Adding SSL transfer to Server 2012 FTP connection

AGenMIS
Currently we connect to our 2012 server using port 21 FTP to add files etc.  We would like to make this connection secure using either port 22 or port 990.

I have created the certificate in IIS and set this to Allow SSL. In the Bindings I have ports 21, 22, and 990 to connect to the IP over FTP, which I'm not sure I need.

The networking team opened the above ports in the router firewalls. We can connect on either port, but we can't load the directory like in standard FTP.

Windows firewall is allowing FTP 21 and 990. FTP Firewall Support under IIS is set to 0-0.



Connect socket #1008 to *********, port 990...
TLSv1.2, cipher TLSv1/SSLv3 (ECDHE-RSA-AES256-SHA384) - 256 bit
USER anonymous  
331 Anonymous access allowed, send identity (e-mail name) as password.  
PASS **********  
230 User logged in.  
SYST  
215 Windows_NT  
Keep alive off...
Attemping Active mode transfer...
PBSZ 0  
200 PBSZ command successful.  
PROT P  
200 PROT command successful.  
PORT ##,###,##,##,70,225  
501 Server cannot accept argument.  
PORT command failed
Error loading directory...
990-connection.PNG
Tim Edwards, IT Team Lead - Unified Communications & Collaboration

Commented:
On top of port 21 and 990 did you configure the Data Channel Port Range and open these ports on the firewall?

Author

Commented:
That's where my issue lies, I believe, as to what ports to add or adjust. We have it set to 0-0 in IIS, as seen in the screenshot.
SSL.PNG
Dan McFadden, Systems Engineer

Commented:
You need both 20/tcp AND 21/tcp open for general FTP. 21 is the command channel and 20 is the data channel, so it makes sense that no data is being transferred when 20 is not open.

passive FTP Data channel reference link:   https://technet.microsoft.com/en-us/library/dd463996(v=ws.10).aspx

FTP over SSL (FTPS) link:  https://www.iis.net/configreference/system.applicationhost/sites/site/ftpserver/security/ssl

Here is a nice walk-through on setting up an FTP over SSL site in IIS:

http://www.vsysad.com/2013/06/install-and-configure-ftp-over-ssl-ftps-in-iis-7-5/

Dan

Author

Commented:
Firewall ports 20, 21, 22, 989, and 990 are open on the network firewall, so it must be an adjustment in IIS.
Dan McFadden, Systems Engineer

Commented:
The PORT command is the FTP client's attempt to open the data channel. The error message at the end of the FTP session indicates that the dir list cannot be displayed, usually meaning that something is blocking access to the data channel port.

Did you set up the FTP Firewall Support options?
Have you tried to run a passive FTP session?

Dan

Author

Commented:
Yes, tried passive checked and unchecked, no luck. Firewall Support options are set to 0-0 and SSL is set to Allow SSL connections. When I connect over port 21 (Auth TLS, open SSL), it asks whether I want to accept the certificate; I click OK and it errors out.
Dan McFadden, Systems Engineer

Commented:
1. Does the hostname for the server match the hostname in the SSL Cert?
2. What are you using for your login credentials?

Dan

Author

Commented:
Yes, the hostname is the same, and we connect over anonymous, which is linked to one of the local admin accounts.

Author

Commented:
Followed so many articles on Google and I don't see anything wrong with the setup in IIS 8 on Server 2012, so I took screenshots of my setup. If anyone can look at it to just verify the IIS is correct, then it may be a network firewall issue and not server related.
ftp-SETUP.docx
Dan McFadden, Systems Engineer

Commented:
- Is there an external firewall involved, not just the Windows Firewall Service?
- Have you tested the server with the Windows Firewall Service disabled? I recommend this to eliminate the FW as the source of the issue.
- What do the FTP Site bindings look like?

Author

Commented:
The binding is FTP port 21 to the IP address.

Yes, the network firewall is controlled by another agency, but we have not tried to disable the Windows firewall as this would need a maintenance window.
Dan McFadden, Systems Engineer

Commented:
Since there is an external firewall, have you tried, on the FTP Site object, to enter that IP address in the "FTP Firewall Support" feature?

When testing the FTP SSL connection, are you going through the network firewall?

Dan.

Author

Commented:
Entered the IP address in the FTP Firewall Support and no luck; no blocks on McAfee HIPS for the FTP and no difference without the firewall. Attached the IIS log and Core FTP log.

Checking with the network team whether they opened the ports one way or bidirectionally.
COREFTP.LOG
IIS.log
Dan McFadden, Systems Engineer

Commented:
Are you running the FTP service/AppPool as a non-default user? Another way of asking that is: are you using a service account for the FTP service?

You most likely have an access issue reading the SSL certificate, therefore causing a handshake failure.

Dan

Author

Commented:
I created a self-signed certificate on the 2012 server to use and named it the same as the server; could that have been the issue?

Author

Commented:
I created a new self-signed certificate (Personal) on the server and applied it to the FTP site; no luck. Also, the service is running as Local System. Attached the Core FTP log.
Sever-ftp-issues.docx

Author

Commented:
If I connect using port 990 over FTPS, it connects and accepts the certificate but fails to load the directory as it times out. Do I need additional ports open on the network firewall? I see in the log it's trying to open a couple of other ports.


Connect socket #844 to *****, port 990...
Cert 'E1 BE CC 35 14 CA E4 42 9F BC B5 03 41 08 F6 24' specified...
TLSv1 (AES-256/SHA1), 256 bits
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS **********
230 User logged in.
SYST
215 Windows_NT
Keep alive off...
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PORT *,*,*,*,71,76
501 Server cannot accept argument.
Attemping PASV mode transfer...
PASV
227 Entering Passive Mode (*,*,*,*,218,90).
LIST
150 Opening ASCII mode data connection.
Connect socket #1352 to ******, port 55898...
timeout
Connection timed out
Error loading directory...
Total uploaded files:  0
Total uploaded data:  0
Total downloaded files:  0
Total downloaded data:  0
Dan McFadden, Systems Engineer

Commented:
The SSL Settings need to be set at both the server level and the site level for the FTP SSL Settings.

So, click on the server object and set up the FTP SSL Settings as you have done for the site. Restart IIS.

Dan

Author

Commented:
Would this affect only FTP, as we have a website that uses a certificate as well?
Dan McFadden, Systems Engineer

Commented:
You are changing the server scope FTP SSL Settings, not the HTTP settings.

Dan
Dan McFadden, Systems Engineer

Commented:
Any additional info for this question?

Dan

Author

Commented:
Connect socket #972 to  port 990...
TLSv1.2, cipher TLSv1/SSLv3 (ECDHE-RSA-AES256-SHA384) - 256 bit
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS **********
230 User logged in.
SYST
215 Windows_NT
Keep alive off...
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PASV
227 Entering Passive Mode (,231,181).
LIST
150 Opening ASCII mode data connection.
Connect socket #720 to , port 59317...
timeout
QUIT
226 ABOR command successful.
Connect socket #1036 to , port 990...
TLSv1.2, cipher TLSv1/SSLv3 (ECDHE-RSA-AES256-SHA384) - 256 bit
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS **********
230 User logged in.
SYST
215 Windows_NT
Keep alive off...
Attemping Active mode transfer...
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PORT 10,164,24,115,44,221
501 Server cannot accept argument.
PORT command failed
Error loading directory...
Dan McFadden, Systems Engineer

Commented:
The PASV port negotiation timing out is usually due to something preventing or blocking access to that port. The PORT command returning a 501 error is due to a firewall (software and/or hardware) blocking access.

I believe configuring the firewall compatibility feature was mentioned in a previous post.

To me, this appears to be a firewall/port blocking issue, which you also mentioned previously.

Dan
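As an added example (not part of the thread, and not Core FTP's or IIS's own code), the script below decodes the PORT and PASV host-port fields from a client log the same way a firewall's FTP helper would have to, and compares the negotiated passive port with the IIS "Data Channel Port Range". The log excerpt is constructed from the sessions quoted above: the PORT line is the one from the last log, the redacted server address is replaced with the documentation address 203.0.113.5, and the port range values passed to the checker are assumptions. It shows that the 218,90 in the 227 reply is port 55898, the very port the client then times out on, and why a range of 0-0 combined with PROT P leaves the firewall nothing it can open in advance.

```python
import ipaddress
import re

# Constructed excerpt modelled on the Core FTP logs quoted in the thread.
# 203.0.113.5 stands in for the redacted server address; the PORT line and
# the passive port bytes (218,90) are the ones that appear in the thread.
SAMPLE_LOG = """\
Connect socket #844 to 203.0.113.5, port 990...
TLSv1.2, cipher TLSv1/SSLv3 (ECDHE-RSA-AES256-SHA384) - 256 bit
USER anonymous
230 User logged in.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
PORT 10,164,24,115,44,221
501 Server cannot accept argument.
PASV
227 Entering Passive Mode (203,0,113,5,218,90).
LIST
150 Opening ASCII mode data connection.
Connect socket #1352 to 203.0.113.5, port 55898...timeout
"""

# RFC 959 host-port format: h1,h2,h3,h4,p1,p2 where port = p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Turn the six decimal fields into (dotted_ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channels(log):
    """Return (mode, ip, port) for every data-channel negotiation in the log.

    'active'  = client sent PORT; the server must connect back to the client.
    'passive' = server replied 227; the client must connect out to the server.
    """
    found = []
    for line in log.splitlines():
        m = PORT_RE.match(line)
        if m:
            found.append(("active",) + decode_hostport(m.groups()))
            continue
        m = PASV_RE.match(line)
        if m:
            found.append(("passive",) + decode_hostport(m.groups()))
    return found


def control_channel_encrypted(log):
    """True when PROT P was accepted or the session is implicit FTPS on 990."""
    lines = log.splitlines()
    prot_ok = any(l.startswith("200 PROT") for l in lines)
    implicit = any(l.startswith("Connect socket") and "port 990" in l for l in lines)
    return prot_ok or implicit


def check_passive_port(port, low, high):
    """Compare a negotiated passive port with the IIS data channel range.

    IIS treats the default 0-0 as 'use the ephemeral port range', so a
    firewall has no fixed range it could be told to permit.
    """
    if (low, high) == (0, 0):
        return "unconfigured"
    if low <= port <= high:
        return "inside"
    return "outside"


def diagnose(log, low=0, high=0):
    """Summarise, along the lines of the thread, why LIST can hang or fail."""
    findings = []
    if control_channel_encrypted(log):
        findings.append("control channel is TLS-protected (PROT P / port 990): a "
                        "firewall FTP helper cannot read PASV or PORT to open data "
                        "ports on the fly, so a fixed range must be opened statically")
    for mode, ip, port in data_channels(log):
        if mode == "active":
            private = ipaddress.ip_address(ip).is_private
            findings.append(f"active: server would have to connect back to {ip}:{port}"
                            + (" (private address, unreachable through NAT)" if private else ""))
        else:
            status = check_passive_port(port, low, high)
            findings.append(f"passive: client connects to {ip}:{port}; that port is "
                            f"{status} relative to the IIS data channel range {low}-{high}")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG, 0, 0):       # the thread's 0-0 setting
        print(line)
    for line in diagnose(SAMPLE_LOG, 50000, 50100):  # assumed fixed range
        print(line)
```

Running it against the 0-0 setting reports the passive port as unconfigured; with an assumed fixed range such as 50000-50100 configured at the IIS server level (and the same range permitted inbound on both the Windows and the network firewall), every 227 reply would fall inside a range the firewall already knows about, which is the only option once PROT P hides the control channel from it.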
