Solved

FTPS on Sonicwall 4060 Pro

Posted on 2009-05-11
Last Modified: 2013-11-16
I have a Sonicwall Pro 4060 running the enhanced OS. This is managed the same as all the Pro series Sonicwalls.

I have an IIS 7 box running FTPS (FTP over SSL) and need to get that through the firewall. I have the IIS server working fine, defined the data channel ports and added those as a service, then to the NAT rules and firewall rules on the Sonicwall.

When I try to connect from outside the firewall, I can get past login, see and accept the certificate on the server, and it opens passive mode, then stalls opening a binary mode connection.

The firewall shows that it is dropping the defined data channel ports, but lists no rule why that data would be dropped.

05/11/2009 10:51:15.880 Notice Network Access TCP connection dropped x.x.x.x, 12522, X1 x.x.x.x, 54522, X1 TCP FTPS - Data Channel

Can anyone offer any help? I've been going round and round with this for hours now.

Thanks,
Will
Question by:willp2
4 Comments
Expert Comment

by:ccomley
ID: 24362143
It sounds to me like you're doing everything right. You are allowing outbound as well as inbound traffic on those ports I take it?

FTP dying *after* login says that the initial "command" channel is opening but that the "data" channel opened when you make an actual transfer request is being blocked. It may be that "passive" mode isn't kicking in properly. OTOH, it *does* clearly recognise the port as part of your defined service or it wouldn't call it "FTPS Data Channel" in the log entry.

I'm wondering if it's an actual bug, in which case the best course would be to lodge a fault call on www.mysonicwall.com (assuming your unit is in support cover) and see what they have to say.

Author Comment

by:willp2
ID: 24364730
I am able to do straight FTP passive connections, just not FTPS connections. Unfortunately they don't have support for this thing or I would have just called Sonicwall on this. I've actually disabled the firewall on the IIS server for testing to make sure outbound isn't being blocked.

I'll keep trying. Thanks for the input.

-Will
Accepted Solution

by:willp2 (earned 0 total points)
ID: 24398177
Here's a bit more detail on this issue:

I can connect to the server in regular FTP with a passive connection with no problems.

In IIS I defined the FTPS data channel port range and added that range to the firewall for access and NATing.

When I try to connect from the FTP client I get the following:

Response: 220 Microsoft FTP Service
Command: AUTH SSL
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: SSL connection established. Waiting for welcome message...
Command: USER XXXXX
Response: 331 Password required for XXXXXl.
Command: PASS **********
Response: 230 User logged in.
Command: FEAT
Response: 211-Extended features supported:
Response: LANG EN*
Response: UTF8
Response: AUTH TLS;TLS-C;SSL;TLS-P;
Response: PBSZ
Response: PROT C;P;
Response: CCC
Response: HOST
Response: SIZE
Response: MDTM
Response: REST STREAM
Response: 211 END
Command: OPTS UTF8 ON
Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
Command: SYST
Response: 215 Windows_NT
Command: PBSZ 0
Response: 200 PBSZ command successful.
Command: PROT P
Response: 200 PROT command successful.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE A
Response: 200 Type set to A.
Command: PASV
Response: 227 Entering Passive Mode (x,x,x,x,220,233).
Command: LIST
Response: 150 Opening ASCII mode data connection.
Error: Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it.
Error: Could not retrieve directory listing


Then on the firewall I get a log entry showing that the data channel traffic was dropped, but not related to a rule:

05/15/2009 09:09:26.192 Notice Network Access TCP connection dropped x.x.x.x (IP of client), 59194, X1 x.x.x.x (External IP), 56551, X1 TCP FTPS - Data Channel


Any idea why the firewall is dropping this traffic?

Thanks very much for any help you can offer!

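As a check on the evidence in the post above (an added example, not code from the thread): decode the 227 reply into the actual data port (p1*256 + p2, so the quoted 220,233 encodes port 56553), parse a drop line in the layout quoted above, and test the dropped port against the configured data-channel range. The IP addresses, the log line and the range are constructed placeholders; the point the example makes is that once AUTH TLS and PROT P are in effect the 227 reply is encrypted, so a firewall's FTP inspection cannot learn the data port from it and the static rule has to carry the whole range.

```python
import re

# Constructed sample values (documentation-range IPs), modelled on the
# transcript and log line quoted in the thread; not real hosts.
SAMPLE_PASV = "227 Entering Passive Mode (203,0,113,10,220,233)"
SAMPLE_DROP = ("05/15/2009 09:09:26.192 Notice Network Access TCP connection dropped "
               "198.51.100.7, 59194, X1 203.0.113.10, 56551, X1 TCP FTPS - Data Channel")
DATA_RANGE = (56000, 57000)  # assumed IIS passive data-channel range, not from the thread

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
DROP_RE = re.compile(r"TCP connection dropped (?P<src>[\d.]+), (?P<sport>\d+), \S+ "
                     r"(?P<dst>[\d.]+), (?P<dport>\d+), \S+ TCP (?P<svc>.+)$")

def parse_pasv(reply):
    """Decode an FTP 227 reply into (host, port); the port is p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("field out of range in %r" % reply)
    host = ".".join(str(o) for o in octets[:4])
    return host, octets[4] * 256 + octets[5]

def parse_drop(line):
    """Pull (destination port, service name) out of a connection-dropped log line."""
    m = DROP_RE.search(line)
    if m is None:
        raise ValueError("unrecognised drop line: %r" % line)
    return int(m.group("dport")), m.group("svc").strip()

def classify_drop(drop_line, data_range, control_encrypted=True):
    """Report whether the dropped port is inside the configured range and,
    if it is, why a firewall could still not have opened it dynamically."""
    dport, svc = parse_drop(drop_line)
    lo, hi = data_range
    if not lo <= dport <= hi:
        return "port %d is outside the %d-%d rule range; widen the rule" % (dport, lo, hi)
    if control_encrypted:
        # With AUTH TLS + PROT P the 227 reply travels encrypted, so FTP
        # inspection cannot open the data port on demand; the static rule must.
        return "port %d (%s) is in range; FTP inspection is blind to the PASV reply" % (dport, svc)
    return "port %d (%s) is in range; check which rule actually matched" % (dport, svc)

if __name__ == "__main__":
    print(parse_pasv(SAMPLE_PASV))
    print(classify_drop(SAMPLE_DROP, DATA_RANGE))
```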
Expert Comment

by:okacs
ID: 24686121
What was the solution?