
I'm attempting to set up an FTPS server on Windows Server 2008. The inner workings have been successful -- I can connect locally or on the VPN. But I can't seem to craft the firewall rules to make it work properly. I have the server configured to confine data channels to ports 41230-41240 insofar as I can tell, and the networking team has configured the same ports to be open. But it appears my clients are all still trying to connect via ports in the 50000-52000 range. I have tried all possible IPs to "route" through according to the standard TechNet article -- the server's own and both firewalls.

I can't see a rhyme or reason to this, has anyone successfully got a Windows Server 2008 running through the firewall in the following network configuration:

  • Server itself has no firewall running
  • No NAT -- server has its public address assigned directly, etc.
  • Redundant Cisco ASA firewalls.
  • We are really running FTPES -- that is, FTP with explicit security -- with control on 21 and hoping to put data on 41230-41240.

Please advise if you need more information.

Wyatt Barnett

2 Answers


Two things:

1) Connect in passive mode.

2) Add a passive port range in IIS:

  1. Go to IIS 7.0 Manager. In the Connections pane, click the server-level node in the tree.
  2. Double-click the FTP Firewall Support icon in the list of features.
  3. Enter a range of values for the Data Channel Port Range.
  4. Once you have entered the port range for your FTP service, click Apply in the Actions pane to save your configuration settings.
ERR0
  • Thanks for the reply. I amended the post, but we are running FTPES in actuality with the control channel on port 21. Control appears to be working -- I can authenticate, but I can't list directory files, for instance. – Wyatt Barnett Aug 16 '11 at 03:22
  • answer updated based on your feedback. – ERR0 Aug 16 '11 at 20:03
  • Been there, done that -- it doesn't seem to work. Still trying ports in the 52k. – Wyatt Barnett Aug 16 '11 at 20:25
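One way to see which data port the server is actually advertising, as an added example that is not part of the original question or answers: the check below parses the PASV (227) and EPSV (229) replies from a client-side FTP session log and flags any advertised port outside the 41230-41240 range the server was supposed to be confined to. The sample replies are constructed (the 203.0.113.10 address is a documentation address), and the EPSV handling goes slightly beyond the thread, which only discusses PASV. Because the control channel is TLS-protected with explicit FTPS, the firewall cannot read these replies; the client-side log (e.g. FileZilla's message log) is where a mismatch like the 50000-52000 ports described in the question shows up.

```python
import re
from typing import List, Optional, Tuple

# Data-channel range the server is supposed to be confined to (from the question).
EXPECTED_RANGE = (41230, 41240)

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -> port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)  -> host is the control-connection peer
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line: str) -> Optional[Tuple[Optional[str], int]]:
    """Return (host, port) advertised by a PASV or EPSV reply, or None for other lines.

    For EPSV the host is None: the client reuses the address of the control connection.
    """
    m = PASV_RE.search(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.search(line)
    if m:
        return (None, int(m.group(1)))
    return None


def check_passive_replies(lines: List[str], port_range=EXPECTED_RANGE) -> List[dict]:
    """Parse every passive-mode reply and record whether its port is inside port_range."""
    lo, hi = port_range
    findings = []
    for line in lines:
        parsed = parse_passive_reply(line)
        if parsed is None:
            continue  # not a PASV/EPSV reply (e.g. login or directory listing output)
        host, port = parsed
        findings.append({
            "line": line.strip(),
            "host": host,
            "port": port,
            "in_range": lo <= port <= hi,
        })
    return findings


def out_of_range_ports(lines: List[str], port_range=EXPECTED_RANGE) -> List[int]:
    """Ports the server advertised that the firewall rules would not permit."""
    return [f["port"] for f in check_passive_replies(lines, port_range) if not f["in_range"]]


# Constructed sample of a client-side session log (hypothetical, not from the thread).
SAMPLE_REPLIES = [
    "230 User logged in.",
    "227 Entering Passive Mode (203,0,113,10,161,14)",   # 161*256 + 14 = 41230, in range
    "227 Entering Passive Mode (203,0,113,10,200,51)",   # 200*256 + 51 = 51251, outside range
    "229 Entering Extended Passive Mode (|||41235|)",    # in range
]

if __name__ == "__main__":
    for finding in check_passive_replies(SAMPLE_REPLIES):
        status = "ok" if finding["in_range"] else "OUTSIDE configured range"
        print(f"{finding['port']:>6}  {status}  <- {finding['line']}")
```

Run it over a real client log after a failed directory listing: an advertised port outside the configured range means the server-side Data Channel Port Range setting did not take effect (or the client is talking to a different listener than the one that was configured), which is the condition to fix before touching the ASA rules again.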

We went through this a year ago; having clients configure their firewalls to work with the dynamic port ranges was endless grief. Ultimately we replaced FTPS with SFTP, which uses fixed ports, and all the problems vanished. This product, along with FileZilla for end users, has worked very well for us. https://www.bitvise.com/winsshd

mike42
  • Seconded. The FTP protocol is basically broken by design by modern standards. It's from a long-ago simpler time when firewalls didn't exist, and everybody on the network trusted everybody else enough to allow incoming connections on all ports. – rmalayter Oct 04 '11 at 18:11