Solved

Cannot list contents of IIS FTP directory from outside of the office

Posted on 2011-02-24
Last Modified: 2012-06-21
I have set up FTP on our Windows 2008 server. I have turned off anonymous access, and I have enabled the feature to isolate users.

I have specified the FTP root as D:\FTP

Inside there, I have a folder that corresponds to my domain name, and inside there I have a folder for each user whom I want to give ftp access to.

Now, when I connect to the ftp server internally, I can log in, put files, get files and list the directory.

However, if I connect to the FTP server from the outside world, although I can log in to the server OK, when I try to list the contents of the directory, the FTP client just hangs.

What am I missing?

ALSO whilst on the FTP subject, is it possible to create a user in Active Directory who ONLY has access to FTP and nothing else?

Thanks
0
Question by:Chris Millard
8 Comments
 
LVL 5

Accepted Solution

by:
torvir earned 500 total points
ID: 34969221
This is a common problem when you are using standard FTP. You have to use passive FTP to get it to work.
An alternative could be to configure the firewall with deep inspection of FTP so that negotiated ports are allowed. It depends on the firewall if that is possible.
Go for passive FTP in the server. I'm a network guy so I can't tell you where to find it, but look for a parameter that says passive FTP or PASV.
0
 
LVL 16

Assisted Solution

by:AlexPace
AlexPace earned 500 total points
ID: 34969851
FTP uses two ports.  The common port 21 is the "control channel" where you send protocol commands to log in, change directory, request a file, and so forth.  The other port is the "data channel" which actually sends the contents of files and directory listings.  When you can log in but not list files that means the data channel is blocked.

When you want to transfer data in passive mode, your FTP client asks the server where to get the data and the server responds with an IP address and port number, then your client connects to that address and port to get the data.

When you want to transfer data in active mode, your FTP client tells the server what it wants and which port it will be watching.  The FTP server then initiates a connection back to the client computer on the port that the client requested.

So in either active or passive mode you won't be able to transfer files or directory listings if the data port is blocked by a firewall.  Like torvir said above, this is a common problem, and it is more likely that your firewall is blocking an external computer trying to connect back to you (active mode) than it blocking your connection to the external computer (active mode), but in either case the result is the same.

Look in your client logs for either the PORT or PASV command.  The last two numbers on the PORT command or the last two numbers in the server's response to the PASV command represent the port number for the data channel.  Convert them to hex, combine, then convert back to decimal.  For example if the last two numbers are 253, 41 you convert to hex:
253 = FD
41 = 29
combining them gives you FD29
converting back to decimal:  FD29 = 64809

So in this example the data port was 64809
0
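The port arithmetic described in the answer above, as an added example that is not part of the original thread: it scans a client protocol log for PORT commands and 227 (PASV) replies, computes each data port as high byte × 256 + low byte (the same result as the hex method), and lists passive ports outside the range the firewall forwards. The log layout, the addresses and the 50000-50100 range are constructed assumptions; handling of the 229 (EPSV) reply goes beyond the case in the text.

```python
import re

# Constructed sample of an FTP client protocol log (documentation/private addresses).
SAMPLE_LOG = """\
Command:  PASV
Response: 227 Entering Passive Mode (203,0,113,10,253,41)
Command:  LIST
Command:  PORT 192,168,1,20,19,137
Response: 200 PORT command successful.
Response: 229 Entering Extended Passive Mode (|||50012|)
"""

# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")  # 229 reply carries the port only


def data_endpoints(log_text):
    """Return (mode, ip, port) for every data-channel negotiation in the log."""
    found = []
    for line in log_text.splitlines():
        if re.search(r"(?:^|\s)229\s", line):
            m = EPSV.search(line)
            if m:
                found.append(("extended passive", None, int(m.group(1))))
            continue
        if re.search(r"(?:^|\s)227\s", line):
            mode = "passive"   # server tells the client where to connect
        elif re.search(r"\bPORT\s+\d", line):
            mode = "active"    # client tells the server where to connect back
        else:
            continue
        m = HOSTPORT.search(line)
        if not m:
            continue
        nums = [int(n) for n in m.groups()]
        if any(n > 255 for n in nums):
            continue           # not a valid address/port byte
        ip = ".".join(str(n) for n in nums[:4])
        found.append((mode, ip, nums[4] * 256 + nums[5]))
    return found


def outside_range(endpoints, low, high):
    """Passive ports the server offered that the firewall range does not cover."""
    return [p for mode, _, p in endpoints
            if "passive" in mode and not low <= p <= high]
```

A passive port reported by `outside_range` means the server is offering data ports that the firewall or NAT rule is not forwarding, which produces the hang on directory listing described in the question.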
 
LVL 17

Author Comment

by:Chris Millard
ID: 34969929
So is it possible to tell the FTP server in IIS what port(s) to use for data?
0
 
LVL 16

Expert Comment

by:AlexPace
ID: 34970041
Most FTP servers allow you to specify a port range to use in response to a client's request to use passive mode.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 34977744
An update. I've modified the port range.

I have a customer with a dedicated 1&1 Windows server. It's THAT server that cannot connect by FTP to my server.

I can connect to other FTP sites from the dedicated 1&1 server, and other servers can connect to my FTP.

So there is something not happy between my customer's 1&1 server and my FTP server.
0
 
LVL 16

Expert Comment

by:AlexPace
ID: 34980682
Post a copy of the protocol-level log file and we can help you figure out where it is broken.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 34980784
The problem appears to be with the firewall portion of the Draytek 2800 router. I've put Filezilla server on a PC, and changed the NAT in the router to point to the new PC. I had exactly the same issue. So what I have now done, as I need this working ASAP, is put the PC on a DMZ and now I can FTP to it quite happily.
0
 
LVL 17

Author Closing Comment

by:Chris Millard
ID: 34980816
The problem was with the Draytek 2800 router.
0
