TMG 2010 will not accept user credentials when connecting to external FTP Sites

I am having an issue connecting to external FTP sites that require a username and password through TMG 2010. I am able to connect to any anonymous FTP site, and I can connect to the authenticating FTP servers, but it just keeps prompting for credentials over and over even though the password is correct. This was working fine until Century Link changed out our DSL modem and it has not worked since. You would think, of course it's the DSL modem, but when I connect directly to the back of the modem and bypass the TMG server, I can authenticate and log in to any FTP server that I want. This TMG server is running SP2 hotfix 4 and I have the FTP policy created, I have made sure that none of the policies have the read-only flag checked on the FTP configuration for each policy (even the non-FTP ones), I have active FTP enabled, but still cannot authenticate. The firewall logs show the traffic as "allowed" when I run a test, but if I try to access the FTP site through Windows Explorer from the TMG server, it tells me that read-only mode is active. All workstations behind the TMG server exhibit the same behavior. I have also tried using the firewall client but get the same results with that, and Filezilla also says the user name and password are incorrect even though they are not. I have tried just about every fix that I can find but I can't seem to find any articles describing this exact issue. Any help is greatly appreciated.

scottyvanman (Author) commented:
I had tried that. This has been resolved, and what it turned out to be was that the FTP host was blocking the static public IP that we had. They denied it at first, but after multiple requests they finally found the issue and unblocked it, and we had access again. Ouch!!
Filezilla automatically sends some commands after the user is authenticated to get a list of features supported by the server and a directory listing from the remote working folder.  

I'd bet what is happening is that the username and password are accepted but the directory listing is failing.  I further suspect that the difference you see between external FTP sites has more to do with whether the directory listing is sent via passive or active mode.

While I'm speculating, I'll guess that the firewall snoops the FTP control channel looking for the PORT command sent from the client when it wants to do an active mode data channel.  It modifies the command so that the private IP address of the workstation is replaced by the public IP address of the firewall and then it replaces the last 2 numbers with an available port.  The server will receive the modified port command and attempt to open an outgoing connection back to the replaced address and port which is actually the address of the firewall.  The firewall will then automatically forward (NAT) the connection attempt back to the workstation.  

Obviously that is complicated and prone to error so, when you plug in on the other side of the firewall, none of that happens and the thing just works.  

It would be great if you could get your hands on a copy of the FTP server's log showing what happened on the protocol level from its point of view.
scottyvanman (Author) commented:
Hi Alex, thanks for responding. I might think it was failing the directory listing except I can hit any anonymous FTP site like and I see all the files with no problem. I noticed last night that I am getting this error in the logs when the FTP Filter is applied

21      FTP OUT      Initiated Connection      Unrestricted Internet access      0x0 SUCCESS      Local Host      External      -      1/21/2014 23:52

21      FTP OUT      Closed Connection      Unrestricted Internet access      0x80074e24 FWX_E_CONNECTION_KILLED      Local Host      External      -      1/21/2014 23:52

and this one when the FTP filter is not applied

21      FTP OUT      Initiated Connection      Unrestricted Internet access      0x0 SUCCESS      Internal      External      -      1/22/2014 0:13

21      FTP OUT      Closed Connection      Unrestricted Internet access      0x80074e20 FWX_E_GRACEFUL_SHUTDOWN      Internal      External      -      1/22/2014 0:13

I still have the same problem whether the filter is applied or not. I am still researching...
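As an added example (not code from the thread), the four log lines pasted above can be triaged programmatically. The script below parses them, keeps only the "Closed Connection" records, and separates the FTP-filter case (FWX_E_CONNECTION_KILLED, the firewall tore the session down) from the no-filter case (FWX_E_GRACEFUL_SHUTDOWN, an endpoint closed it normally). The column names are an assumption made for this example, not TMG's documented log schema; only the two result names that appear in the thread are classified, anything else is reported as unrecognised.

```python
import re
from typing import Dict, List, Optional

# The four TMG log lines pasted in this thread, re-used here as sample input.
SAMPLE_LOG = """\
21      FTP OUT      Initiated Connection      Unrestricted Internet access      0x0 SUCCESS      Local Host      External      -      1/21/2014 23:52
21      FTP OUT      Closed Connection      Unrestricted Internet access      0x80074e24 FWX_E_CONNECTION_KILLED      Local Host      External      -      1/21/2014 23:52
21      FTP OUT      Initiated Connection      Unrestricted Internet access      0x0 SUCCESS      Internal      External      -      1/22/2014 0:13
21      FTP OUT      Closed Connection      Unrestricted Internet access      0x80074e20 FWX_E_GRACEFUL_SHUTDOWN      Internal      External      -      1/22/2014 0:13
"""

# Assumed column order for the pasted layout (an assumption for this example,
# not the documented TMG schema): columns are separated by tabs or runs of
# two or more spaces, while values such as "FTP OUT" keep single spaces.
FIELDS = ("row", "protocol", "action", "rule", "result",
          "source", "destination", "extra", "time")

# Interpretation of the two result names that appear in the thread.
RESULT_VERDICT = {
    "FWX_E_CONNECTION_KILLED": "firewall terminated the session (seen with the FTP filter applied)",
    "FWX_E_GRACEFUL_SHUTDOWN": "session closed normally by an endpoint",
}


def parse_tmg_line(line: str) -> Optional[Dict[str, str]]:
    """Split one pasted log line into named fields; None if the shape is wrong."""
    parts = re.split(r"\t|\s{2,}", line.strip())
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # "0x80074e24 FWX_E_CONNECTION_KILLED" -> code and symbolic name
    code, _, name = rec["result"].partition(" ")
    rec["result_code"] = code
    rec["result_name"] = name
    return rec


def closed_connections(log_text: str) -> List[Dict[str, str]]:
    """Return the 'Closed Connection' records with a troubleshooting verdict attached."""
    out = []
    for line in log_text.splitlines():
        rec = parse_tmg_line(line)
        if rec is None or rec["action"] != "Closed Connection":
            continue
        rec["verdict"] = RESULT_VERDICT.get(
            rec["result_name"], "unrecognised result; look the code up in the TMG docs")
        out.append(rec)
    return out


def killed_sessions(log_text: str) -> List[Dict[str, str]]:
    """Only the sessions the firewall itself killed; these are the ones worth chasing."""
    return [r for r in closed_connections(log_text)
            if r["result_name"] == "FWX_E_CONNECTION_KILLED"]


if __name__ == "__main__":
    for rec in closed_connections(SAMPLE_LOG):
        print(f'{rec["time"]:16} {rec["source"]:10} {rec["result_code"]:12} '
              f'{rec["result_name"]:26} -> {rec["verdict"]}')
```

Run stand-alone it prints one line per closed connection; in a real investigation you would feed it an export of the TMG log rather than the pasted rows.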

There is a comment on this other thread that discusses a resolution for a very similar issue that involved unexpected interference from a different anonymous access rule:
scottyvanman (Author) commented:
Thanks, I had seen that article but I don't have that same issue. I still can't figure it out. I swear if I could figure out how to make Outlook Anywhere work without TMG I would take TMG out and just use a firewall appliance. I'll keep working on it but thanks for trying to help!
What happens when you do an FTPS connection with a secured control channel?  The firewall wouldn't be able to snoop it after it goes into protected mode so it literally wouldn't know the difference between an anonymous connection and one where the PASS verb was used... of course it also wouldn't be able to snoop the PORT command so you'd have to use PASV mode or clear the control channel after authentication.
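To make the two mechanisms in this thread concrete (the PORT rewriting Alex describes earlier, and the point above that a firewall cannot snoop the control channel once AUTH TLS has succeeded), here is an added Python model of such an FTP application-layer gateway. It is not code from the thread or from TMG: it rewrites outbound PORT commands, substituting the firewall's public address and one of its own ports, records the mapping so the server's inbound data connection can be forwarded back to the workstation, and stops inspecting once the server answers AUTH TLS with a 234 reply. The addresses and port pool are constructed sample values.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample values, not from the thread: the workstation's private
# address, the firewall's public address and a pool of firewall-side ports.
WORKSTATION_IP = "192.168.1.50"
FIREWALL_PUBLIC_IP = "203.0.113.10"
FIREWALL_PORT_POOL = [40000, 40001, 40002]

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def parse_port(line: str) -> Optional[Tuple[str, int]]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if malformed."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip: str, port: int) -> str:
    """Encode (ip, port) back into the six-number PORT form."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    """Model of the control-channel snooping described in the thread.

    Outbound PORT commands get the client's private address replaced by the
    firewall's public address and a firewall-owned port; the mapping is kept
    so the server's inbound data connection can be forwarded to the client.
    Once the client negotiates AUTH TLS the channel is opaque and nothing can
    be inspected or rewritten, which is why active mode then needs PASV or CCC.
    """

    def __init__(self, public_ip: str, port_pool: List[int]) -> None:
        self.public_ip = public_ip
        self.free_ports = list(port_pool)
        self.nat_table: Dict[int, Tuple[str, int]] = {}  # fw port -> (client ip, port)
        self.opaque = False          # True once the control channel is under TLS
        self._last_client_cmd = ""

    def client_to_server(self, line: str) -> str:
        """Rewrite a client command on its way out, or pass it through untouched."""
        self._last_client_cmd = line
        if self.opaque:
            return line              # encrypted: the firewall sees only ciphertext
        parsed = parse_port(line)
        if parsed is None:
            return line              # USER, PASS, LIST, ... are left alone
        client_ip, client_port = parsed
        if not self.free_ports:
            raise RuntimeError("no free firewall port for active-mode data channel")
        fw_port = self.free_ports.pop(0)
        self.nat_table[fw_port] = (client_ip, client_port)
        return format_port(self.public_ip, fw_port)

    def server_to_client(self, line: str) -> str:
        """Watch replies: 234 to AUTH TLS (RFC 4217) means the channel goes dark."""
        if (not self.opaque
                and self._last_client_cmd.strip().upper() == "AUTH TLS"
                and line.startswith("234")):
            self.opaque = True
        return line

    def inbound_data_connection(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """Where the firewall forwards a server-initiated data connection, if known."""
        return self.nat_table.get(dst_port)


if __name__ == "__main__":
    alg = FtpAlg(FIREWALL_PUBLIC_IP, FIREWALL_PORT_POOL)
    # Plain control channel: PORT 192,168,1,50,4,1 means port 4*256+1 = 1025.
    print(alg.client_to_server(f"PORT {WORKSTATION_IP.replace('.', ',')},4,1"))
    print("server connects to fw port 40000 ->", alg.inbound_data_connection(40000))
    # After AUTH TLS the same command passes through unchanged and unmapped.
    alg.client_to_server("AUTH TLS")
    alg.server_to_client("234 Proceed with negotiation.")
    print(alg.client_to_server(f"PORT {WORKSTATION_IP.replace('.', ',')},4,2"))
```

The rewritten command carries 203,0,113,10,156,64 because 40000 = 156 * 256 + 64; the same arithmetic in reverse is what a server does when it reads the PORT verb. After the 234 reply the second PORT is forwarded verbatim, so a server that honoured it would try to reach the private 192.168.1.50 address and the data connection would fail, exactly the failure mode the suggestion above avoids by using PASV.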
scottyvanman (Author) commented:
Let me try that and I will let you know. Thanks for the suggestion!
scottyvanman (Author) commented:
Ok, I tried that and I get the same error. Not sure where to run on this one....

Command:      open "" 2222
Command:      Trust new Hostkey: Yes
Command:      Pass: *********
Error:      Authentication failed.
Error:      Critical error
Error:      Could not connect to server

Have you tried adding the username and password to the URL?

e.g. ftp://domain/

I had a similar problem a couple of months ago and this was the only way round it
scottyvanman (Author) commented:
Solved it myself.