FTP - Connections Problems

Hope you can help.  I'm using a sonicwall tz170 firewall.  Here goes:

I had FTP problems with 3 customers.  Basically they were unable to complete the data connection into our FTP server, the connection just locked up.  I tried all sorts including opening up our firewall for high-ports, ftp ports 20 & 21 for their specific FTP public IP addresses.  This still didn't resolve the issue.

I found a setting in the firewall which "Forces Inbound & Outbound FTP traffic to default to Port 20".  This then resolved the above problem for these 3 customers.

However, this has had a knock-on effect with a different customer, where we send the file across into their FTP site, via an automated batch file.  The same is now happening here, the data connection is locking up for me.  I'm fairly confident removing the setting "Forces Inbound & Outbound FTP traffic to default to Port 20" will remove this problem.

We are in the same boat as this customer, where they don't want to change things that will affect other customers, and I'm the same here.  Plus from a security point of view, with all these back door threats\trojans, I'm very reluctant to continue to leave a server open for high-ports.

Does anyone have any suggestions?  I'm thinking of upgrading to the SonicOS enhanced edition, if this will give me more options with ftp?

Pete Long, Technical Consultant, commented:
Sounds like some clients are connecting actively and some are connecting passively.

Passive and Active FTP

There are two types of FTP (File Transfer Protocol): Active and Passive.

Active FTP

Pros (good for network administrators)
Cons (not so good for the client)

The FTP server will try and make a connection on a lot of high port numbers (these could well be blocked on the client's side firewall).

Passive FTP

Pros (good for the client)
Cons (Not good for the network administrators)

The client makes the connection to the FTP server, and one connection will be to a high port number that will almost certainly be blocked by the network firewall (server side).


To strike a happy medium, administrators can make their FTP servers available to many clients by supporting passive FTP; reserving a range of port numbers does this. In this way all other ports can be firewalled, thus decreasing the security risk.

Luckily, there is somewhat of a compromise. Since administrators running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. Specifying a limited port range for the FTP server to use can minimize the exposure of high-level ports on the server. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously. See Appendix 1 for more information.


stevendunne (Author) commented:
I spoke to the network admin at the other end and his ftp is "active".

Am I causing all the problems by enabling "Forces Inbound & Outbound FTP traffic to default to Port 20"?

If the other side enables passive ftp, will I have a problem as I have this "Forces Inbound & Outbound FTP traffic to default to Port 20" setting in place?

Finally, how do I check if my ftp is passive\active and how could I change?
Pete Long, Technical Consultant, commented:
>>Finally, how do I check if my ftp is passive\active and how could I change ?

If you're passive you will have a lot of high (above 1024) ports open on the firewall.
If you want to avoid opening a boatload of high ports on your server, you could probably force passive FTP to use a specific port (the server normally just picks a random port and tells the client to initiate the data connection with that).

For IIS the following article might be useful to you: http://support.microsoft.com/?kbid=810639.

You'd then just need to open the port that you chose on the firewall.

Most ftp clients can connect in passive mode by issuing a literal command: PASV (that'll put the FTP server in passive mode).

I hope that helps.
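The two answers above come down to one question: for each data transfer, which side opens the data connection and to which port, because that decides which firewall has to allow an inbound high port. The script below is an added example (not from the thread, not SonicWall or IIS code) that reads a constructed FTP control-channel capture, decodes the PORT command (active) and the 227 PASV reply (passive) into an address and port, reports which side's firewall is exposed, and flags passive data ports that fall outside an assumed permitted range (50000-50100, a placeholder for whatever range you reserve on the server). The sample lines and the range are constructed for this example.

```python
import re

# Constructed control-channel capture (C: client -> server, S: server -> client).
SAMPLE_CONTROL_LOG = [
    "C: PORT 192,168,10,25,4,1",                            # active: server must connect back to client 192.168.10.25:1025
    "S: 200 PORT command successful.",
    "C: PASV",
    "S: 227 Entering Passive Mode (203,0,113,10,195,80).",  # passive: client connects to server 203.0.113.10:50000
    "C: PASV",
    "S: 227 Entering Passive Mode (203,0,113,10,4,1).",     # passive: data port 1025, outside the reserved range
]

# Assumed server-side passive port range that the firewall permits (placeholder values).
PASSIVE_RANGE = (50000, 50100)

PORT_RE = re.compile(r"^C:\s*PORT\s+([\d,]+)\s*$", re.IGNORECASE)
PASV_REPLY_RE = re.compile(r"^S:\s*227\b.*?\(([\d,]+)\)", re.IGNORECASE)


def decode_host_port(fields):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and the 227 reply into (ip, port).

    The port is transmitted as two bytes: port = p1 * 256 + p2.
    """
    nums = [int(x) for x in fields]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError(f"malformed host/port tuple: {fields}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def classify_data_connections(lines, passive_range=PASSIVE_RANGE):
    """Return one record per data connection the control channel sets up.

    Active (PORT): the server opens the data connection from port 20 to the client.
    Passive (227): the client opens the data connection to the server's announced port.
    """
    events = []
    lo, hi = passive_range
    for line in lines:
        m = PORT_RE.match(line)
        if m:
            host, port = decode_host_port(m.group(1).split(","))
            events.append({"mode": "active", "to": (host, port), "in_allowed_range": None})
            continue
        m = PASV_REPLY_RE.match(line)
        if m:
            host, port = decode_host_port(m.group(1).split(","))
            events.append({"mode": "passive", "to": (host, port),
                           "in_allowed_range": lo <= port <= hi})
    return events


def firewall_exposure(event):
    """Say which firewall must permit the inbound data connection for this event."""
    host, port = event["to"]
    if event["mode"] == "active":
        return f"client-side firewall must allow inbound TCP from server port 20 to {host}:{port}"
    note = "" if event["in_allowed_range"] else " (outside reserved passive range)"
    return f"server-side firewall must allow inbound TCP to {host}:{port}{note}"


if __name__ == "__main__":
    for ev in classify_data_connections(SAMPLE_CONTROL_LOG):
        print(ev["mode"], "->", firewall_exposure(ev))
```

Run against a real capture of your own control channel (port 21 traffic is plain text unless FTPS is in use) and the output tells you, per transfer, whether the lock-up is on the customer's side (active, they must accept a connection from your port 20) or on yours (passive, your firewall must accept the announced port). Passive ports reported outside the reserved range are the ones a narrow server-side firewall rule would drop, which is the "limited port range" fix from the first answer.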