Solved

FTP SSL Nightmare

Posted on 2014-03-31
Last Modified: 2014-04-02
I cannot get ftp to work over FTP.

Settings for SSL have been Allow, Require and Custom (Require for Auth / Require for Data Channel).

Firewall opens 21, 20, and 65400-65535; the same ports are open in IIS.

With ftp-ssl I can connect but cannot list anything in the folder. It says 150 Opening ASCII mode data connection.

Tried via FileZilla. Again I can connect using passive mode, but get Error:
Connection timed out
Failed to retrieve directory listing

Please help
Question by:sparkis
7 Comments
 
LVL 63

Accepted Solution

by: btan (earned 500 total points)
ID: 39969036
In passive mode, the router and firewall on the server side need to be configured to accept and forward incoming connections. On the client side, however, only outgoing connections need to be allowed (which will already be the case most of the time).

Most normal FTP servers use port 21, SFTP servers use port 22 and FTP over SSL/TLS (implicit mode) use port 990 by default. These ports are not mandatory, however, so it's best to allow outgoing connections to arbitrary remote ports.

Taking reference to the FileZilla configuration, below are points to note in the settings.

In passive mode, the client has no control over what port the server chooses for the data connection. Therefore, in order to use passive mode, you'll have to allow outgoing connections to all ports in your firewall.

Important to note: the server end needs to support passive mode.

Valid ports can be from 1 to 65535, however ports less than 1024 are reserved for other protocols. It is best to choose ports >= 50000 for passive mode FTP. Due to the nature of TCP (the underlying transport protocol), a port cannot be reused immediately after each connection. Hence the range of ports should not be too small or transfers of multiple small files can fail. A range of 50 ports should be sufficient in most cases.

Some notes include:

- If you are trying to setup a server and it works fine within your LAN but is not reachable from the outside, try changing the listening port. Some ISPs don't like their customers to host servers and they may block ports with numbers under 1024.

- If you encounter "cannot open data connection" on a random basis (i.e., the ftp client can connect to the ftp server without problem for many connections until it encounters this problem), one possible reason may be that your client PC anti-virus software is configured to block outgoing connections on certain ranges of ports. When your ftp connections are running in pasv mode, the client-side outgoing ports are selected randomly and some of those randomly selected ports may be blocked by the anti-virus software. To identify this problem, read your anti-virus log on the client. In general, any software that can block certain ranges of outgoing ports (such as PC firewalls) can cause similar FTP grief.
 
LVL 63

Assisted Solution

by: btan (earned 500 total points)
ID: 39969040
Another means, although not the best way: if you have a similar problem with FileZilla, and the problem persists even when the Windows Firewall is disabled, here is what you can test again:

Open Filezilla, go to Edit -> Settings
Click on Connection -> FTP: Choose Active
Click on Connection -> FTP -> Active Mode: Select "Ask your operating system for the external IP address"
Click on Connection -> FTP -> Passive Mode: Choose Fall Back to Active Mode
Press OK.
 
LVL 57

Expert Comment

by:giltjr
ID: 39969153
You need to make sure the firewall policies are coded correctly.

Is the firewall on the "server" side or the "client" side?

If the firewall is on the server side, the firewall has to allow inbound TCP connections from any high port to the port range 65400-65535. I would also make the rule specific to the IP address used by the FTP server.

If the firewall is on the client side, then you need a rule that allows outbound TCP connections from any high port to the port range 65400-65535. I would still make the rule specific to the IP address used by the FTP server.

Author Closing Comment

by:sparkis
ID: 39970578
That is exactly what I did: I left the FTP server configured on port 21, forced implicit TLS over SSL and then made FileZilla connect using active mode. That worked!

Thanks,
 
LVL 57

Expert Comment

by:giltjr
ID: 39971007
That means that a firewall some place was not properly configured to allow the port range 65400-65535 through.
 

Author Comment

by:sparkis
ID: 39972648
No, it specifically is. I have the NAT rules set up with 21, 20 and 6500-65535 allowed.
 
LVL 57

Expert Comment

by:giltjr
ID: 39972856
Do you have the 65400-65535 set up correctly?

For active FTP the server initiates the connection outbound to the client.
For passive FTP the client initiates the connection inbound to the server.

Active:
Client:>1023 < --------- Server:20

Passive:
Client:>1023 -----------> Server:65400-65535
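As an added example (not part of this thread, and not anybody's posted code), the following Python check parses the server's 227 PASV reply and reports whether the advertised data port actually falls inside the range the firewall and NAT forward (65400-65535 in this question) and whether the advertised address matches the one the client connected to. The replies and addresses below are constructed samples; the forwarded range is the one stated in the question.

```python
# Added example: diagnose a passive-mode data connection that times out.
# Over FTPS the control channel is encrypted, so a NAT device or firewall ALG
# cannot read or rewrite the PASV reply; the data-port range must be opened
# statically and the server must advertise a reachable address.
import re

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Port range opened on the firewall/NAT and in IIS, as stated in the question.
FORWARDED_RANGES = [(65400, 65535)]


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) from a 227 PASV reply; port = p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def diagnose_pasv(reply: str, expected_ip: str, ranges=FORWARDED_RANGES) -> list[str]:
    """List reasons the data connection would time out; [] means it looks fine."""
    ip, port = parse_pasv(reply)
    problems = []
    if not any(lo <= port <= hi for lo, hi in ranges):
        problems.append(f"data port {port} is outside the forwarded range(s) {ranges}")
    if ip != expected_ip:
        # Typical when the server sits behind NAT and advertises its private address.
        problems.append(f"server advertised {ip}, but the client connected to {expected_ip}")
    return problems


if __name__ == "__main__":
    # Constructed sample replies: 255*256+136 = 65416 (in range), 25*256+100 = 6500 (not).
    good = "227 Entering Passive Mode (203,0,113,10,255,136)"
    bad = "227 Entering Passive Mode (192,168,1,10,25,100)"
    print(diagnose_pasv(good, "203.0.113.10"))
    print(diagnose_pasv(bad, "203.0.113.10"))
```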