Solved

How to connect securely?

Posted on 2007-04-10
25
697 Views
Last Modified: 2013-12-02
I downloaded Serv-U and set up a domain on my local box that has Vista installed.  I set the IP to an internal IP, security is SSL/TLS only on port 990.  I'm using CORE FTP to connect.  When I try to connect using port 990 and the AUTH SSL option, I get this message:

can't establish connection to 192.168.66.1 port 990.

I then downloaded FTPVoyager (by the people that made Serv-U) and it says:

431 unable to negotiate secure command connection

If I set Serv-U to accept connections on port 21, and accept regular and SSL connections, I can connect without problems.  I'm also prompted to accept the certificate.

Why doesn't port 990 with "SSL only" work?
Question by:brettr
25 Comments
 
LVL 2

Expert Comment

by:couritech
UDP port 990 uses UDP and is connectionless and does not guarantee reliable communication; it's up to the application that received the message on Port 990 to process any errors and verify correct delivery. If you use McAfee at the client it will block this port unless you specifically allow it to run in your rules (sees it as a virus).

A better idea may be to use Serv-U setup guides for port usage...

You should set up the IP for Passive mode to reflect the actual IP address and not the Internal IP address Serv-U sees.

To do this:
Select "Settings" under your domain
Select the "Advanced" tab. Here enter the external IP Address of your internet connection or leave it blank.
Also set up the PASV port range option:
Under "Local Server" select "Settings" and then the "Advanced" tab. Here you will see the PASV port range option.
Open ports 2000 - 2010.
Open the same port range in your firewall, proxy server, or router.

Be sure your ISP is not blocking 2000 - 2010 as some do because of high bandwidth P2P file sharing programs that also use this range.
0
 
LVL 2

Expert Comment

by:couritech
You should now be able to connect from any FTP Client using PASV mode.

However, if you are still unable to connect, disable the Block "FTP_bounce" attacks and FXP in the Serv-U options. According to Serv-U this option is known to cause complications.

0
 

Author Comment

by:brettr
Thanks but your option doesn't use SSL, which I want to use.  I can connect to the ftp server fine without SSL.  That's not the issue.
0
 
LVL 2

Expert Comment

by:couritech
Just talked to another admin who uses Serv-U and Core-FTP. He said you would absolutely have to use the following if you're going to use port 990. He got this on the Core-FTP forums and he tested it. He had been previously told he had to use 989 on a Sambar server.... anyway-

Your server has to be set up for a clear data channel, the server's router must be set to forward requests on port 990. The Client must be set for encryption on the WAN address, put the data channel on 50001-50100. Client's router is set to trigger ports 50001-50100 for incoming on outgoing requests to port 990
0
 

Author Comment

by:brettr
You're making it overly complicated.  I have the ftp client and the server on the same machine.  Once I get that going, I'll work on external access.

Also, it isn't CORE FTP specific.  Rhinosoft makes VoyagerFTP and Serv-U.  I thought that might be a benefit but it didn't work out that way.
0
 
LVL 2

Expert Comment

by:couritech
Sorry - thought you were going across the wire.... Have you enabled FTPS locally yet, and are you using Core FTP LE v1.3c 1446 build as the client (this has a known issue with port connects in the 1 - 4096 range)?
0
 

Author Comment

by:brettr
I'm using build 1447.6 but neither ftp client will connect.  So, it isn't an ftp client specific issue.

On Serv-U, I have these options:
- Allow only SSL/TLS sessions
- FTP port number 990
0
 
LVL 2

Expert Comment

by:couritech
Are you using NAT on the router? If you have NAT set up it will have a problem translating the encryption. If you have NAT set up then try disabling it on the router and then refresh and try to connect. It should allow an implicit SSL/TLS connection then.
0
 
LVL 2

Expert Comment

by:couritech
If you don't have NAT on your router then check your firewall, because this is definitely sounding like a translation issue now and sounds like this is because of the encryption requirement being levied? I don't know about Voyager in great detail, but would guess its tables cannot pass encrypted traffic through a NAT box.
0
 

Author Comment

by:brettr
Again, no NAT.  It's all on "one" machine.  Firewall is off.  I've done much of everything that you can do to get it going.  Sorry.  
0
 
LVL 2

Expert Comment

by:couritech
What's the version of Serv-U (is it Serv-U Secure)? You didn't say... I only assumed... (it is required).
0
 

Author Comment

by:brettr
I just downloaded all of the software this evening.  Serv-U version 6.4.0.2 (build is the same).
0
 
LVL 2

Expert Comment

by:couritech
Getting tough here then - it's tricky... have you looked at the Local Area Connection settings and the advanced tab in particular to be sure you are set up to allow a secure connection into the NIC and opened the 990 port connect? You are also sure the firewall (Windows, etc) is disabled and you don't use McAfee or Norton "or anything of theirs" on the client?
0
 
LVL 2

Expert Comment

by:couritech
I assume you went to http://www.serv-u.com/versions.asp and got the "secure", "professional" or "Corporate" version? They all handle tables differently for SSL/TLS - just looking to clarify here if you missed getting one of these versions or if you got the right one - to figure out which one you have.
0
 

Author Comment

by:brettr
Actually, it's the trial version: http://www.serv-u.com/dn.asp.  I'm assuming it should have all features since there is a 30 day limit.

I don't know about secure connections into the NIC. I'm not sure which NIC related advanced tab you're referring to that mentions security.  No firewall or virus software is running.

To save time, do you know of any (trial/free) FTP servers that support SSL?  I imagine though that it will be the same problem.
0
 
LVL 2

Expert Comment

by:couritech
Serv-U has a trial version of secure software that is free for 30 days - you just have to download it.

http://www.serv-u.com/versions.asp

shows you the versions of the 5 that are available. I should have thought ahead about this - you were right - it was a simple thing - but the root cause of the failure in the end is often simple and most overlooked.

The trial for secure is 30 days. I'd try it and see if you like it - all seem to be pay to play these days. This is as good as any and you have experience now using the product?

Good luck!
0
 
LVL 2

Expert Comment

by:couritech
the dn.asp does not support secure SSL
0
 
LVL 2

Expert Comment

by:couritech
or SFTP
0
 

Author Comment

by:brettr
There isn't a trial for the secure version.  There is only one trial and they don't say which version that is.
0
 
LVL 2

Expert Comment

by:couritech
It's corp by default, which supports SSL authoring. If it isn't your NIC card settings and disallowing SFTP traffic, then I can't explain any reason why you would not be connecting unless you had previously had McAfee or Norton installed (even if they were unloaded). They cause problems with these programs after removal and close port 990. They both have site uninstall tools to remove remnants, but since you make no mention I am about out of options. Sounds to me like you should have been up and running from the start.
0
 

Author Comment

by:brettr
Going to try phone tech support with RhinoSoft tomorrow.
0
 
LVL 2

Expert Comment

by:couritech
Sounds like your best support option?
0
 

Author Comment

by:brettr
Here's the solution:

Set Serv-U this way:
Security: Allow SSL/TLS and regular sessions
Port: 21 or 990

FTP client:
AUTH SSL
port 21 or 990

It fails when I set Serv-U to allow SSL/TLS only.  Not sure why.
0
 
LVL 2

Accepted Solution

by:
couritech earned 500 total points
Glad to hear it solved - post up for the next guy who needs it so we can put one in the knowledgebase. Good job!
0
 

Author Comment

by:brettr
If I get an answer on why SSL only doesn't work, I'll post back.  Thanks for all of the help.
0
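
Added example, not part of the original thread or of Serv-U's or Core FTP's code: a small probe for checking which FTPS mode a listener expects, by seeing whether it greets in plaintext and accepts `AUTH TLS` (explicit FTPS) or stays silent waiting for a TLS handshake (the conventional implicit-FTPS behaviour on port 990). The names `probe_ftps` and `fake_listener` are hypothetical, and the local stand-in server and its banners are constructed for the demonstration.

```python
import socket
import threading

def read_reply(f):
    """Read one FTP reply (possibly multi-line) and return its 3-digit code."""
    while True:
        line = f.readline()
        if not line:
            return ""                       # peer closed the connection
        if line[:3].isdigit() and line[3:4] == b" ":
            return line[:3].decode()        # "NNN " marks the final line

def probe_ftps(host, port, timeout=1.0):
    """Return 'explicit', 'auth-refused', 'implicit-likely' or 'unknown'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        try:
            code = read_reply(f)
        except socket.timeout:
            # Silence instead of a banner: the listener is waiting for a TLS
            # ClientHello, as an implicit-FTPS port (conventionally 990) does.
            return "implicit-likely"
        if code != "220":
            return "unknown"
        s.sendall(b"AUTH TLS\r\n")          # RFC 4217 form of AUTH SSL
        try:
            # 234 = the server will upgrade this control connection to TLS.
            return "explicit" if read_reply(f) == "234" else "auth-refused"
        except socket.timeout:
            return "unknown"

def fake_listener(greeting, auth_reply):
    """Constructed stand-in server on 127.0.0.1; returns its port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
            if conn.recv(512) and auth_reply:   # wait for the client's command
                conn.sendall(auth_reply)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = fake_listener(b"220 ready\r\n", b"234 AUTH TLS ok\r\n")
    print(probe_ftps("127.0.0.1", port))
```

A client set to `AUTH SSL` expects the `explicit` result; a port that reports `implicit-likely` needs the client's implicit SSL/TLS mode instead.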