3

I configured iis7 ftp to allow ssl connections. I set the ssl firewall to use ports 50000-50050.

If I set up a custom service on my fortigate firewall for ftps with source ports 990-50050 and destination ports 990-50050, set it to a firewall policy and connect from a client it connects and works successfully.

If I create a service FTPS Control with source port 990 and destination port 990 and another service, FTP Data, with source ports 50000-50050 and destination ports 50000-50050, add them to a group FTPSSL, replace the ftps policy with FTPSSL and try connecting, it tries to connect to port 990 and eventually times out.

Is there a way to configure the service to only use the ports I need and not every port from 990 up?

  • what version firmware are you running? I've had a bunch of ftp related issues with the 4.x series firmwares. – 3dinfluence Jun 14 '10 at 17:05
  • ftps probably knows active and passive modes too, and most clients default to passive nowadays. Also be aware of the difference between FTPS and FTPES (also often fudged), if your firewall attempts any intelligent ftp handling with FTPES it is bound to fail. – rackandboneman Jun 15 '12 at 00:14

2 Answers

1

Remove the source ip port restrictions. So any to port 990 for ftp command, and any to range 50000 to 50050.

becomingwisest
  • 3,328
  • 20
  • 18
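To show why the source-port restriction breaks the connection while the "any source" definition from this answer works, here is a small model of firewall service matching written for this page (it is not FortiGate code and not the asker's configuration). It assumes a passive FTPS session in which the client opens the control connection to TCP 990 and the data connection to a port in the server's 50000-50050 range, always from an ephemeral source port; the port numbers in the sessions are constructed, and the service names are made up for the example.

```python
"""Model of firewall service/port matching for passive FTPS (example code, not FortiOS)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]
ANY: PortRange = (1, 65535)  # "any" source port, as the answer recommends


@dataclass(frozen=True)
class Service:
    """One custom service: a destination port range and an optional source port range."""
    name: str
    dst: PortRange
    src: PortRange = ANY

    def matches(self, src_port: int, dst_port: int) -> bool:
        return (self.src[0] <= src_port <= self.src[1]
                and self.dst[0] <= dst_port <= self.dst[1])


def first_blocked(group: List[Service], session: List[Tuple[int, int]]) -> Optional[Tuple[int, int]]:
    """Return the first (src_port, dst_port) connection no service in the group allows, or None."""
    for src_port, dst_port in session:
        if not any(s.matches(src_port, dst_port) for s in group):
            return (src_port, dst_port)
    return None


def session_allowed(group: List[Service], session: List[Tuple[int, int]]) -> bool:
    return first_blocked(group, session) is None


def ports_opened(group: List[Service]) -> int:
    """Number of distinct destination ports the group exposes (a rough exposure measure)."""
    opened = set()
    for s in group:
        opened.update(range(s.dst[0], s.dst[1] + 1))
    return len(opened)


# Constructed sessions: (client source port, server destination port) for control, then data.
# Ephemeral source ports depend on the client OS; 33001/33002 fall inside 990-50050,
# 51234/51235 (typical of newer Windows, 49152-65535) fall outside it.
SESSION_LOW_EPHEMERAL = [(33001, 990), (33002, 50017)]
SESSION_HIGH_EPHEMERAL = [(51234, 990), (51235, 50017)]

# The asker's first definition: one service, source and destination 990-50050.
BROAD = [Service("ftps", dst=(990, 50050), src=(990, 50050))]

# The asker's second definition: source ports pinned to the same values as the destination.
SRC_RESTRICTED = [
    Service("FTPS Control", dst=(990, 990), src=(990, 990)),
    Service("FTP Data", dst=(50000, 50050), src=(50000, 50050)),
]

# The answer's recommendation: any source, only the needed destination ports.
RECOMMENDED = [
    Service("FTPS Control", dst=(990, 990)),
    Service("FTP Data", dst=(50000, 50050)),
]

if __name__ == "__main__":
    for name, group in [("broad", BROAD), ("src-restricted", SRC_RESTRICTED), ("recommended", RECOMMENDED)]:
        print(name, "opens", ports_opened(group), "dst ports;",
              "low-ephemeral client:", session_allowed(group, SESSION_LOW_EPHEMERAL),
              "high-ephemeral client:", session_allowed(group, SESSION_HIGH_EPHEMERAL),
              "first blocked:", first_blocked(group, SESSION_HIGH_EPHEMERAL))
```

The source-port-restricted group blocks the very first connection (the control connection to 990 arrives from an ephemeral port, not from 990), which is the "tries to connect to port 990 and times out" symptom in the question. The broad 990-50050 definition only worked because the client's ephemeral ports happened to fall inside that range, and it exposes about 49,000 destination ports instead of 52; the two "any source" services allow both sessions while exposing only the ports the server actually listens on.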
0

For the FTP Service to pick up the 50000-50050 passive port range you will need to manually restart the FTP Service under Administrative Tools > Services

iainlbc
  • 2,694
  • 19
  • 19
  • 1
    I did this and when the ports 990-50050 are opened only passive ports 50000 - 50050 are used. So the problem looks to be with the firewall mapping somehow –  Apr 24 '10 at 16:15