Getting FTPS server to work behind a Firewall (NAT)

I am trying to get FTPS to work with server 2008.  I have configured everything according to the following article.
http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/

It works fine on the same network segement, but when i try it from the internet it gets stuck on 14:08:34      Status:      Initializing TLS...
14:08:55      Error:      Connection timed out

I have tried turning the firewall off on the windows 2008 server and that did not make a difference.  I have verified that i have port 21 and the passive ports 49152-65535 setup to NAT to the 2008 box.  I do not see any packets being denied in my firewall logs.

I have been using FileZilla version 3.1.3.1 to test.

Any ideas on why this fails?
Phytech AdminAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
dpk_walConnect With a Mentor Commented:
Is your server using different public IP than the IP of the external interface; if yes, then as you say:

>>  I think it is timing out waiting for the TLS request response from the server

it is expected; with static NAT; all incoming traffic would come on the public IP as defined but the traffic from the server would get NAT'ed out with the public IP of the external interface; if you wish to go out with the same public as it came in; then you must do 1-1 NAT instead.
Please note when you configure you would need to remove the alias/secondary IP from the external interface; and this specific IP could only be used with the said server.
If you are using version 9.x or higher of WSM/WFS software and do not want to do 1-1 NAT, then in the policy, you have configured to allow inbound traffic, go to Advanced->Dynamic NAT; check the box "All traffic in this policy"; then "Set source IP" as the public IP you have.

Please implement and update.

Thank you.
0
 
ScottGranadoCommented:
make sure you have port 990/tcp open on the firewall.  Also make sure this is the port you use to connect in filezilla
0
 
Phytech AdminAuthor Commented:
Thanks for the response...... I have tried port 990, but i think this is used for implicit FTPS and i believe the microsoft FTP server is using explicit FTPS which does send the information over port 21.  I confirmed this because if i try to connect internally to port 990 the server is not responding.  It responds fine on port 21 and connects using SSL.  

Like i said everything works fine if i am on the same network, or on a network that is connected via a net to net VPN.
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

 
Phytech AdminAuthor Commented:
This is the Filezilla log for making the connection on same network all works fine:
16:38:22      Status:      Connecting to x.x.x.x:21...
16:38:22      Status:      Connection established, waiting for welcome message...
16:38:22      Response:      220 Microsoft FTP Service
16:38:22      Command:      AUTH TLS
16:38:22      Response:      234 AUTH command ok. Expecting TLS Negotiation.
16:38:22      Status:      Initializing TLS...
16:38:22      Status:      Verifying certificate...
16:38:35      Command:      USER xxxxx
16:38:35      Status:      TLS/SSL connection established.
16:38:35      Response:      331 Password required for xxxxx
16:38:35      Command:      PASS ***********
16:38:35      Response:      230 User logged in.
16:38:35      Command:      SYST
16:38:35      Response:      215 Windows_NT
16:38:35      Command:      FEAT
16:38:35      Response:      211-Extended features supported:
16:38:35      Response:       LANG EN*
16:38:35      Response:       UTF8
16:38:35      Response:       AUTH TLS;TLS-C;SSL;TLS-P;
16:38:35      Response:       PBSZ
16:38:35      Response:       PROT C;P;
16:38:35      Response:       CCC
16:38:35      Response:       HOST
16:38:35      Response:       SIZE
16:38:35      Response:       MDTM
16:38:35      Response:      211 END
16:38:35      Command:      OPTS UTF8 ON
16:38:35      Response:      200 OPTS UTF8 command successful - UTF8 encoding now ON.
16:38:35      Command:      PBSZ 0
16:38:35      Response:      200 PBSZ command successful.
16:38:35      Command:      PROT P
16:38:35      Response:      200 PROT command successful.
16:38:35      Status:      Connected
16:38:35      Status:      Retrieving directory listing...
16:38:35      Command:      PWD
16:38:35      Response:      257 "/" is current directory.
16:38:35      Command:      TYPE I
16:38:35      Response:      200 Type set to I.
16:38:35      Command:      PASV
16:38:35      Response:      227 Entering Passive Mode (216,x,x,x,x,135).
16:38:35      Command:      LIST
16:38:35      Response:      150 Opening BINARY mode data connection.

Log for going over the internet through a firewall NATing the information to another server.  It looks like it is hanging on the TLS/SSL negotiation.
16:40:38      Status:      Connecting to 216.x.x.x:21...
16:40:38      Status:      Connection established, waiting for welcome message...
16:40:38      Response:      220 Microsoft FTP Service
16:40:38      Command:      AUTH TLS
16:40:38      Response:      234 AUTH command ok. Expecting TLS Negotiation.
16:40:38      Status:      Initializing TLS...
0
 
Phytech AdminAuthor Commented:
16:40:59      Error:      Connection timed out
16:40:59      Error:      Could not connect to server
0
 
ScottGranadoCommented:
hmm, so it looks like you are authenticating but when you go into pasive mode for the list you are timing out.  have you tried setting filezilla to active mode?
0
 
Phytech AdminAuthor Commented:
I think the issue is before it is even trying to use passive or active mode, but yes i have tried active mode with the same results.  I think the issue is when the firewall is responding back to the client for the TLS request.  I suspect what is happening is our firewall is responding back to the TLS request with the internal server IP and not the external ip address of our firewall.  I think it is timing out waiting for the TLS request response from the server.  It never gets to the point of verifying the certificate.  We are using a watchguard firewall and i have a static NAT setup to handle this.  

Again thanks for your help!
0
 
Phytech AdminAuthor Commented:
Thanks for the update on how to set this up on the watchguard.  I verified that i had the policy setup correctly.  THe issue was when i was trying to test from an environment that had a net-to-net vpn already setup to the network that was hosting the ftp server.  If i came in from any other internet address it seems to work fine.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.