Solved

Using SSL FTP Through Netgear 318 Firewall

Posted on 2006-07-07
10
1,098 Views
Last Modified: 2008-01-09
I'm having a difficult time using my Netgear FVS318 in conjunction with SSL ftp.  The outside users can successfully connect (user name, password, etc.), but are timed out when the SSL ftp tries to establish the data channel.  I know that NAT and encrypted traffic are involved here and that the firewall is blocking it.  The ports are definitely open on the Netgear.  Is there a way that I can get it working without removing the Netgear?

Also, I tried the "CCC" option on the client ftp desktops with no results.
0
Question by:bhunger
10 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 17061965
What I would suggest, assuming your ftp server supports it, is setting up a specific port range for passive FTP.  Then configure your firewall to allow through all traffic to that port range to your ftp server.

0
 
LVL 18

Expert Comment

by:decoleur
ID: 17064905
bhunger-

how do you know what you know?

what ports do you have open on the firewall and on the ftp server?

what kinds of logs are generated when a user tries to connect? on the server? on the firewall?

this should be a pretty simple problem to troubleshoot, but i like to get the big picture.

there is a big difference between Secure FTP and FTP over SSL; my preference is FTP over SSL because you only need one port open (SSH).

hope this helps

-t
0
 
LVL 57

Expert Comment

by:giltjr
ID: 17066144
Umm, I'm a bit confused.  Did you mean to say "my preference is ftp over SSH"?

FTP over SSL is normal FTP encrypted with SSL, it needs a command/control port and a data transfer port.  So you need two ports.

SSH'ed FTP only needs one port.  

Some places will say that "Secure FTP" is SSH'ed FTP, some sites say it is FTP SSL'ed, and some just say it's ftp (or ftp-like) encrypted.
0
 
LVL 18

Expert Comment

by:decoleur
ID: 17066395
you are right giltjr, my preference is to use ftp over ssh, actually i use scp which is essentially just that...

if memory serves, an interesting point is that with SFTP the data being transmitted is encrypted but the authentication process is not.

0
 

Author Comment

by:bhunger
ID: 17177011
Sorry about delayed update.  Out of town.

Well, it's an unbelievably vexing situation.  It turns out that the NAT on the client side was the issue.  We removed the firewall here entirely and were getting the same.  I.e., we were using the WAN IP directly with no firewall, just to test the connection.  Same error: authentication would succeed, but the client could not successfully utilize the subsequent data port (yes, we tested specific ranges, etc.).  The client was timing out while trying to read the ftp directory.  Ipswitch tech support sort of confirmed.  Setting up an SSL ftp config between two NAT networks is VERY problematic.

Unless anyone has actually accomplished this and can advise, we're going to switch to software based MSFT VPN, then utilize standard ftp (over the established vpn).

Thanks
0
 
LVL 57

Accepted Solution

by:
giltjr earned 250 total points
ID: 17177272
Generally you need to have a server and a client that support either the CCC or the EPSV command.  For most "stupid" firewalls on the server side, EPSV should work, and then you need to configure the server to only use specific ports for SSL'ed FTP.  Then configure the firewall to allow inbound connections to that range of ports.  The client side should not need anything done, as it will make the connection outbound.

If you have "smart" firewalls, then CCC would be better.  Smart firewalls will monitor the ftp control sessions and dynamically create rules for the data sessions.  The CCC option tells the server to issue the port command in clear text so that the firewalls can see it.

On a normal PORT command when in PASV mode, the server tells the client the IP address and port to connect to.  When doing non-SSL'ed ftp, the firewall will see this and convert the IP address to the NAT'ed address.  However, when this is encrypted, the firewall can't do this and passes the port command through.  The client will try using the non-NAT'ed address, which of course will not work.  With the EPSV command, only the port number is passed, and the client will use the same address for the data connection as it is using for the control/command connection.

I have heard, but can't remember which one it was, that there is at least one client that, when using SSL'ed FTP, will accept a normal PORT command but ignores the IP address in the PORT command and uses the IP address it is connected to on the control/command session.  I will try and find out what client it is.
0
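The PASV/EPSV distinction giltjr describes above, as an added example that is not part of the original thread and is not the code of any client or server mentioned in it: a small Python helper that parses the server's 227 (PASV) and 229 (EPSV) replies and decides which address and port the data connection should go to. It shows why an encrypted 227 reply from a NAT'ed server hands the client a private address the firewall can no longer rewrite, why a 229 reply avoids the problem by carrying only a port, and how to check that the port falls inside the range the firewall was opened for. The sample replies, the RFC 1918 check, the control-connection address and the passive port range are constructed assumptions, not values from the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample replies; not captured from the original poster's server.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,195,80)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)"

# Assumed passive range configured on the server and opened inbound on the
# firewall, per the advice in the thread (hypothetical values).
PASSIVE_RANGE = range(50000, 50011)

# RFC 1918 private ranges: addresses a client outside the NAT cannot reach.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(host):
    """True if host is a private (RFC 1918) address."""
    ip = ip_address(host)
    return any(ip in net for net in RFC1918)


def parse_pasv(reply):
    """Parse a 227 reply into (host, port).

    The host is whatever the server wrote into the reply; on a NAT'ed server
    that is its private address, and over TLS the firewall cannot rewrite it.
    """
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_epsv(reply):
    """Parse a 229 reply into a port.

    EPSV carries no address at all, so the client reuses the host it already
    reached for the control connection.
    """
    m = re.search(r"\(\|\|\|(\d+)\|\)", reply)
    if not reply.startswith("229") or m is None:
        raise ValueError("not a 229 EPSV reply: %r" % reply)
    return int(m.group(1))


def data_endpoint(reply, control_host):
    """Return (host, port, how) for the data connection.

    'epsv'       : 229 reply; address taken from the control connection.
    'pasv'       : 227 reply; address taken from the reply as-is.
    'pasv-fixup' : 227 reply carried an RFC 1918 address while the control
                   connection went to a non-private one; reuse the control
                   host instead (the client behaviour giltjr mentions).
    """
    if reply.startswith("229"):
        return control_host, parse_epsv(reply), "epsv"
    host, port = parse_pasv(reply)
    if is_rfc1918(host) and not is_rfc1918(control_host):
        return control_host, port, "pasv-fixup"
    return host, port, "pasv"


def port_allowed(port, allowed=PASSIVE_RANGE):
    """Check that the server chose a port inside the range opened on the
    firewall; a port outside it produces the same data-channel timeout as a
    wrong address does."""
    return port in allowed


if __name__ == "__main__":
    # 203.0.113.5 is a documentation address standing in for the public WAN IP.
    for reply in (PASV_REPLY, EPSV_REPLY):
        host, port, how = data_endpoint(reply, "203.0.113.5")
        status = "allowed" if port_allowed(port) else "BLOCKED"
        print("%s -> %s:%d (%s, %s)" % (reply, host, port, how, status))
```

Run it as-is to see both replies resolved against the same public control address: the 227 reply yields the private 192.168.1.10 and is corrected to the control host, while the 229 reply never carried an address to begin with. Swapping the control host for an RFC 1918 address (a client on the same LAN) leaves the 227 reply untouched, which is why the problem only appears across NAT.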
 
LVL 18

Expert Comment

by:decoleur
ID: 17177758
have you tried WinSCP as the client app?
0
 

Author Comment

by:bhunger
ID: 17179207
No, I haven't tried it.  I've tried Coreftp LE.

Again, I took the server side firewall and NAT completely out of the picture and got the same error.

I also tried a product (or protocol) called EFTP (encrypted ftp).  I installed the server on the server and tried the client from outside the network.  Same result: the client COULD log on, but couldn't see the file listing.

0
 

Author Comment

by:bhunger
ID: 17356508
I've got it working.  The problem was not an open port issue (I opened the appropriate ports early on).  The issue turned out to be client firewalls on the client PCs.  Norton firewall and ZoneAlarm will sometimes inhibit certain types of traffic, EVEN when they're turned off.

Thanks everybody.
0