Solved

FTPS on Sonicwall 4060 Pro

Posted on 2009-05-11
Last Modified: 2013-11-16
I have a Sonicwall Pro 4060 running the enhanced OS. This is managed the same as all the Pro series Sonicwalls.

I have an IIS 7 box running FTPS (FTP over SSL) and need to get that through the firewall. I have the IIS server working fine, defined the data channel ports and added those as a service, then to the NAT rules and firewall rules on the Sonicwall.

When I try to connect from outside the firewall, I can get past login, see and accept the certificate on the server, and it opens passive mode, then stalls opening a binary mode connection.

The firewall shows that it is dropping the defined data channel ports, but lists no rule why that data would be dropped.

05/11/2009 10:51:15.880 Notice Network Access TCP connection dropped x.x.x.x, 12522, X1 x.x.x.x, 54522, X1 TCP FTPS - Data Channel

Can anyone offer any help? I've been going round and round with this for hours now.

Thanks,
Will
0
4 Comments
 
LVL 17

Expert Comment

by:ccomley
ID: 24362143
It sounds to me like you're doing everything right. You are allowing outbound as well as inbound traffic on those ports I take it?

FTP dying *after* login says that the initial "command" channel is opening but that the "data" channel opened when you make an actual transfer request is being blocked. It may be that "passive" mode isn't kicking in properly. OTOH, it *does* clearly recognise the port as part of your defined service or it wouldn't call it "FTPS Data Channel" in the log entry.

I'm wondering if it's an actual bug, in which case the best course would be to lodge a fault call on www.mysonicwall.com (assuming your unit is in support cover) and see what they have to say.

0
 
LVL 1

Author Comment

by:willp2
ID: 24364730
I am able to do straight FTP passive connections, just not FTPS connections. Unfortunately they don't have support for this thing or I would have just called Sonicwall on this. I've actually disabled the firewall on the IIS server for testing to make sure outbound isn't being blocked.

I'll keep trying. Thanks for the input.

-Will
0
 
LVL 1

Accepted Solution

by:willp2 (earned 0 total points)
ID: 24398177
Here's a bit more detail on this issue:

I can connect to the server in regular FTP with a passive connection with no problems.

In IIS I defined the FTPS data channel port range and added that range to the firewall for access and NAT.

When I try to connect from the FTP client I get the following:

Response: 220 Microsoft FTP Service
Command: AUTH SSL
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: SSL connection established. Waiting for welcome message...
Command: USER XXXXX
Response: 331 Password required for XXXXXl.
Command: PASS **********
Response: 230 User logged in.
Command: FEAT
Response: 211-Extended features supported:
Response: LANG EN*
Response: UTF8
Response: AUTH TLS;TLS-C;SSL;TLS-P;
Response: PBSZ
Response: PROT C;P;
Response: CCC
Response: HOST
Response: SIZE
Response: MDTM
Response: REST STREAM
Response: 211 END
Command: OPTS UTF8 ON
Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
Command: SYST
Response: 215 Windows_NT
Command: PBSZ 0
Response: 200 PBSZ command successful.
Command: PROT P
Response: 200 PROT command successful.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE A
Response: 200 Type set to A.
Command: PASV
Response: 227 Entering Passive Mode (x,x,x,x,220,233).
Command: LIST
Response: 150 Opening ASCII mode data connection.
Error: Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it.
Error: Could not retrieve directory listing


Then on the firewall I get a log entry showing that the data channel traffic was dropped, but not related to a rule:

05/15/2009 09:09:26.192 Notice Network Access TCP connection dropped x.x.x.x. (IP of client), 59194, X1 x.x.x.x (External IP), 56551, X1 TCP FTPS - Data Channel


Any idea why the firewall is dropping this traffic?

Thanks very much for any help you can offer!

0
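The transcript above shows why this case differs from plain FTP: once PROT P is in effect, the 227 Entering Passive Mode reply travels inside the TLS session, so the firewall cannot read the negotiated data port and open it dynamically; the data channel is only ever admitted by the explicitly configured port range. The first thing to verify is therefore whether the ports the firewall reports dropping actually fall inside that range. The following script is an added example, not code from the thread or from SonicWALL or Microsoft; it decodes a 227 reply (the port is p1*256 + p2) and checks SonicOS-style "TCP connection dropped" log lines against a configured range. The IP addresses, the range 56500-56600 and the sample log lines are constructed; only the line formats follow what the posts quote.

```python
"""Correlate an FTPS client's PASV reply with firewall drop-log entries.

Added example, not from the thread. Addresses, the allowed port range and
the sample log lines are constructed; the 227 reply format and the SonicOS
"TCP connection dropped" line format follow what the thread quotes.
"""
import re
from typing import Dict, List, Optional, Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -- the data port is p1*256 + p2.
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# "... TCP connection dropped <src>, <sport>, <if> <dst>, <dport>, <if> TCP <service>"
DROP_RE = re.compile(
    r"TCP connection dropped (\S+), (\d+), (\S+) (\S+), (\d+), (\S+) TCP (.+?)\s*$"
)

# Constructed inputs (the thread redacts its real addresses as x.x.x.x).
SAMPLE_PASV = "Response: 227 Entering Passive Mode (198,51,100,5,220,233)."
SAMPLE_DROPS = [
    "05/15/2009 09:09:26.192 Notice Network Access TCP connection dropped "
    "203.0.113.10, 59194, X1 198.51.100.5, 56551, X1 TCP FTPS - Data Channel",
    "05/15/2009 09:09:40.001 Notice Network Access TCP connection dropped "
    "203.0.113.10, 59201, X1 198.51.100.5, 61000, X1 TCP Unknown",
    "05/15/2009 09:09:41.500 Info Network Access TCP connection opened",  # no match
]
ALLOWED_RANGE = (56500, 56600)  # assumed data-channel range configured in IIS and on the firewall


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Decode a 227 reply into (server_ip, data_port); None if it is not a 227 line."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_drop(line: str) -> Optional[Dict[str, object]]:
    """Extract endpoints and the matched service name from a drop log line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    src, sport, sif, dst, dport, dif, service = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "service": service}


def audit(pasv_reply: str, drop_lines: List[str],
          allowed: Tuple[int, int]) -> Dict[str, object]:
    """Report whether the PASV port and each dropped destination port lie in the allowed range.

    A drop whose port is outside the range means the configured range does not
    match what IIS hands out; a drop inside the range means the service object
    matched but some other policy (NAT, direction, zone) rejected the connection.
    """
    lo, hi = allowed
    pasv = parse_pasv(pasv_reply)
    dropped = []
    for line in drop_lines:
        d = parse_drop(line)
        if d is None:
            continue  # not a drop line; ignore
        d["in_allowed_range"] = lo <= int(d["dport"]) <= hi
        dropped.append(d)
    return {
        "pasv_port": pasv[1] if pasv else None,
        "pasv_in_range": bool(pasv and lo <= pasv[1] <= hi),
        "dropped": dropped,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PASV, SAMPLE_DROPS, ALLOWED_RANGE)
    print(f"PASV data port: {report['pasv_port']} (in range: {report['pasv_in_range']})")
    for d in report["dropped"]:
        print(f"dropped dst port {d['dport']} service={d['service']!r} "
              f"in_allowed_range={d['in_allowed_range']}")
```

Run against a real session, paste the client's 227 line and the firewall's drop entries into SAMPLE_PASV and SAMPLE_DROPS. A dropped port inside the range, as in the thread's own log (the firewall even labels it "FTPS - Data Channel"), tells you the service object matched and the problem is in the NAT or access rule that should admit it, not in the port range itself.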
 

Expert Comment

by:okacs
ID: 24686121
What was the solution?
0
