FTPS access from external and DMZ

Greetings all,

After a great deal of effort I have set up an IIS 7.5 FTPS server in my DMZ. I am using User Isolation to keep things a little more secure and each user has their own virtual server.

During the build I had to configure FTP Firewall Support. I entered a port range and then the external address of my FTP server. Everything works great from the outside now. Problem is I need people on the inside to get vendor data that was placed on the FTP site. The plan was to have employees on the inside log in to the FTP server (from the inside network) with the same ID and pull data that was placed by the vendors.

Employees can connect to the FTP server in the DMZ fine but I get the following error:

Error:      Connection timed out
Error:      Failed to retrieve directory listing

We had the same error when connecting from the outside but it was resolved by:

1. Using Active instead of Passive
2. Putting the correct IP address in the FTP Firewall Support section of IIS - I had incorrectly put the DMZ address and when I put the external address of the FTP server in everything went fine

So now we have the issue when connecting from the inside (can't list) but I can't change firewall settings because it breaks the outside.

Anyone had this issue before or have a good article they know of?

We have a rule set in the Cisco ASA that basically duplicates the ports and access to the FTP server.
By the way - IIS 7.5 running on 2008 R2 64.
Still looking for documents on accessing DMZ ftp server from inside and outside network but not much luck.
Another note. When I set up the FTP server I set the isolated users to use virtual directories. I had thought of simply sharing the folders and poking a hole to allow access from the inside but can't figure out how to share virtual folders.
Another note - this is not a firewall issue.  Set the ASA to wide open from my system to the DMZ and tried to connect.  Logged in fine but list directory still does not work.
You need the logs to solve this without just guessing until you find something that works.

In Active Mode the client requests that the server initiate a connection back to the client on an IP address and port specified by the client.

That means your clients can't give their internal unroutable 10.x.x.x or 192.168.x.x addresses when they send the PORT command or else your server won't be able to reach them. Your network firewall may be able to provide automatic port translation by sniffing the FTP control channel and changing the PORT command on the fly. It also means that your network firewall needs to allow incoming connections from the DMZ.
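To make the data-channel addressing concrete, here is an added Python example (not code from the thread or from IIS) that covers both the FTP Firewall Support setting described in the question and the PORT behaviour described in the reply above. It parses the server's `227` passive reply and the client's `PORT` command, then checks the advertised address against the address the other side actually sees on the control connection. All addresses are constructed stand-ins: 203.0.113.10 for the public FTPS address, 10.0.50.5 for the DMZ server, 10.0.20.7 for an inside employee, 198.51.100.20 for a vendor on the Internet.

```python
import ipaddress
import re

# Added example, not code from the thread. All addresses are constructed:
# 203.0.113.10 stands in for the public (external) FTPS address, 10.0.50.5
# for the DMZ server, 10.0.20.7 for an inside employee, 198.51.100.20 for a
# vendor on the Internet.

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _decode(groups):
    """Turn the six decimal fields of PASV/PORT into ('a.b.c.d', port)."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("field out of range")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(reply):
    """Parse the server's '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    return _decode(m.groups())


def parse_port_command(cmd):
    """Parse the client's active-mode 'PORT h1,h2,h3,h4,p1,p2'."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    return _decode(m.groups())


def build_port_command(ip, port):
    """Encode the address and port a client announces in active mode."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = ",".join(str(b) for b in ipaddress.IPv4Address(ip).packed)
    return f"PORT {octets},{port // 256},{port % 256}"


def is_rfc1918(ip):
    """Explicit RFC 1918 test (the reply above's '10.x.x.x or 192.168.x.x')."""
    addr = ipaddress.IPv4Address(str(ip))
    return any(addr in net for net in RFC1918)


def data_channel_problems(advertised_ip, control_ip):
    """Explain why the other side may fail to open the data connection.

    advertised_ip: address in the PASV reply (server) or PORT command (client).
    control_ip: the advertising party's address as the other side sees it on
    the control connection (the address it connected to, or the source it
    accepted from). An empty list means nothing obviously wrong.
    """
    adv = ipaddress.IPv4Address(advertised_ip)
    ctl = ipaddress.IPv4Address(control_ip)
    problems = []
    if is_rfc1918(adv) and not is_rfc1918(ctl):
        problems.append(f"{adv} is RFC 1918 and not routable from outside; "
                        "only a firewall that rewrites the command can fix this")
    if adv != ctl:
        problems.append(f"advertised {adv} differs from control-channel address {ctl}; "
                        "the data connection takes a different path (hairpin NAT needed) "
                        f"unless the client falls back to {ctl}")
    return problems


def demo():
    """Replay the thread's situations; returns {scenario: problems}."""
    results = {}
    # Vendor outside, PASV carrying the external address from FTP Firewall Support.
    ip, _ = parse_pasv_reply("227 Entering Passive Mode (203,0,113,10,195,80)")
    results["vendor passive, external IP advertised"] = data_channel_problems(ip, "203.0.113.10")
    # Vendor outside, the original mistake: the DMZ address was advertised.
    ip, _ = parse_pasv_reply("227 Entering Passive Mode (10,0,50,5,195,80)")
    results["vendor passive, DMZ IP advertised"] = data_channel_problems(ip, "203.0.113.10")
    # Employee inside connects to the DMZ address but is told the external one.
    ip, _ = parse_pasv_reply("227 Entering Passive Mode (203,0,113,10,195,80)")
    results["employee passive, external IP advertised"] = data_channel_problems(ip, "10.0.50.5")
    # Employee inside, active mode: announces its own inside address.
    ip, _ = parse_port_command(build_port_command("10.0.20.7", 50123))
    results["employee active"] = data_channel_problems(ip, "10.0.20.7")
    # Vendor behind NAT, active mode: announces its LAN address.
    ip, _ = parse_port_command(build_port_command("192.168.1.5", 50123))
    results["vendor active behind NAT"] = data_channel_problems(ip, "198.51.100.20")
    return results


if __name__ == "__main__":
    for name, probs in demo().items():
        print(f"{name}: {'OK' if not probs else '; '.join(probs)}")
```

Running it prints one line per scenario: the two "external IP advertised to an outside vendor" and "employee in active mode" cases come back OK, the DMZ-address and NAT-client cases are flagged as unroutable, and the inside-employee passive case shows the mismatch behind the "Failed to retrieve directory listing" error in the question. Two caveats when applying this to FTPS: the control channel is TLS-encrypted, so a firewall's FTP inspection cannot read or rewrite PORT/PASV the way it can for plain FTP, and some clients (FileZilla, for one) silently substitute the control-channel address when the PASV address is unroutable, which hides the mismatch rather than fixing it.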
Resolution was achieved through trial and error.