Getting FTPS server to work behind a Firewall (NAT)

I am trying to get FTPS to work with server 2008.  I have configured everything according to the following article.

It works fine on the same network segement, but when i try it from the internet it gets stuck on 14:08:34      Status:      Initializing TLS...
14:08:55      Error:      Connection timed out

I have tried turning the firewall off on the windows 2008 server and that did not make a difference.  I have verified that i have port 21 and the passive ports 49152-65535 setup to NAT to the 2008 box.  I do not see any packets being denied in my firewall logs.

I have been using FileZilla version to test.

Any ideas on why this fails?
Phytech AdminAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

dpk_walConnect With a Mentor Commented:
Is your server using different public IP than the IP of the external interface; if yes, then as you say:

>>  I think it is timing out waiting for the TLS request response from the server

it is expected; with static NAT; all incoming traffic would come on the public IP as defined but the traffic from the server would get NAT'ed out with the public IP of the external interface; if you wish to go out with the same public as it came in; then you must do 1-1 NAT instead.
Please note when you configure you would need to remove the alias/secondary IP from the external interface; and this specific IP could only be used with the said server.
If you are using version 9.x or higher of WSM/WFS software and do not want to do 1-1 NAT, then in the policy, you have configured to allow inbound traffic, go to Advanced->Dynamic NAT; check the box "All traffic in this policy"; then "Set source IP" as the public IP you have.

Please implement and update.

Thank you.
make sure you have port 990/tcp open on the firewall.  Also make sure this is the port you use to connect in filezilla
Phytech AdminAuthor Commented:
Thanks for the response...... I have tried port 990, but i think this is used for implicit FTPS and i believe the microsoft FTP server is using explicit FTPS which does send the information over port 21.  I confirmed this because if i try to connect internally to port 990 the server is not responding.  It responds fine on port 21 and connects using SSL.  

Like i said everything works fine if i am on the same network, or on a network that is connected via a net to net VPN.
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Phytech AdminAuthor Commented:
This is the Filezilla log for making the connection on same network all works fine:
16:38:22      Status:      Connecting to x.x.x.x:21...
16:38:22      Status:      Connection established, waiting for welcome message...
16:38:22      Response:      220 Microsoft FTP Service
16:38:22      Command:      AUTH TLS
16:38:22      Response:      234 AUTH command ok. Expecting TLS Negotiation.
16:38:22      Status:      Initializing TLS...
16:38:22      Status:      Verifying certificate...
16:38:35      Command:      USER xxxxx
16:38:35      Status:      TLS/SSL connection established.
16:38:35      Response:      331 Password required for xxxxx
16:38:35      Command:      PASS ***********
16:38:35      Response:      230 User logged in.
16:38:35      Command:      SYST
16:38:35      Response:      215 Windows_NT
16:38:35      Command:      FEAT
16:38:35      Response:      211-Extended features supported:
16:38:35      Response:       LANG EN*
16:38:35      Response:       UTF8
16:38:35      Response:       AUTH TLS;TLS-C;SSL;TLS-P;
16:38:35      Response:       PBSZ
16:38:35      Response:       PROT C;P;
16:38:35      Response:       CCC
16:38:35      Response:       HOST
16:38:35      Response:       SIZE
16:38:35      Response:       MDTM
16:38:35      Response:      211 END
16:38:35      Command:      OPTS UTF8 ON
16:38:35      Response:      200 OPTS UTF8 command successful - UTF8 encoding now ON.
16:38:35      Command:      PBSZ 0
16:38:35      Response:      200 PBSZ command successful.
16:38:35      Command:      PROT P
16:38:35      Response:      200 PROT command successful.
16:38:35      Status:      Connected
16:38:35      Status:      Retrieving directory listing...
16:38:35      Command:      PWD
16:38:35      Response:      257 "/" is current directory.
16:38:35      Command:      TYPE I
16:38:35      Response:      200 Type set to I.
16:38:35      Command:      PASV
16:38:35      Response:      227 Entering Passive Mode (216,x,x,x,x,135).
16:38:35      Command:      LIST
16:38:35      Response:      150 Opening BINARY mode data connection.

Log for going over the internet through a firewall NATing the information to another server.  It looks like it is hanging on the TLS/SSL negotiation.
16:40:38      Status:      Connecting to 216.x.x.x:21...
16:40:38      Status:      Connection established, waiting for welcome message...
16:40:38      Response:      220 Microsoft FTP Service
16:40:38      Command:      AUTH TLS
16:40:38      Response:      234 AUTH command ok. Expecting TLS Negotiation.
16:40:38      Status:      Initializing TLS...
Phytech AdminAuthor Commented:
16:40:59      Error:      Connection timed out
16:40:59      Error:      Could not connect to server
hmm, so it looks like you are authenticating but when you go into pasive mode for the list you are timing out.  have you tried setting filezilla to active mode?
Phytech AdminAuthor Commented:
I think the issue is before it is even trying to use passive or active mode, but yes i have tried active mode with the same results.  I think the issue is when the firewall is responding back to the client for the TLS request.  I suspect what is happening is our firewall is responding back to the TLS request with the internal server IP and not the external ip address of our firewall.  I think it is timing out waiting for the TLS request response from the server.  It never gets to the point of verifying the certificate.  We are using a watchguard firewall and i have a static NAT setup to handle this.  

Again thanks for your help!
Phytech AdminAuthor Commented:
Thanks for the update on how to set this up on the watchguard.  I verified that i had the policy setup correctly.  THe issue was when i was trying to test from an environment that had a net-to-net vpn already setup to the network that was hosting the ftp server.  If i came in from any other internet address it seems to work fine.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.