Secure FTP setup

Posted on 2011-03-14
Medium Priority
Last Modified: 2012-06-21
I’m trying to get secure ftp working on SBS 2011. Here’s what I’ve done so far:
FTP is installed on the server, and I see that windows firewall already has a rule for “FTP Server Secure (FTP SSL traffic in)” which uses port 990, and it allows incoming ftp traffic on ports 1024-65535.
On the router I opened port 990, directing its traffic to the server.
I added the DNS forward lookup entry for ftp.domain.com.
On the server, under IIS, I set up an FTP site, called ftp.domain.com that binds to port 990.
On the ftp site, I turned on basic authentication, and the default domain is set to the domain. I set the outside ip address under ftp firewall support, and under FTP SSL settings I set it to allow ssl connections and use the 3rd party certificate.
Under IIS manager permissions, I set my windows account as enabled for log in.
That’s all I’m aware of needing to do on the server.

Then on the client (which is presently inside the domain), I set up filezilla as this is capable of secure ftp.
It is configured to go to ftp.domain.com (or when inside the domain) using port 990, with my user name as user/password.

It times out when it tries to connect.

I tried to use filezilla to connect using “FTPS – ftp over explicit TLS/SSL” using the internal ip address, and it says:
Status:                      Connecting to
Status:                      Connection established, waiting for welcome message...
Error:                        Could not connect to server

I was following along with a SBS 2008 tutorial at http://www.smallbizserver.net/Articles/tabid/266/Id/322/PageID/574/How-to-install-FTP-75-on-a-SBS-2008-server.aspx and when I tried to browse to ftp://localhost while on the server, it says the page can’t be displayed. Tried this with the firewall off, with the same result.

Found instructions at http://blogs.iis.net/jaroslad/archive/2007/09/29/windows-firewall-setup-for-microsoft-ftp-publishing-service-for-iis-7-0.aspx and it recommended running these commands:

1)      sc sidtype ftpsvc unrestricted
2)      net stop ftpsvc
3)      net start ftpsvc
4)      netsh advfirewall firewall add rule name="FTP for IIS7" service=ftpsvc action=allow protocol=TCP dir=in
5)      netsh advfirewall set global Statefulftp disable
6)      C:\Windows\system32>netsh advfirewall show global
Global Settings:
StrongCRLCheck                        0:Disabled
SAIdleTimeMin                         5min
DefaultExemptions                     NeighborDiscovery,DHCP
IPsecThroughNAT                       Never
AuthzUserGrp                          None
AuthzComputerGrp                      None

StatefulFTP                           Disable
StatefulPPTP                          Disable

Main Mode:
KeyLifetime                           480min,0sess
SecMethods                            DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
ForceDH                               No

BootTimeRuleCategory                  Windows Firewall
FirewallRuleCategory                  Windows Firewall
StealthRuleCategory                   Windows Firewall
ConSecRuleRuleCategory                Windows Firewall


Can anyone spot problems, or recommend a fix?
Question by:JeReLo
LVL 37

Expert Comment

ID: 35143031

just to be sure that windows firewall is not a contributing factor, have you tried temporarily disabling the firewall?

LVL 37

Expert Comment

ID: 35143037
Oh, sorry - I see that you did! :-}
LVL 37

Expert Comment

ID: 35143069
try enabling error trace in filezilla client to get some more detail on where it gets up to.

Author Comment

ID: 35144184
how do I enable error trace? I can't find where to do this.

Author Comment

ID: 35144192
I switched to using port 21, and corrected the address of the "external firewall" to use the internal ip address, and then I was able to make some progress. Now the process hangs up as follows:
Status: Connected

Status: Retrieving directory listing...

Command: PWD

Response: 257 "/" is current directory.

Command: TYPE I

Response: 200 Type set to I.

Command: PASV

Response: 227 Entering Passive Mode (192,168,0,1,19,136).

Command: LIST

Response: 150 Opening BINARY mode data connection.

Error: GnuTLS error -53: Error in the push function.

Error: Connection timed out

Error: Failed to retrieve directory listing

LVL 37

Expert Comment

ID: 35144887

Looks like some more firewall issues - note the PASV command response:

>> Response: 227 Entering Passive Mode (192,168,0,1,19,136)

that is the server instructing the client to connect to '' on port 5000 (19 *256 +136)

So, it seems like either:

a. port 5000 is not open to the ftp server, or
b. is not available

are you attempting a connection from the LAN, or an external host?

Regards,  Mike.

Author Comment

ID: 35149956
I'm attempting a connection from the lan (or within the domain). Later I will confirm settings from outside lan.
In the router firewall I have opened ports 5000 to 5010.
In Windows firewall on the ftp server, I see a pre-installed rule called "FTP server passive (FTP passive traffic-in)" that allows tcp traffic on ports 1024 - 65535.
In Windows firewall on the client I created an outgoing rule for filezilla that opens ports 5000-5010.

Now when I try to connect it shows:
Command:      PASV
Response:      227 Entering Passive Mode (192,168,0,1,19,140).
Command:      LIST
Response:      150 Opening BINARY mode data connection.
Error:      GnuTLS error -53: Error in the push function.

In response to your troubleshooting, I can confirm that is available (via ping, and as the router it facilitates the successful earlier ftp traffic). As far as point a. goes, I think I've made port 5000 open to the ftp server.

I wonder if there is a command that could be used diagnostically to confirm port 5000 is unblocked.
Can you confirm that the steps I took would normally be sufficient to configure the ports?
Any other ideas I could try?

Author Comment

ID: 35150319
One more idea to clarify. When we say is the passive port, this actually refers to the IP address of the router, which is configured to redirect port 5000 to the ftp server.

I began wondering if the list problem could also be a problem on the ftp server, in terms of permissions to list the directory contents. I used icacls to give permissions to network service, but then noticed that the ftp site runs as defaultapplicationpool. Would this require me to adjust file permission?

Author Comment

ID: 35150448
It's mystifying because I tried allowing all incoming and outgoing ports (within domain) on the server and client - thinking this would eliminate all firewall interference, but the same problem remains. Then I wondered if the firewall on the router was the problem. I set ports 5000-5010 to redirect to the server, but maybe these should redirect to the client??? What do you think?
LVL 37

Accepted Solution

meverest earned 1500 total points
ID: 35152993

You are right in the first instance.  Classic (Active) ftp requires that the SERVER opens a connection TO THE CLIENT using port 20 to transfer data.  Because of the fact that these days ftp clients are almost always hidden behind a firewall or NAT router, any attempt by the ftp server to open a connection to the client will almost certainly fail.  Some router systems have a special ftp 'helper' that will detect when an internal client has a port 21 (ftp cmd) connection open, and then when it receives a connection request coming back from that server, will automatically redirect it back to the client.

But without support for that kind of 'helper' passive (PASV) mode ftp is required.  In this case, instead of the ftp server making the connection back to the client, it simply provides instruction on how the client should connect to the server - which is provided by that response to 'PASV' command:

 227 Entering Passive Mode (192,168,0,1,19,140).

translated to English, it says "Hey client, open a connection to me on address or tcp port 19*256+140", so then the client *should* make that connection, and when it does, the server will send the requested data (file or directory list etc) over that connection.

There are lots of things that can go wrong in this instance.  One common issue is that if the ftp client has connected to the server on a different IP address than that pasv response, some clients will ignore that definition and just try to connect on the same address that the main ftp cmd connection is made to.  The reason that is done is because if the ftp server is also behind a port forwarded firewall, and is quoting its /lan/ ip address, then the connection will break! ;-) - and that is why many ftp server packages provide an option to define the firewall IP address to override the lan address.

But that's just some background info that I hope will get your brain on the right track to understand what might be happening here and at least give you a chance to work out whether it's a network or application problem happening to you :-}

So the best way to prove that the ftp server itself is working properly is to:

1. remove/disable all firewalls (ideally run the ftp client on the server console!)
2. connect to the ftp server using ACTIVE mode

if /that/ works, then you know that you need to look closer at the network configuration

if it doesn't work, then it's something to do with server configuration or permissions etc.

Cheers!  Mike.
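The PASV decoding described in the answer above, as an added example that is not part of the original thread: it parses the 227 reply FileZilla logged, computes the data port as p1*256 + p2, flags the case where the advertised address differs from the address the control connection used (the NAT problem Mike describes), and offers a plain TCP probe of the data endpoint, which is one answer to the "is port 5000 unblocked" question. The sample replies are copied from the thread; the control-connection address is an assumption.

```python
import re
import socket
from dataclasses import dataclass

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class PasvTarget:
    advertised_host: str  # address quoted by the server in the 227 reply
    port: int             # p1*256 + p2
    mismatch: bool        # True if advertised_host != control-connection host
    connect_host: str     # address a NAT-aware client would actually use


def parse_pasv(response: str, control_host: str) -> PasvTarget:
    """Decode a 227 reply into the endpoint the data connection must reach.

    As the answer notes, a server behind a port-forwarding router may quote
    its LAN address; clients that notice the mismatch fall back to the host
    the control connection was made to, which is what connect_host holds.
    """
    m = PASV_RE.search(response)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {response!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= n <= 255 for n in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"PASV octet out of range in {response!r}")
    advertised = f"{h1}.{h2}.{h3}.{h4}"
    port = p1 * 256 + p2
    return PasvTarget(advertised, port, advertised != control_host, control_host)


def probe_data_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect to the data endpoint; False reproduces the
    'Connection timed out' symptom of a blocked or unforwarded port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Replies copied from the FileZilla log in this thread.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,0,1,19,136).",
    "227 Entering Passive Mode (192,168,0,1,19,140).",
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:  # assumed control host: 192.168.0.1
        t = parse_pasv(reply, control_host="192.168.0.1")
        print(f"{reply} -> data connection to {t.connect_host}:{t.port}")
```

Running it shows the two replies resolve to ports 5000 and 5004, which is why the author's router forward of 5000-5010 had to cover the whole passive range the server hands out.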

Author Comment

ID: 35153357
Thanks, I never thought I could try it on the server, as you suggested. I did run it on the server and I get the same problem, which at least allows me to exclude the firewall as the problem.
Would you have any thoughts as to a next step?
Do you know how to give permission to ftp, which I think uses defaultapplication pool, when defaultapplicationpool is not actually listed as a user on the server...

Author Comment

ID: 35153972
I found something suggesting that I could use iis_iusrs as a substitute for the applicationpoolidentity, so I added full control permission for iis_iusrs to inetpub\ftproot.
But the problem remains, when listing using filezilla on the server itself.

Author Comment

ID: 35170324
I finally sprung for a technician to look into it, and he was able to log in from outside the domain. I then learned from DLink that the dir-825 just doesn't support ftp inside a lan. It does work outside the lan.

So, in the spirit of encouraging your willingness to join the conversation, and your careful writing to explain some basics, I'm happy to award points and close the file.

Author Closing Comment

ID: 35170335
did not provide A because answer was not a solution. No solution was possible given the hardware limitations. An A would have been merited if hardware limitation was identified as the cause of the error.
