Filezilla server SSL/TLS

masdf123
Hi,

I have setup exactly the way this person has setup here. And the same problem is happening.

Can someone please suggest a solution

http://forum.filezilla-project.org/viewtopic.php?f=6&t=19462

Thanks
Senior infrastructure engineer
Top Expert 2012
Commented:
How about port 20 for the ftp data connection?

Commented:
In the linked thread, the server requested that the browser connect on port 5008 the first time and 5009 the second time.

Author

Commented:
Do I need to open port 20?

Author

Commented:
opening port 20 doesn't work either.
Top Expert 2014

Commented:
Unless you are doing active ftp, you don't need port 20 open.  In fact even if you opened it, you probably did it wrong.  When doing active ftp the server initiates an outbound connection with the source port of 20 to a high port on the client.

Just to make sure.  On your router/firewall you have ports 5000-5100 setup so that when an inbound request comes in with those ports as a target port, it will forward to your ftp server?

You are doing this from a PC that is on the Internet, not one that is on the same network as the ftp server, right?

Author

Commented:
Ports 5000-5100 are open and forwarding to the FTP server. I am testing from a PC outside the network.
Top Expert 2014

Commented:
O.K., then on the ftp server you need to run a packet capture to see if anything is actually making it back to the ftp server.

I suggest using wireshark (http://www.wireshark.org).

If you see nothing getting back to the server, then either your router/gateway is not forwarding correctly, the router being used by the testing PC is not forwarding it correctly, or your ISP is blocking the traffic.

Is your ISP account a home account or a business account?  Some ISPs will block some traffic when you have a home account.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
So the connection is going through a PIX/ASA. Anything showing in the logs there?
Commented:
The client logs show a failure to open the data channel but they can't show why it failed because we don't know where it is blocked.  The block could be on the client's network firewall, the server's network firewall, or the ISP in between.  

If you could enable detailed logging on the server that would help us see what the server sees that would help.

Author

Commented:
Ports 5000 to 5100 need to be opened on the ftp server firewall, right?
Commented:
In the linked thread, the raw FTP conversation stops after the server responds to the client's request for a passive mode transfer.  The server told the client to open a data channel connection back to the server on port 5008 but the client was unable to do it.  

Maybe the client's firewall or internet security software does not allow this outgoing connection on this port.  Maybe the server's firewall does not allow incoming connections on this port.  Maybe the server's firewall NAT for this port is horked up.  Maybe the firewall is "protocol aware" and is actively blocking FTP.  Although unlikely, maybe either the client or server's ISP is getting in the way.  

Too many maybes to even make an educated guess.  You can stab in the dark and hope to get lucky, or you can get a server log containing raw protocol information and try to see what the server sees.  If you get the log but don't understand it, don't be afraid to post it here, perhaps we can help decipher it... be sure to remove any logged passwords though before posting it.
Top Expert 2014
Commented:
The server's firewall/router has to allow 5000-5100 inbound and depending on the type of firewall/router you also may need to do port forwarding.

The client's firewall has to allow outbound connections from any source port to the destination port 5000-5100.

Because this is SSL'ed, firewalls/routers can NOT see inside the packets and so they can't see the PASV command and dynamically allow the traffic through.  The ports 5000-5100 must "blindly" be allowed out.
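
An added example (not from this thread or from FileZilla) of checking the two things the answers above say to look at in a raw server log: a small Python script that decodes the server's `227 Entering Passive Mode` reply into the advertised address and port, then flags a port outside the forwarded 5000-5100 range or a LAN (RFC 1918) address leaking through NAT. The sample reply lines, including the 203.0.113.10 address, are constructed; only the ports 5008/5009 come from the thread.

```python
import ipaddress
import re

# Constructed sample lines in the style of a raw FTP control-channel log.
# Port = p1*256 + p2, so (19,144) is 5008 and (19,145) is 5009, as in the thread.
SAMPLE_RESPONSES = [
    "227 Entering Passive Mode (203,0,113,10,19,144)",   # 5008, public address: fine
    "227 Entering Passive Mode (192,168,1,20,19,145)",   # 5009 but LAN address leaked via NAT
    "227 Entering Passive Mode (203,0,113,10,0,21)",     # port 21: outside forwarded range
    "150 Opening data channel",                          # not a PASV reply, ignored
]

PASV_RE = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Private ranges a public client can never reach; a server behind NAT that
# advertises one of these has its external-IP setting wrong.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(line):
    """Return (ip, port) advertised by a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(line, allowed=(5000, 5100)):
    """Compare one 227 reply against the range the firewall forwards/allows.

    Returns "ok", "not-a-pasv-reply", or a comma-joined list of problems found.
    """
    parsed = parse_pasv(line)
    if parsed is None:
        return "not-a-pasv-reply"
    ip, port = parsed
    problems = []
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        problems.append("private-ip")
    lo, hi = allowed
    if not lo <= port <= hi:
        problems.append("port-out-of-range")
    return "ok" if not problems else ",".join(problems)


if __name__ == "__main__":
    for line in SAMPLE_RESPONSES:
        print(f"{check_pasv(line):22} {line}")
```

Because the TLS session hides the 227 reply from the firewall, this check has to be run on the server's own log (or a client-side log), which is exactly why the answers ask for detailed server logging.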
