Strange FTP issue (Server 2003)

Posted on 2013-10-09
Medium Priority
Last Modified: 2013-11-18
We have a strange problem with FTP access to one of the sites on Web Server 2003.
Hoping someone can help.

We have a Server 2003 that runs IIS and has about 40-50 sites with FTP access.

No one seems to have this problem except for one website. Granted the site is rather poorly looked after with some filenames containing spaces etc. and with the total folder size of 330MB. Most images on the site are disproportionately large and what have you.

The problem:
In its current state when I attempt to establish a remote FTP connection to the site, it just throws up error: "An error occurred opening that folder on the FTP server. Make sure you have permission to access that folder. Details: The operation timed out" and refuses to load anything.

We have a firewall enabled for the network connection over which FTP requests are transmitted with the exceptions for various FTP services and a range of passive ports: 10001-10100.

When the firewall is enabled for this network connection, the FTP connection to this problematic site is attempted via 5000 range port (i.e. 5003, 5005 etc.) and when I switch the firewall off and retry the connection, it then connects and loads the FTP contents successfully but via 10000 range ports (i.e. 10002, 10006 etc.)
In short when firewall is off it uses 10000 range ports and is successful, when firewall is on it tries to use 5000 range ports instead and fails. Other sites that are hosted on the same server are not affected by this change and are always successful when FTP connection is attempted no matter if Firewall is on or off.
I've tried adding a couple of 5000 range ports (5000-5005 to be precise) to the exception list to see whether that makes any difference but it didn't.

Other weird thing that baffles me is when I take out (delete) one folder from the root of the site which contains web images then I'm able to establish a successful FTP connection to that site even though the firewall is still on. Image folder size in question is 95MB.
What's even weirder is that when I re-create a new BLANK folder in the root of the site and call it "images" (same as the original folder was called) and leave it blank and then retry the FTP connection then it fails immediately again.

The site is written in plain HTML and is rather old and messy (not our fault promise) but we never had problems with it before just recently it suddenly started doing that. I'm not aware of any recent changes in configuration either.

Tried in Windows Explorer and other FTP clients such as FileZilla and FireFTP.

Plain mystery to me.

Thanks in advance for any tips and help.
Question by:Safeserve
LVL 81

Assisted Solution

arnold earned 1000 total points
ID: 39561312
Do you have a single FTP site with virtual directories that lead the user to the root of their site?

If you have multiple sites and firewall is up, the FTP session is such that all connections are initiated from the client versus the client with a non-firewall process where the client initiates the initial port 21 connection and the FTP server initiates the data connection back once the user authenticates.

The IIS FTP can be configured to limit the range of ports used by the FTP server for PASV (passive, where the client initiates all connections). Once you limit this range of ports, you would need to configure your firewall to allow the port range to reach the server/IP.

In your example port range 5000-5100 as an example allowed to the IIS/FTP server
LVL 16

Accepted Solution

AlexPace earned 1000 total points
ID: 39563647
The data channel port is negotiated on the fly when a file transfer or traditional directory listing is requested.

If the client wants passive mode it sends PASV and the server responds with a port number from your chosen range; the client is expected to initiate a connection to that port.

If the client wants active mode it sends PORT and an IP address and port number that the server is expected to use.  The server initiates a connection to that address and port so it is outbound from the server instead of inbound like the control channel.

People don't use active mode that much anymore because they don't want to open so many ports...  On the server side you'd need to allow outbound connections to any port above 1024 to comply with the FTP spec.  On the client side you need to allow external internet servers to open connections to machines inside your firewall.  

Passive mode allows both sides to have better control over the situation.   Some server admins just decide to only support passive mode for this reason.

Note: Many modern firewalls can open and close FTP data channel ports on the fly by snooping the FTP control channel and watching for PASV and PORT commands.  Of course this doesn't work when you use FTPS because the SSL/TLS encryption can prevent snooping of the control channel.
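The negotiation described in the answers above can be checked from a client-side control-channel log. This is an added example, not part of the original thread: it decodes the port from each `227` PASV reply and each `PORT` command (port = p1*256 + p2) and compares passive ports with the 10001-10100 firewall exception from the question. The sample log lines and addresses are constructed.

```python
import re

# Passive range opened on the firewall, as stated in the question.
ALLOWED_PASV = range(10001, 10101)

# h1,h2,h3,h4,p1,p2 as carried in a 227 reply or a PORT command
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def endpoint(line):
    """Decode the host/port tuple into (ip, port)."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError("no host/port tuple in %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def audit(lines, allowed=ALLOWED_PASV):
    """Return (mode, data_port, verdict) for every data channel negotiated."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("227 "):
            # Passive: client connects inbound to this server port.
            _, port = endpoint(line)
            findings.append(("passive", port, "allowed" if port in allowed else "blocked"))
        elif line.upper().startswith("PORT "):
            # Active: server connects outbound to the client's port.
            _, port = endpoint(line)
            findings.append(("active", port, "outbound"))
    return findings

# Constructed control-channel lines (documentation addresses, not real hosts).
SAMPLE = [
    "227 Entering Passive Mode (192,0,2,10,39,18)",   # 39*256+18  = 10002
    "227 Entering Passive Mode (192,0,2,10,19,139)",  # 19*256+139 = 5003
    "PORT 198,51,100,7,200,21",                       # 200*256+21 = 51221
]

if __name__ == "__main__":
    for mode, port, verdict in audit(SAMPLE):
        print(mode, port, verdict)
```

A `227` reply whose port falls outside the configured range, like the 5003 case here, means the server is not honouring the passive range the firewall exception was written for.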

Author Closing Comment

ID: 39608315
Thanks guys!

Author Comment

ID: 39656076
Update: I've decided to give up trying to find what the problem is and instead used FileZilla's FTP server software. Works absolutely beautifully and easy to set up. I've given it a unique listening port (1121) so that the old FTP connections for other users are not affected.
