Solved

FTPS on Sonicwall 4060 Pro

Posted on 2009-05-11
Last Modified: 2013-11-16
I have a Sonicwall Pro 4060 running the enhanced OS. This is managed the same as all the pro series Sonicwalls.

I have an IIS 7 box running FTPS (FTP over SSL) and need to get that through the firewall. I have the IIS server working fine, defined the data channel ports and added those as a service, then to the NAT rules and firewall rules on the Sonicwall.

When I try to connect from outside the firewall, I can get past login, see and accept the certificate on the server, then it opens passive mode and stalls opening a binary mode connection.

The firewall shows that it is dropping the defined data channel ports, but lists no rule why that data would be dropped.

"05/11/2009 10:51:15.880 Notice Network Access TCP connection dropped x.x.x.x, 12522, X1 x.x.x.x, 54522, X1 TCP FTPS - Data Channel

Can anyone offer any help? I've been going round and round with this for hours now.

Thanks,
Will
Question by:willp2
4 Comments
 
LVL 17

Expert Comment

by:ccomley
ID: 24362143
It sounds to me like you're doing everything right. You are allowing outbound as well as inbound traffic on those ports I take it?

FTP dying *after* login says that the initial "command" channel is opening but that the "data" channel opened when you make an actual transfer request is being blocked. It may be that "passive" mode isn't kicking in properly. OTOH, it *does* clearly recognise the port as part of your defined service or it wouldn't call it "FTPS Data Channel" in the log entry.

I'm wondering if it's an actual bug, in which case the best course would be to lodge a fault call on www.mysonicwall.com (assuming your unit is in support cover) and see what they have to say.

0
 
LVL 1

Author Comment

by:willp2
ID: 24364730
I am able to do straight FTP passive connections, just not FTPS connections. Unfortunately they don't have support for this thing or I would have just called Sonicwall on this. I've actually disabled the firewall on the IIS server for testing to make sure outbound isn't being blocked.

I'll keep trying. Thanks for the input.

-Will
0
 
LVL 1

Accepted Solution

by:
willp2 earned 0 total points
ID: 24398177
Here's a bit more detail on this issue:

I can connect to the server in regular FTP with a passive connection with no problems.

In IIS I defined the FTPS Data channel port range and added that range to the firewall for access and NATing.

When I try to connect from the FTP client I get the following:

Response: 220 Microsoft FTP Service
Command: AUTH SSL
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: SSL connection established. Waiting for welcome message...
Command: USER XXXXX
Response: 331 Password required for XXXXXl.
Command: PASS **********
Response: 230 User logged in.
Command: FEAT
Response: 211-Extended features supported:
Response: LANG EN*
Response: UTF8
Response: AUTH TLS;TLS-C;SSL;TLS-P;
Response: PBSZ
Response: PROT C;P;
Response: CCC
Response: HOST
Response: SIZE
Response: MDTM
Response: REST STREAM
Response: 211 END
Command: OPTS UTF8 ON
Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
Command: SYST
Response: 215 Windows_NT
Command: PBSZ 0
Response: 200 PBSZ command successful.
Command: PROT P
Response: 200 PROT command successful.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE A
Response: 200 Type set to A.
Command: PASV
Response: 227 Entering Passive Mode (x,x,x,x,220,233).
Command: LIST
Response: 150 Opening ASCII mode data connection.
Error: Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it.
Error: Could not retrieve directory listing


Then on the firewall I get a log entry showing that the data channel traffic was dropped, but not related to a rule.

05/15/2009 09:09:26.192 Notice Network Access TCP connection dropped x.x.x.x. (IP of client), 59194, X1 x.x.x.x (External IP), 56551, X1 TCP FTPS - Data Channel


Any idea why the firewall is dropping this traffic?

Thanks very much for any help you can offer!

0
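
The 227 reply in the session above carries the address and port the client will dial for the data channel. The following is an added example, not part of the thread or any poster's code: it decodes that reply and compares it with the port range and external address a firewall is set to forward. The external IP, the port range and the sample replies are constructed assumptions, since the thread masks its addresses.

```python
import re

# Matches the host/port tuple in a 227 reply, e.g. "(h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"\b227\b[^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; port = p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in 227 reply")
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def check_data_channel(reply, allowed_ports, external_ip):
    """Compare what the server advertises with what the firewall forwards.

    Once AUTH SSL/TLS succeeds the control channel is encrypted, so a
    firewall cannot read or rewrite this reply as it can for plain FTP.
    The server must therefore advertise the external address itself, and
    every port it can pick must be statically permitted and NATed.
    """
    ip, port = parse_pasv(reply)
    low, high = allowed_ports
    findings = []
    if not low <= port <= high:
        findings.append(f"port {port} is outside firewall range {low}-{high}")
    if ip != external_ip:
        findings.append(f"server advertises {ip}, clients must reach {external_ip}")
    return port, findings


# Constructed sample values (not from the thread, which masks its addresses).
EXTERNAL_IP = "203.0.113.10"      # documentation address standing in for the WAN IP
ALLOWED_PORTS = (56500, 56600)    # assumed range configured on server and firewall

if __name__ == "__main__":
    for line in (
        "Response: 227 Entering Passive Mode (203,0,113,10,220,233).",
        "Response: 227 Entering Passive Mode (10,0,0,5,19,137).",
    ):
        port, findings = check_data_channel(line, ALLOWED_PORTS, EXTERNAL_IP)
        print(port, findings or "consistent with firewall configuration")
```

The `220,233` pair from the session decodes to port 56553; feeding in the real external address and the range defined on the server shows whether each advertised endpoint is one the firewall is configured to pass.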
 

Expert Comment

by:okacs
ID: 24686121
What was the solution?
0
