Juniper ScreenOS - how to get an explicit FTPS policy working
I'm trying to use explicit FTPS to upload files to my IIS 7 FTP server.
It all works fine if I create a firewall policy to allow any data through. However, as soon as I remove this policy and replace it with a policy that just allows FTP traffic, my FTP client connects to the FTP server just fine but hangs halfway through, I believe when it hops to the encrypted port.
Can anyone provide instructions on how to get this to work?
I guess the AUTH SSL or AUTH TLS used to switch to encryption is not recognized. I suppose you defined the FTP policy with an Application Layer Gateway entry of FTP. I know that in all 6.x releases of Juniper ScreenOS the switchover from SMTP to SMTPS (and POP to POPS) does not work with the AV part, and I suspect it is similar with the FTP part and some checking rules.
If I'm right, it could work if you remove all AV, DI and similar checking (if any), and use no Application Layer Gateway in that policy.
TNGIT (Asker)
That didn't fix it. I removed all that you said (AV, DI, Application Layer Gateway) and still the same thing.
I have a feeling it's because, from my understanding, authentication happens on port 21, and once authenticated the FTP server instructs the client to use a different port for data transfer. Could it be that because this instruction is encrypted the firewall cannot see which port to open, whereas with normal (passive) FTP it can see the same instruction and respond by opening the necessary port?
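The mechanism the asker suspects, shown as an added example that is not part of this thread and not Juniper's or Microsoft's code: an FTP ALG opens the data-channel pinhole by parsing the plaintext `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply on port 21. With explicit FTPS the client sends `AUTH TLS` first, the server answers `234`, and from then on the control channel is TLS records, so the `PASV` reply that carries the data port is never visible to the firewall. The two transcripts below are constructed, the host `192.0.2.10` and port 50009 are made up, and `alg_visible_data_ports` is a hypothetical model of what an ALG can learn, not ScreenOS code. The upload helper at the end uses the standard library `ftplib.FTP_TLS` and needs a real server, so it is not exercised here.

```python
"""Explicit FTPS (AUTH TLS) versus a firewall FTP ALG: why the data channel stalls."""
import re
from io import BytesIO
from ftplib import FTP_TLS

# A 227 reply carries the passive data endpoint as six decimal octets:
# four for the IPv4 address, two for the port (p1*256 + p2).
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line: str):
    """Parse a plaintext 227 reply the way an FTP ALG does; return (ip, port) or None."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def alg_visible_data_ports(transcript):
    """Model an ALG sitting on the control channel (hypothetical, not ScreenOS code).

    transcript: list of (direction, payload) with direction 'C' (client->server)
    or 'S' (server->client). Once the server accepts AUTH TLS/SSL with a 234 reply,
    every later payload is a TLS record the ALG cannot parse, so no PASV reply is
    ever seen. Returns (data_ports_learned, opaque_record_count).
    """
    ports, opaque = [], 0
    encrypted = awaiting_auth = False
    for direction, payload in transcript:
        if encrypted:
            opaque += 1          # TLS record: no pinhole can be derived from it
            continue
        text = payload.decode("ascii", errors="replace")
        if direction == "C":
            if text.upper().startswith(("AUTH TLS", "AUTH SSL")):
                awaiting_auth = True
            continue
        if awaiting_auth:        # server's answer to the AUTH command
            awaiting_auth = False
            if text.startswith("234"):
                encrypted = True
                continue
        parsed = parse_pasv_reply(text)
        if parsed:
            ports.append(parsed[1])
    return ports, opaque


# Constructed plain-FTP session: the ALG sees the 227 reply and learns port 50009.
PLAIN_FTP_TRANSCRIPT = [
    ("S", b"220 Microsoft FTP Service\r\n"),
    ("C", b"USER alice\r\n"),
    ("S", b"331 Password required\r\n"),
    ("C", b"PASS secret\r\n"),
    ("S", b"230 User logged in.\r\n"),
    ("C", b"PASV\r\n"),
    ("S", b"227 Entering Passive Mode (192,0,2,10,195,89).\r\n"),
    ("C", b"STOR report.zip\r\n"),
]

# Constructed explicit-FTPS session: after 234 only TLS records cross port 21.
EXPLICIT_FTPS_TRANSCRIPT = [
    ("S", b"220 Microsoft FTP Service\r\n"),
    ("C", b"AUTH TLS\r\n"),
    ("S", b"234 AUTH command ok. Expecting TLS Negotiation.\r\n"),
    ("C", b"\x16\x03\x01\x00\x8f\x01\x00\x00\x8b"),   # ClientHello (truncated, made up)
    ("S", b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56"),   # ServerHello (truncated, made up)
    ("C", b"\x17\x03\x03\x00\x2a\xd4\x1f\x09\x7b"),   # encrypted PASV lives in here
    ("S", b"\x17\x03\x03\x00\x45\x88\x0e\x3c\x91"),   # encrypted 227 reply: opaque
]


def upload_explicit_ftps(host, user, password, remote_name, data: bytes, port=21):
    """Explicit FTPS upload with ftplib (needs a live server; not run in this example)."""
    ftps = FTP_TLS()
    ftps.connect(host, port)
    ftps.auth()             # AUTH TLS: the control channel is encrypted from here on
    ftps.login(user, password)
    ftps.prot_p()           # PROT P: data connections are encrypted as well
    ftps.set_pasv(True)     # passive mode: server picks the data port, client connects
    ftps.storbinary(f"STOR {remote_name}", BytesIO(data))
    ftps.quit()


if __name__ == "__main__":
    print("plain FTP  :", alg_visible_data_ports(PLAIN_FTP_TRANSCRIPT))
    print("explicit FTPS:", alg_visible_data_ports(EXPLICIT_FTPS_TRANSCRIPT))
```

The practical consequence is that no ALG can help once the control channel is encrypted; the usual fix is to pin the server's passive data port range (IIS 7 FTP exposes this as the data channel port range in its FTP Firewall Support settings) and add that fixed TCP range, alongside port 21, to the firewall policy as a plain service with no FTP ALG attached.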
Qlemo
I'm not experienced at all with FTPS, but the Wikipedia article says it works in passive and active mode. You can try the passive stuff, of course.
On the other hand, this is a typical Juniper Support case ...