We help IT Professionals succeed at work.

server 2008r2 FTPS connection issue

hello, im trying to setup a secure FTP on my windows server 2008r2. so far, everything works great internally, but when i try to connect externaly, it doesnt not work.

using filezilla ftp client and it starts connecting, then fails with the following errors:

Status:      Resolving address of my domain
Status:      Connecting to my external ip:990...
Status:      Connection established, initializing TLS...
Status:      Verifying certificate...
Status:      TLS/SSL connection established, waiting for welcome message...
Response:      220 Microsoft FTP Service
Command:      USER ***
Response:      331 Password required for ***.
Command:      PASS **********
Response:      230 User logged in.
Command:      SYST
Response:      215 Windows_NT
Command:      FEAT
Response:      211-Extended features supported:
Response:       LANG EN*
Response:       UTF8
Response:       AUTH TLS;TLS-C;SSL;TLS-P;
Response:       PBSZ
Response:       PROT C;P;
Response:       CCC
Response:       HOST
Response:       SIZE
Response:       MDTM
Response:       REST STREAM
Response:      211 END
Command:      OPTS UTF8 ON
Response:      200 OPTS UTF8 command successful - UTF8 encoding now ON.
Command:      PBSZ 0
Response:      200 PBSZ command successful.
Command:      PROT P
Response:      200 PROT command successful.
Status:      Connected
Status:      Retrieving directory listing...
Command:      PWD
Response:      257 "/" is current directory.
Command:      TYPE I
Response:      200 Type set to I.
Command:      PASV
Response:      227 Entering Passive Mode (10,0,0,39,246,213).  
Status:      Server sent passive reply with unroutable address. Using server address instead.
Command:      LIST
Response:      150 Opening BINARY mode data connection.

I see that "passive mode" shows me the local ip of the ftp server, but i went to the options on the ftp server and changed it to the external ip and still gets stuck at the "150 Opening BINARY mode data connection". using an ASA 5505 as my firewall, with the 990 port open and fowarded to my ftp server.

thanks for the help
Watch Question

JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

You probably need to set the client for Active mode. Passive mode is for anonymous accounts.

See the following article about this:


.... Thinkpads_User


article didnt help out very much, i have all the ports listed on that allowed and fowarded to the server, also tried the client on both active and passive and no luck
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Try another client. You can try WS_FTP Pro (Ipswitch) for free as a trial. This is what I use and it works well. Also, whether neither mode worked above, you probably should set up for Active mode anyway as this is not anonymous.

.... Thinkpads_User
Dave BaldwinFixer of Problems
Most Valuable Expert 2014

The last question I saw about using FTPS in Filezilla, the asker finally gave up and went with SFTP on port 22.  Never got FTPS to work even though you can select it somewhere in the software.

Passive Mode is not just for anonymous accounts, it is becoming the default mode in most FTP clients these days because it is overall more likely to work with firewalls than active mode.

Examining your log makes the problem crystal clear.  The server is returning an internal 10.x.x.x address when the client requests a location to open a data channel.  This works fine inside your firewall because you can reach 10.x.x.x but that is a private address.  There are two ways to solve this problem:

1. Some firewalls can snoop the FTP control channel and automatically replace internal addresses with external addresses on the fly.  They basically replace where your server told the client to connect with an alternate address and then do port forwarding when the client actually tries to connect back to the external address.  Your firewall may already do this but it can't when the control channel is encrypted.  Some people get around this by clearing the control channel after passing the login credential.  Clients can do this by sending CCC but you might not want to unencrypt your control channel.

2. Configure the FTP Server to use an external address on PASV response.  The item to configure this should be on the same page where you configure the passive port range.


HI Alex, i already configured the Windows FTP settings to use the external address on the pasv. i already resolved the issue just by using a different FTP server named FreeFTPd and all current firewall settings as before.  thanks for the help tho.


I've requested that this question be closed as follows:

Accepted answer: 0 points for Comptx's comment http:/Q_27479540.html#37252754

for the following reason:

self solved by using another ftp software
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
I suggested using different FTP software in my post (ID:37241127), so I do not think "used another FTP software" is your own solution. .... Thinkpads_User


you are right, thanks.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Thank you. Much appreciated!  I know changing software is pain, but I am glad you got it sorted out.

.... Thinkpads_User