IIS FTP setup issue

Hello

I'm having an issue with setting up an IIS FTP server (on a 2008R2 box). I have succeeded in setting up the server and users, publishing the directory, and setting up NAT on the firewall. Things are looking pretty much OK but I am struggling at this point:

 220 Microsoft FTP Service
AUTH TLS
234 AUTH command ok. Expecting TLS Negotiation.
USER username
331 Password required for username.
PASS *****************
230 User logged in.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
FEAT
211-Extended features supported:
 LANG EN*
 UTF8
 AUTH TLS;TLS-C;SSL;TLS-P;
 PBSZ
 PROT C;P;
 CCC
 HOST
 SIZE
 MDTM
 REST STREAM
211 END
OPTS UTF8 ON
200 OPTS UTF8 command successful - UTF8 encoding now ON.
SYST
215 Windows_NT
PWD
257 "/" is current directory.
CWD /
250 CWD command successful.
TYPE A
200 Type set to A.
PORT 172,16,101,102,208,219
501 Server cannot accept argument.
CWD /
250 CWD command successful.
TYPE A
200 Type set to A.
PORT 172,16,101,102,208,222
501 Server cannot accept argument.


I guess this is somehow linked to passive FTP mode but
  • it happens even if I explicitly request active mode only
  • I have defined the passive ports in the "FTP firewall support" tab and NAT-ed them to the correct internal IP
  • this works fine if connecting locally (localhost) but not from LAN nor WAN

I'm sure it is a "classic" one (seeing lots of posts googling this) but can't really figure it out.

Any advice most appreciated
Alexandre Takacs (CTO) asked:

zc2 commented:
172,16,101,102 is a local network address of your client, so the server can't establish a data connection to it.
Usually NAT firewalls are smart enough to translate it to an external address, but something prevents in this case.

zc2 commented:
Did you try the passive mode? Don't use Windows command line client, since it only supports the active mode.

Martyn Spencer (Software Developer / Linux System Administrator / Managing Director) commented:
The port command is actually for active mode. Active mode through a NAT firewall won't work unless you have forwarding rules to the client machine, since in active mode the server establishes a connection to the client. Try passive mode, or try SFTP, which is easier because it tunnels the connections (data and control) over port 22. The error you are seeing may be down to zc2's comment. Try a different FTP client (Filezilla is a good choice).

Alexandre Takacs (CTO, author) commented:
> 172,16,101,102 is a local network address of your client, so the server can't establish a data connection to it.
> Usually NAT firewalls are smart enough to translate it to an external address, but something prevents in this case.

You are quite correct. Not sure why - FWIW I use Mikrotik firewall.

> Did you try the passive mode? Don't use Windows command line client, since it only supports the active mode.

Using passive mode it times out:

Microsoft FTP Service
AUTH TLS
234 AUTH command ok. Expecting TLS Negotiation.
USER username
331 Password required for username.
PASS *****************
230 User logged in.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
FEAT
211-Extended features supported:
 LANG EN*
 UTF8
 AUTH TLS;TLS-C;SSL;TLS-P;
 PBSZ
 PROT C;P;
 CCC
 HOST
 SIZE
 MDTM
 REST STREAM
211 END
OPTS UTF8 ON
200 OPTS UTF8 command successful - UTF8 encoding now ON.
SYST
215 Windows_NT
PWD
257 "/" is current directory.
CWD /
250 CWD command successful.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (***,***,247,94,216,17).
220 Microsoft FTP Service
AUTH TLS
234 AUTH command ok. Expecting TLS Negotiation.
USER username
331 Password required for username.
PASS *****************
230 User logged in.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
FEAT
211-Extended features supported:
 LANG EN*
 UTF8
 AUTH TLS;TLS-C;SSL;TLS-P;
 PBSZ
 PROT C;P;
 CCC
 HOST
 SIZE
 MDTM
 REST STREAM
211 END
OPTS UTF8 ON
200 OPTS UTF8 command successful - UTF8 encoding now ON.
SYST
215 Windows_NT
PWD
257 "/" is current directory.
CWD /
250 CWD command successful.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (***,***,247,94,216,18).


(I have obscured the - correct - external IP of the server)

Martyn Spencer (Software Developer / Linux System Administrator / Managing Director) commented:
In passive mode, you often will define a port range that your firewall will allow and you can configure the passive settings accordingly. More likely the data connection is timing out because the port selected is not allowed through the firewall.

zc2 commented:
Are you sure the ports around 55000-56000 are open on the server firewall?

Alexandre Takacs (CTO, author) commented:
> Are you sure the ports around 55000-56000 are open on the server firewall?

I believe so

[image: nat]
(using range 50000-51000 both on FW and in IIS settings)

zc2 commented:
Your range ends on 51000, but the server opens the port 55314 which is out of the range.
Set the correct range in the IIS "FTP Firewall Support" feature.
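
Added example, not part of the original thread: both failures above can be read straight off the control-channel log, because PORT arguments and 227 replies encode the data port as p1*256+p2. The function names `decode` and `audit` are hypothetical; the sample lines and the 50000-51000 range are the ones posted in this thread.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by PORT commands and 227 replies (RFC 959).
SIX = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
# Same tuple when the poster masked the first two address octets.
MASKED = re.compile(r"(\*+),(\*+),(\d+),(\d+),(\d+),(\d+)")


def decode(args):
    """Return (ip_or_None, port) from a PORT argument or 227 reply tuple."""
    m = SIX.search(args) or MASKED.search(args)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % args)
    g = m.groups()
    ip = ".".join(g[:4]) if g[0].isdigit() else None  # None: address masked
    return ip, int(g[4]) * 256 + int(g[5])


def audit(transcript, passive_range):
    """Flag data-channel endpoints in an FTP control log that NAT will break."""
    lo, hi = passive_range
    findings = []
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith("PORT "):
            ip, port = decode(line)
            if ip and ipaddress.ip_address(ip).is_private:
                findings.append(("active", port, "client advertised private address %s" % ip))
        elif line.startswith("227 "):
            _, port = decode(line)
            if not lo <= port <= hi:
                findings.append(("passive", port, "outside forwarded range %d-%d" % (lo, hi)))
    return findings


# Lines copied from the two sessions posted in this thread.
SAMPLE = """\
PORT 172,16,101,102,208,219
501 Server cannot accept argument.
PASV
227 Entering Passive Mode (***,***,247,94,216,17).
PASV
227 Entering Passive Mode (***,***,247,94,216,18).
"""

if __name__ == "__main__":
    print(audit(SAMPLE, (50000, 51000)))
```

Running the same audit with the range the firewall actually forwards shows whether the port the server hands out in its 227 reply will be reachable before a client ever times out on it.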

Alexandre Takacs (CTO, author) commented:
[image: firewall]
those are my active settings...

let me try to extend the range of the FW.

zc2 commented:
Try to execute iisreset as well.

Alexandre Takacs (CTO, author) commented:
Wow - extending the range on the FW did the trick! Not sure why IIS does not follow its settings...

Alexandre Takacs (CTO, author) commented:
(btw did try iisreset multiple times)

noci (Software Engineer) commented:
BTW, why FTP? It is dead. If passwords need to be exchanged, the passwords will be sent unencrypted.
This is not new: since the 1990s FTP was only considered valid for publicly available data (no password required or asked).
Please consider better ways to give access to data (SSH (= SFTP / SCP), some kind of web service upload / download, think Nextcloud through WebDAV, etc.),
besides the multiple links and NAT issues caused by FTP.

David Johnson, CD, MVP (Owner) commented:
If you need to stay with IIS FTP, use FTP/S.
Comment: I do not use the IIS FTP server at all; I use FileZilla FTP server, as the IIS implementation is a pain to set up and administer.