Alexandre Takacs asked:
IIS FTP setup issue

Hello

I'm having an issue with setting up an IIS FTP server (on a 2008R2 box). I have succeeded in setting up the server and users, publishing the directory and setting up NAT on the firewall. Things are looking pretty much ok but I am struggling at this point:

 220 Microsoft FTP Service
AUTH TLS
234 AUTH command ok. Expecting TLS Negotiation.
USER username
331 Password required for username.
PASS *****************
230 User logged in.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
FEAT
211-Extended features supported:
 LANG EN*
 UTF8
 AUTH TLS;TLS-C;SSL;TLS-P;
 PBSZ
 PROT C;P;
 CCC
 HOST
 SIZE
 MDTM
 REST STREAM
211 END
OPTS UTF8 ON
200 OPTS UTF8 command successful - UTF8 encoding now ON.
SYST
215 Windows_NT
PWD
257 "/" is current directory.
CWD /
250 CWD command successful.
TYPE A
200 Type set to A.
PORT 172,16,101,102,208,219
501 Server cannot accept argument.
CWD /
250 CWD command successful.
TYPE A
200 Type set to A.
PORT 172,16,101,102,208,222
501 Server cannot accept argument.


I guess this is somehow linked to passive FTP mode, but
  • it happens even if I explicitly request active mode only
  • I have defined the passive ports in the "FTP firewall support" tab and NAT-ed them to the correct internal IP
  • this works fine if connecting locally (localhost) but not from the LAN or WAN

I'm sure it is a "classic" one (I see lots of posts when googling this) but can't really figure it out.

Any advice most appreciated
zc2 replied:

172,16,101,102 is a local network address of your client, so the server can't establish a data connection to it.
Usually NAT firewalls are smart enough to translate it to an external address, but something prevents in this case.
Did you try the passive mode? Don't use Windows command line client, since it only supports the active mode.

The PORT command is actually for active mode. Active mode through a NAT firewall won't work unless you have forwarding rules to the client machine, since in active mode the server establishes a connection to the client. Try passive mode, or try SFTP, which is easier because it tunnels the connections (data and control) over port 22. The error you are seeing may be down to zc2's comment. Try a different FTP client (FileZilla is a good choice).
Alexandre Takacs (asker) replied:
172,16,101,102 is a local network address of your client, so the server can't establish a data connection to it.
Usually NAT firewalls are smart enough to translate it to an external address, but something prevents in this case.

You are quite correct. Not sure why - FWIW I use a Mikrotik firewall.

Did you try the passive mode? Don't use Windows command line client, since it only supports the active mode.

Using passive mode it times out:

Microsoft FTP Service
AUTH TLS
234 AUTH command ok. Expecting TLS Negotiation.
USER username
331 Password required for username.
PASS *****************
230 User logged in.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
FEAT
211-Extended features supported:
 LANG EN*
 UTF8
 AUTH TLS;TLS-C;SSL;TLS-P;
 PBSZ
 PROT C;P;
 CCC
 HOST
 SIZE
 MDTM
 REST STREAM
211 END
OPTS UTF8 ON
200 OPTS UTF8 command successful - UTF8 encoding now ON.
SYST
215 Windows_NT
PWD
257 "/" is current directory.
CWD /
250 CWD command successful.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (***,***,247,94,216,17).
220 Microsoft FTP Service
AUTH TLS
234 AUTH command ok. Expecting TLS Negotiation.
USER username
331 Password required for username.
PASS *****************
230 User logged in.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
FEAT
211-Extended features supported:
 LANG EN*
 UTF8
 AUTH TLS;TLS-C;SSL;TLS-P;
 PBSZ
 PROT C;P;
 CCC
 HOST
 SIZE
 MDTM
 REST STREAM
211 END
OPTS UTF8 ON
200 OPTS UTF8 command successful - UTF8 encoding now ON.
SYST
215 Windows_NT
PWD
257 "/" is current directory.
CWD /
250 CWD command successful.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (***,***,247,94,216,18).


(I have obscured the - correct - external IP of the server)
In passive mode, you often will define a port range that your firewall will allow and you can configure the passive settings accordingly. More likely the data connection is timing out because the port selected is not allowed through the firewall.
Are you sure the ports around 55000-56000 are open on the server firewall?
Are you sure the ports around 55000-56000 are open on the server firewall?

I believe so

[screenshot]
(using range 50000-51000 both on FW and in IIS settings)
zc2 posted the asker-certified solution (text not available on this page).
[screenshot]
Those are my active settings...

let me try to extend the range of the FW.
Try to execute iisreset as well.
Wow - extending the range on the FW did the trick! Not sure why IIS does not follow its settings...
(btw did try iisreset multiple times)
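Worked example, added here as an illustration and not code posted in this thread: a small Python script that decodes the PORT arguments and 227 replies seen in the transcripts above (the h1,h2,h3,h4,p1,p2 form from RFC 959), flags a PORT argument carrying an RFC 1918 client address (zc2's point that the server cannot connect back to 172.16.101.102 through NAT) and checks whether the port offered in a 227 reply falls inside the configured passive range (the 50000-51000 range the asker set against the ports around 55000-56000 the server actually handed out). The server's masked external address is replaced with the documentation placeholder 203.0.113.94, the wider range in the last check is assumed, and the function and class names are my own.

```python
"""Decode FTP PORT / 227 endpoints from a session transcript and flag NAT problems."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the data-connection lines from the two transcripts in the
# question. The server's masked external address ("***,***,247,94") is replaced
# by the documentation placeholder 203.0.113.94; it is not the real server.
ACTIVE_TRANSCRIPT = """\
TYPE A
200 Type set to A.
PORT 172,16,101,102,208,219
501 Server cannot accept argument.
PORT 172,16,101,102,208,222
501 Server cannot accept argument.
"""

PASSIVE_TRANSCRIPT = """\
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (203,0,113,94,216,17).
PASV
227 Entering Passive Mode (203,0,113,94,216,18).
"""

# Passive range the asker configured in the IIS "FTP Firewall Support" tab and on the firewall.
CONFIGURED_PASSIVE_RANGE = (50000, 51000)

# RFC 1918 networks: an address in one of these is not reachable across the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# h1,h2,h3,h4,p1,p2 as used by the PORT command (RFC 959) and the 227 reply to PASV.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass
class DataEndpoint:
    mode: str                 # "active" (client sent PORT) or "passive" (server sent 227)
    address: str
    port: int
    problems: List[str] = field(default_factory=list)


def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Return (dotted address, port) from a PORT command or 227 reply, or None if malformed."""
    m = HOSTPORT_RE.search(text)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):      # every field is one byte
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_rfc1918(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def analyse(transcript: str, passive_range=CONFIGURED_PASSIVE_RANGE) -> List[DataEndpoint]:
    """Walk a transcript and return every data-connection endpoint with its NAT problems."""
    lo, hi = passive_range
    endpoints: List[DataEndpoint] = []
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.upper().startswith("PORT "):
            mode = "active"
        elif line.startswith("227 "):
            mode = "passive"
        else:
            continue                       # EPRT/EPSV (RFC 2428) are not handled here
        decoded = decode_hostport(line)
        if decoded is None:
            continue
        address, port = decoded
        ep = DataEndpoint(mode, address, port)
        if mode == "active" and is_rfc1918(address):
            # The server would have to open a connection back to a private address.
            ep.problems.append(f"client advertised private address {address}; "
                               "server behind NAT cannot connect back to it")
        if mode == "passive":
            if is_rfc1918(address):
                ep.problems.append(f"server advertised private address {address}; "
                                   "external firewall address is not set")
            if not lo <= port <= hi:
                ep.problems.append(f"server offered port {port}, outside the configured "
                                   f"passive range {lo}-{hi}; firewall will drop it")
        endpoints.append(ep)
    return endpoints


def report(transcript: str, passive_range=CONFIGURED_PASSIVE_RANGE) -> List[str]:
    """One human-readable line per endpoint, suitable for a quick console check."""
    lines = []
    for ep in analyse(transcript, passive_range):
        status = "; ".join(ep.problems) if ep.problems else "ok"
        lines.append(f"{ep.mode:7s} {ep.address}:{ep.port} -> {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(ACTIVE_TRANSCRIPT)))
    print("\n".join(report(PASSIVE_TRANSCRIPT)))
    # Assumed wider firewall range that also covers the ports the server handed out.
    print("\n".join(report(PASSIVE_TRANSCRIPT, passive_range=(50000, 56000))))
```

Run against the active transcript it reports both PORT arguments as a private 172.16.101.102 client address (ports 53467 and 53470); against the passive transcript it reports 55313 and 55314 as outside the 50000-51000 range, which is exactly the mismatch that widening the firewall range resolved. Paste any other FTP client log in place of the constructed transcripts to check a new setup the same way.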
noci replied:
BTW, why FTP? It is dead. If passwords need to be exchanged, the passwords will be sent unencrypted.
This is not new: since the 1990s FTP was only considered valid for publicly available data (no password required or asked).
Please consider better ways to give access to data (SSH (= SFTP / SCP), some kind of web service upload / download, think Nextcloud through WebDAV, etc.)
 (besides the multiple links and NAT issues caused by FTP).
If you need to stay with IIS FTP, use FTPS.
Comment: I do not use the IIS FTP server at all; I use the FileZilla FTP server, as the IIS implementation is a pain to set up and administer.