  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 839

Can't access certain FTP site

One of the database applications needs to have some updates installed. However, when the vendor rep remotes in to update it and starts it, the software says that it can't connect to the site to get the download. He is saying that our firewall or something is blocking FTP traffic. However (from this server) I can access some of my friends' FTP sites and even Microsoft's FTP site. But what's confusing me is that from outside our network we can access the FTP site that he gave us. It is, however, asking for a login when someone goes there. But if you try from inside our company network you can't connect to it at all. We've checked our SonicWall and no one can find any rules that would be causing this. Anyone have any ideas?
Asked by adml_shake
6 Solutions
 
init2winit_Dan commented:
On the remote FTP server, check the ban or auto-ban setting.
 
jimmyray7 commented:
Is it running on a custom port? There is an option on the SonicWall to block non-standard FTP ports. It's disabled by default, I think. That's the only thing I can think of.
 
Fr0zT commented:
FTP is a little more tricky than most people give it credit for. You might think all you need to do is allow ports 20 and 21 inbound and that's it, but it's not so simple. When FTP is running in PASV mode (the default), a client comes in on port 21, then the server picks a port at random from the ephemeral port range, which on a Windows machine will be something like 1025-4999. Then it tells the client that is the port it must come in on to get its data. The problem is that if the server doesn't have that port open, then the client will get blocked. The best way to deal with this is to have your firewall do inspection on FTP traffic. Any decent firewall should do this. If you just have a cheap firewall that can't do it, then what I recommend you do is change the port range your FTP server is using to send data to a much smaller port range, then open those ports to the server. Use an obscure port range. In Microsoft servers you have to modify the registry to do that.
http://support.microsoft.com/kb/555022

Another problem could be that the client's firewall restricts outbound ports and also does not support FTP inspection, so it won't allow an outbound connection on the ephemeral port range. One possibility would be to change the ephemeral port range to 1 port, something common like port 53 (DNS) or 80 (HTTP) or 443 (HTTPS). THIS WILL ONLY WORK IF YOU DON'T HAVE THOSE SERVICES RUNNING ALREADY. Also, the major impact of this would be that only 1 client at a time would be able to connect.

The other option is to try and use FTP Active mode, which would require the server to be able to talk directly to the client, and if the client has a firewall that won't work either...

All that being said, FTP is a very insecure protocol; I wouldn't use it in a production environment for anything. Use SCP instead.
 
adml_shake (Author) commented:
It's not running on a custom port that I know of. The tech I talked to never mentioned anything about that. And like I said, nobody outside of the network seemed to have any problems when they just put in the default FTP address to this company.

Does the auto-ban setting kick in if too many failed login attempts are tried? I'm wondering if this database app tried to go out and get the update itself, but since a login seems to be required, our IP was banned because the software didn't have it but kept trying to log in.
 
Fr0zT commented:
From this link:
http://help.mysonicwall.com/sw/eng/general/ui1/6600/Access/Services.htm

FTP

Force inbound and outbound FTP data connections to use the default port: 20 - The default SonicWALL configuration allows FTP connections from port 20 but remaps outbound traffic to a port such as 1024. If the check box is selected, any FTP data connection through the SonicWALL must come from port 20 or the connection is dropped. The event is then logged as an event on the SonicWALL.

Make sure that is not checked. There could be a difference between connecting to Active or Passive FTP servers, which is why it might work for you in some cases and not in others.
 
digitap commented:
Do you have any of the security services licensed on the SonicWall? The intrusion prevention service will block some FTP access if it sees it as intrusive. I typically create an exception for the internal IP or the public one so it bypasses this service for FTP... or I allow FTP traffic to be detected but not blocked. To test, you could log in to the SonicWall admin console, then try to access the FTP site from that computer. The SonicWall allows the workstation connected to the admin console to bypass all the security services for the duration of the login. If it's successful, then you know what it is.
 
Fr0zT commented:
It's definitely an inspection/blocking rule on your SonicWall. Either FTP traffic is not being inspected, or it is being inspected and it's being dropped, as digitap suggested. Do you have outbound traffic rules? Because generally, if the database application server was allowed to go outbound on ports 1025-65535 to the FTP server, it should work unless the SonicWall is inspecting and forcing Active, as I suggested earlier.

The reason you are able to use FTP to other servers is that when you FTP to a Microsoft FTP server, it first tries to use Passive FTP, but if that fails it will default back to Active. Your SonicWall only wants to see Active FTP connections, probably because of the option I mentioned in my last comment. So the FTP connection will be established. The database application FTP server probably only uses Passive, and will not attempt an active connection, so the SonicWall refuses it. To test this, use an FTP client like CoreFTP, connect to an FTP site that works from behind your SonicWall, and it will probably show that the connection failed in PASV and was accepted in Active. Then from home use it to connect to the database application FTP site and you will see it will be PASV; then try forcing it to use Active and it probably won't work. That test would confirm the problem.
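Fr0zT's description of how PASV works (the server announces a data port that the client side must then be allowed to reach outbound) and the CoreFTP passive-versus-active test above can both be scripted. The Python below is an added example, not code from this thread or from SonicWall: it decodes a constructed `227` reply the way an FTP client or an inspecting firewall would, reports when the announced data port falls outside a given outbound port range or the announced address differs from the control-connection address, and, when given a hostname on the command line, repeats the passive-then-active listing test using the standard library's `ftplib`. The hostname, credentials, port range and sample reply are all placeholders or constructed values.

```python
import re
import sys
from ftplib import FTP, all_errors

# Host/port tuple carried in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Decode a 227 reply into (host, port).

    This is the same decoding an FTP client (and a firewall doing FTP
    inspection) performs to learn where the data connection must go.
    The port is p1 * 256 + p2.
    """
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("malformed PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), (p1 << 8) | p2


def check_pasv_reply(reply, control_host, allowed_ports=(1025, 65535)):
    """Explain whether the data connection announced in a PASV reply can succeed.

    control_host  - address the control connection (port 21) was made to
    allowed_ports - inclusive outbound port range a client-side firewall
                    without FTP inspection permits (assumed values)
    Returns the decoded endpoint plus a list of problems (empty when nothing is wrong).
    """
    host, port = parse_pasv_reply(reply)
    problems = []
    if host != control_host:
        # A server behind NAT that advertises its private address is a common
        # reason the login succeeds but the data connection never comes up.
        problems.append("server advertised %s but control connection is to %s" % (host, control_host))
    lo, hi = allowed_ports
    if not lo <= port <= hi:
        problems.append("data port %d is outside the allowed outbound range %d-%d" % (port, lo, hi))
    return {"host": host, "port": port, "problems": problems}


def probe_modes(host, user="anonymous", passwd="anonymous@", timeout=15):
    """Request a directory listing in passive mode, then in active mode.

    Mirrors the CoreFTP test from the thread: whichever mode fails shows which
    kind of data connection a firewall in the path is blocking.
    Returns {"PASV": "ok" or "failed: ...", "ACTIVE": "ok" or "failed: ..."}.
    """
    results = {}
    for passive in (True, False):
        mode = "PASV" if passive else "ACTIVE"
        try:
            ftp = FTP(host, timeout=timeout)
            ftp.login(user, passwd)
            ftp.set_pasv(passive)
            ftp.retrlines("LIST", lambda line: None)  # LIST forces a data connection
            ftp.quit()
            results[mode] = "ok"
        except all_errors as exc:
            results[mode] = "failed: %s" % exc
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python ftp_probe.py ftp.example.invalid   (hostname is a placeholder)
        for mode, outcome in probe_modes(sys.argv[1]).items():
            print("%-6s %s" % (mode, outcome))
    else:
        # Constructed reply: a server picking port 5001 (19*256 + 137) from its ephemeral range,
        # checked against an assumed client-side outbound range of 1025-4999
        sample = "227 Entering Passive Mode (192,0,2,10,19,137)."
        print(check_pasv_reply(sample, "192.0.2.10", allowed_ports=(1025, 4999)))
```

Run it with no arguments to see the constructed reply flagged (port 5001 is just above the assumed 1025-4999 range), or with a hostname to run the live probe from inside and then outside the firewall; a result of PASV failing and ACTIVE succeeding from inside matches the behaviour described in the comment above.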
 
adml_shake (Author) commented:
Well, after some digging around and talking to someone else in our company who is our unofficial SonicWall guy, he took a look at it and thought that it just needed rebooting (it's an old SonicWall), so we did it that night and it seems to have cleared the issue up. Thanks for your help everyone. I learned some new stuff about FTP through this issue.
 
adml_shake (Author) commented:
Didn't give me the resolution we used to solve our problem, but it was still full of good tips and helpful information.
 
digitap commented:
Well... it's always the one thing that you never think of or think has already been done! Glad you got it resolved.