Solved

Secure FTP setup

Posted on 2011-03-14
Last Modified: 2012-06-21
I’m trying to get secure ftp working on SBS 2011. Here’s what I’ve done so far:
FTP is installed on the server, and I see that Windows Firewall already has a rule for “FTP Server Secure (FTP SSL traffic in)” which uses port 990, and it allows incoming ftp traffic on ports 1024-65535.
On the router I opened port 990, directing its traffic to the server.
I added the DNS forward lookup entry for ftp.domain.com.
On the server, under IIS, I set up an FTP site, called ftp.domain.com that binds to port 990.
On the ftp site, I turned on basic authentication, and the default domain is set to the domain. I set the outside ip address under ftp firewall support, and under FTP SSL settings I set it to allow ssl connections and use the 3rd party certificate.
Under IIS manager permissions, I set my windows account as enabled for log in.
That’s all I’m aware of needing to do on the server.

Then on the client (which is presently inside the domain), I set up filezilla as this is capable of secure ftp.
It is configured to go to ftp.domain.com (or 192.168.0.2 when inside the domain) using port 990, with my user name as user/password.

It times out when it tries to connect.

I tried to use filezilla to connect using “FTPS – ftp over explicit TLS/SSL” using the internal ip address, and it says:
Status: Connecting to 192.168.0.2:990...
Status: Connection established, waiting for welcome message...
Error: Could not connect to server

I was following along with a SBS 2008 tutorial at http://www.smallbizserver.net/Articles/tabid/266/Id/322/PageID/574/How-to-install-FTP-75-on-a-SBS-2008-server.aspx and when I tried to browse to ftp://localhost while on the server, it says the page can’t be displayed. Tried this with the firewall off, with the same result.

Found instructions at http://blogs.iis.net/jaroslad/archive/2007/09/29/windows-firewall-setup-for-microsoft-ftp-publishing-service-for-iis-7-0.aspx and it recommended running these commands:

1) sc sidtype ftpsvc unrestricted
2) net stop ftpsvc
3) net start ftpsvc
4) netsh advfirewall firewall add rule name="FTP for IIS7" service=ftpsvc action=allow protocol=TCP dir=in
5) netsh advfirewall set global Statefulftp disable
6) C:\Windows\system32>netsh advfirewall show global
Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck                        0:Disabled
SAIdleTimeMin                         5min
DefaultExemptions                     NeighborDiscovery,DHCP
IPsecThroughNAT                       Never
AuthzUserGrp                          None
AuthzComputerGrp                      None

StatefulFTP                           Disable
StatefulPPTP                          Disable

Main Mode:
KeyLifetime                           480min,0sess
SecMethods                            DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
ForceDH                               No

Categories:
BootTimeRuleCategory                  Windows Firewall
FirewallRuleCategory                  Windows Firewall
StealthRuleCategory                   Windows Firewall
ConSecRuleRuleCategory                Windows Firewall

Ok.

Can anyone spot problems, or recommend a fix?
Question by:JeReLo
 
LVL 37

Expert Comment

by:meverest
ID: 35143031
Hi,

Just to be sure that Windows Firewall is not a contributing factor, have you tried temporarily disabling the firewall?

Cheers.
0
 
LVL 37

Expert Comment

by:meverest
ID: 35143037
Oh, sorry - I see that you did! :-}
0
 
LVL 37

Expert Comment

by:meverest
ID: 35143069
Try enabling error trace in the FileZilla client to get some more detail on where it gets up to.
0
 

Author Comment

by:JeReLo
ID: 35144184
how do I enable error trace? I can't find where to do this.
0
 

Author Comment

by:JeReLo
ID: 35144192
I switched to using port 21, and corrected the address of the "external firewall" to use the internal ip address, and then I was able to make some progress. Now the process hangs up as follows:
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (192,168,0,1,19,136).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: GnuTLS error -53: Error in the push function.
Error: Connection timed out
Error: Failed to retrieve directory listing

0
 
LVL 37

Expert Comment

by:meverest
ID: 35144887
Hi!

Looks like some more firewall issues - note the PASV command response:

>> Response: 227 Entering Passive Mode (192,168,0,1,19,136)

that is the server instructing the client to connect to '192.168.0.1' on port 5000 (19 *256 +136)

So, it seems like either:

a. port 5000 is not open to the ftp server, or
b. 192.168.0.1 is not available

are you attempting a connection from the LAN, or an external host?

Regards, Mike.
0
 

Author Comment

by:JeReLo
ID: 35149956
I'm attempting a connection from the lan (or within the domain). Later I will confirm settings from outside lan.
In the router firewall I have opened ports 5000 to 5010.
In Windows Firewall on the ftp server, I see a pre-installed rule called "FTP server passive (FTP passive traffic-in)" that allows tcp traffic on ports 1024 - 65535.
In Windows firewall on the client I created an outgoing rule for filezilla that opens ports 5000-5010.

Now when I try to connect it shows:
Command: PASV
Response: 227 Entering Passive Mode (192,168,0,1,19,140).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: GnuTLS error -53: Error in the push function.

In response to your troubleshooting, I can confirm that 192.168.0.1 is available (via ping, and as the router it facilitates the successful earlier ftp traffic). As far as point a. goes, I think I've made port 5000 open to the ftp server.

I wonder if there is a command that could be used diagnostically to confirm port 5000 is unblocked.
Can you confirm that the steps I took would normally be sufficient to configure the ports?
Any other ideas I could try?
0
 

Author Comment

by:JeReLo
ID: 35150319
One more idea to clarify. When we say 192.168.0.1:5000 is the passive port, this actually refers to the IP address of the router, which is configured to redirect port 5000 to the ftp server.

I began wondering if the list problem could also be a problem on the ftp server, in terms of permissions to list the directory contents. I used icacls to give permissions to network service, but then noticed that the ftp site runs as defaultapplicationpool. Would this require me to adjust file permission?
0
 

Author Comment

by:JeReLo
ID: 35150448
It's mystifying because I tried allowing all incoming and outgoing ports (within domain) on the server and client - thinking this would eliminate all firewall interference, but the same problem remains. Then I wondered if the firewall on the router was the problem. I set ports 5000-5010 to redirect to the server, but maybe these should redirect to the client??? What do you think?
0
 
LVL 37

Accepted Solution

by:
meverest earned 500 total points
ID: 35152993
Hi!

You are right in the first instance. Classic (Active) ftp requires that the SERVER opens a connection TO THE CLIENT using port 20 to transfer data. Because of the fact that these days ftp clients are almost always hidden behind a firewall or NAT router, any attempt by the ftp server to open a connection to the client will almost certainly fail. Some router systems have a special ftp 'helper' that will detect when an internal client has a port 21 (ftp cmd) connection open, and then when it receives a connection request coming back from that server, will automatically redirect it back to the client.

But without support for that kind of 'helper' passive (PASV) mode ftp is required.  In this case, instead of the ftp server making the connection back to the client, it simply provides instruction on how the client should connect to the server - which is provided by that response to 'PASV' command:

 227 Entering Passive Mode (192,168,0,1,19,140).

Translated to English, it says "Hey client, open a connection to me on address 192.168.0.1 on tcp port 19*256+140", so then the client *should* make that connection, and when it does, the server will send the requested data (file or directory list etc) over that connection.

There are lots of things that can go wrong in this instance. One common issue is that if the ftp client has connected to the server on a different IP address than that pasv response, some clients will ignore that definition and just try to connect on the same address that the main ftp cmd connection is made to. The reason that is done is because if the ftp server is also behind a port forwarded firewall, and is quoting its /lan/ ip address, then the connection will break! ;-) - and that is why many ftp server packages provide an option to define the firewall IP address to override the lan address.

But that's just some background info that I hope will get your brain on the right track to understand what might be happening here and at least give you a chance to work out whether it's a network or application problem happening to you :-}

So the best way to prove that the ftp server itself is working properly is to:

1. remove/disable all firewalls (ideally run the ftp client on the server console!)
2. connect to the ftp server using ACTIVE mode

if /that/ works, then you know that you need to look closer at the network configuration

if it doesn't work, then it's something to do with server configuration or permissions etc.

Cheers! Mike.
0
 

Author Comment

by:JeReLo
ID: 35153357
Thanks, I never thought I could try it on the server, as you suggested. I did run it on the server and I get the same problem, which at least allows me to exclude the firewall as the problem.
Would you have any thoughts as to a next step?
Do you know how to give permission to ftp, which I think uses defaultapplication pool, when defaultapplicationpool is not actually listed as a user on the server...
0
 

Author Comment

by:JeReLo
ID: 35153972
I found something suggesting that I could use iis_iusrs as a substitute for the applicationpoolidentity, so I added full control permission for iis_iusrs to inetpub\ftproot.
But the problem remains, when listing using filezilla on the server itself.
0
 

Author Comment

by:JeReLo
ID: 35170324
I finally sprung for a technician to look into it, and he was able to log in from outside the domain. I then learned from DLink that the dir-825 just doesn't support ftp inside a lan. It does work outside the lan.

So, in the spirit of encouraging your willingness to join the conversation, and your careful writing to explain some basics, I'm happy to award points and close the file.
0
 

Author Closing Comment

by:JeReLo
ID: 35170335
did not provide A because answer was not a solution. No solution was possible given the hardware limitations. An A would have been merited if hardware limitation was identified as the cause of the error.
0
