Solved

Using SSL FTP Through Netgear 318 Firewall

Posted on 2006-07-07
10
1,091 Views
Last Modified: 2008-01-09
I'm having a difficult time using my Netgear FVS318 in conjunction with SSL ftp.  The outside users can successfully connect (user name, password, etc.), but are timed out when the SSL ftp tries to establish the data channel.  I know that NAT and encrypted traffic are involved here and that the firewall is blocking it.  The ports are definitely open on the netgear.  Is there a way that I can get it working without removing the netgear?

Also, I tried the "CCC" option on the client ftp desktops with no results.
Question by:bhunger
10 Comments
 
LVL 57

Expert Comment

by:giltjr
What I would suggest, assuming your ftp server supports it, is setting up a specific port range for passive FTP.  Then configure your firewall to allow all traffic to that port range through to your ftp server.

 
LVL 18

Expert Comment

by:decoleur
bhunger-

how do you know what you know?

what ports do you have open on the firewall and on the ftp server?

what kinds of logs are generated when a user tries to connect? on the server? on the firewall?

this should be a pretty simple problem to troubleshoot, but i like to get the big picture.

there is a big difference between Secure FTP and FTP over SSL, my preference is FTP over SSL because you only need one port open (SSH).

hope this helps

-t
 
LVL 57

Expert Comment

by:giltjr
Umm, I'm a bit confused.  Did you mean to say "my preference is ftp over SSH"?

FTP over SSL is normal FTP encrypted with SSL, it needs a command/control port and a data transfer port.  So you need two ports.

SSH'ed FTP only needs one port.  

Some places will say that "Secure FTP" is SSH'ed FTP, some sites say it is FTP SSL'ed, and some just say it's ftp (or ftp-like) encrypted.
 
LVL 18

Expert Comment

by:decoleur
you are right giltjr, my preference is to use ftp over ssh, actually i use scp which is essentially just that...

if memory serves, an interesting point is that with SFTP the data being transmitted is encrypted but the authentication process is not.

 

Author Comment

by:bhunger
Sorry about delayed update.  Out of town.

Well, it's an unbelievably vexing situation.  It turns out that the NAT on the client side was the issue.  We removed the firewall here entirely and were getting the same.  I.e., we were using the wan ip directly with no firewall, just to test the connection.  Same error: authentication would succeed, but the client could not successfully utilize the subsequent data port (yes, we tested specific ranges, etc.).  The client was timing out while trying to read the ftp directory.  Ipswitch tech support sort of confirmed.  Setting up a SSL ftp config between two NAT networks is VERY problematic.

Unless anyone has actually accomplished this and can advise, we're going to switch to software based MSFT VPN, then utilize standard ftp (over the established vpn).

Thanks
 
LVL 57

Accepted Solution

by:
giltjr earned 250 total points
Generally you need to have a server and a client that support either the CCC or the EPSV command.  For most "stupid" firewalls on the server side, EPSV should work and then you need to configure the server to only use specific ports for SSL'ed FTP.  Then configure the firewall to allow inbound connections to that range of ports.  The client side should not need anything done as it will make the connection outbound.

If you have "smart" firewalls, then CCC would be better.  Smart firewalls will monitor the ftp control sessions and dynamically create rules for the data sessions.  The CCC option tells the server to issue the port command in clear text so that the firewalls can see it.

On a normal PORT command when in PASV mode the server tells the client the IP address and port to connect to.  When doing non-SSL'ed ftp, the firewall will see this and convert the IP address to the NAT'ed address.  However, when this is encrypted, the firewall can't do this and passes the port command through.  The client will try using the non-NAT'ed address, which of course will not work.  With the EPSV command, only the port number is passed and the client will use the same address for the data connection as it is using for the control/command connection.

I have heard, but can't remember which one it was, that there is at least one client that, when using SSL'ed FTP, will accept a normal PORT command but ignores the IP address in the PORT command and uses the IP address it is connected to on the control/command session.  I will try and find out what client it is.
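As an added illustration of the passive-mode point made in the accepted answer (example code written for this thread, not from any poster, Ipswitch or Netgear): the script below parses a constructed PASV (227) reply and a constructed EPSV (229) reply, shows why a client that dials the address embedded in an encrypted PASV reply ends up at the server's private, un-NAT'ed IP, and adds the defender-side check that the chosen data port falls inside the passive range opened on the firewall. The control-peer address 203.0.113.10, the passive range 50000-50100 and the function names are assumptions for this example.

```python
import re
import ipaddress

# Constructed sample replies, modelled on the RFC 959 (PASV) and RFC 2428
# (EPSV) reply formats.  The PASV reply carries the server's own private
# address: over an encrypted control channel no firewall can rewrite it.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,20,195,80)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)"

# Assumed deployment values: the public address the client reached on the
# control connection (a documentation address stands in for a real one) and
# the passive port range that was opened on the server-side firewall.
CONTROL_PEER = "203.0.113.10"
PASSIVE_RANGE = (50000, 50100)

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a valid PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in PASV reply")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_epsv(reply):
    """Return the port from a 229 reply; the host is always the control peer."""
    m = EPSV_RE.search(reply)
    if not reply.startswith("229") or not m:
        raise ValueError("not a valid EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 0 < port < 65536:
        raise ValueError("port out of range in EPSV reply")
    return port


def data_target(reply, control_peer, trust_pasv_address=False):
    """Pick the (host, port) the client should dial for the data connection.

    EPSV never carries an address, so the control peer is reused.  For PASV,
    a client that trusts the advertised address dials the server's private
    IP (the failure the thread describes); one that reuses the control peer
    behaves like the client giltjr mentions and sidesteps the NAT problem.
    """
    if reply.startswith("229"):
        return control_peer, parse_epsv(reply)
    host, port = parse_pasv(reply)
    return (host if trust_pasv_address else control_peer), port


def is_rfc1918(host):
    """True when host is in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def is_routable_target(host, port, control_peer, passive_range):
    """Sanity check from the firewall administrator's side: the data
    connection only works if it goes to the public address the client is
    already talking to and lands inside the opened passive port range."""
    lo, hi = passive_range
    return host == control_peer and not is_rfc1918(host) and lo <= port <= hi


if __name__ == "__main__":
    for reply in (PASV_REPLY, EPSV_REPLY):
        for trust in (True, False):
            host, port = data_target(reply, CONTROL_PEER, trust)
            ok = is_routable_target(host, port, CONTROL_PEER, PASSIVE_RANGE)
            print("%s trust_pasv=%-5s -> %s:%d routable=%s"
                  % (reply[:3], trust, host, port, ok))
```

Running it shows the three outcomes the thread circles around: the PASV reply decoded with its embedded address gives 192.168.1.20:50000, which fails the check; the same reply with the address ignored, or the EPSV reply, gives 203.0.113.10:50000, which passes; and any port outside the opened range fails regardless of address.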
 
LVL 18

Expert Comment

by:decoleur
have you tried WinSCP as the client app?
 

Author Comment

by:bhunger
No, I haven't tried it.  I've tried Coreftp LE.

Again, I took the server side firewall and NAT completely out of the picture and got the same error.

I also tried a product (or protocol) called EFTP (encrypted ftp).  I installed the server on the server and tried the client from outside the network.  Same result: the client COULD log on, but couldn't see the file listing.

 

Author Comment

by:bhunger
I've got it working.  The problem was not an open port issue (I opened the appropriate ports early on).  The issue turned out to be client firewalls on the client pcs.  Norton firewall and zone alarm will sometimes inhibit certain types of traffic, EVEN when they're turned off.

Thanks everybody.