Cannot list contents of IIS FTP directory from outside of the office

Posted on 2011-02-24
Medium Priority
Last Modified: 2012-06-21
I have set up FTP on our Windows 2008 server. I have turned off anonymous access, and I have enabled the feature to isolate users.

I have specified the FTP root as D:\FTP

Inside there, I have a folder that corresponds to my domain name, and inside there I have a folder for each user whom I want to give ftp access to.

Now, when I connect to the ftp server internally, I can log in, put files, get files and list the directory.

However, if I connect to the FTP server from the outside world, although I can log in to the server OK, when I try to list the contents of the directory, the FTP client just hangs.

What am I missing?

ALSO whilst on the FTP subject, is it possible to create a user in Active Directory who ONLY has access to FTP and nothing else?

Question by:Chris Millard

Accepted Solution

torvir earned 500 total points
ID: 34969221
This is a common problem when you are using standard FTP. You have to use passive FTP to get it to work.
An alternative could be to configure the firewall with deep inspection of FTP so that negotiated ports are allowed. It depends on the firewall if that is possible.
Go for passive FTP in the server. I'm a network guy so I can't tell you where to find it, but look for a parameter that says passive FTP or PASV.
LVL 16

Assisted Solution

AlexPace earned 500 total points
ID: 34969851
FTP uses two ports.  The common port 21 is the "control channel" where you send protocol commands to log in, change directory, request a file, and so forth.  The other port is the "data channel" which actually sends the contents of files and directory listings.  When you can log in but not list files that means the data channel is blocked.

When you want to transfer data in passive mode, your FTP client asks the server where to get the data and the server responds with an IP address and port number, then your client connects to that address and port to get the data.

When you want to transfer data in active mode, your FTP client tells the server what it wants and which port it will be watching.  The FTP server then initiates a connection back to the client computer on the port that the client requested.

So in either active or passive mode you won't be able to transfer files or directory listings if the data port is blocked by a firewall.  Like torvir said above, this is a common problem, and it is more likely that your firewall is blocking an external computer trying to connect back to you (active mode) than it blocking your connection to the external computer (active mode), but in either case the result is the same.

Look in your client logs for either the PORT or PASV command.  The last two numbers on the PORT command or the last two numbers in the server's response to the PASV command represent the port number for the data channel.  Convert them to hex, combine, then convert back to decimal.  For example if the last two numbers are 253, 41 you convert to hex:
253 = FD
41 = 29
combining them gives you FD29
converting back to decimal:  FD29 = 64809

So in this example the data port was 64809
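
The port arithmetic described in the answer above, as an added example that is not part of the original thread: it reads FTP client log lines, extracts the data-channel address and port from each PORT command or 227 (PASV) reply, and notes what a firewall or NAT device would need to allow. The log lines, the passive range 50000-50100 and the function names are constructed for illustration; the check for a private address in the PASV reply goes one step beyond the answer.

```python
import ipaddress
import re

SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PATTERNS = (
    ("active", re.compile(r"\bPORT\s+" + SIX, re.I)),  # client command
    ("passive", re.compile(r"\b227\b.*?" + SIX)),       # server reply to PASV
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or 227 reply, else None."""
    for mode, pattern in PATTERNS:
        m = pattern.search(line)
        if m and max(map(int, m.groups())) <= 255:
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            # p1*256 + p2 equals the hex-combine step: 253,41 -> 0xFD29 -> 64809
            return mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    return None

def audit(log_lines, passive_range):
    """List each negotiated data channel with notes on likely blockers."""
    low, high = passive_range
    findings = []
    for line in log_lines:
        ep = data_endpoint(line)
        if ep is None:
            continue
        mode, ip, port = ep
        notes = []
        if mode == "active":
            notes.append("server connects back to the client on this port")
        else:
            if not low <= port <= high:
                notes.append("port is outside the range opened on the firewall")
            if any(ipaddress.ip_address(ip) in net for net in RFC1918):
                notes.append("server advertised a private (RFC 1918) address")
        findings.append((mode, ip, port, notes))
    return findings

# Constructed sample log lines; the range 50000-50100 is an assumed setting.
SAMPLE_LOG = [
    "Response: 227 Entering Passive Mode (192,168,1,10,253,41).",
    "Command:  PORT 203,0,113,7,19,137",
    "Response: 227 Entering Passive Mode (198,51,100,20,195,80)",
]
for finding in audit(SAMPLE_LOG, (50000, 50100)):
    print(finding)
```
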
LVL 17

Author Comment

by:Chris Millard
ID: 34969929
So is it possible to tell the FTP server in IIS what port(s) to use for data?

LVL 16

Expert Comment

ID: 34970041
Most FTP servers allow you to specify a port range to use in response to a client's request to use passive mode.
LVL 17

Author Comment

by:Chris Millard
ID: 34977744
An update. I've modified the port range.

I have a customer with a dedicated 1&1 Windows server. It's THAT server that cannot connect by FTP to my server.

I can connect to other FTP sites from the dedicated 1&1 server, and other servers can connect to my FTP.

So there is something not happy between my customer's 1&1 server and my FTP server.
LVL 16

Expert Comment

ID: 34980682
Post a copy of the protocol-level log file and we can help you figure out where it is broken.
LVL 17

Author Comment

by:Chris Millard
ID: 34980784
The problem appears to be with the firewall portion of the Draytek 2800 router. I've put FileZilla server on a PC, and changed the NAT in the router to point to the new PC. I had exactly the same issue. So what I have now done, as I need this working ASAP, is put the PC on a DMZ and now I can FTP to it quite happily.
LVL 17

Author Closing Comment

by:Chris Millard
ID: 34980816
The problem was with the Draytek 2800 router.
