Solved

Getting FTPS server to work behind a Firewall (NAT)

Posted on 2008-10-08
8
2,124 Views
Last Modified: 2012-05-05
I am trying to get FTPS to work with server 2008.  I have configured everything according to the following article.
http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/

It works fine on the same network segement, but when i try it from the internet it gets stuck on 14:08:34      Status:      Initializing TLS...
14:08:55      Error:      Connection timed out

I have tried turning the firewall off on the windows 2008 server and that did not make a difference.  I have verified that i have port 21 and the passive ports 49152-65535 setup to NAT to the 2008 box.  I do not see any packets being denied in my firewall logs.

I have been using FileZilla version 3.1.3.1 to test.

Any ideas on why this fails?
0
Comment
Question by:Phytech Admin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
8 Comments
 
LVL 2

Expert Comment

by:ScottGranado
ID: 22672853
make sure you have port 990/tcp open on the firewall.  Also make sure this is the port you use to connect in filezilla
0
 

Author Comment

by:Phytech Admin
ID: 22673493
Thanks for the response...... I have tried port 990, but i think this is used for implicit FTPS and i believe the microsoft FTP server is using explicit FTPS which does send the information over port 21.  I confirmed this because if i try to connect internally to port 990 the server is not responding.  It responds fine on port 21 and connects using SSL.  

Like i said everything works fine if i am on the same network, or on a network that is connected via a net to net VPN.
0
 

Author Comment

by:Phytech Admin
ID: 22673798
This is the Filezilla log for making the connection on same network all works fine:
16:38:22      Status:      Connecting to x.x.x.x:21...
16:38:22      Status:      Connection established, waiting for welcome message...
16:38:22      Response:      220 Microsoft FTP Service
16:38:22      Command:      AUTH TLS
16:38:22      Response:      234 AUTH command ok. Expecting TLS Negotiation.
16:38:22      Status:      Initializing TLS...
16:38:22      Status:      Verifying certificate...
16:38:35      Command:      USER xxxxx
16:38:35      Status:      TLS/SSL connection established.
16:38:35      Response:      331 Password required for xxxxx
16:38:35      Command:      PASS ***********
16:38:35      Response:      230 User logged in.
16:38:35      Command:      SYST
16:38:35      Response:      215 Windows_NT
16:38:35      Command:      FEAT
16:38:35      Response:      211-Extended features supported:
16:38:35      Response:       LANG EN*
16:38:35      Response:       UTF8
16:38:35      Response:       AUTH TLS;TLS-C;SSL;TLS-P;
16:38:35      Response:       PBSZ
16:38:35      Response:       PROT C;P;
16:38:35      Response:       CCC
16:38:35      Response:       HOST
16:38:35      Response:       SIZE
16:38:35      Response:       MDTM
16:38:35      Response:      211 END
16:38:35      Command:      OPTS UTF8 ON
16:38:35      Response:      200 OPTS UTF8 command successful - UTF8 encoding now ON.
16:38:35      Command:      PBSZ 0
16:38:35      Response:      200 PBSZ command successful.
16:38:35      Command:      PROT P
16:38:35      Response:      200 PROT command successful.
16:38:35      Status:      Connected
16:38:35      Status:      Retrieving directory listing...
16:38:35      Command:      PWD
16:38:35      Response:      257 "/" is current directory.
16:38:35      Command:      TYPE I
16:38:35      Response:      200 Type set to I.
16:38:35      Command:      PASV
16:38:35      Response:      227 Entering Passive Mode (216,x,x,x,x,135).
16:38:35      Command:      LIST
16:38:35      Response:      150 Opening BINARY mode data connection.

Log for going over the internet through a firewall NATing the information to another server.  It looks like it is hanging on the TLS/SSL negotiation.
16:40:38      Status:      Connecting to 216.x.x.x:21...
16:40:38      Status:      Connection established, waiting for welcome message...
16:40:38      Response:      220 Microsoft FTP Service
16:40:38      Command:      AUTH TLS
16:40:38      Response:      234 AUTH command ok. Expecting TLS Negotiation.
16:40:38      Status:      Initializing TLS...
0
What, When and Where - Security Threats from Q1

Join Corey Nachreiner, CTO, and Marc Laliberte, Information Security Threat Analyst, on July 26th as they explore their key findings from the first quarter of 2017.

 

Author Comment

by:Phytech Admin
ID: 22673991
16:40:59      Error:      Connection timed out
16:40:59      Error:      Could not connect to server
0
 
LVL 2

Expert Comment

by:ScottGranado
ID: 22674080
hmm, so it looks like you are authenticating but when you go into pasive mode for the list you are timing out.  have you tried setting filezilla to active mode?
0
 

Author Comment

by:Phytech Admin
ID: 22674138
I think the issue is before it is even trying to use passive or active mode, but yes i have tried active mode with the same results.  I think the issue is when the firewall is responding back to the client for the TLS request.  I suspect what is happening is our firewall is responding back to the TLS request with the internal server IP and not the external ip address of our firewall.  I think it is timing out waiting for the TLS request response from the server.  It never gets to the point of verifying the certificate.  We are using a watchguard firewall and i have a static NAT setup to handle this.  

Again thanks for your help!
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 22685414
Is your server using different public IP than the IP of the external interface; if yes, then as you say:

>>  I think it is timing out waiting for the TLS request response from the server

it is expected; with static NAT; all incoming traffic would come on the public IP as defined but the traffic from the server would get NAT'ed out with the public IP of the external interface; if you wish to go out with the same public as it came in; then you must do 1-1 NAT instead.
Please note when you configure you would need to remove the alias/secondary IP from the external interface; and this specific IP could only be used with the said server.
If you are using version 9.x or higher of WSM/WFS software and do not want to do 1-1 NAT, then in the policy, you have configured to allow inbound traffic, go to Advanced->Dynamic NAT; check the box "All traffic in this policy"; then "Set source IP" as the public IP you have.

Please implement and update.

Thank you.
0
 

Author Closing Comment

by:Phytech Admin
ID: 31504393
Thanks for the update on how to set this up on the watchguard.  I verified that i had the policy setup correctly.  THe issue was when i was trying to test from an environment that had a net-to-net vpn already setup to the network that was hosting the ftp server.  If i came in from any other internet address it seems to work fine.
0

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
Worried about if Apple can protect your documents, photos, and everything else that gets stored in iCloud? Read on to find out what Apple really uses to make things secure.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question