SFTP cannot connect

Wilf
I am having an issue accessing a secure FTP web site from a network.  The network uses a WatchGuard XTM 25 appliance and then runs Server 2008 R2 as the network server.  The workstations are all Windows 7 Pro.

The URL is https://oebsftp.ontarioenergyboard.ca.  This should bring me to a login page, but instead I get the following message.

The message from IE 11 is as follows:

This page can’t be displayed


Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://oebsftp.ontarioenergyboard.ca  again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.

Firefox gives the following:
Secure Connection Failed

The connection to oebsftp.ontarioenergyboard.ca was interrupted while the page was loading.

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.
Often the Ontario Energy Board upload sites are designed for IE only.

I do not see anything in the WatchGuard appliance but may be overlooking something.

The server uses SEP 14.0 for both anti-virus and firewall.

As a separate issue, email using Outlook 2013 cannot use SSL either.
Top Expert 2015

Commented:
Support for some older TLS has ended.  You can turn on the lower TLS settings on the browsers but it's not recommended.  You can try using an FTP client such as FileZilla to connect to that FTP URL.

If you still must use a web browser to access the website you can try enabling the settings as shown here: https://support.freshdesk.com/support/solutions/articles/222861-enabling-tls-1-1-and-tls-1-2-in-internet-explorer

In regards to the Outlook SSL problem, are you referring to OWA?  Can you reach the URL at all and fail at SSL?  Please provide more details.
Dave Baldwin, Fixer of Problems
Most Valuable Expert 2014

Commented:
I had no trouble connecting to that site in IE11, Firefox, and Chrome on Windows 7 and Firefox on Win XP.

Author

Commented:
Thanks for the response.  The URL for the oebsftp can be reached from almost any other network or computer I have tried it on.  It will just not work from this particular network.  FileZilla is not an option in this case.

I get the same results with the TLS settings enabled or not.  When I use a computer not on this network, I can connect with no issue.  I do not see anything in either the SEP firewall or in the portion of the Windows Firewall that shows the rules for inbound and outbound [SEP has disabled the Windows Firewall].

On the SSL for the email:
"log onto incoming mail server (IMAP): A secure connection to the server cannot be established.
Send test email message: Your server does not support the connection encryption that you have specified.  Try changing the encryption method.  contact your mail server administrator or Internet service provider for additional assistance."

The mail server is a third-party mail server provided by the web hosting company.  While the messages appear to indicate the issue is with the server, these settings work fine from other networks and computers.   I suspect this to be a generic message.

My concern is that there is something on this network that is blocking secure connections, because in both cases, the URL can be reached from any other network or computer, and the email settings work just fine from any other network or computer.

Is there something more that I can check?
Top Expert 2015

Commented:
"My concern is that there is something on this network that is blocking secure connections, because in both cases, the URL can be reached from any other network or computer, and the email settings work just fine from any other network or computer."

My thoughts are the same as well.  Can you attempt a trace from the router to see if TLS/SSL packets are getting through?

"The URL for the oebsftp can be reached from almost any other network or computer I have tried it on."

If the problem is specific to one network I would start by looking at the firewall rules for this network.  I don't anticipate that this can be a DNS issue since you can reach the site; it's the TLS that's the problem, but I would verify that the DNS is resolving fine.
Dave Baldwin, Fixer of Problems
Most Valuable Expert 2014

Commented:
Some anti-virus programs and firewalls intercept HTTPS requests so they can scan them.  When they do that, they regenerate the request using their own SSL/TLS capabilities... which aren't always current.
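
One way to test for the interception described in the comment above, as an added example that is not part of the original thread: record the TLS handshake from the failing network and from a working one, then compare the certificate fingerprint and negotiated parameters. The names `probe` and `diagnose` and the sample records are constructed for illustration.

```python
import hashlib
import json
import socket
import ssl
import sys

def probe(host, port=443, timeout=5):
    """Handshake with host:port and record what this network path delivers."""
    ctx = ssl.create_default_context()
    # Diagnostic only: skip validation so a re-signed certificate is recorded
    # instead of aborting the handshake. Never reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0],
                        "cert_sha256": hashlib.sha256(der).hexdigest()}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}

def diagnose(affected, reference):
    """Compare the failing network's probe with one from a working network."""
    if not reference["ok"]:
        return "inconclusive"        # the server may simply be down
    if not affected["ok"]:
        return "handshake-blocked"   # fails only on this path: local stack or inline device
    if affected["cert_sha256"] != reference["cert_sha256"]:
        return "cert-replaced"       # a device on the path terminates and re-signs TLS
    if (affected["version"], affected["cipher"]) != (reference["version"], reference["cipher"]):
        return "params-differ"       # same server cert, different negotiated parameters
    return "match"

# Constructed sample records (not captured from the site in the thread).
REFERENCE = {"ok": True, "version": "TLSv1.2",
             "cipher": "ECDHE-RSA-AES256-GCM-SHA384", "cert_sha256": "aa" * 32}
INTERCEPTED = {"ok": True, "version": "TLSv1",
               "cipher": "AES128-SHA", "cert_sha256": "bb" * 32}
RESET = {"ok": False, "error": "ConnectionResetError: [Errno 104] Connection reset by peer"}

if __name__ == "__main__":
    # Usage: python tls_probe.py <host> [reference.json]
    result = probe(sys.argv[1])
    print(json.dumps(result, indent=2))
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            print(diagnose(result, json.load(fh)))
```

A "cert-replaced" result can also come from a server farm whose nodes hold different certificates, and "params-differ" from the two probe machines having different OpenSSL builds, so run both probes with the same Python installation where possible.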

Author

Commented:
I have tested the URL on an identical network, and it works fine. Just not on this particular network.
Top Expert 2015

Commented:
Is this particular network behind the same router as the one that's working?
Top Expert 2016

Commented:
Concur: the site loads in Google Chrome, Microsoft Edge, and Internet Explorer.

Author

Commented:
Yes, both networks are using a WatchGuard XTM 25 appliance as a router.  Both networks have a single file server that acts as Domain controller, DHCP server, DNS server, etc.
Distinguished Expert 2018

Commented:
"Yes both networks are using a Watchguard XTM 25 appliance as a router.  Both networks have a single file server that acts as Domain controller, DHCP server, DNS server, etc"

So I would ask what the difference in configuration of the firewalls is. Sounds like either a filtering or proxying issue. Start with looking at the FTP rules on each Watchguard.

Author

Commented:
Will continue looking later, thanks.  So far the rules look identical.
Distinguished Expert 2018

Commented:
Is the firmware different? Is there a configuration difference outside of the rules?

Author

Commented:
The only differences in the two setups are that there was a WG-IMAP [predefined rule] in the site that cannot use SSL in Outlook and cannot access the SFTP site.  I removed that rule, and it still seems to be the same.

The other difference is that the site that cannot access the SFTP has two BOVPN firewall rules, but there does not seem to be anything in them that would create any secure shell issues.
Distinguished Expert 2018

Commented:
Did this ever start working?

Author

Commented:
No, it did not.  I am still poking at it, but have not had any success to date.  I will try another router when I can get onto the network and see if that makes a difference.
Distinguished Expert 2018

Commented:
Any luck?

Author

Commented:
nothing
Distinguished Expert 2018

Commented:
Did you ever try a different browser?
Commented:
It appears to be a Server 2008 issue.  With Server 2016 installed it seems to work.

This question should also be deleted as it is old and not relevant any more.
