Solved

Cannot list contents of IIS FTP directory from outside of the office

Posted on 2011-02-24
8
1,089 Views
Last Modified: 2012-06-21
I have set up FTP on our Windows 2008 server. I have turned off anonymous access, and I have enabled the feature to isolate users.

I have specified the FTP root as D:\FTP

Inside there, I have a folder that corresponds to my domain name, and inside there I have a folder for each user whom I want to give ftp access to.

Now, when I connect to the ftp server internally, I can log in, put files, get files and list the directory.

However, if I connect to the FTP server from the outside worls, although I can log in to the server ok, when I try to list the contents of the directory, the FTP client just hangs.

What am I missing?

ALSO whilst on the FTP subject, is it possible to create a user in Active Directory who ONLY has access to FTP and nothing else?

Thanks
0
Comment
Question by:Chris Millard
  • 4
  • 3
8 Comments
 
LVL 5

Accepted Solution

by:
torvir earned 250 total points
ID: 34969221
This is a common problem when you are using standard FTP. You have to use passive FTP to get it to work.
An alternative could be to configure the firewall with deep inspection of FTP so that negotiated ports are allowed. It depends on the firewall if that is possible.
Go for passive FTP in the server. I'm a network guy so I can't tell you where to find it, but look after a parameter that says passive FTP or PASV.
0
 
LVL 16

Assisted Solution

by:AlexPace
AlexPace earned 250 total points
ID: 34969851
FTP uses two ports.  The common port 21 is the "control channel" where you send protocol commands to log in, change directory, request a file, and so forth.  The other port is the "data channel" which actually sends the contents of files and directory listings.  When you can log in but not list files that means the data channel is blocked.

When you want to transfer data in passive mode, your FTP client asks the server where to get the data and the server responds with an IP address and port number, then your client connects to that address and port to get the data.

When you want to transfer data in active mode, your FTP client tells the server what it wants and which port it will be watching.  The FTP server then initiates a connection back to the client computer on the port that the client requested.

So in either active or passive mode you wont be able to transfer files or directory listings if the data port is blocked by a firewall.  Like torvir said above this is a common problem and it is more likely that your firewall is blocking an external computer trying to connect back to you (active mode) than it blocking your connection to the external computer (active mode) but in either case the result is the same.

Look in your client logs for either the PORT or PASV command.  The last two numbers on the PORT command or the last two numbers in the server's response to the PASV command represent the port number for the data channel.  Convert them to hex, combine, then convert back to decimal.  For example if the last two numbers are 253, 41 you convert to hex:
253 = FD
41 = 29
combining them give you FD29
converting back to decimal:  FD29 = 64809

So in this example the data port was 64809
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 34969929
So is it possible to tell the FTP server in IIS what port(s) to use for data?
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 16

Expert Comment

by:AlexPace
ID: 34970041
Most FTP servers allow you to specify a port range to use in response to a client's request to use passive mode.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 34977744
An update. I've modified the port range.

I have a customer with a dedicated 1&1 Windows server. It's THAT server that cannot connect by FTP to my server.

I can connect to other FTP sites from the dedicated 1&1 server, and other servers can connect to my FTP.

So there is something not happy between my customers 1&1 server and my FTP server.
0
 
LVL 16

Expert Comment

by:AlexPace
ID: 34980682
Post a copy of the protocol-level log file and we can help you figure out where it is broken.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 34980784
The problem appears to be with the firewall portion of the Draytek 2800 router. I've put Filezilla server on a PC, and changed the NAT in the router to point to the new PC. I had exactly the same issue. So what I have now done, as I need this working ASAP, is put the PC on a DMZ and now I can FTP to it quite happily.
0
 
LVL 17

Author Closing Comment

by:Chris Millard
ID: 34980816
The problem was with the Draytek 2800 router.
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question