Getting FTPS server to work behind a Firewall (NAT)

Posted on 2008-10-08
Last Modified: 2012-05-05
I am trying to get FTPS to work with server 2008.  I have configured everything according to the following article.

It works fine on the same network segment, but when I try it from the internet it gets stuck on:
14:08:34      Status:      Initializing TLS...
14:08:55      Error:      Connection timed out

I have tried turning the firewall off on the Windows 2008 server and that did not make a difference.  I have verified that I have port 21 and the passive ports 49152-65535 set up to NAT to the 2008 box.  I do not see any packets being denied in my firewall logs.

I have been using FileZilla version to test.

Any ideas on why this fails?
Question by: Phytech Admin
Expert Comment

ID: 22672853
Make sure you have port 990/tcp open on the firewall.  Also make sure this is the port you use to connect in FileZilla.

Author Comment

by:Phytech Admin
ID: 22673493
Thanks for the response...... I have tried port 990, but I think this is used for implicit FTPS and I believe the Microsoft FTP server is using explicit FTPS, which does send the information over port 21.  I confirmed this because if I try to connect internally to port 990 the server is not responding.  It responds fine on port 21 and connects using SSL.

Like I said, everything works fine if I am on the same network, or on a network that is connected via a net-to-net VPN.

Author Comment

by:Phytech Admin
ID: 22673798
This is the FileZilla log for making the connection on the same network; all works fine:
16:38:22      Status:      Connecting to x.x.x.x:21...
16:38:22      Status:      Connection established, waiting for welcome message...
16:38:22      Response:      220 Microsoft FTP Service
16:38:22      Command:      AUTH TLS
16:38:22      Response:      234 AUTH command ok. Expecting TLS Negotiation.
16:38:22      Status:      Initializing TLS...
16:38:22      Status:      Verifying certificate...
16:38:35      Command:      USER xxxxx
16:38:35      Status:      TLS/SSL connection established.
16:38:35      Response:      331 Password required for xxxxx
16:38:35      Command:      PASS ***********
16:38:35      Response:      230 User logged in.
16:38:35      Command:      SYST
16:38:35      Response:      215 Windows_NT
16:38:35      Command:      FEAT
16:38:35      Response:      211-Extended features supported:
16:38:35      Response:       LANG EN*
16:38:35      Response:       UTF8
16:38:35      Response:       AUTH TLS;TLS-C;SSL;TLS-P;
16:38:35      Response:       PBSZ
16:38:35      Response:       PROT C;P;
16:38:35      Response:       CCC
16:38:35      Response:       HOST
16:38:35      Response:       SIZE
16:38:35      Response:       MDTM
16:38:35      Response:      211 END
16:38:35      Command:      OPTS UTF8 ON
16:38:35      Response:      200 OPTS UTF8 command successful - UTF8 encoding now ON.
16:38:35      Command:      PBSZ 0
16:38:35      Response:      200 PBSZ command successful.
16:38:35      Command:      PROT P
16:38:35      Response:      200 PROT command successful.
16:38:35      Status:      Connected
16:38:35      Status:      Retrieving directory listing...
16:38:35      Command:      PWD
16:38:35      Response:      257 "/" is current directory.
16:38:35      Command:      TYPE I
16:38:35      Response:      200 Type set to I.
16:38:35      Command:      PASV
16:38:35      Response:      227 Entering Passive Mode (216,x,x,x,x,135).
16:38:35      Command:      LIST
16:38:35      Response:      150 Opening BINARY mode data connection.

Log for going over the internet through a firewall NATing the traffic to another server.  It looks like it is hanging on the TLS/SSL negotiation.
16:40:38      Status:      Connecting to 216.x.x.x:21...
16:40:38      Status:      Connection established, waiting for welcome message...
16:40:38      Response:      220 Microsoft FTP Service
16:40:38      Command:      AUTH TLS
16:40:38      Response:      234 AUTH command ok. Expecting TLS Negotiation.
16:40:38      Status:      Initializing TLS...

Author Comment

by:Phytech Admin
ID: 22673991
16:40:59      Error:      Connection timed out
16:40:59      Error:      Could not connect to server

Expert Comment

ID: 22674080
Hmm, so it looks like you are authenticating, but when you go into passive mode for the list you are timing out.  Have you tried setting FileZilla to active mode?

Author Comment

by:Phytech Admin
ID: 22674138
I think the issue is before it is even trying to use passive or active mode, but yes, I have tried active mode with the same results.  I think the issue is when the firewall is responding back to the client for the TLS request.  I suspect what is happening is our firewall is responding back to the TLS request with the internal server IP and not the external IP address of our firewall.  I think it is timing out waiting for the TLS request response from the server.  It never gets to the point of verifying the certificate.  We are using a WatchGuard firewall and I have a static NAT set up to handle this.

Again thanks for your help!

Accepted Solution

dpk_wal earned 500 total points
ID: 22685414
Is your server using a different public IP than the IP of the external interface?  If yes, then, as you say:

>>  I think it is timing out waiting for the TLS request response from the server

it is expected.  With static NAT, all incoming traffic would come in on the public IP as defined, but the traffic from the server would get NAT'ed out with the public IP of the external interface.  If you wish to go out with the same public IP as it came in on, then you must do 1-1 NAT instead.
Please note that when you configure this you would need to remove the alias/secondary IP from the external interface, and this specific IP could only be used with the said server.
If you are using version 9.x or higher of the WSM/WFS software and do not want to do 1-1 NAT, then in the policy you have configured to allow inbound traffic, go to Advanced->Dynamic NAT, check the box "All traffic in this policy", then "Set source IP" as the public IP you have.

Please implement and update.

Thank you.
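
The thread never pins down which phase of the explicit-FTPS exchange dies, and the expert above reads the log as a passive-mode problem while the author reads it as a TLS problem. The diagnostic below is an added example written for this page; it is not code from the original poster, from IIS, from FileZilla or from WatchGuard. It classifies a FileZilla-style log by the last phase reached before an Error line (the two logs embedded in it are constructed from the lines posted above), checks the address a server advertises in its 227 PASV reply against the address the client actually dialed, and can also walk the same phases live with ftplib against a host, user and password that are the caller's inputs (assumptions, not values from the thread).

```python
"""Explicit FTPS (AUTH TLS) through NAT: find the phase where a session stalls.

Added example for this thread; not code from the original post, IIS or FileZilla.
Sample logs are constructed from the lines the author posted.  Host, user and
password for probe_ftps() are assumed inputs supplied by the caller.
"""
import re
import ssl
from collections import namedtuple
from ftplib import FTP_TLS, Error as FtpError

# FileZilla log line, e.g. "16:40:38      Status:      Initializing TLS..."
LOG_RE = re.compile(r"^\s*(\S+)\s+(Status|Command|Response|Error):\s*(.*)$")

# Markers showing a phase was reached, in protocol order.  Only Status and
# Command lines count, so the FEAT response echoing "AUTH TLS" cannot move
# the phase backwards.
PHASE_MARKERS = [
    ("Status", "Connecting to", "tcp-connect"),
    ("Status", "Connection established", "banner"),
    ("Command", "AUTH TLS", "auth-tls"),
    ("Status", "Initializing TLS", "tls-handshake"),
    ("Status", "TLS/SSL connection established", "login"),
    ("Command", "PASV", "passive-data"),
    ("Command", "PORT", "active-data"),
    ("Command", "LIST", "data-transfer"),
]

Diagnosis = namedtuple("Diagnosis", "last_phase failed error")

def stalled_phase(log_lines):
    """Last phase reached before the first Error line (failed=False if none)."""
    phase = None
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, kind, text = m.groups()
        if kind == "Error":
            return Diagnosis(phase, True, text.strip())
        for mkind, marker, name in PHASE_MARKERS:
            if kind == mkind and text.startswith(marker):
                phase = name
    return Diagnosis(phase, False, None)

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (ip, port)."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def pasv_mismatch(reply, dialed_ip):
    """True when the 227 reply advertises an address other than the one dialed.
    After AUTH TLS the control channel is encrypted, so a NAT device cannot
    rewrite this reply; the server itself must advertise the public address."""
    ip, _port = parse_pasv(reply)
    return ip != dialed_ip

def probe_ftps(host, user, passwd, port=21, timeout=15, verify=True):
    """Walk the explicit-FTPS phases live; return (phase, error_or_None).
    verify=False drops certificate checks: diagnostic use against a
    self-signed certificate only."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    phase = "tcp-connect"
    try:
        ftp.connect(host, port)           # TCP connect + 220 banner
        phase = "tls-handshake"
        ftp.auth()                        # AUTH TLS, then handshake on port 21
        phase = "login"
        ftp.login(user, passwd)
        ftp.prot_p()                      # PROT P: data channel inside TLS too
        phase = "passive-data"
        dialed = ftp.sock.getpeername()[0]
        reply = ftp.sendcmd("PASV")       # checked by hand: recent ftplib ignores
        if pasv_mismatch(reply, dialed):  # the advertised host by default
            return phase, "server advertised %s, client dialed %s" % (parse_pasv(reply)[0], dialed)
        phase = "data-transfer"
        ftp.retrlines("LIST", lambda _l: None)
        ftp.quit()
        return "completed", None
    except (OSError, FtpError) as exc:    # timeouts, TLS and FTP reply errors
        return phase, "%s: %s" % (type(exc).__name__, exc)

# Constructed from the two FileZilla logs posted in the thread.
INTERNET_LOG = [
    "16:40:38      Status:      Connecting to 216.x.x.x:21...",
    "16:40:38      Status:      Connection established, waiting for welcome message...",
    "16:40:38      Response:      220 Microsoft FTP Service",
    "16:40:38      Command:      AUTH TLS",
    "16:40:38      Response:      234 AUTH command ok. Expecting TLS Negotiation.",
    "16:40:38      Status:      Initializing TLS...",
    "16:40:59      Error:      Connection timed out",
    "16:40:59      Error:      Could not connect to server",
]
LAN_LOG = INTERNET_LOG[:6] + [
    "16:38:35      Status:      TLS/SSL connection established.",
    "16:38:35      Command:      PASV",
    "16:38:35      Response:      227 Entering Passive Mode (216,x,x,x,x,135).",
    "16:38:35      Command:      LIST",
    "16:38:35      Response:      150 Opening BINARY mode data connection.",
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 4:                # python ftps_probe.py HOST USER PASS
        print(probe_ftps(*sys.argv[1:4]))
    else:
        print("lan     :", stalled_phase(LAN_LOG))
        print("internet:", stalled_phase(INTERNET_LOG))
```

Run on the two posted logs, the internet session classifies as stalled at tls-handshake and the LAN session as reaching data-transfer, which is what the author argued: the failure is on the control channel before any PASV or PORT command is sent, so switching FileZilla to active mode cannot fix it. The PASV check matters once the TLS stall is solved: with the control channel inside TLS the firewall can no longer see or rewrite the 227 reply, so the server must be told the firewall's external address (IIS exposes this under FTP Firewall Support), or the client has to issue CCC, which the FEAT list above advertises, to return the control channel to cleartext after login.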

Author Closing Comment

by:Phytech Admin
ID: 31504393
Thanks for the update on how to set this up on the WatchGuard.  I verified that I had the policy set up correctly.  The issue was when I was trying to test from an environment that had a net-to-net VPN already set up to the network that was hosting the FTP server.  If I came in from any other internet address it seems to work fine.
