FTP using the Passive mode, then the user does not get the directory or file listing. When the user switches to PORT mode, then he is able to connect. Is there any way to allow passive mode without disturbing the existing settings.

Awaiting an early reply.

Thanks

Regards

Hiren Shah
0
Comment
Question by:HirenhShah
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
6 Comments
 
LVL 7

Expert Comment

by:LimeSMJ
ID: 12072681
Your problem may lie in your TCP/IP filtering.  

Assuming you are using the default FTP port of 21...  When the client tries to initiate a PASV command, the server may assign a data transmission port (random) that your TCP filter is blocking.... therefore the client will make the control channel connection (on port 21) but then not receive anything on the data channel since your filtering is blocking the server from transmitting.  This would explain why when your client uses the PORT command (instead of PASV), it works - since the control channel (port 21) and the data channel (port 20) are not being blocked by the filter.

The TCP/IP filtering security you have implemented is a double-edged sword for PASV FTP.  You may be able to assign a static port for PASV transfers in IIS but that would be that same as running the client in PORT mode... static control and data channels.  In addition, by default IIS 6 uses ports 1024-5000 for PASV port assignment so by opening those ports up in TCP/IP filtering it will work - but then having all those ports open kinda defeats the purpose of TCP/IP filtering anyways.

If you have a small number of users, you may open up just a few high ports for PASV requests (like 1024-1030).  You'd need to open those ports in TCP/IP filtering and setup IIS to use that range.... http://www.microsoft.com/resources/documentation/IIS/6/all/techref/en-us/iisRG_CFG_18.mspx
0
 

Author Comment

by:HirenhShah
ID: 12081610
Hello,
           Well I have understood that unless I keep the port range 1024-5000 open for outside connections, nobody can connect to the FTP in PASV mode. However I am not very keen to keep these ports open. Can you suggest me what is the best way, i.e., should I keep the ports open or closed ?

Thanks

Regards

Hiren Shah
0
 
LVL 7

Accepted Solution

by:
LimeSMJ earned 800 total points
ID: 12083437
Well with TCP/IP filtering (instead of using a firewall), I wouldn't leave all those ports available for external connections.  But if you really need your users to have PASV FTP, you can limit IIS to use only a certain amount of ports for PASV connections.

...If you have a small number of users, you may open up just a few high ports for PASV requests (like 1024-1030).  You'd need to open those ports in TCP/IP filtering and setup IIS to use that range.... http://www.microsoft.com/resources/documentation/IIS/6/all/techref/en-us/iisRG_CFG_18.mspx ...

Like I showed in my previous post... you can open up as little or more ports up for IIS - in my example, you can open up ports 1024-1030 in TCP/IP filtering and then restrict IIS to use only those ports (follow the link posted and read the instructions on how to restrict IIS ports).  This way only 6 people can use PASV at a time but you won't have to leave 4000 ports open to the outside.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question