Solved

Getting FTPS server to work behind a Firewall (NAT)

Posted on 2008-10-08
Last Modified: 2012-05-05
I am trying to get FTPS to work with server 2008.  I have configured everything according to the following article.
http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/

It works fine on the same network segment, but when I try it from the internet it gets stuck on:
14:08:34      Status:      Initializing TLS...
14:08:55      Error:      Connection timed out

I have tried turning the firewall off on the Windows 2008 server and that did not make a difference.  I have verified that I have port 21 and the passive ports 49152-65535 set up to NAT to the 2008 box.  I do not see any packets being denied in my firewall logs.

I have been using FileZilla version 3.1.3.1 to test.

Any ideas on why this fails?
Question by:Phytech Admin

8 Comments

LVL 2

Expert Comment

by:ScottGranado
ID: 22672853
Make sure you have port 990/tcp open on the firewall.  Also make sure this is the port you use to connect in FileZilla.

Author Comment

by:Phytech Admin
ID: 22673493
Thanks for the response... I have tried port 990, but I think this is used for implicit FTPS and I believe the Microsoft FTP server is using explicit FTPS, which does send the information over port 21.  I confirmed this because if I try to connect internally to port 990 the server is not responding.  It responds fine on port 21 and connects using SSL.

Like I said, everything works fine if I am on the same network, or on a network that is connected via a net-to-net VPN.

Author Comment

by:Phytech Admin
ID: 22673798
This is the FileZilla log for making the connection on the same network; all works fine:
16:38:22      Status:      Connecting to x.x.x.x:21...
16:38:22      Status:      Connection established, waiting for welcome message...
16:38:22      Response:      220 Microsoft FTP Service
16:38:22      Command:      AUTH TLS
16:38:22      Response:      234 AUTH command ok. Expecting TLS Negotiation.
16:38:22      Status:      Initializing TLS...
16:38:22      Status:      Verifying certificate...
16:38:35      Command:      USER xxxxx
16:38:35      Status:      TLS/SSL connection established.
16:38:35      Response:      331 Password required for xxxxx
16:38:35      Command:      PASS ***********
16:38:35      Response:      230 User logged in.
16:38:35      Command:      SYST
16:38:35      Response:      215 Windows_NT
16:38:35      Command:      FEAT
16:38:35      Response:      211-Extended features supported:
16:38:35      Response:       LANG EN*
16:38:35      Response:       UTF8
16:38:35      Response:       AUTH TLS;TLS-C;SSL;TLS-P;
16:38:35      Response:       PBSZ
16:38:35      Response:       PROT C;P;
16:38:35      Response:       CCC
16:38:35      Response:       HOST
16:38:35      Response:       SIZE
16:38:35      Response:       MDTM
16:38:35      Response:      211 END
16:38:35      Command:      OPTS UTF8 ON
16:38:35      Response:      200 OPTS UTF8 command successful - UTF8 encoding now ON.
16:38:35      Command:      PBSZ 0
16:38:35      Response:      200 PBSZ command successful.
16:38:35      Command:      PROT P
16:38:35      Response:      200 PROT command successful.
16:38:35      Status:      Connected
16:38:35      Status:      Retrieving directory listing...
16:38:35      Command:      PWD
16:38:35      Response:      257 "/" is current directory.
16:38:35      Command:      TYPE I
16:38:35      Response:      200 Type set to I.
16:38:35      Command:      PASV
16:38:35      Response:      227 Entering Passive Mode (216,x,x,x,x,135).
16:38:35      Command:      LIST
16:38:35      Response:      150 Opening BINARY mode data connection.

Log for going over the internet through a firewall NATing the traffic to another server.  It looks like it is hanging on the TLS/SSL negotiation.
16:40:38      Status:      Connecting to 216.x.x.x:21...
16:40:38      Status:      Connection established, waiting for welcome message...
16:40:38      Response:      220 Microsoft FTP Service
16:40:38      Command:      AUTH TLS
16:40:38      Response:      234 AUTH command ok. Expecting TLS Negotiation.
16:40:38      Status:      Initializing TLS...

Author Comment

by:Phytech Admin
ID: 22673991
16:40:59      Error:      Connection timed out
16:40:59      Error:      Could not connect to server
LVL 2

Expert Comment

by:ScottGranado
ID: 22674080
Hmm, so it looks like you are authenticating but when you go into passive mode for the list you are timing out.  Have you tried setting FileZilla to active mode?

Author Comment

by:Phytech Admin
ID: 22674138
I think the issue is before it is even trying to use passive or active mode, but yes, I have tried active mode with the same results.  I think the issue is when the firewall is responding back to the client for the TLS request.  I suspect what is happening is our firewall is responding back to the TLS request with the internal server IP and not the external IP address of our firewall.  I think it is timing out waiting for the TLS request response from the server.  It never gets to the point of verifying the certificate.  We are using a WatchGuard firewall and I have a static NAT set up to handle this.

Again thanks for your help!
LVL 32

Accepted Solution

by:dpk_wal (earned 500 total points)
ID: 22685414
Is your server using a different public IP than the IP of the external interface? If yes, then as you say:

>>  I think it is timing out waiting for the TLS request response from the server

it is expected. With static NAT, all incoming traffic would come in on the public IP as defined, but the traffic from the server would get NAT'ed out with the public IP of the external interface; if you wish to go out with the same public IP as it came in on, then you must do 1-1 NAT instead.
Please note that when you configure this you would need to remove the alias/secondary IP from the external interface, and this specific IP could only be used with the said server.
If you are using version 9.x or higher of the WSM/WFS software and do not want to do 1-1 NAT, then in the policy you have configured to allow inbound traffic, go to Advanced->Dynamic NAT, check the box "All traffic in this policy", then "Set source IP" as the public IP you have.

Please implement and update.

Thank you.
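A small diagnostic that walks the same stages the FileZilla logs above show (TCP connect, AUTH TLS, login, PASV) and checks whether the 227 reply advertises the public address the client connected to and a port inside the forwarded range. This is an added example for this thread, not code from any poster or from IIS; the host name, credentials, the 49152-65535 range and the sample 227 replies are assumptions.

```python
import re
import socket
from ftplib import FTP_TLS, all_errors

PASSIVE_RANGE = (49152, 65535)  # range the asker says is forwarded by the NAT
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(response):
    """Return (ip, port) from a 227 reply like the one FileZilla logged."""
    m = PASV_RE.search(response)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % response)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(response, control_ip, port_range=PASSIVE_RANGE):
    """List reasons the data connection would hang at the NAT; [] means OK."""
    ip, port = parse_pasv(response)
    problems = []
    if ip != control_ip:  # server handed out its internal address
        problems.append("PASV advertises %s, control went to %s (check the IIS "
                        "FTP firewall External IP setting)" % (ip, control_ip))
    if not port_range[0] <= port <= port_range[1]:
        problems.append("data port %d outside forwarded range %d-%d"
                        % (port, port_range[0], port_range[1]))
    return problems


def probe_explicit_ftps(host, port=21, user="anonymous", password="", timeout=20):
    """Return (last stage completed, problems); stopping right after
    'tcp_connect' is the thread's symptom: 234 arrives, the TLS handshake never ends."""
    done, problems = "none", []
    ftp = FTP_TLS(timeout=timeout)
    try:
        control_ip = socket.gethostbyname(host)
        ftp.connect(host, port)          # expect 220 Microsoft FTP Service
        done = "tcp_connect"
        ftp.auth()                       # AUTH TLS -> 234, then TLS handshake
        done = "auth_tls"
        ftp.login(user, password)
        ftp.prot_p()                     # PBSZ 0 / PROT P, as FileZilla does
        done = "login"
        problems = check_pasv(ftp.sendcmd("PASV"), control_ip)  # raw 227 reply
        done = "pasv"
    except all_errors + (ValueError,) as exc:  # socket.timeout is an OSError
        problems.append("failed after stage %s: %s" % (done, exc))
    finally:
        ftp.close()
    return done, problems
```

Run `probe_explicit_ftps("ftp.example.test")` (hypothetical host) from an outside address; ftplib itself ignores the IP in the 227 reply, which is why the raw reply is parsed here.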

Author Closing Comment

by:Phytech Admin
ID: 31504393
Thanks for the update on how to set this up on the WatchGuard.  I verified that I had the policy set up correctly.  The issue was when I was trying to test from an environment that had a net-to-net VPN already set up to the network that was hosting the FTP server.  If I came in from any other internet address it seems to work fine.