Secure FTP setup

I’m trying to get secure ftp working on SBS 2011. Here’s what I’ve done so far:
FTP is installed on the server, and I see that windows firewall already has a rule for “FTP Server Secure (FTP SSL traffic in)” which uses port 990, and it allows incoming ftp traffic on ports 1024-65535.
On the router I opened port 990, directing its traffic to the server.
I added the DNS forward lookup entry for ftp.domain.com.
On the server, under IIS, I set up an FTP site, called ftp.domain.com that binds to port 990.
On the ftp site, I turned on basic authentication, and the default domain is set to the domain. I set the outside ip address under ftp firewall support, and under FTP SSL settings  I set it to allow ssl connections and use the 3rd party certificate.  
Under IIS manager permissions, I set my windows account as enabled for log in.
That’s all I’m aware of needing to do on the server.

Then on the client (which is presently inside the domain), I set up filezilla as this is capable of secure ftp.
It is configured to go to ftp.domain.com (or 192.168.0.2 when inside the domain) using port 990, with my user name as user/password.

It times out when it tries to connect.

I tried to use filezilla to connect using “FTPS – ftp over explicit TLS/SSL” using the internal ip address, and it says:
Status: Connecting to 192.168.0.2:990...
Status: Connection established, waiting for welcome message...
Error: Could not connect to server

I was following along with a SBS 2008 tutorial at http://www.smallbizserver.net/Articles/tabid/266/Id/322/PageID/574/How-to-install-FTP-75-on-a-SBS-2008-server.aspx and when I tried to browse to ftp://localhost while on the server, it says the page can’t be displayed. Tried this with the firewall off, with the same result.

Found instructions at http://blogs.iis.net/jaroslad/archive/2007/09/29/windows-firewall-setup-for-microsoft-ftp-publishing-service-for-iis-7-0.aspx and it recommended running these commands:

1) sc sidtype ftpsvc unrestricted
2) net stop ftpsvc
3) net start ftpsvc
4) netsh advfirewall firewall add rule name="FTP for IIS7" service=ftpsvc action=allow protocol=TCP dir=in
5) netsh advfirewall set global Statefulftp disable
6) C:\Windows\system32>netsh advfirewall show global
Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck                        0:Disabled
SAIdleTimeMin                         5min
DefaultExemptions                     NeighborDiscovery,DHCP
IPsecThroughNAT                       Never
AuthzUserGrp                          None
AuthzComputerGrp                      None

StatefulFTP                           Disable
StatefulPPTP                          Disable

Main Mode:
KeyLifetime                           480min,0sess
SecMethods                            DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
ForceDH                               No

Categories:
BootTimeRuleCategory                  Windows Firewall
FirewallRuleCategory                  Windows Firewall
StealthRuleCategory                   Windows Firewall
ConSecRuleRuleCategory                Windows Firewall

Ok.

Can anyone spot problems, or recommend a fix?
JeReLo Asked:
meverest Commented:
Hi!

You are right in the first instance.  Classic (Active) ftp requires that the SERVER opens a connection TO THE CLIENT using port 20 to transfer data.  Because of the fact that these days ftp clients are almost always hidden behind a firewall or NAT router, any attempt by the ftp server to open a connection to the client will almost certainly fail.  Some router systems have a special ftp 'helper' that will detect when an internal client has a port 21 (ftp cmd) connection open, and then when it receives a connection request coming back from that server, will automatically redirect it back to the client.

But without support for that kind of 'helper' passive (PASV) mode ftp is required.  In this case, instead of the ftp server making the connection back to the client, it simply provides instruction on how the client should connect to the server - which is provided by that response to 'PASV' command:

 227 Entering Passive Mode (192,168,0,1,19,140).

Translated to English, it says "Hey client, open a connection to me on address 192.168.0.1 on tcp port 19*256+140", so then the client *should* make that connection, and when it does, the server will send the requested data (file or directory list etc) over that connection.

There are lots of things that can go wrong in this instance.  One common issue is that if the ftp client has connected to the server on a different IP address than that pasv response, some clients will ignore that definition and just try to connect on the same address that the main ftp cmd connection is made to.  The reason that is done is because if the ftp server is also behind a port forwarded firewall, and is quoting its /lan/ ip address, then the connection will break! ;-) - and that is why many ftp server software provides an option to define the firewall IP address to override the lan address.

But that's just some background info that I hope will get your brain on the right track to understand what might be happening here and at least give you a chance to work out whether it's a network or application problem happening to you :-}

So the best way to prove that the ftp server itself is working properly is to:

1. remove/disable all firewalls (ideally run the ftp client on the server console!)
2. connect to the ftp server using ACTIVE mode

if /that/ works, then you know that you need to look closer at the network configuration

if it doesn't work, then it's something to do with server configuration or permissions etc.

Cheers!  Mike.
0
 
meverest Commented:
Hi,

just to be sure that windows firewall is not contributing factor, have you tried temporarily disabling the firewall?

Cheers.
0
 
meverest Commented:
Oh, sorry - I see that you did! :-}
0
 
meverest Commented:
try enabling error trace in filezilla client to get some more detail on where it gets up to.
0
 
JeReLo (Author) Commented:
how do I enable error trace? I can't find where to do this.
0
 
JeReLo (Author) Commented:
I switched to using port 21, and corrected the address of the "external firewall" to use the internal ip address, and then I was able to make some progress. Now the process hangs up as follows:
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (192,168,0,1,19,136).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: GnuTLS error -53: Error in the push function.
Error: Connection timed out
Error: Failed to retrieve directory listing

0
 
meverest Commented:
Hi!

Looks like some more firewall issues - note the PASV command response:

>> Response: 227 Entering Passive Mode (192,168,0,1,19,136)

that is the server instructing the client to connect to '192.168.0.1' on port 5000 (19*256+136)

So, it seems like either:

a. port 5000 is not open to the ftp server, or
b. 192.168.0.1 is not available

are you attempting a connection from the LAN, or an external host?

Regards,  Mike.
0
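The 227 arithmetic Mike walks through in his first answer and again just above (19*256+136 = 5000), as an added example that is not from anyone in this thread: parse the PASV reply, apply the "fall back to the control host when the server quotes a LAN address" rule he describes, and do a plain TCP connect to the data endpoint. The fallback rule as coded, the host names and the sample replies are assumptions/constructed; the replies are copied from those quoted in the thread.

```python
import re
import socket
from ipaddress import ip_address

# Matches the reply shown in the thread: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte out of range in PASV reply")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_endpoint(reply: str, control_host: str) -> tuple[str, int, str]:
    """Pick where the data connection should go and explain the choice.

    Assumed client rule (not from the thread): if the server advertises a
    private/LAN address while the control connection went to a public host
    or DNS name, reuse the control host; otherwise trust the advertised one."""
    host, port = parse_pasv(reply)
    if host == control_host:
        return host, port, "advertised address matches control host"
    try:
        control_private = ip_address(control_host).is_private
    except ValueError:  # control host given as a DNS name, e.g. ftp.domain.com
        control_private = False
    if ip_address(host).is_private and not control_private:
        return control_host, port, "LAN address advertised through NAT; using control host"
    return host, port, "advertised address differs from control host"


def probe(host: str, port: int, timeout: float = 3.0) -> tuple[bool, str]:
    """Plain TCP connect to the data endpoint: True if something accepts on that port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed input copied from the reply quoted in the thread
    reply = "227 Entering Passive Mode (192,168,0,1,19,136)."
    host, port, why = data_endpoint(reply, "192.168.0.2")
    print(host, port, why)  # -> 192.168.0.1 5000 advertised address differs from control host
```

Running `probe(host, port)` from the client machine gives a yes/no on whether anything accepts on the advertised data port before the TLS layer gets involved.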
 
JeReLo (Author) Commented:
I'm attempting a connection from the lan (or within the domain). Later I will confirm settings from outside lan.
In the router firewall I have opened ports 5000 to 5010.
In Windows firewall on the ftp server, I see a pre-installed rule called "FTP server passive (FTP passive traffic-in)" that allows tcp traffic on ports 1024 - 65535.
In Windows firewall on the client I created an outgoing rule for filezilla that opens ports 5000-5010.

Now when I try to connect it shows:
Command: PASV
Response: 227 Entering Passive Mode (192,168,0,1,19,140).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: GnuTLS error -53: Error in the push function.

In response to your troubleshooting, I can confirm that 192.168.0.1 is available (via ping, and as the router it facilitates the successful earlier ftp traffic). As far as point a. goes, I think I've made port 5000 open to the ftp server.

I wonder if there is a command that could be used diagnostically to confirm port 5000 is unblocked.
Can you confirm that the steps I took would normally be sufficient to configure the ports?
Any other ideas I could try?
0
 
JeReLo (Author) Commented:
One more idea to clarify. When we say 192.168.0.1:5000 is the passive port, this actually refers to the IP address of the router, which is configured to redirect port 5000 to the ftp server.

I began wondering if the list problem could also be a problem on the ftp server, in terms of permissions to list the directory contents. I used icacls to give permissions to network service, but then noticed that the ftp site runs as defaultapplicationpool. Would this require me to adjust file permission?
0
 
JeReLo (Author) Commented:
It's mystifying because I tried allowing all incoming and outgoing ports (within domain) on the server and client - thinking this would eliminate all firewall interference, but the same problem remains. Then I wondered if the firewall on the router was the problem. I set ports 5000-5010 to redirect to the server, but maybe these should redirect to the client??? What do you think?
0
 
JeReLo (Author) Commented:
Thanks, I never thought I could try it on the server, as you suggested. I did run it on the server and I get the same problem, which at least allows me to exclude the firewall as the problem.
Would you have any thoughts as to a next step?
Do you know how to give permission to ftp, which I think uses defaultapplication pool, when defaultapplicationpool is not actually listed as a user on the server...
0
 
JeReLo (Author) Commented:
I found something suggesting that I could use iis_iusrs as a substitute for the applicationpoolidentity, so I added full control permission for iis_iusrs to inetpub\ftproot.
But the problem remains, when listing using filezilla on the server itself.
0
 
JeReLo (Author) Commented:
I finally sprung for a technician to look into it, and he was able to log in from outside the domain. I then learned from DLink that the dir-825 just doesn't support ftp inside a lan. It does work outside the lan.

So, in the spirit of encouraging your willingness to join the conversation, and your careful writing to explain some basics, I'm happy to award points and close the file.
0
 
JeReLo (Author) Commented:
did not provide A because answer was not a solution. No solution was possible given the hardware limitations. An A would have been merited if hardware limitation was identified as the cause of the error.
0