iis7 and FTP7 - spotty connectivity

Posted on 2009-02-19
Last Modified: 2013-11-29
I recently set up a brand new Windows 2008 server running  iis7, FTP7.  I began having problems connecting as long as the server firewall was turned on.  There is an exception for port 21 enabled (checked) and the server is verified to be listening on port 21.  The server is NATed through a SonicWall firewall and configured to allow FTP traffic to the inside address.   The kicker here is that a Microsoft Tech can connect through a DOS prompt and so can an outside consultant - WITH THE FIREWALL ON.  I could not - nor could another user unless the firewall is off.  Microsoft had me look into the whole passive mode enabled/disabled thing but I still could not connect whether I tried passive mode on or off - nor could I connect from two different locations.  I can only connect if the server's firewall is disabled. Typically, the error is time out related or a connection is made and none of the files in the directory appear.  I don't like having this server's firewall turned off to accommodate FTP functionality but, of course, the server is mission critical.  Any ideas?  
Question by:LTWadmin

    Expert Comment

    This sounds like an FTP client issue.
    There is a setting when working with an FTP client called active/passive for connecting through firewalls.

    You want to enable passive mode.

    What this does is set both out-going communications to port 21 (the default) but it also tells the server to respond on port 21.  In active mode the FTP server will pick another port (within a specified range, so you can make exceptions for this in your firewall if you want to open the ports) and then sends the port reference back to the client so that the client listens on that alternate port while talking on port 21.

    Chances are you are configured for active communications and the firewalls are not allowing the additional port usage and the support persons are configured for passive and are doing ALL communications via port 21.

    Try configuring your client for passive mode.

    Author Comment

    cj 1969: Thanks for the response.  As I mentioned above, I did toggle my clients for passive mode back and forth repeatedly.  

    Expert Comment

    Sorry, my bad, I didn't read all of the question.
    Have you tried different machines?
    This could be a workstation issue.  Have you tried disabling the firewall on the workstation?
    If this works from other workstations and just not when you are connecting then this tells me it is either the machine or the account you are using to connect with.

    Author Comment

    cj: No problem:  You know that's one thing I didn't consider trying and it's a good suggestion.  Not meaning to sound like an ass about this but the problem with this speculation is that if it IS the problem, it wouldn't be practical for us to have to tell our world-wide partners to disable their workstation firewalls to connect to our FTP server.  It's obviously a "firewall related" thing and as I mentioned also - turning off the 2008 Server's firewall altogether rectifies the problem.  

    Expert Comment

    If this was purely a firewall issue on the server then it does not make sense that it would work for some and not others.  The firewall should be machine agnostic and not care about the origination of the incoming connection.  So, this leads me to believe that the problem is something workstation or account related.  The Firewall might still be the "wall" that is blocking something from working, which is why stopping it makes things work ... but the symptoms indicate that the firewall is not the source of the problem since FTP does work for some users.

    Ask any questions that come to mind ... there is no such thing as a bad or stupid question.  I don't claim to have all the answers and by tossing around the symptoms and some ideas hopefully we'll hit on the solution to the problem  :)

    Author Comment

    cj: Thanks again: It totally makes no sense and thus far it has stumped local consultants and a *Microsoft Engineer...  I would agree that the fact that two different people in two different geographical locations on separate machines and clients could connect at different times - consistently - with the server's firewall on isn't proof positive that the firewall is the culprit.  

    * Here's what "John" the Microsoft Engineer offers in his last communication to me (Note: I did not try the "non-secure FTP traffic" commands suggested):

    "Passive mode means that the client will try to connect to the FTP server on one of the ports in the range you specified whenever doing any kind of data transfer.  These ports will need to be open in the Windows Firewall (see below) and your SonicWall device.  It's just the opposite in Active mode-- the FTP server connects to the client for data transfer.  This connection may fail if the client machine is behind a firewall.  For this reason, most people are moving to Passive mode these days since it's easier for you to open the necessary ports on the server side.

    I've pasted some info below from this link.

    Using Windows Firewall with non-secure FTP traffic:

    To configure Windows Firewall to allow non-secure FTP traffic, use the following steps:
    1. Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.
    2. To open port 21 on the firewall, type the following syntax then hit enter:
    netsh advfirewall firewall add rule name="FTP (non-SSL)" action=allow protocol=TCP dir=in localport=21
    3. To enable stateful FTP filtering that will dynamically open ports for data connections, type the following syntax then hit enter:
    netsh advfirewall set global StatefulFtp enable

    More Information about Working with Firewalls:

    It is often challenging to create firewall rules for FTP server to work correctly, and the root cause for this challenge lies in the FTP protocol architecture. Each FTP client requires two connections to be maintained between client and server:
    - FTP commands are transferred over a primary connection called the Control Channel, which is typically the well-known FTP port 21.
    - FTP data transfers, such as directory listings or file upload/download, require a secondary connection called Data Channel.

    Opening port 21 in a firewall is an easy task, but this means that an FTP client will only be able to send commands, not transfer data. This means that the client will be able to use the Control Channel to successfully authenticate and create or delete directories, but the client will not be able to see directory listings or be able to upload/download files. This is because data connections for FTP server are not allowed to pass through the firewall until the Data Channel has been allowed through the firewall.
    Note: This may appear confusing to an FTP client, because the client will seem to be able to successfully log in to the server, but the connection may appear to timeout or stop responding when attempting to retrieve a directory listing from the server.
    The challenges of working with FTP and firewalls don't end with the requirement of a secondary data connection; to complicate things even more, there are actually two different ways to establish a data connection:
    - Active Data Connections: In an active data connection, an FTP client sets up a port for data channel listening and the server initiates a connection to the port; this is typically from the server's port 20. Active data connections used to be the default way of connecting to FTP server; however, active data connections are no longer recommended because they do not work well in Internet scenarios.
    - Passive Data Connections: In a passive data connection, an FTP server sets up a port for data channel listening and the client initiates a connection to the port. Passive connections work much better in Internet scenarios and are recommended by RFC 1579 (Firewall-Friendly FTP)".

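    The engineer's text above explains why a client can log in yet see no directory listing: the control channel on port 21 gets through, the data channel does not. The following Python diagnostic (added here as an illustration, not code from this thread or from Microsoft) parses the server's "227 Entering Passive Mode" reply, checks whether the advertised address matches the address the control connection actually reached (a mismatch is what an FTP server behind NAT hands out when it is not told its public address) and whether the advertised port falls inside the range the server firewall is expected to allow, and then tries the data connection itself. The port range 5000-6000 and all sample replies are constructed values.

```python
import re
import socket
from ftplib import FTP

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; raise ValueError otherwise."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, control_peer_ip, low, high):
    """Offline check of a PASV reply against what the client and firewall expect.
    control_peer_ip: address the client connected to on port 21.
    low/high: passive data-port range the server firewall is supposed to allow.
    Returns a list of findings; an empty list means nothing obviously wrong."""
    ip, port = parse_pasv(reply)
    findings = []
    if ip != control_peer_ip:
        findings.append("pasv-ip-mismatch: server advertised %s but control channel "
                        "is %s (NAT device not rewriting FTP?)" % (ip, control_peer_ip))
    if not low <= port <= high:
        findings.append("pasv-port-out-of-range: %d not in %d-%d (no firewall rule "
                        "will match the data connection)" % (port, low, high))
    return findings


def probe_server(host, user, passwd, low=5000, high=6000, timeout=10):
    """Live probe: log in, request PASV, validate the reply, then try the data port.
    Example values for low/high are assumptions; use the range configured on the server."""
    ftp = FTP()
    ftp.connect(host, 21, timeout=timeout)
    ftp.login(user, passwd)
    control_ip = ftp.sock.getpeername()[0]
    reply = ftp.sendcmd("PASV")
    findings = check_pasv(reply, control_ip, low, high)
    ip, port = parse_pasv(reply)
    try:
        socket.create_connection((ip, port), timeout=timeout).close()
    except OSError as exc:
        # Login worked but the data channel did not: the classic "connected, no files" symptom.
        findings.append("data-connect-failed: %s:%d (%s)" % (ip, port, exc))
    ftp.quit()
    return findings
```

    Running probe_server from a client that shows the symptom and from one that does not, and comparing the findings, tells you whether the two clients are being handed different addresses or ports, which the Windows Firewall rule and the SonicWall must both allow.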

    Accepted Solution

    Hmmm ... I had to look up active/passive FTP definitions.
    I came up with one scenario that incorporates a combination of things that might be causing the problem.
    1. If the ports that the server uses for passive FTP are blocked or in use by your machine then this would preclude passive from working for you but allow it for other people whose machines are not using these ports.
    2. Active works for you when you disable the firewall because your client machine can pick a port that is free, but is outside of the range opened on the server firewall ... hence disabling the firewall allows the port that your client machine wants to use to work.

    So, if this is the case then you need to determine what port set that the passive mode FTP is trying to use and determine what on your machine is blocking those ports and stop/disable it.

    Do you have an FTP server or something running on your client machine?

    Author Closing Comment

    cj - To date - the only way I was able to take care of this was by turning off the server's firewall so I think you were close.  We even put out for Microsoft support and they waffled on this one.  Bottom lines:  - Firewall on - connectivity spotty for different users in locales.  Firewall off - everyone connects fine.  All of the above despite attempts to toggle active/passive modes.  Believe me -  I sliced it and diced it well and repeatedly.  Thanks again for your help though!   I noticed no one else chimed in on this one either...  ;-)
