Solved

Unable to access FTP sites from 2000/XP clients, 98/ME can under same network same login.

Posted on 2006-07-06
Last Modified: 2013-11-30
This one really has me stumped.

I took over administering the network for this small business a couple of years ago.  They are trying to set up their website (located off-site) and need to FTP to the host server to upload the site content.  For some reason they are unable to FTP from any computer running 2000/XP.  They have an old computer running 98 or Me (can't remember) and it is able to FTP just fine.  This is not isolated to this particular site.  I have tried Dell's FTP site, Symantec's, and they have tried several others specific to the services they provide.  There are a few FTP sites that they can connect to using a 2000/XP machine, but most will not work except on 98/Me.

Network Topology:
Single server running Windows 2000 SBS.
Server is configured as router/firewall, running ISA 2000.
Two switches on the network.
Most machines running XP, a couple run 2000 and one runs 98/Me for old legacy app (RealWorld).

I have gone through ISA and made sure FTP is available for port 21 inbound and outbound.  XP firewall is turned off.  I have even tried going through GPOs to see if that is having an effect and couldn't find anything.  I tried searching some on Google, but couldn't find anything similar to what the users are experiencing.  The only thing I did find was from Microsoft and it didn't work:
To enable folder view for FTP sites, use the following steps:
1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Advanced tab, click to select the Enable folder view for FTP sites check box.

If you can figure this one out you deserve some points!
Question by:pyroman1
 
LVL 22

Expert Comment

by:rickhobbs
ID: 17054334
Is Windows Firewall disabled on the Windows XP machines?
0
 
LVL 22

Expert Comment

by:rickhobbs
ID: 17054339
Also, what FTP client are you using?   Have you tried FTP in Passive mode?
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17054340
You must have read this while I was editing.  Yes, Windows Firewall has been disabled.
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 17054341
What ftp client are you using?

Have you tried more than one?

Have you tried PASV mode in a client that supports it?
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17054342
IE, and I did try passive mode.
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 17054344
haha... rick beat me by one minute....
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 17054357
If you have Firefox installed, I would go and get the FireFTP extension https://addons.mozilla.org/firefox/684/ and try to see if you can FTP with it in normal and PASV mode.
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17054372
I don't want to make things complicated for the users by making them learn how to use FireFox.  Trust me, that is a disaster waiting to happen.  Your question did get me thinking about FTP software.  I'm downloading SmartFTP now to try it.
0
 
LVL 17

Assisted Solution

by:Jared Luker
Jared Luker earned 200 total points
ID: 17054404
No problem... the idea was just to try SOMETHING other than IE or the command line MS ftp client.
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17054407
Log from failed attempt via SmartFTP:

[17:38:56] SmartFTP v2.0.996.36
[17:38:56] Resolving host name "ftp.SITENAME.com"
[17:38:58] Connecting to IPADDRESS Port: 21
[17:39:00] No connection could be made because the target machine actively refused it.
[17:39:00] Client closed the connection.
[17:39:00] Active Help: http://www.smartftp.com/support/kb/index.php/58
0
 
LVL 5

Expert Comment

by:skaap2k
ID: 17054409
I have found other configuration settings in ISA server relating to FTP, especially with regards to uploading - I cannot remember exactly where, but they are there!

Rob
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 17054415
can you tracert out to that address on port 21?
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17054417
They can't seem to download either.  It's really strange.
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17054443
I am not familiar with using tracert to a specific port, only telnet.  Can you give a syntax example?
0
 
LVL 1

Expert Comment

by:haszan
ID: 17054447
I have always had problems with SmartFTP connections, currently using FileZilla, http://filezilla.sourceforge.net/ it is free and really good.

Haszan
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 17054450
I'm assuming that you are NATing to your machines behind the firewall.  Is it possible that the win98 machine is in some sort of DMZ or has more rights on the ISA server than the rest of the clients?
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17054496
Correction on the older error log from SmartFTP, seems I was an idiot and misspelled the host name.  Here is the correct log:

[17:46:49] SmartFTP v2.0.996.36
[17:46:49] Resolving host name "HOSTNAME"
[17:46:49] Connecting to IPADDRESS Port: 21
[17:46:50] 220 COMPANYNAME FTP Server
[17:46:50] Connected to HOSTNAME.
[17:46:50] USER USERNAME
[17:46:50] 331 User name okay, need password.
[17:46:50] PASS (hidden)
[17:46:50] 230 User logged in, proceed.
[17:46:50] SYST
[17:46:50] 215 UNIX Type: L8
[17:46:50] FEAT
[17:46:50] 500 Syntax error, command unrecognized: 'FEAT'
[17:46:50] TYPE I
[17:46:51] 200 Type set to I.
[17:46:51] REST 0
[17:46:51] 350 Restarting at 0. Send STORE or RETRIEVE.
[17:46:51] PWD
[17:46:52] 257 "/" is current directory.
[17:46:52] TYPE A
[17:46:52] 200 Type set to A.
[17:46:52] PASV
[17:46:52] 227 Passive mode entered (IPADDRESS)
[17:46:52] Opening data connection to IPADDRESS Port: 18389
[17:46:52] LIST -aL
[17:46:53] 150 Opening ASCII mode data connection for /bin/ls.
[17:47:15] A socket operation was attempted to an unreachable host.
[17:47:55] Timeout (40s).
[17:47:55] Active Help: http://www.smartftp.com/support/kb/index.php/74
[17:47:55] Client closed the connection.
[17:47:55] Automatic failover of data connection mode from "Passive Mode (PASV)" to "Active Mode (PORT)".

The 98 machine is not on a DMZ and rights are user level.  I can't even FTP directly from the server.  We used to have more 98 machines and they all worked as well, I have slowly been phasing them out and replacing with XP.
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 17054524
Hmm... it is clear that you are connecting and logging in.  That means that you have a green light on port 21.  That pretty much rules out ISA in my mind.  It looks like there are certain commands that are failing.  It seems that this is a problem with the operating system, but I'm not sure how the remote FTP server knows or even cares what OS you are using.
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17054542
Someone brought in their own laptop, running XP, and connected it straight to the Internet (bypassing the server) and they were able to connect.  This is why I am offering max points, it is a real head scratcher and I just got unlimited points for the month.
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 17054554
That smartftp link shows this:

An established connection was aborted by the software in your host machine. Software caused connection abort

This error can occur when the local network system aborts a connection, such as when WinSock closes an established connection after data retransmission fails (receiver never acknowledges data sent on a data stream socket). Possibly due to a data transmission timeout or protocol error.

You may try to set the Connection Timeout higher (Default: 60s). If the problem persists change the Data Connection Mode in the Settings->Connection dialog from "Port Mode (PORT)" to "Passive Mode (PASV)".

Try the same with the toggle of what it is now (if PASV, then do normal)
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17054580
I installed FileZilla as haszan suggested.  here is the error log:

Status:      Connecting to HOSTNAME ...
Status:      Connected with HOSTNAME. Waiting for welcome message...
Response:      220 COMPANYNAME FTP Server
Command:      USER USERNAME
Response:      331 User name okay, need password.
Command:      PASS ********
Response:      230 User logged in, proceed.
Command:      SYST
Response:      215 UNIX Type: L8
Command:      FEAT
Response:      500 Syntax error, command unrecognized: 'FEAT'
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE A
Response:      200 Type set to A.
Command:      PASV
Response:      227 Passive mode entered (IPADDRESS)
Command:      LIST
Response:      150 Opening ASCII mode data connection for /bin/ls.
Error:      Transfer channel can't be opened. Reason: A socket operation was attempted to an unreachable host.
Error:      Could not retrieve directory listing
Command:      TYPE I
Response:      226 Transfer complete.
Command:      REST 0
Response:      200 Type set to I.
Command:      PWD
Response:      350 Restarting at 0. Send STORE or RETRIEVE.
Command:      TYPE I
Response:      257 "/" is current directory.
0

 
LVL 17

Expert Comment

by:Jared Luker
ID: 17054588
I would be interested in seeing if that same laptop could still connect when going through this ISA server.  If it can not, then there might be a gpo in place after all.
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17054606
I am accessing the site remotely, so I can't check that right now.  I plan to go in the office on Monday to have a look with my laptop.  I can access the site fine from my location.
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 17054614
Scratch my last comment... gpo's would not be a factor unless that laptop was a member of the domain.
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17054639
To be honest I wasn't there when the direct connection was made, but I don't think they told me the whole story.  They don't know the static IP configuration necessary to bypass the server.  It seems more likely that they did connect using the server as a firewall and just setup the proxy in IE.
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17054647
"That smartftp link shows this:

An established connection was aborted by the software in your host machine. Software caused connection abort

This error can occur when the local network system aborts a connection, such as when WinSock closes an established connection after data retransmission fails (receiver never acknowledges data sent on a data stream socket). Possibly due to a data transmission timeout or protocol error.

You may try to set the Connection Timeout higher (Default: 60s). If the problem persists change the Data Connection Mode in the Settings->Connection dialog from "Port Mode (PORT)" to "Passive Mode (PASV)".

Try the same with the toggle of what it is now (if PASV, then do normal)"

Tried this, same result.
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17054655
I'm going home now.  Will check back tomorrow, if anyone thinks of anything post it and I'll give it a whirl.
0
 
LVL 22

Expert Comment

by:rickhobbs
ID: 17055609
Don't you have to open port 20 for ftpdata also?
0
 
LVL 22

Assisted Solution

by:rickhobbs
rickhobbs earned 100 total points
ID: 17055621
In fact, I know you need 20 for active connections and the initial directory listing is usually active and then the transfer can occur in active or passive mode.
0
 
LVL 1

Expert Comment

by:KCDean
ID: 17055831
This looks to be a good read, should help you out.

http://www.argosoft.com/rootpages/FtpServer/FAQ.aspx


0
 
LVL 1

Expert Comment

by:KCDean
ID: 17055847
at the bottom of that link

Quote
"It is not enough for FTP to provide access just to port 21. Port 21 is used only for control connections (sending login information, changing directories and so on), while, for data connections (directory listings and file transfers) it uses available ports on a server computer. So, you need to open more ports, more than one (21).

It would be the best not to use firewall, you will have less problems, but if you still want to use it, make sure that you are using FTP server, version 1.4.0.0 or higher, then, go to Tools - Options - Advanced, check Use Following Ports for Data Transfers box, and specify certain range of ports, e.g. 9090 low and 9099 high. Then, go to your firewall, and open ports between 9090 - 9099.

But, it is still not enough. When connecting to server, you must use FTP client, which supports passive transfers, and enable passive transfers for connections with your server (for example, in Internet explorer, you do it by going to Tools - Internet Options - Advanced, and putting a checkmark in Use Passive FTP box)."
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17055878
If I am reading this correctly, that pertains to running an FTP server, which is not the case.  My client is trying to access the FTP server, in addition it works on the 98 machine so I tend to agree with jared_luker that it is probably not an ISA issue.
0
 
LVL 7

Expert Comment

by:imacgouf
ID: 17055997
Hi,

From your log, if you notice under opening Data connection to IPADDRESS, Port is 18389.
Read these comments below as a reference case to the problem you are facing, since I presume your remote FTP server is running a Unix/Linux platform:
http://www.fedoraforum.org/forum/archive/index.php/t-95011.html

[17:46:49] SmartFTP v2.0.996.36
[17:46:49] Resolving host name "HOSTNAME"
[17:46:49] Connecting to IPADDRESS Port: 21
[17:46:50] 220 COMPANYNAME FTP Server
[17:46:50] Connected to HOSTNAME.
   |
   |
[17:46:52] TYPE A
[17:46:52] 200 Type set to A.
[17:46:52] PASV
[17:46:52] 227 Passive mode entered (IPADDRESS)
[17:46:52] Opening data connection to IPADDRESS Port: 18389
[17:46:52] LIST -aL
[17:46:53] 150 Opening ASCII mode data connection for /bin/ls.
[17:47:15] A socket operation was attempted to an unreachable host.
[17:47:55] Timeout (40s).

From the comment by
jcliburn  2006-02-11, 07:15 AM PST
Ftp sessions consist of two channels: a command channel and a data channel. The data channel employs varying ephemeral ports, which can be problematic in the presence of a firewall. You need to restrict the range of ports used by the server for ftp data connections. The following steps restrict the data channel to use ports xxxxx and xxxxx. You can specify a single port if you wish by setting the relevant max and min parameters equal.
0
 
LVL 27

Expert Comment

by:Nopius
ID: 17056049
> My client is trying to access the FTP server, in addition it works on the 98 machine so I tend to agree with jared_luker that it is probably not an ISA issue.

Win98 and Win XP may use different TCP port ranges for opening new connections and it may be the reason why the firewall is not always working.
Read here for more details: http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html#Problems and http://support.microsoft.com/default.aspx?scid=kb;en-us;196271

So my suggestion is the same as KCDean said before, just try to follow his instructions and say what happens.
Also please tell us, do you have some sort of VPN client software on your client machines (it may also be a reason for the problem).

I'm sure it's a firewall, network or IP range related problem :-)
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17056151
I can't specify which port the remote FTP servers will use, that is up to them.  Since not everyone will use the same port I can't predict and use port forwarding.  What I have done is the following:
Under Access Policy.
Site and Content Rules -> Allow all destinations, Allow all external destinations to Backoffice Internet Users group.  Deny access to certain blacklisted websites (games, pornography, sports).
Protocol Rules -> Allow all IP traffic.
IP Packet Filters -> TCP, Both directions, Local Port 21, Remote Port All Ports, Default External IP Address.  TCP, Both directions, Local Port All Ports, Remote Port 21, Default External IP Address. Plus a host of others that shouldn't matter, but if you want me to post them I will.

In conclusion, there is no way for me to specify a range to use for the Data Transfers on the server because that is not on my end.  The client is not using any VPN software.  I run RealVNC on the server to connect to it remotely and UltraVNC on my computer when connecting.  Every time I try to connect using PASV mode the port number changes, the result does not.
0
 
LVL 7

Accepted Solution

by:imacgouf
imacgouf earned 200 total points
ID: 17056230

Check out this for ISA 2000 info:
FTP Client Access from an ISA Server Network
http://www.microsoft.com/technet/prodtechnol/isa/2000/maintain/isaftpci.mspx
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 17056234
To expand on the problem...

Usually if a connection is established on the clean side of the firewall, communication will be allowed bi-directionally on the port that communications were initiated.  If the ftp server side is trying to communicate with the ftp client on a port other than what was originally opened up, the firewall will deny access to those ports.  Maybe ISA can be set up so that if a connection is established to a remote site, that responses can be received on any port, or some range of ports so that the directory changes and downloads can get through the firewall.
0
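Added example, not part of any post in this thread: a small triage script that reads an FTP client log in the shape of the SmartFTP and FileZilla logs posted above, separates control-channel success from data-channel failure, and names the second TCP flow the firewall has to permit. The function names are hypothetical, and the sample log is constructed (the 227 reply uses the documentation address 192.0.2.10 because the thread redacts the real one).

```python
import re

# Constructed sample in the shape of the SmartFTP log posted in the thread.
# 192.0.2.10 is a documentation address standing in for the redacted server;
# 71*256 + 213 = 18389, the data port shown in that log.
SAMPLE_LOG = """\
[17:46:50] 220 COMPANYNAME FTP Server
[17:46:50] USER USERNAME
[17:46:50] 331 User name okay, need password.
[17:46:50] PASS (hidden)
[17:46:50] 230 User logged in, proceed.
[17:46:52] PASV
[17:46:52] 227 Passive mode entered (192,0,2,10,71,213)
[17:46:52] LIST -aL
[17:46:53] 150 Opening ASCII mode data connection for /bin/ls.
[17:47:15] A socket operation was attempted to an unreachable host.
[17:47:55] Timeout (40s).
"""

# Strips SmartFTP timestamps and FileZilla "Command:/Response:" style prefixes.
PREFIX = re.compile(r"^(?:\[\d{2}:\d{2}:\d{2}\]|Status:|Response:|Command:|Error:)\s*")
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
DATA_ERRORS = ("unreachable host", "timeout", "actively refused", "can't be opened")


def parse_hostport(text):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 form into (ip, port), or None."""
    m = HOSTPORT.search(text)
    if not m:
        return None  # e.g. a redacted reply such as "(IPADDRESS)"
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def triage(log_text):
    """Report how far the session got and which flow the firewall must allow."""
    result = {"logged_in": False, "mode": None, "endpoint": None,
              "data_failed": False, "needed_flow": None}
    transfer_started = False
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.startswith("230"):
            result["logged_in"] = True   # control channel (TCP 21) is fine
        elif line.startswith("227"):
            result["mode"] = "passive"   # server listens, client connects out
            result["endpoint"] = parse_hostport(line)
        elif line.upper().startswith("PORT "):
            result["mode"] = "active"    # client listens, server connects in
            result["endpoint"] = parse_hostport(line)
        elif line.startswith("150"):
            transfer_started = True      # server is about to use the data channel
        elif transfer_started and any(e in line.lower() for e in DATA_ERRORS):
            result["data_failed"] = True
    if result["data_failed"] and result["mode"]:
        ip, port = result["endpoint"] or ("<unknown-ip>", "<unknown-port>")
        if result["mode"] == "passive":
            # Second connection originates inside, to the server's advertised port.
            result["needed_flow"] = f"outbound TCP client -> {ip}:{port}"
        else:
            # Second connection originates at the server, conventionally from port 20.
            result["needed_flow"] = f"inbound TCP server:20 -> {ip}:{port}"
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A result with `logged_in` true and `data_failed` true points at the data-channel rule rather than the port 21 rule, which is the distinction the packet filters listed earlier in the thread do not make.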
 
LVL 44

Expert Comment

by:scrathcyboy
ID: 17056380
This is all in the windows server setup, it is blocking FTP ports 21 and maybe 2121 to clients responding to the advanced packet filtering features on 2000 and XP.  Another example where 98 is more extensible than other OSs.  If you were using a hardware router for firewall and not a windows server, you would not have this problem. Try that just to prove it is the server setup, irrespective of the clients OSes.
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17058758
At this point it seems imacgouf may be the closest to having found the solution.  The page linked to has the following information at the very bottom:
<<When you access an FTP server through Internet Explorer, the following error message is displayed:

"Windows cannot access this folder."

This may occur if folder view for FTP sites is enabled in Internet Explorer, because this causes Internet Explorer to attempt to bypass the Web proxy service. To disable folder view, follow the instructions in this article.>>

This completely contradicts the other article I found, but after disabling this feature my client was able to connect via FTP in IE.  (Note: I did follow all of the other steps in the article linked to, so that may have helped as well but it did not solve the problem on its own.) The view does not resemble a typical FTP folder view like that of browsing your folders in My Computer.  The client is going to try uploading files in this manner, if this does not work I will try using SmartFTP and/or FileZilla to see if they work.  Ultimately I want to make things easiest for the client by using IE as they don't really like learning new things.  I will post back when I hear from the client.
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17059404
UPDATE:
SmartFTP and FileZilla both work using Active connection and specifying no proxy server.  This is likely due to the changes made by following the link above.  My client still hasn't emailed or called to let me know if they can upload using IE.
0
 
LVL 2

Author Comment

by:pyroman1
ID: 17059720
Final result:
I believe the article imacgouf linked to may have solved the problem, however it did not provide all of the information needed to completely get things working.  After following the steps listed in the article I had to perform the following additional steps to enable users to use IE for FTP access:

1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Advanced tab, click to select the Enable folder view for FTP sites check box.
4. On the Advanced tab, clear the use Passive FTP (for firewall and DSL modem compatibility) check box.

Thanks to all for your assistance.
@imacgouf - The article you linked to provided a great amount of detail in properly configuring ISA for FTP client access.
@rickhobbs - You were first to mention opening port 20, the article mentioned previously provided exact steps.
@jared_luker  - Your suggestion to try another FTP program is what helped me determine that I should try turning off Passive FTP in IE to get Enable folder view to work.

I plan on splitting points amongst the three of you.  This was a long thread, so it is entirely possible I missed someone's comment which provided a suggestion before someone else's.  I am going to wait 24 hours to close this and split points with a B grade (I did have to figure out the end part or it would be an A).  If anyone feels they contributed something that I missed please post it here.

Again, thanks for the help!
0
 
LVL 22

Expert Comment

by:rickhobbs
ID: 17086656
Glad to be of assistance.  Thank you!
0
 
LVL 7

Expert Comment

by:imacgouf
ID: 17088915
Most welcome. Good work to all. :) Thanks!
0
