Getting FTPS server to work behind a Firewall (NAT)
I am trying to get FTPS to work with server 2008. I have configured everything according to the following article.
http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/
It works fine on the same network segement, but when i try it from the internet it gets stuck on 14:08:34 Status: Initializing TLS...
14:08:55 Error: Connection timed out
I have tried turning the firewall off on the windows 2008 server and that did not make a difference. I have verified that i have port 21 and the passive ports 49152-65535 setup to NAT to the 2008 box. I do not see any packets being denied in my firewall logs.
I have been using FileZilla version 3.1.3.1 to test.
Any ideas on why this fails?
http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/
It works fine on the same network segement, but when i try it from the internet it gets stuck on 14:08:34 Status: Initializing TLS...
14:08:55 Error: Connection timed out
I have tried turning the firewall off on the windows 2008 server and that did not make a difference. I have verified that i have port 21 and the passive ports 49152-65535 setup to NAT to the 2008 box. I do not see any packets being denied in my firewall logs.
I have been using FileZilla version 3.1.3.1 to test.
Any ideas on why this fails?
ScottGranado
make sure you have port 990/tcp open on the firewall. Also make sure this is the port you use to connect in filezilla
ASKER
Thanks for the response...... I have tried port 990, but i think this is used for implicit FTPS and i believe the microsoft FTP server is using explicit FTPS which does send the information over port 21. I confirmed this because if i try to connect internally to port 990 the server is not responding. It responds fine on port 21 and connects using SSL.
Like i said everything works fine if i am on the same network, or on a network that is connected via a net to net VPN.
Like i said everything works fine if i am on the same network, or on a network that is connected via a net to net VPN.
ASKER
This is the Filezilla log for making the connection on same network all works fine:
16:38:22 Status: Connecting to x.x.x.x:21...
16:38:22 Status: Connection established, waiting for welcome message...
16:38:22 Response: 220 Microsoft FTP Service
16:38:22 Command: AUTH TLS
16:38:22 Response: 234 AUTH command ok. Expecting TLS Negotiation.
16:38:22 Status: Initializing TLS...
16:38:22 Status: Verifying certificate...
16:38:35 Command: USER xxxxx
16:38:35 Status: TLS/SSL connection established.
16:38:35 Response: 331 Password required for xxxxx
16:38:35 Command: PASS ***********
16:38:35 Response: 230 User logged in.
16:38:35 Command: SYST
16:38:35 Response: 215 Windows_NT
16:38:35 Command: FEAT
16:38:35 Response: 211-Extended features supported:
16:38:35 Response: LANG EN*
16:38:35 Response: UTF8
16:38:35 Response: AUTH TLS;TLS-C;SSL;TLS-P;
16:38:35 Response: PBSZ
16:38:35 Response: PROT C;P;
16:38:35 Response: CCC
16:38:35 Response: HOST
16:38:35 Response: SIZE
16:38:35 Response: MDTM
16:38:35 Response: 211 END
16:38:35 Command: OPTS UTF8 ON
16:38:35 Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
16:38:35 Command: PBSZ 0
16:38:35 Response: 200 PBSZ command successful.
16:38:35 Command: PROT P
16:38:35 Response: 200 PROT command successful.
16:38:35 Status: Connected
16:38:35 Status: Retrieving directory listing...
16:38:35 Command: PWD
16:38:35 Response: 257 "/" is current directory.
16:38:35 Command: TYPE I
16:38:35 Response: 200 Type set to I.
16:38:35 Command: PASV
16:38:35 Response: 227 Entering Passive Mode (216,x,x,x,x,135).
16:38:35 Command: LIST
16:38:35 Response: 150 Opening BINARY mode data connection.
Log for going over the internet through a firewall NATing the information to another server. It looks like it is hanging on the TLS/SSL negotiation.
16:40:38 Status: Connecting to 216.x.x.x:21...
16:40:38 Status: Connection established, waiting for welcome message...
16:40:38 Response: 220 Microsoft FTP Service
16:40:38 Command: AUTH TLS
16:40:38 Response: 234 AUTH command ok. Expecting TLS Negotiation.
16:40:38 Status: Initializing TLS...
16:38:22 Status: Connecting to x.x.x.x:21...
16:38:22 Status: Connection established, waiting for welcome message...
16:38:22 Response: 220 Microsoft FTP Service
16:38:22 Command: AUTH TLS
16:38:22 Response: 234 AUTH command ok. Expecting TLS Negotiation.
16:38:22 Status: Initializing TLS...
16:38:22 Status: Verifying certificate...
16:38:35 Command: USER xxxxx
16:38:35 Status: TLS/SSL connection established.
16:38:35 Response: 331 Password required for xxxxx
16:38:35 Command: PASS ***********
16:38:35 Response: 230 User logged in.
16:38:35 Command: SYST
16:38:35 Response: 215 Windows_NT
16:38:35 Command: FEAT
16:38:35 Response: 211-Extended features supported:
16:38:35 Response: LANG EN*
16:38:35 Response: UTF8
16:38:35 Response: AUTH TLS;TLS-C;SSL;TLS-P;
16:38:35 Response: PBSZ
16:38:35 Response: PROT C;P;
16:38:35 Response: CCC
16:38:35 Response: HOST
16:38:35 Response: SIZE
16:38:35 Response: MDTM
16:38:35 Response: 211 END
16:38:35 Command: OPTS UTF8 ON
16:38:35 Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
16:38:35 Command: PBSZ 0
16:38:35 Response: 200 PBSZ command successful.
16:38:35 Command: PROT P
16:38:35 Response: 200 PROT command successful.
16:38:35 Status: Connected
16:38:35 Status: Retrieving directory listing...
16:38:35 Command: PWD
16:38:35 Response: 257 "/" is current directory.
16:38:35 Command: TYPE I
16:38:35 Response: 200 Type set to I.
16:38:35 Command: PASV
16:38:35 Response: 227 Entering Passive Mode (216,x,x,x,x,135).
16:38:35 Command: LIST
16:38:35 Response: 150 Opening BINARY mode data connection.
Log for going over the internet through a firewall NATing the information to another server. It looks like it is hanging on the TLS/SSL negotiation.
16:40:38 Status: Connecting to 216.x.x.x:21...
16:40:38 Status: Connection established, waiting for welcome message...
16:40:38 Response: 220 Microsoft FTP Service
16:40:38 Command: AUTH TLS
16:40:38 Response: 234 AUTH command ok. Expecting TLS Negotiation.
16:40:38 Status: Initializing TLS...
ASKER
16:40:59 Error: Connection timed out
16:40:59 Error: Could not connect to server
16:40:59 Error: Could not connect to server
hmm, so it looks like you are authenticating but when you go into pasive mode for the list you are timing out. have you tried setting filezilla to active mode?
ASKER
I think the issue is before it is even trying to use passive or active mode, but yes i have tried active mode with the same results. I think the issue is when the firewall is responding back to the client for the TLS request. I suspect what is happening is our firewall is responding back to the TLS request with the internal server IP and not the external ip address of our firewall. I think it is timing out waiting for the TLS request response from the server. It never gets to the point of verifying the certificate. We are using a watchguard firewall and i have a static NAT setup to handle this.
Again thanks for your help!
Again thanks for your help!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the update on how to set this up on the watchguard. I verified that i had the policy setup correctly. THe issue was when i was trying to test from an environment that had a net-to-net vpn already setup to the network that was hosting the ftp server. If i came in from any other internet address it seems to work fine.