yccdadmins
 asked on

FTPS access from external and DMZ

Greetings all,

After a great deal of effort I have set up an IIS 7.5 FTPS server in my DMZ.  I am using User Isolation to keep things a little more secure and each user has their own virtual server.

During the build I had to configure FTP Firewall Support.  I entered a port range and then the external address of my FTP server.  Everything works great from the outside now.  Problem is I need people on the inside to get vendor data that was placed on the FTP site.  The plan was to have employees on the inside login to the FTP server (from the inside network) with the same ID and pull data that was placed by the vendors.

Employees can connect to the FTP server in the DMZ fine but I get the following error:

Error:      Connection timed out
Error:      Failed to retrieve directory listing

We had the same error when connecting from the outside but it was resolved by:

1. Using Active instead of Passive
2. Putting the correct IP address in the FTP Firewall Support section of IIS - I had incorrectly put the DMZ address and when I put the external address of the FTP server in everything went fine

So now we have the issue when connecting from the inside (can't list) but I can't change firewall settings because it breaks the outside.

Anyone had this issue before or have a good article they know of?

We have a rule set in the Cisco ASA that basically duplicates the ports and access to the FTP server.
Topics: Internet Protocols, Windows Server 2008

Last comment: yccdadmins, 8/22/2022 (Mon)
yccdadmins

ASKER
By the way - IIS 7.5 running on 2008 R2 64.
yccdadmins

ASKER
Still looking for documents on accessing DMZ ftp server from inside and outside network but not much luck.
yccdadmins

ASKER
Another note.  When I set up the FTP server I set the isolated users to use virtual directories.  I had thought of simply sharing the folders and poking a hole to allow access from the inside but can't figure out how to share virtual folders.....
yccdadmins

ASKER
Another note - this is not a firewall issue.  Set the ASA to wide open from my system to the DMZ and tried to connect.  Logged in fine but list directory still does not work.
AlexPace

You need the logs to solve this without just guessing until you find something that works.

In Active Mode the client requests that the server initiate a connection back to the client on an IP address and port specified by the client.

That means your clients can't give their internal unroutable 10.x.x.x or 192.168.x.x addresses when they send the PORT command or else your server won't be able to reach them.  Your network firewall may be able to provide automatic port translation by sniffing the FTP control channel and changing the PORT command on the fly.  It also means that your network firewall needs to allow incoming connections from the DMZ.
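To make AlexPace's point concrete, here is an added diagnostic (not code from this thread or from IIS): it parses the endpoint a client announces in a PORT command or a server announces in a 227 passive reply, and flags the three conditions that produce exactly the "Connection timed out / Failed to retrieve directory listing" symptom: an RFC 1918 address, an address that differs from the peer on the control channel (the inside client dialled the DMZ address but the server advertised the external one), or a port outside the firewall's data range. The addresses and the 49152-65535 range are assumed placeholders, not values from the thread.

```python
import ipaddress
import re

# RFC 1918 ranges: a PORT command or 227 reply that advertises one of these is
# unreachable from the far side of a NAT firewall unless the firewall rewrites it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# FTP encodes a data endpoint as h1,h2,h3,h4,p1,p2 with port = p1 * 256 + p2
_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) from a client PORT command or a server 227 reply, else None."""
    if not (line.startswith("PORT") or line.startswith("227")):
        return None
    m = _ENDPOINT.search(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def diagnose(line, peer_ip, port_range=(49152, 65535)):
    """List the reasons the data connection announced on this line would time out.

    peer_ip is the other end of the control connection as seen locally (client source
    address for a PORT command, the address the client dialled for a 227 reply).
    port_range is the firewall's data-channel range (assumed default, not from the thread).
    Returns None for lines that announce no endpoint, [] when the endpoint looks reachable.
    """
    parsed = parse_endpoint(line)
    if parsed is None:
        return None
    ip, port = parsed
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append(f"{ip} is an RFC 1918 address the far side cannot route to")
    if ip != ipaddress.IPv4Address(peer_ip):
        problems.append(f"advertised {ip} does not match control-channel peer {peer_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside the firewall's data range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    # Constructed control-channel lines with placeholder addresses (not from the thread):
    # an inside client dialled the DMZ address but the server advertised its external one.
    for line, peer in (("227 Entering Passive Mode (203,0,113,10,195,120).", "172.16.5.5"),
                       ("PORT 10,1,2,3,4,1", "198.51.100.7")):
        print(line, "->", diagnose(line, peer) or ["looks reachable"])
```

Run it against the lines from a client-side or IIS FTP log for a failing session; a non-empty list on the 227 reply seen from inside is the mismatch the thread is describing.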
ASKER CERTIFIED SOLUTION
yccdadmins

yccdadmins

ASKER
Resolution was achieved through trial and error.