IIS FTP setup issue

Alexandre Takacs
Hello

I'm having an issue with setting up an IIS FTP server (on a 2008R2 box). I have succeeded in setting up the server and users, publishing the directory, and setting up NAT on the firewall. Things are looking pretty much ok but I am struggling at this point:

 220 Microsoft FTP Service
AUTH TLS
234 AUTH command ok. Expecting TLS Negotiation.
USER username
331 Password required for username.
PASS *****************
230 User logged in.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
FEAT
211-Extended features supported:
 LANG EN*
 UTF8
 AUTH TLS;TLS-C;SSL;TLS-P;
 PBSZ
 PROT C;P;
 CCC
 HOST
 SIZE
 MDTM
 REST STREAM
211 END
OPTS UTF8 ON
200 OPTS UTF8 command successful - UTF8 encoding now ON.
SYST
215 Windows_NT
PWD
257 "/" is current directory.
CWD /
250 CWD command successful.
TYPE A
200 Type set to A.
PORT 172,16,101,102,208,219
501 Server cannot accept argument.
CWD /
250 CWD command successful.
TYPE A
200 Type set to A.
PORT 172,16,101,102,208,222
501 Server cannot accept argument.

I guess this is somehow linked to passive FTP mode, but
  • it happens even if I explicitly request active mode only
  • I have defined the passive ports in the "FTP Firewall Support" tab and NAT-ed them to the correct internal IP
  • this works fine if connecting locally (localhost) but not from LAN nor WAN

I'm sure it is a "classic" one (seeing lots of posts when googling this) but can't really figure it out.

Any advice most appreciated
172,16,101,102 is a local network address of your client, so the server can't establish a data connection to it.
Usually NAT firewalls are smart enough to translate it to an external address, but something prevents in this case.
Did you try the passive mode? Don't use Windows command line client, since it only supports the active mode.
Martyn Spencer, Software Developer / Linux System Administrator / Managing Director

Commented:
The port command is actually for active mode. Active mode through a NAT firewall won't work unless you have forwarding rules to the client machine, since in active mode the server establishes a connection to the client. Try passive mode, or try SFTP, which is easier because it tunnels the connections (data and control) over port 22. The error you are seeing may be down to zc2's comment. Try a different FTP client (Filezilla is a good choice).

Author

Commented:
172,16,101,102 is a local network address of your client, so the server can't establish a data connection to it.
Usually NAT firewalls are smart enough to translate it to an external address, but something prevents in this case.

You are quite correct. Not sure why - FWIW I use a Mikrotik firewall.

Did you try the passive mode? Don't use Windows command line client, since it only supports the active mode.

Using passive mode it times out:

Microsoft FTP Service
AUTH TLS
234 AUTH command ok. Expecting TLS Negotiation.
USER username
331 Password required for username.
PASS *****************
230 User logged in.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
FEAT
211-Extended features supported:
 LANG EN*
 UTF8
 AUTH TLS;TLS-C;SSL;TLS-P;
 PBSZ
 PROT C;P;
 CCC
 HOST
 SIZE
 MDTM
 REST STREAM
211 END
OPTS UTF8 ON
200 OPTS UTF8 command successful - UTF8 encoding now ON.
SYST
215 Windows_NT
PWD
257 "/" is current directory.
CWD /
250 CWD command successful.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (***,***,247,94,216,17).
220 Microsoft FTP Service
AUTH TLS
234 AUTH command ok. Expecting TLS Negotiation.
USER username
331 Password required for username.
PASS *****************
230 User logged in.
PBSZ 0
200 PBSZ command successful.
PROT P
200 PROT command successful.
FEAT
211-Extended features supported:
 LANG EN*
 UTF8
 AUTH TLS;TLS-C;SSL;TLS-P;
 PBSZ
 PROT C;P;
 CCC
 HOST
 SIZE
 MDTM
 REST STREAM
211 END
OPTS UTF8 ON
200 OPTS UTF8 command successful - UTF8 encoding now ON.
SYST
215 Windows_NT
PWD
257 "/" is current directory.
CWD /
250 CWD command successful.
TYPE A
200 Type set to A.
PASV
227 Entering Passive Mode (***,***,247,94,216,18).

(I have obscured the - correct - external IP of the server)
Martyn Spencer, Software Developer / Linux System Administrator / Managing Director

Commented:
In passive mode, you often will define a port range that your firewall will allow and you can configure the passive settings accordingly. More likely the data connection is timing out because the port selected is not allowed through the firewall.
Are you sure the ports around 55000-56000 are open on the server firewall?

Author

Commented:
Are you sure the ports around 55000-56000 are open on the server firewall?

I believe so

[screenshot: nat]
(using range 50000-51000 both on FW and in IIS settings)
Your range ends on 51000, but the server opens the port 55314 which is out of the range.
Set the correct range in the IIS "FTP Firewall Support" feature.
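The address and port arithmetic behind both failures in this thread (the 501 on PORT in active mode and the timeout in passive mode), as an added example that is not part of the original thread: it decodes the RFC 959 h1,h2,h3,h4,p1,p2 tuples (port = p1*256 + p2), flags an RFC 1918 client address in an active-mode PORT command, and checks an advertised passive port against the range configured in IIS and on the firewall. The log lines and the 203.0.113.94 server address are constructed stand-ins for the redacted transcript above.

```python
import ipaddress
import re

# Constructed sample lines in the shape of the thread's transcript. The server's
# external address (redacted as ***,***,247,94 above) is replaced by a
# documentation-range placeholder; the client address and port bytes are as posted.
SAMPLE_LOG = """\
PORT 172,16,101,102,208,219
501 Server cannot accept argument.
PASV
227 Entering Passive Mode (203,0,113,94,216,17).
PASV
227 Entering Passive Mode (203,0,113,94,216,18).
"""

# Passive range the author says is configured both on the firewall and in IIS.
CONFIGURED_PASSIVE_RANGE = (50000, 51000)

# RFC 1918 address space: the ranges a NAT gateway hides behind a public address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HOSTPORT_RE = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def is_rfc1918(ip):
    """True if ip lies in one of the three RFC 1918 private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_hostport(text):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 tuple in text to (ip, port)."""
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte value out of range in: %r" % text)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_data_channel(line, passive_range=CONFIGURED_PASSIVE_RANGE):
    """Inspect one control-channel line.

    Returns (mode, ip, port, problems) for a PORT command or a 227 reply and
    None for any other line. problems is a list of human-readable findings.
    """
    stripped = line.strip()
    if stripped.upper().startswith("PORT "):
        mode = "active"
    elif stripped.startswith("227 "):
        mode = "passive"
    else:
        return None
    ip, port = parse_hostport(stripped)
    problems = []
    if mode == "active" and is_rfc1918(ip):
        # The server must connect back to this address for the data channel;
        # from outside the client's NAT that is unreachable, hence the 501.
        problems.append("client sent private address %s for active mode; "
                        "server cannot open the data connection to it" % ip)
    if mode == "passive":
        lo, hi = passive_range
        if not lo <= port <= hi:
            # The firewall only forwards the configured range, so the client's
            # data connection is silently dropped and the transfer times out.
            problems.append("passive port %d is outside configured range %d-%d; "
                            "firewall will not forward it" % (port, lo, hi))
        if is_rfc1918(ip):
            problems.append("server advertised private address %s; clients "
                            "outside the NAT cannot reach it" % ip)
    return mode, ip, port, problems


def analyze_log(log, passive_range=CONFIGURED_PASSIVE_RANGE):
    """Run check_data_channel over every line and keep the PORT/PASV findings."""
    results = []
    for line in log.splitlines():
        r = check_data_channel(line, passive_range)
        if r is not None:
            results.append(r)
    return results


if __name__ == "__main__":
    for mode, ip, port, problems in analyze_log(SAMPLE_LOG):
        print("%-7s %s:%d" % (mode, ip, port))
        for p in problems:
            print("   ! " + p)
```

Run against the constructed log, the PORT line decodes to 172.16.101.102:53467 (a private client address, so active mode cannot work from outside the client's NAT) and the two 227 replies decode to ports 55313 and 55314, both above the 51000 ceiling of the configured range. One caveat the thread only touches indirectly: because the session negotiates AUTH TLS and PROT P, the firewall cannot read the PORT/PASV exchange, so it can neither rewrite the addresses nor open data ports dynamically; a static passive range that matches on IIS and on the firewall is the only thing that makes the data channel reachable, which is consistent with widening the firewall range being what fixed it.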

Author

Commented:
[screenshot: firewall]
those are my active settings...

let me try to extend the range of the FW.
Try to execute iisreset as well.

Author

Commented:
Wow - extending the range on the FW did the trick! Not sure why IIS does not follow its settings...

Author

Commented:
(btw did try iisreset multiple times)
noci, Software Engineer
Distinguished Expert 2018

Commented:
BTW, why FTP? It is dead. If passwords need to be exchanged, the passwords will be sent unencrypted.
This is not new: since the 1990s FTP was only considered valid for publicly available data (no password required or asked).
Please consider better ways to give access to data (SSH (= SFTP / SCP), some kind of web service upload / download, think Nextcloud through WebDAV, etc.),
besides the multiple-connection and NAT issues caused by FTP.
Top Expert 2016

Commented:
If you need to stay with IIS FTP, use FTP/S.
Comment: I do not use the IIS FTP server at all; I use FileZilla FTP Server, as the IIS implementation is a pain to set up and administer.