Solved

Cannot list contents of IIS FTP directory from outside of the office

Posted on 2011-02-24
Last Modified: 2012-06-21
I have set up FTP on our Windows 2008 server. I have turned off anonymous access, and I have enabled the feature to isolate users.

I have specified the FTP root as D:\FTP

Inside there, I have a folder that corresponds to my domain name, and inside there I have a folder for each user whom I want to give ftp access to.

Now, when I connect to the ftp server internally, I can log in, put files, get files and list the directory.

However, if I connect to the FTP server from the outside world, although I can log in to the server ok, when I try to list the contents of the directory, the FTP client just hangs.

What am I missing?

ALSO whilst on the FTP subject, is it possible to create a user in Active Directory who ONLY has access to FTP and nothing else?

Thanks
0
Question by:Chris Millard
8 Comments
 
LVL 5

Accepted Solution

by:
torvir earned 500 total points
ID: 34969221
This is a common problem when you are using standard FTP. You have to use passive FTP to get it to work.
An alternative could be to configure the firewall with deep inspection of FTP so that negotiated ports are allowed. It depends on the firewall if that is possible.
Go for passive FTP in the server. I'm a network guy so I can't tell you where to find it, but look for a parameter that says passive FTP or PASV.
0
 
LVL 16

Assisted Solution

by:AlexPace
AlexPace earned 500 total points
ID: 34969851
FTP uses two ports.  The common port 21 is the "control channel" where you send protocol commands to log in, change directory, request a file, and so forth.  The other port is the "data channel" which actually sends the contents of files and directory listings.  When you can log in but not list files that means the data channel is blocked.

When you want to transfer data in passive mode, your FTP client asks the server where to get the data and the server responds with an IP address and port number, then your client connects to that address and port to get the data.

When you want to transfer data in active mode, your FTP client tells the server what it wants and which port it will be watching.  The FTP server then initiates a connection back to the client computer on the port that the client requested.

So in either active or passive mode you won't be able to transfer files or directory listings if the data port is blocked by a firewall.  Like torvir said above, this is a common problem, and it is more likely that your firewall is blocking an external computer trying to connect back to you (active mode) than it blocking your connection to the external computer (active mode), but in either case the result is the same.

Look in your client logs for either the PORT or PASV command.  The last two numbers on the PORT command or the last two numbers in the server's response to the PASV command represent the port number for the data channel.  Convert them to hex, combine, then convert back to decimal.  For example if the last two numbers are 253, 41 you convert to hex:
253 = FD
41 = 29
combining them gives you FD29
converting back to decimal:  FD29 = 64809

So in this example the data port was 64809
0
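The data-port arithmetic from the answer above, applied to a client log, as an added example that is not part of the original thread: it extracts the endpoint from PORT commands and 227 (PASV) replies and flags entries a perimeter firewall or NAT router would drop. The log line format, the passive range 50000-50100 and all addresses are constructed assumptions.

```python
import ipaddress
import re

# Six comma-separated numbers: h1,h2,h3,h4,p1,p2 (PORT argument / 227 reply)
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or 227 PASV reply, else None."""
    if "PORT " in line.upper():
        mode = "active"
    elif re.search(r"\b227\b", line):
        mode = "passive"
    else:
        return None
    m = HOSTPORT.search(line)
    if not m or any(int(n) > 255 for n in m.groups()):
        return None
    h1, h2, h3, h4, p1, p2 = (int(n) for n in m.groups())
    # High byte * 256 + low byte: same result as the hex method (FD29 = 64809)
    return mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def audit(log_lines, low, high):
    """List data-channel endpoints and note why a firewall or NAT would drop them."""
    findings = []
    for line in log_lines:
        ep = parse_data_endpoint(line)
        if ep is None:
            continue
        mode, ip, port = ep
        notes = []
        if mode == "passive" and not low <= port <= high:
            notes.append("port outside forwarded passive range")
        if any(ipaddress.ip_address(ip) in net for net in RFC1918):
            notes.append("private address advertised; unreachable across NAT")
        findings.append((mode, ip, port, notes))
    return findings

# Constructed sample client log (private and documentation addresses only)
SAMPLE_LOG = [
    "COMMAND> PASV",
    "RESPONSE> 227 Entering Passive Mode (192,168,1,10,253,41)",
    "COMMAND> PORT 203,0,113,7,195,80",
    "RESPONSE> 227 Entering Passive Mode (203,0,113,5,195,90)",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, 50000, 50100):
        print(finding)
```

An entry with notes is a data connection the client will wait on until it times out, which matches a login that succeeds followed by a directory listing that hangs.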
 
LVL 17

Author Comment

by:Chris Millard
ID: 34969929
So is it possible to tell the FTP server in IIS what port(s) to use for data?
0
 
LVL 16

Expert Comment

by:AlexPace
ID: 34970041
Most FTP servers allow you to specify a port range to use in response to a client's request to use passive mode.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 34977744
An update. I've modified the port range.

I have a customer with a dedicated 1&1 Windows server. It's THAT server that cannot connect by FTP to my server.

I can connect to other FTP sites from the dedicated 1&1 server, and other servers can connect to my FTP.

So there is something not happy between my customer's 1&1 server and my FTP server.
0
 
LVL 16

Expert Comment

by:AlexPace
ID: 34980682
Post a copy of the protocol-level log file and we can help you figure out where it is broken.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 34980784
The problem appears to be with the firewall portion of the Draytek 2800 router. I've put Filezilla server on a PC, and changed the NAT in the router to point to the new PC. I had exactly the same issue. So what I have now done, as I need this working ASAP, is put the PC on a DMZ and now I can FTP to it quite happily.
0
 
LVL 17

Author Closing Comment

by:Chris Millard
ID: 34980816
The problem was with the Draytek 2800 router.
0
