
We have a server in our DMZ running Windows Server 2016 with IIS, and we are having some issues using FTP in passive mode from our internal network. We want to be able to use this both from our inside network, as well as from outside our network.

At the root server level I've configured the Data Channel Port Range 50000-50100.

Next at the FTP site level I've configured "FTP Firewall Support" and entered the outside address that our network admin configured in the firewall for the "External IP Address of Firewall" field.

I've also configured the other settings such as

  • FTP Authentication - Basic Authentication Enabled
  • FTP Authorizations Rules - Read & Write permission for specific local windows accounts
  • FTP SSL Settings - Specified SSL certificate, set SSL Policy to Require SSL Connections, and enabled 128-bit encryption for SSL connections
  • FTP User Isolation - Set to User name directory (disable global virtual directories)

If I connect from outside our network everything works great; however, if I connect from inside our network using FileZilla in passive mode, it connects to the server, establishes TLS, but fails to retrieve the directory listing. I can see that when it enters passive mode it reports back the external IP, instead of the one from our internal DNS. Obviously this is due to the FTP Firewall Support configuration made to get things to work externally.

If I remove the setting specifying our "External IP Address of Firewall" it then works internally, but no longer works externally.

Is there a way to configure this to work in passive mode both for the internal and external network?

2 Answers


Root Cause Analysis

For external clients, their control and data channels all go through the public IP address you configured. That's why usually they work with basic configuration.

However, for internal clients, their control channels go through the private IP address of your FTP server, while IIS FTP still picks up the public IP you configured to inform such clients to open data channels with that.

This matches your description: "I can see that when it enters passive mode it reports back the external IP, instead of the one from our internal DNS."

Solutions

Change to better FTP client software

Some FTP client software (such as WinSCP) is smart enough or configurable to open data channels with the server IP from control channels. If you can switch to such client software, then you don't need to change any firewall/server side settings. More about WinSCP can be found in this article. To learn about other client software, use search engines or their manuals.

Change your firewall settings to allow internal clients to connect to the public IP address

Some firewall products (like Microsoft ISA) allow administrators to enable internal clients to connect to public IP addresses, so you can flip the option. If you use other firewall products, they might have a similar setting documented in their manuals.

Lex Li
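As an added illustration (not part of either answer, and not IIS, FileZilla or WinSCP code), the following Python helper shows the client-side behaviour the answer above describes: parse the server's 227 passive-mode reply and, when the advertised address lies on the other side of the NAT boundary from the address the control channel actually connected to, reuse the control channel's peer address for the data channel instead. The function names, the RFC 1918 check, and all sample replies and addresses are constructed for this example.

```python
"""Choose the data-channel endpoint for an FTP passive-mode transfer.

Added example for this page; not IIS or WinSCP code. Sample replies and
addresses below are constructed.
"""
import ipaddress
import re
from typing import NamedTuple

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_PASV_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# RFC 1918 ranges; checked explicitly so the rule is visible (Python's
# ipaddress.is_private also covers documentation ranges, which we do not want).
_RFC1918 = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


class DataEndpoint(NamedTuple):
    host: str
    port: int
    overridden: bool  # True when the advertised host was replaced


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    return any(addr in net for net in _RFC1918)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Extract (host, port) from a 227 reply; raise ValueError on bad input."""
    if not reply.startswith("227"):
        raise ValueError(f"not a passive-mode reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no host/port tuple in reply: {reply!r}")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in reply: {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]  # p1 is the high byte, p2 the low byte
    if port == 0:
        raise ValueError("data port 0 is invalid")
    return host, port


def choose_data_endpoint(reply: str, control_peer: str) -> DataEndpoint:
    """Pick the address to open the data channel to.

    The port always comes from the 227 reply. The host is replaced by the
    control channel's peer address when the two addresses are on different
    sides of a NAT boundary (one RFC 1918, the other not), or when the server
    advertised an unusable address (0.0.0.0 or loopback). An internal client
    that reached the server's private address but was told the firewall's
    public address is exactly the case described in the question.
    """
    host, port = parse_pasv(reply)
    advertised = ipaddress.IPv4Address(host)
    control = ipaddress.IPv4Address(control_peer)
    if advertised == control:
        return DataEndpoint(host, port, False)
    if advertised.is_unspecified or advertised.is_loopback:
        return DataEndpoint(control_peer, port, True)
    if is_rfc1918(advertised) != is_rfc1918(control):
        return DataEndpoint(control_peer, port, True)
    # Both addresses on the same side (e.g. two public addresses): trust the reply.
    return DataEndpoint(host, port, False)


if __name__ == "__main__":
    # Constructed: internal client reached 10.1.2.3 but the reply advertises
    # the firewall's public address; port 195*256+80 = 50000.
    print(choose_data_endpoint("227 Entering Passive Mode (203,0,113,10,195,80).", "10.1.2.3"))
```

Run it as a script to see the internal-client case resolve back to the control channel's peer; an external client whose control connection went to the public address gets the advertised endpoint unchanged.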

Yes, but it is a firewall configuration issue. You need to set the "External IP Address of Firewall" in IIS to the server's internal IP address. Then, the firewall needs to be configured for 1:1 NAT from the external IP address to the internal IP address. There will probably be other firewall configuration issues, e.g. pfSense requires an FTP Proxy package to be installed to handle the PASV ports, but those requirements are going to be specific to the firewall in use. Most commercial-grade firewalls should have some method for configuring this setup.

CB_Ron