Solved

Need to allow FTP access for users. Using the server as router and firewall. Windows Server 2003 Enterprise.

Posted on 2007-08-01
Last Modified: 2013-11-29
Hello

I'm having issues with FTP. I'm able to FTP through the server but can't access FTP from any of the client PCs on the network.
Operating system: Windows Server 2003 R2 Enterprise Edition
I have a static IP address from Road Runner.
The server is set up to act as a router and provides Internet for the users on the private network (NAT).

I do have the Basic Firewall enabled. I have disabled it and tested on a user's computer and it still doesn't give me access to the outside FTP. Are there access control lists I have to set up? If so, how can I do this? I have never used the server as a router and firewall. Or do I need to set up Application Server, and if so, will this allow users outside access to FTP?

I had to configure the server because our company decided to move in one weekend. The server was purchased during the week and set up during the weekend. I had no time to test. I didn't have time to purchase a router; I'm in the process of this but need to allow FTP for the time being.

I do have a router; it's a cheap 3Com 10/100. We have a Cat 6 network. If I were to put the router on the network, will it affect the performance? Should I keep using the server as the router or use the cheap 3Com?
 
Question by: livinlif3

38 Comments
LVL 1

Accepted Solution

by:
bslorence earned 1140 total points
ID: 19613376
It sounds like your Windows server is exposed directly to the Internet. I would NAT it -- give it a local IP and put it behind the 3com router. Let that device bear the brunt of the port scans, etc. that are probably hitting your Windows server right now. Then from the router's perspective your Windows server will be just one more client on the network.

What is it about the 3com and/or your Internet connection that gives you concerns about performance? Do you have a super-fast Internet connection? I'm just wondering because the whole point of the 3com is probably to act as a router/NAT device -- seems like it might actually do the job better than Windows Server, which AFAIK really isn't intended for that sort of thing, at least not primarily. I don't have any evidence to back this up, just a gut feeling.
 
LVL 1

Assisted Solution

by:bslorence
bslorence earned 1140 total points
ID: 19613410
I guess I should add to "gut feeling" my own experience NAT'ing a 30-PC, 5-server network through the basic combination DSL-modem/router that came with our business DSL line. No performance problems here that I know of -- at least no one complains about trouble using the Internet. But then we're not that performance-intensive when it comes to the Internet -- we don't have much need for the Web. We have a basic 3.0 Mbps connection and it does us just fine.
 
LVL 3

Author Comment

by:livinlif3
ID: 19613714
The Internet connection is a Level 2 with a static IP address from Road Runner. We do a lot of FTP transfers throughout the day. Right now I have subdirectory FTP sites on our host provider. I would like to set up my own FTP site real soon. I have a heavy workload with sublimation printers throughout the day.

What size router should I purchase for the business? The company I'm employed by has about 35 users and they're expanding by the day. I believe we're getting about 5 to 6 new employees; this is why I'm afraid to use this small-business OfficeConnect router. I used it in my old building but was getting drops constantly throughout the day. I figured I would set up the server as the router and firewall for a day or two till I get moved in and situated, since I have other means of getting companies the information. I basically don't want any drops throughout the day like the last few weeks in the old building. I don't know if it was because we had the basic business account from Road Runner that is only meant for 10 users, and the router kept locking up. Not sure if it was the router looking for DHCP from the provider or just the router going. Since I purchased the server last week and had to configure it Saturday night before spending all of Sunday night laying cable that was supposed to be done by another company and wasn't finished, I didn't have time to figure this out.

What kind of router would you suggest for this business? I have done some configuring of Cisco routers in college but haven't in a real-world situation like this. I want something that is going to be stable and allow me to set up FTP to allow our users to connect to an outside FTP at our web host. I don't want to spend more than $700. Eventually, in a week or so, set up in-house FTP. I probably should make sure I reinstall Routing and Remote Access and make sure the Basic Firewall is turned off when I get the router?

Still don't understand why the users can't access FTP from the web host when the Basic Firewall on the server is turned off (this really irks me). Should I reinstall NAT after the router purchase, and if so, should I make both NICs private network? And put NAT on one of them? Also, what is the DHCP allocator in NAT? Does this work with DHCP, or is it something built into NAT? Which one should I use if this is the case? My mind has severely been overloaded since this move and the growing of the business. Any help would be appreciated since this is my first real deployment and IT job since I have been out of college. I may have gone a little overboard with typing this. Sorry for that. I do appreciate the help.
 
LVL 3

Author Comment

by:livinlif3
ID: 19613751
It's also a Cat 6 network. I should mention I would rather have SNMP over command line for the router. Thanks for the help.
 
LVL 1

Assisted Solution

by:bslorence
bslorence earned 1140 total points
ID: 19613799
What software are you using for FTP? The basic command-line client in Windows, a web browser, a stand-alone FTP client, or something else -- or have you tried several different things? Are your FTP clients trying to do passive or active FTP? (I think different clients will have different defaults, but you can toggle passive mode with the PASV command if you're using a command-line client.)

What's your DSL line currently plugged into? Just a basic DSL modem? Is the 3com currently in the picture at all? Is it possible that the device that's bridging the DSL into your network is also preventing FTP traffic? You're assuming that the Windows server is preventing it -- have you tried running Wireshark (formerly known as Ethereal) on the server to see what's actually happening to the TCP traffic, on both sides of the NAT?

If the 3com was dropping your connection several times a day at the old office, you either had a problem with the connection or a defective 3com. It could be something as simple as a worn-out network jack in the 3com. Either way it shouldn't take long for you to find out, by testing, whether the 3com is going to have the same problem at the new office.

Once you have a router installed you should definitely turn off routing and NAT on the Windows server -- although I don't think that should require re-installing anything -- but, even without touching the Windows server, you should be able to redirect the clients through the stand-alone router simply by changing the "default gateway" in their IP configurations.
 
LVL 5

Assisted Solution

by:fmonroy
fmonroy earned 580 total points
ID: 19613810
FTP uses 2 different modes to transfer files; both use port 21 to exchange commands and responses, but they use another port to transfer the files. It's handled these ways:
- Active (default on most clients): the client sends a RETR or STOR command to start transferring the file, but before that it sends a PORT command telling the server that the client is listening on an IP/port combination, and if you block incoming connections this will not work.
- Passive: before sending the transfer commands, the client issues a PASV command asking the server for an IP/port to connect to; the server answers and the client makes the outgoing connection.

For passive mode to work you need to let the client make outgoing connections on all ports; this is the default behavior in most firewall/NAT scenarios where you only want to protect from outside intruders.

You can get active mode working too, but it requires advanced configuration in the firewall/NAT server and FTP clients to narrow the use of ports and to forward them; I recommend using passive mode.

A good free FTP client that supports both modes is SmartFTP.

I hope this helps.


FM
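As an added illustration of the two modes described in the post above (example code written for this page, not code from the original thread, from SmartFTP or from Windows), the following decodes the h1,h2,h3,h4,p1,p2 field that PORT and the 227 reply both carry, the way a client or an FTP-aware NAT decodes it, and then checks each mode's data connection against a NAT that only permits outbound traffic. It goes one step beyond the post: active mode fails behind NAT even with inbound allowed, because the PORT command carries the client's private address unless the NAT rewrites it. The LAN client address 10.94.64.50 and the ports 1025 and 50000 are constructed for the example; the server address 204.174.223.205 is the one that appears in the SmartFTP log later in this thread.

```python
"""Active vs. passive FTP as seen by a NAT/firewall on the client side.

Constructed control-channel fragments (not captures from the thread) are
decoded as a client or an FTP-aware NAT would decode them, and each mode is
checked against a firewall policy that only permits outbound connections.
"""
import ipaddress
import re

# RFC 959 host-port field: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_hostport(text):
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in: %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    port = p1 * 256 + p2
    if not (1 <= port <= 65535):
        raise ValueError("port out of range: %d" % port)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def encode_hostport(ip, port):
    """Build the h1,h2,h3,h4,p1,p2 field used by PORT and by 227 replies."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def parse_port_command(line):
    """Client -> server, active mode: 'PORT 10,94,64,50,4,1' -> ('10.94.64.50', 1025)."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % line)
    return _decode_hostport(line)


def parse_pasv_reply(line):
    """Server -> client, passive mode: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).'"""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    return _decode_hostport(line)


def data_connection(mode, client_ip, client_port, server_ip, server_port):
    """Describe who opens the data connection, and to where, in each mode."""
    if mode == "active":
        # The server connects from port 20 to the address the client sent in PORT.
        return {"initiator": "server", "src": (server_ip, 20),
                "dst": (client_ip, client_port)}
    if mode == "passive":
        # The client connects from an ephemeral port to the address in the 227 reply.
        return {"initiator": "client", "src": (client_ip, client_port),
                "dst": (server_ip, server_port)}
    raise ValueError("unknown mode: %r" % mode)


def check_against_nat(conn, allow_inbound=False):
    """Would a NAT that only allows outbound traffic let this data connection through?

    Returns (ok, reason).  allow_inbound models an explicit inbound port mapping.
    """
    dst_ip = ipaddress.ip_address(conn["dst"][0])
    if conn["initiator"] == "client":
        return True, "outbound connection; the NAT translates it like any other"
    # Server-initiated: two independent reasons this fails behind NAT.
    if dst_ip.is_private:
        return False, ("PORT carried the client's private address %s; the server "
                       "cannot reach it unless the NAT rewrites PORT" % dst_ip)
    if not allow_inbound:
        return False, "inbound connection to the public address is blocked"
    return True, "inbound connection permitted by an explicit port mapping"


def demo():
    """Walk both modes through the NAT check using constructed messages."""
    client_ip = "10.94.64.50"           # constructed LAN client address
    server_ip = "204.174.223.205"       # server address from the thread's SmartFTP log
    results = {}

    # Active: the client listens on 1025 and announces it with PORT.
    port_line = "PORT " + encode_hostport(client_ip, 1025)      # "PORT 10,94,64,50,4,1"
    ip, port = parse_port_command(port_line)
    results["active"] = check_against_nat(
        data_connection("active", ip, port, server_ip, None))

    # Passive: the server listens on 50000 and announces it in the 227 reply.
    pasv_line = "227 Entering Passive Mode (%s)." % encode_hostport(server_ip, 50000)
    ip, port = parse_pasv_reply(pasv_line)
    results["passive"] = check_against_nat(
        data_connection("passive", client_ip, 3001, ip, port))
    return results


if __name__ == "__main__":
    for mode, (ok, why) in demo().items():
        print("%-7s %s: %s" % (mode, "works" if ok else "FAILS", why))
```

Running it reports active mode failing and passive mode working. The private-address check is the part worth remembering: an inbound port mapping on the NAT is not enough for active FTP, because the server still tries to connect to the 10.x address inside the PORT command, so the NAT must also rewrite that command (Windows RRAS ships an FTP NAT editor for this purpose). Passive mode sidesteps both problems, which is why it is the safe default for clients behind NAT.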
 
LVL 1

Expert Comment

by:bslorence
ID: 19613819
I noticed that you mentioned cat6 before -- why? AFAIK, cat6 is just a wiring specification. The kind of cables you're using shouldn't have any bearing on the question -- but maybe I'm missing something?

Don't have much experience myself with SNMP, but most network devices seem to support it to one extent or another. You sure you didn't mean a web-based administrative interface?

 
LVL 5

Expert Comment

by:fmonroy
ID: 19613826
Basically, use passive mode; this will allow outgoing transfers.
 
LVL 3

Author Comment

by:livinlif3
ID: 19613856
I was doing some research for routers. Being that it's Gigabit Ethernet, do I need a gigabit router? I have two Dell unmanaged gigabit switches.
 
LVL 5

Expert Comment

by:fmonroy
ID: 19613863
What is your Internet bandwidth?
I think you don't need to route 1 Gbps.
 
LVL 3

Author Comment

by:livinlif3
ID: 19613918
It isn't near 1 Gbps. I think I understand what you are getting at with a gigabit router.
 
LVL 3

Author Comment

by:livinlif3
ID: 19613921
I try to access it through just a web browser on a client PC and it doesn't allow FTP. Would that be different than changing the settings in the Ipswitch program used for FTP?
 
LVL 5

Assisted Solution

by:fmonroy
fmonroy earned 580 total points
ID: 19613940
To use passive FTP in a web browser:
Open Internet Explorer from the Start Menu or command line.
On the Internet Explorer menu, click Tools to open the Tools menu.
On the Tools menu, click Internet Options. A new Internet Options window will appear on the screen.
In the Internet Options window, click the Advanced tab.
First, find the setting called Enable folder view for FTP sites (located near the top of the list of settings). Ensure this feature is disabled (unchecked). Passive FTP mode in Internet Explorer will not work unless this feature is disabled.
Next, find the setting called Use Passive FTP (located approximately halfway down in the list of settings).
To enable the Passive FTP feature, set the checkmark in the box next to the Use Passive FTP setting. To disable the feature, clear the checkmark. Alternately set and clear the checkmark by clicking once inside the checkbox.
Click OK or Apply to save the Passive FTP setting.
 
LVL 3

Author Comment

by:livinlif3
ID: 19613967

Still can't access outside FTP even with the Explorer changes.

Finding Host stadriemblemscom.nationprotect.net ...
[2007.08.01 21:22:26.593] Connecting to 204.174.223.205:21
[2007.08.01 21:22:26.593] Connected to 204.174.223.205:21 in 0.000000 seconds, Waiting for Server Response
[2007.08.01 21:22:26.765] 220 ProFTPD 1.3.0 Server ready.
[2007.08.01 21:22:26.765] Host type (1): Automatic detect
[2007.08.01 21:22:26.765] USER stadriemblems
[2007.08.01 21:22:26.765] Error reading response from server.
 
LVL 5

Expert Comment

by:fmonroy
ID: 19613996
Do a test using SmartFTP... download it from www.smartftp.com
 
LVL 5

Assisted Solution

by:kmotaweh
kmotaweh earned 80 total points
ID: 19614792
I think that you have to try accessing the FTP site from your command prompt, and this will tell you somehow what the error is. Then try to look at your Event Viewer after that and tell me what you have found.
 
LVL 3

Assisted Solution

by:gb-sdc
gb-sdc earned 200 total points
ID: 19615973
I agree with one of the posters above: get yourself a router to do the NAT and use the Windows server for serving stuff.

In the meantime: have you configured the NAT to allow FTP? If I understand correctly, you have to explicitly allow services if you are using a Windows server to do the NAT for you.

Use: Control Panel > Administrative Tools > Routing and Remote Access

Instructions and screenshots:

http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html

Hope this helps.
 
LVL 1

Expert Comment

by:bslorence
ID: 19618788
"Still can't access outside ftp even with explorer changes.

Finding Host x.y.z ...
[2007.08.01 21:22:26.593] Connecting to [host-ip]:21"

Where are you getting these log messages? Not from Internet Explorer?
 
LVL 3

Author Comment

by:livinlif3
ID: 19619594
I tried to access FTP through the command prompt (I put my username in, then it gives me the error "connection closed by remote host"). I also added the IP address of a PC here on the network to allow FTP server access; still no connection from the command prompt (client PC). I can connect through the server though. I can't connect through the NetNation web-based FTP either (on clients). Is there something on the General tab in Routing and Remote Access that needs to be configured? Those error messages were from the SmartFTP log. This is pretty depressing. Thanks for the help.
 
LVL 3

Assisted Solution

by:gb-sdc
gb-sdc earned 200 total points
ID: 19619697
Yes, see the link I posted above. You need to change the NAT/Basic Firewall > Remote Router > Service and Ports settings.
 
LVL 5

Expert Comment

by:fmonroy
ID: 19619737
Please check the event log and look for NAT/Basic Firewall events. Post them here if there are any.
 
LVL 3

Author Comment

by:livinlif3
ID: 19619886
The DHCP allocator has detected a DHCP server with IP address 10.94.64.1 on the same network as the interface with IP address 169.254.25.33. The allocator has disabled itself on the interface in order to avoid confusing DHCP clients.

The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.

The DHCP allocator has detected a DHCP server with IP address 10.94.64.1 on the same network as the interface with IP address 169.254.25.33. The allocator has disabled itself on the interface in order to avoid confusing DHCP clients.

The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.

The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.

These are the error messages I found.

When I configure the FTP Server under Services and Ports, should the incoming port be 21 and the outgoing port 20? Using the private IP address of the client PC, or of NIC2 on the server?
 
LVL 1

Expert Comment

by:bslorence
ID: 19619946
SmartFTP's behavior doesn't have anything to do with the FTP settings in Internet Explorer; that's why I was confused by the post that started with "can't access outside ftp even with explorer changes" and then included log messages from SmartFTP.

When you ran SmartFTP and got as far as entering your username, what computer were you using? The server, or one of the clients?

Also, you haven't yet described how your network is connected to the Internet. There's got to be some network device that the DSL line is plugged into. Is that device able to do NAT and/or routing? If so, could it be causing some trouble here?
 
LVL 5

Expert Comment

by:fmonroy
ID: 19619950
As you are connecting to an FTP server on the Internet, you need outgoing access on port 21; do not open access to incoming ports yet, until you see that the firewall is blocking them...

You have a NAT problem there. Are there any other messages related to NAT?
 
LVL 3

Author Comment

by:livinlif3
ID: 19619965
The server is used as the router and also NAT.
 
LVL 1

Expert Comment

by:bslorence
ID: 19620073
"The server is used as the router and also NAT."

I said "DSL" above but then remembered that you said "road runner" earlier; sorry. Where is the cable connected? Does it connect to a cable modem, which then plugs directly into the Windows server? Does this cable "modem" also do some routing/NAT or does it just bridge the cable signal to Ethernet?

I think you will save yourself a lot of headache and heartache if you go to the nearest office-supply or electronics retailer, drop $50-$150 on a decent-brand-name broadband router with a firewall, install it in your network, turn off routing and NAT on the Windows server, disable one of its network interfaces and assign the other one a static private IP, and reconfigure it and your clients to use the broadband router as their default gateway.

Then if you want to get fancy with a $700 Cisco router later, fine. But at least for now you'll have a working Internet connection and your Windows server won't be directly exposed to the Internet.
 
LVL 3

Author Comment

by:livinlif3
ID: 19620126
Yeah, I'm connecting to an FTP server on the Internet. I did outgoing access on port 21 (still nothing). Those were all the messages related to NAT.
 
LVL 3

Author Comment

by:livinlif3
ID: 19620197
Road Runner gave us a router but it's not configurable. I've never had this problem; I don't like how I have no control over this problem with everything I've tried. I think you guys are right about just getting a router. I'm able to send files to the companies through MediaFire; it isn't confidential data, so it will do for a few days. Everything is operational. Do you know of a good router that has a good web-based administrative interface? I don't want to spend much time having to configure the router as I have heavy work duties.
 
LVL 1

Expert Comment

by:bslorence
ID: 19620321
What do you mean "it's not configurable"? Has RoadRunner disabled the administrative interface or withheld the password? Are you using the router, with whatever default configuration RoadRunner has imposed? Or is it powered-off and disconnected from the rest of your network?
 
LVL 3

Author Comment

by:livinlif3
ID: 19620386
I'm using the router with the default configuration from Road Runner. Do you think I should contact them to see if it's configurable? The router doesn't even have a manufacturer name; it's very generic looking.
 
LVL 1

Expert Comment

by:bslorence
ID: 19620391
Are you sure it's a router and not just a cable modem?
 
LVL 3

Author Comment

by:livinlif3
ID: 19620411
They told me over the phone that it was a router because I had them upgrade our account and give me a static ip address.
 
LVL 1

Expert Comment

by:bslorence
ID: 19620434
If it is a router, then yes, I would recommend trying to configure it. Check out broadbandreports.com -- click on FAQ and then, under "Provider Specific", click on "RoadRunner HSI Forum FAQ". You may find some information about the device there.
 
LVL 3

Author Comment

by:livinlif3
ID: 19620497
They don't have any information on the router. They do provide some useful information though. I thought at first maybe Road Runner was blocking the ports, but I was able to FTP from the server, so that eliminated that theory.
 
LVL 5

Assisted Solution

by:fmonroy
fmonroy earned 580 total points
ID: 19621146
Get the cheap router as bslorence says; this will save your life.
 
LVL 3

Author Comment

by:livinlif3
ID: 19627942
I just want to thank you guys for taking the time to help me with this problem. I purchased a Wireless-N Broadband Router from Linksys (the owner wanted wireless). I didn't want to fiddle with using the server as the router anymore. I set it up yesterday here at the office and there have been no drops; so far, so good. I don't see any decrease in performance. You guys were dead on with your responses; I truly appreciate the help you have given me.
 
LVL 5

Expert Comment

by:fmonroy
ID: 19627957
It's great you solved the problem.
Regards.
 
LVL 1

Expert Comment

by:bslorence
ID: 19628230
And FTP is working now...? ;-)
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network ports are the threads that hold network communication together. They are an essential part of networking that can be easily ignore or misunderstood, my goals is to show those who don't have a strong network foundation how network ports opera…
Learn about cloud computing and its benefits for small business owners.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses
Course of the Month16 days, 18 hours left to enroll

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question