Solved

How to connect securely?

Posted on 2007-04-10
Last Modified: 2013-12-02
I downloaded Serv-U and set up a domain on my local box that has Vista installed.  I set the IP to an internal IP, security is SSL/TLS only on port 990.  I'm using CORE FTP to connect.  When I try to connect using port 990 and AUTH SSL option, I get this message:

can't establish connection to 192.168.66.1 port 990.

I then downloaded FTPVoyager (by people that made serv-u) and it says:

431 unable to negotiate secure command connection

If I set Serv-U to accept connections on port 21, and accept regular and SSL connections, I can connect without problems.  I'm also prompted to accept the certificate.

Why doesn't port 990 with "SSL only" work?
Question by:brettr
25 Comments
 
LVL 2

Expert Comment

by:couritech
ID: 18887390
UDP port 990 uses UDP and is connectionless and does not guarantee reliable communication; it's up to the application that received the message on Port 990 to process any errors and verify correct delivery. If you use McAfee at the client it will block this port unless you specifically allow it to run in your rules (sees it as a virus).

A better idea may be to use Serv-U setup guides for port usage...

You should set up the IP for Passive mode to reflect the actual IP address and not the Internal IP address Serv-U sees.

To do this:
Select "Settings" under your domain
Select the "Advanced" tab. Here enter the external IP Address of your internet connection or leave it blank.
Also set up the PASV port range option:
Under "Local Server" select "Settings" and then the "Advanced" tab. Here you will see the PASV port range option.
Open ports 2000 - 2010.
Open the same port range in your firewall, proxy server, or router.

Be sure your ISP is not blocking 2000 - 2010, as some do because of high bandwidth P2P file sharing programs that also use this range.
0
 
LVL 2

Expert Comment

by:couritech
ID: 18887417
You should now be able to connect from any FTP Client using PASV mode.

However, if you are still unable to connect, disable the Block "FTP_bounce" attacks and FXP in the Serv-U options. According to Serv-U this option is known to cause complications.

0
 

Author Comment

by:brettr
ID: 18887448
Thanks but your option doesn't use SSL, which I want to use.  I can connect to the ftp server fine without SSL.  That's not the issue.
0
 
LVL 2

Expert Comment

by:couritech
ID: 18887461
Just talked to another admin who uses Serv-U and Core-FTP. He said you would absolutely have to use the following if you're going to use port 990. He got this on the Core-FTP forums and he tested it. He had been previously told he had to use 989 on a Sambar server.... anyway-

Your server has to be set up for a clear data channel, the server's router must be set to forward requests on port 990. The Client must be set for encryption on the WAN address, put the data channel on 50001-50100. Client's router is set to trigger ports 50001-50100 for incoming on outgoing requests to port 990
0
 

Author Comment

by:brettr
ID: 18887497
You're making it overly complicated.  I have the ftp client and the server on the same machine.  Once I get that going, I'll work on external access.

Also, it isn't CORE FTP specific.  Rhinosoft makes VoyagerFTP and Serv-U.  I thought that might be a benefit but it didn't work out that way.
0
 
LVL 2

Expert Comment

by:couritech
ID: 18887522
Sorry - thought you were going across the wire.... Have you enabled FTPS locally yet, and are you using Core FTP LE v1.3c 1446 build as the client (this has a known issue with port connects in the 1 - 4096 range)?
0
 

Author Comment

by:brettr
ID: 18887539
I'm using build 1447.6 but neither ftp client will connect.  So, it isn't an ftp client specific issue.

On Serv-U, I have these options:
- Allow only SSL/TLS sessions
- FTP port number 990
0
 
LVL 2

Expert Comment

by:couritech
ID: 18887561
Are you using NAT on the router? If you have NAT set up it will have a problem translating the encryption. If you have NAT set up then try disabling it on the router and then refresh and try to connect. It should allow an implicit SSL/TLS connection then.
0
 
LVL 2

Expert Comment

by:couritech
ID: 18887569
If you don't have NAT on your router then check your firewall, because this is definitely sounding like a translation issue now and sounds like this is because of the encryption requirement being levied? I don't know about Voyager in great detail, but would guess its tables cannot pass encrypted traffic through a NAT box.
0
 

Author Comment

by:brettr
ID: 18887582
Again, no NAT.  It's all on "one" machine.  Firewall is off.  I've done much of everything that you can do to get it going.  Sorry.  
0
 
LVL 2

Expert Comment

by:couritech
ID: 18887608
What's the Version of Serv-U (Is it Serv-U secure)? You didn't say... I only assumed... (it is required).
0
 

Author Comment

by:brettr
ID: 18887621
I just downloaded all of the software this evening.  Serv-U version 6.4.0.2 (build is the same).
0
 
LVL 2

Expert Comment

by:couritech
ID: 18887650
Getting tough here then - it's tricky... have you looked at the Local Area Connection settings and the advanced tab in particular to be sure you are set up to allow a secure connection into the NIC and opened the 990 port connect? You are also sure the firewall (Windows, etc) are disabled and you don't use McAfee or Norton "of anything of theirs" on the client?
0
 
LVL 2

Expert Comment

by:couritech
ID: 18887663
I assume you went to http://www.serv-u.com/versions.asp and got the "secure", "professional" or "Corporate" version? They all handle tables differently for SSL/TLS - just looking to clarify here if you missed getting one of these versions or if you got the right one - to figure out which one you have.
0
 

Author Comment

by:brettr
ID: 18887696
Actually, it's the trial version: http://www.serv-u.com/dn.asp.  I'm assuming it should have all features since there is a 30 day limit.

I don't know about secure connections into the NIC. I'm not sure which NIC related advanced tab you're referring to that mentions security.  No firewall or virus software is running.

To save time, do you know of any (trial/free) FTP servers that support SSL?  I imagine though that it will be the same problem.
0
 
LVL 2

Expert Comment

by:couritech
ID: 18887731
Serv-U has a trial version of secure software that is free for 30 days - you just have to download it.

http://www.serv-u.com/versions.asp 

shows you the versions of the 5 that are available. I should have thought ahead about this - you were right - it was a simple thing - but the root cause of the failure in the end is often simple and most overlooked.

The trial for secure is 30 days. I'd try it and see if you like it - all seem to be pay to play these days. This is as good as any and you have experience now using the product?

Good luck!
0
 
LVL 2

Expert Comment

by:couritech
ID: 18887736
the dn.asp does not support secure SSL
0
 
LVL 2

Expert Comment

by:couritech
ID: 18887740
or SFTP
0
 

Author Comment

by:brettr
ID: 18887757
There isn't a trial for the secure version.  There is only one trial and they don't say which version that is.
0
 
LVL 2

Expert Comment

by:couritech
ID: 18887824
It's corp by default, which supports SSL authoring. If it isn't your NIC card settings and disallowing SFTP traffic, then I can't explain any reason why you would not be connecting unless you had previously had McAfee or Norton installed (even if they were unloaded). They cause problems with these programs after removal and close port 990. They both have site uninstall tools to remove remnants, but since you make no mention I am about out of options. Sounds to me like you should have been up and running from the start.
0
 

Author Comment

by:brettr
ID: 18887834
Going to try phone tech support with RhinoSoft tomorrow.
0
 
LVL 2

Expert Comment

by:couritech
ID: 18887850
Sounds like your best support option?
0
 

Author Comment

by:brettr
ID: 18895774
Here's the solution:

Set Serv-U this way:
Security: Allow SSL/TLS and regular sessions
Port: 21 or 990

FTP client:
AUTH SSL
port 21 or 990

It fails when I set Serv-U to allow SSL/TLS only.  Not sure why.
0
 
LVL 2

Accepted Solution

by:
couritech earned 500 total points
ID: 18895790
Glad to hear it solved - post up for the next guy who needs it so we can put one in the knowledgebase. Good job!
0
 

Author Comment

by:brettr
ID: 18895797
If I get an answer on why SSL only doesn't work, I'll post back.  Thanks for all of the help.
0
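
Added example, not part of the thread and not Serv-U or Core FTP code: FTPS comes in two forms, explicit (the server sends a cleartext 220 banner and upgrades to TLS after `AUTH TLS` or `AUTH SSL`) and implicit (the server expects a TLS handshake before any FTP reply, conventionally on port 990), and a client set to one form cannot talk to a port configured for the other. The probe below reports which form a port speaks; the function names and return labels are assumptions made for this sketch.

```python
import socket
import ssl

def _reply_code(f):
    """Code of one FTP reply (multi-line form included); b"" on silence or EOF."""
    try:
        line = f.readline()
        code, more = line[:3], line[3:4] == b"-"
        while more and line:                 # "220-..." runs until a "220 " line
            line = f.readline()
            more = not line.startswith(code + b" ")
        return code
    except socket.timeout:
        return b""

def probe_ftp_tls_mode(host, port, timeout=3.0):
    """Return 'explicit', 'plaintext-only', 'implicit', 'unknown' or 'error'."""
    # Step 1: plain TCP. A plain or explicit-mode server speaks first (220).
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rb")
            if _reply_code(f) == b"220":
                for verb in (b"AUTH TLS\r\n", b"AUTH SSL\r\n"):
                    s.sendall(verb)
                    code = _reply_code(f)
                    if code == b"234":       # 234: server will start TLS now
                        return "explicit"
                    if not code:
                        return "unknown"
                return "plaintext-only"
    except OSError:
        return "error"
    # Step 2: no cleartext banner, so the port may expect a TLS ClientHello
    # first (implicit mode). Verification is off because this probe sends no
    # credentials and a lab server usually has a self-signed certificate.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                ok = _reply_code(tls.makefile("rb")) == b"220"
                return "implicit" if ok else "unknown"
    except OSError:                          # includes ssl.SSLError and timeouts
        return "unknown"

if __name__ == "__main__":
    # Address and port taken from the question above.
    print(probe_ftp_tls_mode("192.168.66.1", 990))
```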
