Solved

FTP SSL Nightmare

Posted on 2014-03-31
7
1,186 Views
Last Modified: 2014-04-02
I cannot get ftp to work over FTP.

settings for SSL have been Allow, Require and Custom (Require for Auth / Require for Data Channel.

Firewall opens 21,20, and 65400-65535 - same ports are open in IIS

ftp-ssl I can connect but cannot list anything in the folder. Says 150 Opening ASCII mode data connection.

Tried via FileZilla Again I can connect using passive mode - but get Error:
Connection timed out
Failed to retrieve directory listing

Please help
0
Comment
Question by:sparkis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 39969036
In passive mode, the router and firewall on the server side need to be configured to accept and forward incoming connections. On the client side, however, only outgoing connections need to be allowed (which will already be the case most of the time).

Most normal FTP servers use port 21, SFTP servers use port 22 and FTP over SSL/TLS (implicit mode) use port 990 by default. These ports are not mandatory, however, so it's best to allow outgoing connections to arbitrary remote ports.

Taking reference to the Filezilla configure, below are point to note in setting.

In passive mode, the client has no control over what port the server chooses for the data connection. Therefore, in order to use passive mode, you'll have to allow outgoing connections to all ports in your firewall.

Important to note the server end to support Passive mode

Valid ports can be from 1 to 65535, however ports less than 1024 are reserved for other protocols. It is best to choose ports >= 50000 for passive mode FTP. Due to the nature of TCP (the underlying transport protocol), a port cannot be reused immediately after each connection. Hence the range of ports should not be too small or transfers of multiple small files can fail. A range of 50 ports should be sufficient in most cases.

Some notes include

- If you are trying to setup a server and it works fine within your LAN but is not reachable from the outside, try changing the listening port. Some ISPs don't like their customers to host servers and they may block ports with numbers under 1024.

- If you encounter "cannot open data connection" on a random basis (i.e., the ftp client can connect to the ftp server without problem for many connections until it encounters this problem), one possible reason may be that your client PC anti-virus software is configured to block outgoing connections on certain ranges of ports. When your ftp connections are running in pasv mode, the client-side outgoing ports are selected randomly and some of those randomly selected ports may be blocked by the anti-virus software. To identify this problem, read your anti-virus log on the client. In general, any software that can block certain ranges of outgoing ports (such as PC firewalls) can cause similar FTP grief.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 39969040
Another means although not the best way is if you have a similar problem with Filezilla, and the problem persists even when the Windows Firewall is disabled, here is what you can test again:

Open Filezilla, go to Edit -> Settings
Click on Connection -> FTP: Choose Active
Click on Connection -> FTP -> Active Mode: Select "Ask your operating system for the external IP address"
Click on Connection -> FTP -> Passive Mode: Choose Fall Back to Active Mode
Press OK.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39969153
You need to make sure the firewall policies are coded correctly.

Is the firewall on the "server" side or the "client" side.

If the firewall is on the server side, the firewall has to allow inbound TCP connection from any high port to the port range 65400-65535.  I would also make the rule specific to the IP address used by the FTP server .

If the firewall is on the client side, then you need to allow a rule allows outbound TCP connections from any high port to  the port range 65400-65535.  I will still make the rule specific to the IP address used by the FTP server.
0
Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

 

Author Closing Comment

by:sparkis
ID: 39970578
That is exactly what I did - I left the FTP server configured on port 21, forced implicit tls over ssl and then made filezilla connect using active mode. That worked!

Thanks,
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39971007
That means that a firewall some place was not properly configure to allow the port range  65400-65535 through.
0
 

Author Comment

by:sparkis
ID: 39972648
No it specifically is. I have the Nat rules setup w/ 21,20 and 6500-65535 allowed
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39972856
Do you have the 65400-65535 set up correctly?

For active FTP the server initiates the connection outbound to the client.
For passive FTP the client initiates initiates the connection inbound to the server.

Active:
Client:>1023 < --------- Server:20

Passive:
Client:>1023 -----------> Server:65400-65535
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
#SSL #TLS #Citrix #HTTPS #PKI #Compliance #Certificate #Encryption #StoreFront #Web Interface #Citrix XenApp
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question