Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

FTPS on Sonicwall 4060 Pro

Posted on 2009-05-11
4
Medium Priority
?
1,396 Views
Last Modified: 2013-11-16
I have a Sonicwall Pro 4060 running the enhanced OS. This is the managed the same as all the pro series Sonicwalls.

I have an IIS 7 box running FTPS (FTP over SSL) and need to get that through the firewall. I have the IIS server working fine, defined the data channel ports and added those as a service, then to the NAT rules and firewall rules on the Sonicwall.

When I try to connect from outside the firewall, I can get past login, see and accept the certificate on the server, opens passive mode then stalls opening a binary mode connection.

The firewall shows that it is dropping the defined data channel ports, but lists no rule why that data would be dropped.

"05/11/2009 10:51:15.880 Notice Network Access TCP connection dropped x.x.x.x, 12522, X1 x.x.x.x, 54522, X1 TCP FTPS - Data Channel

Can anyone offer any help? I've going round and round with this for hours now.

Thanks,
Will
0
Comment
Question by:willp2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 17

Expert Comment

by:ccomley
ID: 24362143
It sounds to me like you're doing everything right. You are allowing outbound as well as inbound traffic on those ports I take it?

FTP dying *after* login says that the initial "command" channel is opening but that the "data" channel opened when you make an actual transfer request is being blocked. It may be that "passive" mode isn't kicking in properly. OTOH, it *does* clearly recognise the port as part of your defined service or it wouldn't call it "FTPS Data Channel" in the log entry.

I'm wondering if it's an actual bug, in which case the best course would be to lodge a fault call on www.mysonicwall.com (assuming your unit is in support cover) and see what they have to say.

0
 
LVL 1

Author Comment

by:willp2
ID: 24364730
I am able to do straight FTP passive connections, just not FTPS connections. Unfortunatly they don't have support for this thing or I would have just called Sonicwall on this. I've actually disabled the firewall on the IIS server for testing to make sure outboud isn't being blocked.

I'll keep trying. Thanks for the input.

-Will
0
 
LVL 1

Accepted Solution

by:
willp2 earned 0 total points
ID: 24398177
Here's a bit more detail on this issue:

I can connect to the server in regular FTP with a passive connection with no problems.

In IIS I definded the FTPS Data channel port range and added that range to the firewall for access and NATing.

When I try to connect from the FTP client I get the following:

Response: 220 Microsoft FTP Service
Command: AUTH SSL
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: SSL connection established. Waiting for welcome message...
Command: USER XXXXX
Response: 331 Password required for XXXXXl.
Command: PASS **********
Response: 230 User logged in.
Command: FEAT
Response: 211-Extended features supported:
Response: LANG EN*
Response: UTF8
Response: AUTH TLS;TLS-C;SSL;TLS-P;
Response: PBSZ
Response: PROT C;P;
Response: CCC
Response: HOST
Response: SIZE
Response: MDTM
Response: REST STREAM
Response: 211 END
Command: OPTS UTF8 ON
Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
Command: SYST
Response: 215 Windows_NT
Command: PBSZ 0
Response: 200 PBSZ command successful.
Command: PROT P
Response: 200 PROT command successful.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE A
Response: 200 Type set to A.
Command: PASV
Response: 227 Entering Passive Mode (x,x,x,x,220,233).
Command: LIST
Response: 150 Opening ASCII mode data connection.
Error: Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it.
Error: Could not retrieve directory listing


Then on the firewall I get a log entry showing that the data channel traffic was dropped, but not related to a rule

05/15/2009 09:09:26.192 Notice Network Access TCP connection dropped x.x.x.x. (IP of client), 59194, X1 x.x.x.x (External IP), 56551, X1 TCP FTPS - Data Channel


Any idea why the firewall is dropping this traffic?

Thanks very much for any help you can offer!

0
 

Expert Comment

by:okacs
ID: 24686121
What was the solution?
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question