Link to home
Start Free TrialLog in
Avatar of RetroRocker

asked on

FTPS (explicit) differences between WinXP and Win7

Given 2 PCs, one Win XP SP3 & one Win 7, sitting on the same LAN, behind the same NAT router, connecting to a single Win 2008 R2 server, via explicit FTPS and running CuteFTP Pro, with the same settings on both PCs, as the FTP client.

The Win XP PC has no trouble and can retrieve listings, transfer files etc.

The Win 7 PC has no problem with SSL/TLS and correctly works right up to the point of running the LIST command (and NLST come to that). Then it simply can go no further and times out.
The obvious might be the Win 7 firewall (an improvement over XP) but even totally disabling this has no effect on this issue.

I've tried every conceivable CuteFTP setting I can find but no joy with FTPS between Win 7 and my server.

Please can anyone suggest what might be wrong here ?

thanks RR
Avatar of GridLock137
Flag of United States of America image

Any ACLs on the router that may be causing it to fail? maybe there is specific traffic that it may be stopping when it gets to that point.

wait, disregard the PCs are on the same segment.

if possible try adding the rule in the Win7 firewall anyway and test it again.
Avatar of RetroRocker


GridLock137: thanks for the comment. Yes indeed, PCs on same segment.
The Win 7 firewall does already have an inbound rule for both the CuteFTP client executable and its associated so called file transfer engine executable which current simply allows ALL ports and ALL for profile. In fact, as mentioned, even if I disable the Win 7 firewall it doesn't help. A section of the CuteFTP message log follows ...

COMMAND:>      [12/11/2012 17:59:21] REST 0
            [12/11/2012 17:59:21] 350 Restarting at 0.
COMMAND:>      [12/11/2012 17:59:21] PBSZ 0
            [12/11/2012 17:59:21] 200 PBSZ command successful.
COMMAND:>      [12/11/2012 17:59:21] PROT C
            [12/11/2012 17:59:21] 200 PROT command successful.
COMMAND:>      [12/11/2012 17:59:21] PORT xxx,xxx,10,56,192,5
            [12/11/2012 17:59:21] 200 PORT command successful.
COMMAND:>      [12/11/2012 17:59:21] LIST
            [12/11/2012 17:59:22] 150 Opening ASCII mode data connection.
ERROR:>         [12/11/2012 17:59:52] Timeout (30000 ms) occurred on accepting data connection from server.
            [12/11/2012 17:59:53] 550
ERROR:>         [12/11/2012 17:59:53] Trashed response received.

(just a minor edit above so that I didn't publish the whole of my static IP)

... any further ideas gratefully received.

thanks, RR.
error 550 usually means an access issue on the FTP server, did you set your permissions correclty for the user you are using to gain access with?
Thanks, yes, 550 would seem to imply a permissions issue, in fact that's what the CuteFTP error message implies on timeout too.
The server only has one user, me and I use the administrator account (renamed). I have no problem accessing the root FTP folder I'm using on the server.
Again, this is all fully operable remotely from the Win XP machine using the same login. I've tried everything I can find ... I really just don't know where to look for this ... weird.

Any other ideas please ?
create a new user with the same permissions and try it again. do not use the renamed admin account.
Thanks, I tried 2 new users one as admin and one standard (even tried adding both to IIS_IUSERS group ... shouldn't have to do that with an admin account ;)
Permissions for the FTP root clearly show admins to have all necessary access.
No luck, exactly the same problem every time. This is crazy but I bet it's something really fundamental that I've just simply missed ... just don't have a clue what !

in desperation, RR
have you checked the passive mode settings?
OK, I'm not quite sure what you mean by the 'passive mode settings' in this case but ....... I would be able to use passive mode to FTP this server and can. For this I use port 21 plus a range of 10 ports for passive operation which are allowed on the server firewall, the server's hardware firewall and my own NAT router. The Windows 7 PC firewall on my LAN allows CuteFTP to use any ports. This is sufficient for reliable passive mode FTP from the WinXP & Win7 PCs, reliable FTPS from the Win XP PC but NOT FTPS from the Win 7 PC ... that's the whole issue unfortunately. Also I have only ever set out to encrypt the control channel (for the password basically), I'm not bothered about encrypting the data channel ... still can't work out why this all works on the Win XP PC but not the Win 7 PC ............

cheers RR
Getting desperate for an answer to this one ...
Just how is it that Win XP with CuteFTP works fine but Win 7 with CuteFTP fails to work ?
How can the FTP server be that choosy ;-)
BTW: replacing the FTP client with Filezilla gives exactly the same issues.

I've spent hours trying to sort this, it's crazy !

any more help genuinely appreciated !

sorry been away for a couple of days, obviously this is isolated to win7. there has to be an issue with the firewall rules on that win7 machine, any anti-virus installed on that machine?
Gridlock137: please no need to apologize for taking a break ... it's great to see you back :-)

I think this thread needs a recap ! The issue with the potential for AV/firewall conflict is a point I alluded to in my initial post. I have disabled the AV (a combination of Microsoft Security Essentials / Malwarebytes) and disabled the Win 7 x64 firewall on the client PC in the past, it has no effect on this issue. In fact I have done all of this AND disabled the AV/firewall on the Win 2008R2 x64 server all at the same time ! ... still no joy.

Let me recap:

The server is Win 2008R2 x64 / IIS 7.5 using Microsoft FTP service (ftpsvc). It uses the Windows firewall (inbound rule set for ftpsvc on ANY port, because in accordance with best practice, the port range is confined within the IIS settings). There is an external CISCO firewall which allows port 21 and the range mentioned above.

The clients are:
A: WinXP SP3 (ZoneAlarm Security Suite/NO Win firewall) tested with CuteFTP Pro 8 as FTP client. Can connect to the server by FTPS and plain vanilla FTP (and also Linux servers by FTP) = no apparent issues.
B: Win7 x64 (MSE/Malwarebytes/Win firewall) tested with CuteFTP Pro 8 as FTP client. Can NOT connect to the server by FTPS OR plain vanilla FTP (but CAN connect to Linux servers by FTP with NO problem).
C: Win7 x32 (ZoneAlarm Security Suite/NO Win firewall) tested with CuteFTP Pro 8 as FTP client. Can NOT connect to the server by FTPS OR plain vanilla FTP (but CAN connect to Linux servers by FTP with NO problem).

All clients are fully updated, as is server.

So, common factors ...
1. Win 7 client PCs do NOT work with the Win2008R2/IIS7.5 server.
2. ALL clients work with plain vanilla FTP with LINUX servers.
This is interesting because if this were either a firewall (somewhere) issue or permissions on the Win 2008 server then I wouldn't able to do anything. It does appear to be more subtle.
I did find this issue (which is NOT strictly my issue because a 550 error can have several causes) which demonstrates that the ftpsvc is not infallible. However I'm loathe to apply the hotfix to a production server besides which the dlls on my server have the same major/minor version numbers only the build numbers are less on the Win2008R2 server.

Hope that's clearer (probably as mud !!!)

thanks  RR
Avatar of RetroRocker

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
No further appropriate expert comment forthcoming.