technicaexpert

FTP server cannot always establish connection with client from outside network (Internet)

An FTP server I have recently configured using IIS 5 (W2K Server) is very spotty when connecting from the Internet. Inside of my network the server works perfectly from a browser or a command prompt. However, when attempting to connect from the Internet, in a browser I receive "FTP Folder error. The connection to the server was reset." When attempting to connect from a command prompt, I receive "Connected to (server name). Connection closed by remote host". My firewall is configured properly to allow FTP traffic to the private address for the server and to one-to-one NAT the public address to the private address. However, my FTP site is not accessible. What is really baffling me is that continuous retries from the browser will eventually allow access. The same with the command prompt. It doesn't work all the time, but it does work sometimes.

Please Help!!! I am stumped!
purplepomegranite

What is the router on your network?  And what connection do you use when testing the site externally?
technicaexpert

ASKER

SonicWALL SOHO3 firewall with a BellSouth Cisco router. External tests are performed from my office and from my home.
Can you temporarily remove your firewall, give your Windows server a public static IP and try it from the Internet? Just want to see if the firewall is in the way.
No, sorry, but this business depends on having the firewall active for VPN clients.
Okay, can you put your FTP server in parallel with your firewall and temporarily give it a public IP address? Also, does this Windows server serve anything else, or just FTP?
Have you set up rules on your firewall to route both FTP ports (20 and 21) to your server?
This Windows server also serves Exchange 2003 and acts as a print server. Putting the server in parallel with the firewall would require me to pull wires because of how my infrastructure is set up. The router is quite some distance away from the cables coming from my server.
I have only routed port 21 to my server, but I will also route port 20 for troubleshooting purposes.
Routing ports 20 and 21 to my server did not resolve the issue.
It also depends on whether your firewall supports passive FTP, since a connection has to be made from your FTP server to the Internet client (active mode).
Port 20 is the FTP data port, 21 is the FTP control port - this is why both ports should be open.  Having said this, port 20 is opened by the server (in response to the PORT command) not the client, so you shouldn't need a firewall rule for it.  Sometimes worth a double-check though.

Have you checked your event logs (application, system) for any events at the time you connect to the FTP server externally?
What you could do as a test would be to set your server up as the DMZ on the router.  This would forward ALL traffic to the server (no need for the port forward rules).  Obviously this only wants to be done as a short test to check whether it resolves the problem.  If it does, then it is definitely something on the firewall causing the problem... if not, then it is more likely to be the server that is the cause of the problem.
ASKER CERTIFIED SOLUTION
purplepomegranite
This solution is only available to members.
Whenever you use the ftp command from a command prompt, isn't that using active FTP? If so, the problem persists even while using active FTP. However, I have also read the article that was suggested and the problem persists.
Hi technicaexpert:
The URL below explains MS IIS FTP server in detail:
http://support.microsoft.com/?id=555022
Bottom line: Active or Passive is determined (chosen) by the client, not the server.
1) Active mode: the client requests that the FTP server, from TCP port 20, make a connection back to the client on a specific port specified by the "port" command.
This configuration requires fewer open ports on the FTP server, but requires the server to connect back to the client. This may cause problems on the client side: nowadays, most users are sitting behind some sort of firewall, and if that firewall can't understand or track the FTP request well, it will simply block the incoming connection, which in this case is the connection from the FTP server to the client.
2) Passive mode: the client requests that the FTP server give one of its data ports back to the client, and then the client makes another connection to the server's data port.
This configuration requires more ports open on the FTP server. As you can see, both connections are made from client to server, so it has fewer requirements on the client side. Most FTP on the Internet operates this way.

>>Whenever you use the ftp command from a command prompt, isn't that using active FTP? If so, the problem persists even while using active FTP. However, I have also read the article that was suggested and the problem persists.
What FTP client are you using? If it's the MS command-line FTP, yes, it's always active mode. Does this client sit behind a firewall? If yes, does it support stateful firewall? Or can you try FTP to your server from a PC that is directly connected to the Internet? I think the persisting problem is not on your FTP server; it is on your client side.
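
The active/passive distinction described in the post above, shown as it appears on the control channel. This is an added example, not part of the original thread: in both modes the data endpoint is sent as six decimal bytes, which is what a NAT firewall has to understand and rewrite. The function names, sample lines and addresses are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 host-port argument: h1,h2,h3,h4,p1,p2 as decimal bytes.
_HOSTPORT = re.compile(r"(\d{1,3})," * 5 + r"(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply, else None."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def diagnose(line, peer_ip):
    """Describe the data connection a control-channel line sets up."""
    # peer_ip: address the other end sees on the control connection.
    parsed = parse_hostport(line)
    if parsed is None:
        return None
    ip, port = parsed
    active = line.upper().startswith("PORT ")
    return {
        "mode": "active" if active else "passive",
        # Active: server dials the client. Passive: client dials the server.
        "data_connection": "server -> client" if active else "client -> server",
        "endpoint": f"{ip}:{port}",
        # Private or mismatched address: an FTP-aware NAT must rewrite it.
        "needs_nat_rewrite": any(ip in net for net in RFC1918)
        or ip != ipaddress.ip_address(peer_ip),
    }


# Constructed control-channel lines (private and documentation addresses).
SAMPLES = [
    ("PORT 192,168,1,50,19,137", "203.0.113.7"),
    ("227 Entering Passive Mode (10,0,0,5,4,1)", "198.51.100.20"),
    ("227 Entering Passive Mode (198,51,100,20,195,80)", "198.51.100.20"),
]
for sample, peer in SAMPLES:
    print(sample, "->", diagnose(sample, peer))
```

A line flagged `needs_nat_rewrite` only works end to end if the firewall in the path inspects FTP and substitutes the public address.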
Did you try the DMZ approach? (Specify your server IP as the DMZ on your router).
Try lowering the MTU to 1492 from 1500 at the location having this issue (home??? when you mean Internet???).

Any connection that uses PPPoE has these issues with FTP - usually a sign of outdated firmware in a cheap home router (Linksys, Netgear...).
Firmware upgrade on the firewall resolved the issue.

Thank you all very much for your help!!!