Solved

Cannot list contents of IIS FTP directory from outside of the office

Posted on 2011-02-24
Last Modified: 2012-06-21
I have set up FTP on our Windows 2008 server. I have turned off anonymous access, and I have enabled the feature to isolate users.

I have specified the FTP root as D:\FTP

Inside there, I have a folder that corresponds to my domain name, and inside there I have a folder for each user whom I want to give ftp access to.

Now, when I connect to the ftp server internally, I can log in, put files, get files and list the directory.

However, if I connect to the FTP server from the outside world, although I can log in to the server ok, when I try to list the contents of the directory, the FTP client just hangs.

What am I missing?

ALSO whilst on the FTP subject, is it possible to create a user in Active Directory who ONLY has access to FTP and nothing else?

Thanks
Question by:Chris Millard

Accepted Solution

by:
torvir earned 250 total points
ID: 34969221
This is a common problem when you are using standard FTP. You have to use passive FTP to get it to work.
An alternative could be to configure the firewall with deep inspection of FTP so that negotiated ports are allowed. It depends on the firewall if that is possible.
Go for passive FTP in the server. I'm a network guy so I can't tell you where to find it, but look for a parameter that says passive FTP or PASV.

Assisted Solution

by:AlexPace
AlexPace earned 250 total points
ID: 34969851
FTP uses two ports.  The common port 21 is the "control channel" where you send protocol commands to log in, change directory, request a file, and so forth.  The other port is the "data channel" which actually sends the contents of files and directory listings.  When you can log in but not list files that means the data channel is blocked.

When you want to transfer data in passive mode, your FTP client asks the server where to get the data and the server responds with an IP address and port number, then your client connects to that address and port to get the data.

When you want to transfer data in active mode, your FTP client tells the server what it wants and which port it will be watching.  The FTP server then initiates a connection back to the client computer on the port that the client requested.

So in either active or passive mode you won't be able to transfer files or directory listings if the data port is blocked by a firewall.  Like torvir said above this is a common problem and it is more likely that your firewall is blocking an external computer trying to connect back to you (active mode) than it blocking your connection to the external computer (active mode) but in either case the result is the same.

Look in your client logs for either the PORT or PASV command.  The last two numbers on the PORT command or the last two numbers in the server's response to the PASV command represent the port number for the data channel.  Convert them to hex, combine, then convert back to decimal.  For example if the last two numbers are 253, 41 you convert to hex:
253 = FD
41 = 29
combining them gives you FD29
converting back to decimal:  FD29 = 64809

So in this example the data port was 64809
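The port arithmetic described in this answer, as an added example that is not part of the original post: it pulls the data-channel endpoint out of PORT commands and PASV/EPSV replies in a client log and checks each passive port against the range opened on the firewall. The log lines, addresses and the 50000-50100 range are constructed for illustration.

```python
import re

# PORT argument and 227 (PASV) reply both carry h1,h2,h3,h4,p1,p2 (RFC 959).
SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PATTERNS = [
    ("active", re.compile(r"\bPORT\s+" + SIX, re.I)),
    ("passive", re.compile(r"\b227\b.*?" + SIX)),
]
# 229 (EPSV) reply carries only the port, already in decimal (RFC 2428).
EPSV = re.compile(r"\b229\b.*?\(\|\|\|(\d{1,5})\|\)")


def data_endpoint(line):
    """Return (mode, host, port) for a PORT command or PASV/EPSV reply, else None."""
    m = EPSV.search(line)
    if m:
        return ("passive", None, int(m.group(1)))  # host is the control-channel peer
    for mode, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            nums = [int(g) for g in m.groups()]
            if any(n > 255 for n in nums):
                return None  # malformed octet
            host = ".".join(str(n) for n in nums[:4])
            # high byte * 256 + low byte: same result as the hex-combine method
            return (mode, host, nums[4] * 256 + nums[5])
    return None


def audit(log_lines, passive_range):
    """List data endpoints; for passive ones, say if the port is in the allowed range."""
    low, high = passive_range
    findings = []
    for line in log_lines:
        endpoint = data_endpoint(line)
        if endpoint is None:
            continue
        mode, host, port = endpoint
        # Only passive ports are chosen by the server; active ports are the client's.
        in_range = (low <= port <= high) if mode == "passive" else None
        findings.append((mode, host, port, in_range))
    return findings


# Constructed sample client log (documentation addresses, not from the thread).
SAMPLE_LOG = [
    "USER demo",
    "PASV",
    "227 Entering Passive Mode (203,0,113,10,253,41)",
    "PORT 198,51,100,7,195,80",
    "EPSV",
    "229 Entering Extended Passive Mode (|||50010|)",
]
```

A passive entry marked `False` means the server offered a port outside the range the firewall forwards, which matches the symptom of a login that works and a listing that hangs.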

Author Comment

by:Chris Millard
ID: 34969929
So is it possible to tell the FTP server in IIS what port(s) to use for data?

Expert Comment

by:AlexPace
ID: 34970041
Most FTP servers allow you to specify a port range to use in response to a client's request to use passive mode.

Author Comment

by:Chris Millard
ID: 34977744
An update. I've modified the port range.

I have a customer with a dedicated 1&1 Windows server. It's THAT server that cannot connect by FTP to my server.

I can connect to other FTP sites from the dedicated 1&1 server, and other servers can connect to my FTP.

So there is something not happy between my customer's 1&1 server and my FTP server.

Expert Comment

by:AlexPace
ID: 34980682
Post a copy of the protocol-level log file and we can help you figure out where it is broken.

Author Comment

by:Chris Millard
ID: 34980784
The problem appears to be with the firewall portion of the Draytek 2800 router. I've put Filezilla server on a PC, and changed the NAT in the router to point to the new PC. I had exactly the same issue. So what I have now done, as I need this working ASAP, is put the PC on a DMZ and now I can FTP to it quite happily.

Author Closing Comment

by:Chris Millard
ID: 34980816
The problem was with the Draytek 2800 router.