FTP works internally but not externally - Retrieve of folder listing failed

Posted on 2006-05-04
Last Modified: 2007-12-19
I have searched your database and found this issue across many different categories and operating systems but with no solutions. I am running Win2K3 and IIS FTP. I have a DLINK DI-624M Router. I have tried the WS-FTP client, command line FTP, and IE 6.0 but all give the same response. I can connect via user/pwd to the FTP site using the internal IP or internal machine name of the FTP server, but not via the external IP or DNS. I have tried Passive mode on WS-FTP client. I have opened up Ports 20, 21, and even ranges 3800-3900 to allow the passive data response in the DLINK router but nothing seems to work. I have even enabled the server to be on the DMZ via the DLINK router but it still doesn't work. My FTP site is completely inaccessible now from the outside. It seems to be a router / firewall issue but I do not know how to resolve it. Your expert assistance is needed.
Question by:getzeroedin
    LVL 19

    Expert Comment

    Is the Win2k3 server a Domain Controller?  I have a non-DC server working ok in this role, but a colleague who tried to set it up on a DC found lots of problems. It's probably a good idea to keep it off the DC anyway because of security.

    You say you think it is a router/firewall issue and you also say that you've "opened up ports 20 and 21", but please can you confirm your level of expertise on setting up the D-Link firewall/router. There are several places in the setup pages that you can "open" ports. The one you would need is the Virtual Servers page which is in the Advanced section.
    LVL 15

    Expert Comment

    Is this what you followed?

    I would think if it works internally, that the router is not forwarding for you.  You never did say if your Win2K3 server had a real live internet IP or an internal use IP like 192.168.1.x.  

    Make sure you forward ports 20, 21 from the WAN to the LAN, choosing the destination IP as the IP address of your Win2K3 server.

    Also check the event viewer on the w2K3 station and IIS log file for log-in related errors.  If you are reaching the server, you'll get log entries (whether it works or not).


    Author Comment

    Yes, the Win2k3 server is a domain controller.  It is the only server I have on the network.  Do I have another choice for domain controller? On the router, I am using the Virtual Server area under Advanced to identify the FTP ports.  There is also an area, Firewall, under Advanced, where I can open up ports and although I've tried opening them there too, it still doesn't work.  I am by no means an expert on the router, but I'm not a novice either.  I used to have a DLink DI-524 and I had no problems under this same configuration.


    I did also follow the directions from doc but that did not work either.  The Win2K3 server has a real live Internet IP as well as the internal IP.  This is all that the log contains after WS_FTP says "Connection closed: Retrieve of folder listing failed":

    #Software: Microsoft Internet Information Services 6.0
    #Version: 1.0
    #Date: 2006-05-05 19:48:53
    #Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
    19:48:53 [93]USER GTU 331 0
    19:48:53 [93]PASS - 230 0

    Any thoughts?

    It does turn out that the client is actually connecting and I can transfer files to the FTP server, although they can not be listed or seen once they are transferred.  Transferring to the server is not what I need though.  I need customers to retrieve from the server, hence, they need to see the file listing.
    LVL 19

    Expert Comment

    > "Win2K3 server has a real live Internet IP as well as the internal IP"
    Do you mean that you have two network cards enabled on this server - one LAN and one Internet? That would complicate matters somewhat. I assumed your server was behind the D-Link firewall. The public IP address should only be on the WAN interface of the D-Link and your Win2k3 server should only have an internal IP address like 192.168.x.y.  The D-Link will have a local IP address on its LAN interface such as 192.168.x.z and that address should be set as the default gateway on the TCP/IP network settings for the server LAN interface. I'll assume that is what you have.

    If you can transfer files to the FTP site from outside the LAN then you are getting through the firewall.
    (If you can do this without giving a password then so can anyone - you must not allow anonymous access with write permission or you will soon attract unwelcome attention).

    I would guess that your problem lies in the security settings of the target folder. When you use anonymous access, it defaults to access rights of the user called Internet Guest Account (IUSR_Servername). This can be changed in the properties of the FTP site, but I am guessing you have the default settings.

    Try this: Use Windows Explorer to navigate to the folder that you have set as your main ftp root folder. Right click and select Properties. Now select the "Security" tab. Is that Internet Guest Account in the list of "group or user names"? If not you should add it. Now click the mouse on Internet Guest Account and look in the box below to see what their permissions are. One of those permissions is "List Folder Content" - make sure it's ticked. I strongly recommend that you do not tick permissions for Modify or Write. In fact I would set them to Deny for that user. You can also disable write permissions in the FTP site properties form in the IIS manager.

     Good luck.

    Author Comment

    No, sorry I misunderstood your question about two IP addresses.  I only have one internal IP address. The router is assigned to the other and the Virtual Server grants access to the services of the other.

    Re: FTP access w/o password - I did have to give a password so I am not allowing anonymous access.

    I will look at the security properties for the Internet Guest Account and report back.  Thanks.

    Author Comment

    This problem was being caused by my DLink DI-624 router.  Either I don't know how to configure it properly (although I tried) or there is a bug in the router software (probably) because when I switched the router back to my older DI-524 and configured it for FTP under Virtual Server it resolved the problem immediately.

    You can close the issue.  Thanks.

    Accepted Solution

    PAQed with points refunded (500)

    Community Support Moderator
