FTPS on Sonicwall 4060 Pro

I have a Sonicwall Pro 4060 running the enhanced OS. This is managed the same as all the Pro series Sonicwalls.

I have an IIS 7 box running FTPS (FTP over SSL) and need to get that through the firewall. I have the IIS server working fine, defined the data channel ports and added those as a service, then to the NAT rules and firewall rules on the Sonicwall.

When I try to connect from outside the firewall, I can get past login, see and accept the certificate on the server, and it opens passive mode, then stalls opening a binary mode connection.

The firewall shows that it is dropping the defined data channel ports, but lists no rule why that data would be dropped.

05/11/2009 10:51:15.880 Notice Network Access TCP connection dropped x.x.x.x, 12522, X1 x.x.x.x, 54522, X1 TCP FTPS - Data Channel

Can anyone offer any help? I've been going round and round with this for hours now.

Thanks,
Will
Asked by willp2

willp2 (Author) commented:
Here's a bit more detail on this issue:

I can connect to the server in regular FTP with a passive connection with no problems.

In IIS I defined the FTPS data channel port range and added that range to the firewall for access and NATing.

When I try to connect from the FTP client I get the following:

Response: 220 Microsoft FTP Service
Command: AUTH SSL
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: SSL connection established. Waiting for welcome message...
Command: USER XXXXX
Response: 331 Password required for XXXXXl.
Command: PASS **********
Response: 230 User logged in.
Command: FEAT
Response: 211-Extended features supported:
Response: LANG EN*
Response: UTF8
Response: AUTH TLS;TLS-C;SSL;TLS-P;
Response: PBSZ
Response: PROT C;P;
Response: CCC
Response: HOST
Response: SIZE
Response: MDTM
Response: REST STREAM
Response: 211 END
Command: OPTS UTF8 ON
Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
Command: SYST
Response: 215 Windows_NT
Command: PBSZ 0
Response: 200 PBSZ command successful.
Command: PROT P
Response: 200 PROT command successful.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE A
Response: 200 Type set to A.
Command: PASV
Response: 227 Entering Passive Mode (x,x,x,x,220,233).
Command: LIST
Response: 150 Opening ASCII mode data connection.
Error: Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it.
Error: Could not retrieve directory listing


Then on the firewall I get a log entry showing that the data channel traffic was dropped, but not related to a rule:

05/15/2009 09:09:26.192 Notice Network Access TCP connection dropped x.x.x.x. (IP of client), 59194, X1 x.x.x.x (External IP), 56551, X1 TCP FTPS - Data Channel


Any idea why the firewall is dropping this traffic?

Thanks very much for any help you can offer!

ccomley commented:
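The session above negotiates PROT P before PASV, so the 227 reply that announces the data port travels inside the TLS channel and the firewall cannot read it to open a pinhole the way it can for plain FTP; only an explicit rule covering the whole configured range will let the data connection through. The following added example (not part of the original thread) decodes the 227 reply into a port, checks it against a constructed IIS data-channel range, and checks the firewall's drop entries against the same range; the addresses and range are constructed placeholders for the post's x.x.x.x values.

```python
import re

# Constructed sample data (not from the post): the PASV exchange and one
# firewall drop line, with TEST-NET addresses in place of x.x.x.x.
SESSION = """\
Command: PROT P
Response: 200 PROT command successful.
Command: PASV
Response: 227 Entering Passive Mode (203,0,113,10,220,233).
Command: LIST
"""
FIREWALL_LOG = """\
05/15/2009 09:09:26.192 Notice Network Access TCP connection dropped 198.51.100.7, 59194, X1 203.0.113.10, 56551, X1 TCP FTPS - Data Channel
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
DROP_RE = re.compile(r"TCP connection dropped (\S+), (\d+), \S+ (\S+), (\d+), \S+ TCP (.*)$")

def parse_pasv(line):
    """Decode an RFC 959 '227' reply: host h1.h2.h3.h4, port p1*256 + p2."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def analyse_session(session, data_range):
    """Report whether PROT P was negotiated (the firewall then cannot read the
    227 reply and pinhole it) and whether the announced port is in data_range."""
    lo, hi = data_range
    info = {"prot_p": False, "pasv": None, "in_range": None}
    for line in session.splitlines():
        if line.startswith("Command: PROT P"):
            info["prot_p"] = True
        elif line.startswith("Response: 227"):
            info["pasv"] = parse_pasv(line)
            if info["pasv"]:
                info["in_range"] = lo <= info["pasv"][1] <= hi
    return info

def dropped_in_range(log, data_range):
    """Dropped (dst_ip, dst_port, service) entries whose port lies inside the
    configured range: those drops are not a range mismatch, so look elsewhere."""
    lo, hi = data_range
    hits = []
    for line in log.splitlines():
        m = DROP_RE.search(line)
        if m and lo <= int(m.group(4)) <= hi:
            hits.append((m.group(3), int(m.group(4)), m.group(5).strip()))
    return hits
```

With the constructed range (56000, 56999), both the announced port 56553 and the dropped port 56551 fall inside it, which reproduces the post's situation: the service matches by name in the log yet the connection is still dropped.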
It sounds to me like you're doing everything right. You are allowing outbound as well as inbound traffic on those ports I take it?

FTP dying *after* login says that the initial "command" channel is opening but that the "data" channel opened when you make an actual transfer request is being blocked. It may be that "passive" mode isn't kicking in properly. OTOH, it *does* clearly recognise the port as part of your defined service or it wouldn't call it "FTPS Data Channel" in the log entry.

I'm wondering if it's an actual bug, in which case the best course would be to lodge a fault call on www.mysonicwall.com (assuming your unit is in support cover) and see what they have to say.

willp2 (Author) commented:
I am able to do straight FTP passive connections, just not FTPS connections. Unfortunately they don't have support for this thing or I would have just called Sonicwall on this. I've actually disabled the firewall on the IIS server for testing to make sure outbound isn't being blocked.

I'll keep trying. Thanks for the input.

-Will
okacs commented:
What was the solution?