2

During the last few days I have been setting up a Windows Server 2008 R2 in a VMware. I installed the standard FTP-Server on it by using the Webserver (IIS)-role.

Everything works fine with accessing my FTP-Site with ftp://localhost in Firefox. I can also get access to it via the local IP of my Server. Actually everything works fine in my LAN.

But here's my problem:
I want to get access "from outside", using the external IP or a dyndns-URL. I have a LinkSys-Router in front of my Server, therefore I'm forwarding all the important ports.

If you may now think "this idiot has probably forgotten some ports", I must dissappoint you. It even works getting access to my Server-Website and messing around in some WebInterfaces.

The problem is my passive FTP (active works for me). I always get a timeout, when e.g. FileZilla waits for a response to the LIST-command. The one big thing I don't get, is, why my Server sends a response to the PASV-command, naming a port like 40918, even if I have restricted the data port range for my passive FTP ( in the IIS-Manager) to e.g. [5000-5009].

I simply don't want to open and forward all possible data ports!

And another thing is, I can't specify a static external IP address for my server, since I don't own any.

I have already tried these solutions:

--- EDIT: ---

There is one idea rising up in my mind:
When I use FileZilla to connect by passive mode I always get something like this:
227 Entering Passive Mode (192,168,1,102,160,86)
According to a Rhinosof-article FZ tries to connect on port "160*256+86 = 41046", although I have restricted the data ports (as mentioned above). Could this be caused by the router, that doesn't forward out-ports directly, but uses different ones?
(--> The IP-Adress given is the local one, since I'm not able to define a static external in the IIS-Mgr)

--- EDIT 2: ---

I have had an idea about changing the dynamicportrange via netsh interface, but not even the examples given by the help-text itself worked. I think I'll give it up with the IIS-FTP und then use the FileZilla-Server.
Conclusion: Hello freeware, bye "costs, but simply works"-Windows * cough *.

Community
  • 1
Peter Wildemann
  • 121
  • 1
  • 4

4 Answers4

0

Have you tried putting the FTP Server in your router's DMZ just to see if its the router that is dropping the packets? Try that.

Also, turn on the windows firewall logging (Control Panel -> Admin Tools -> Windows Firewall and Advance Security, right click "Windows Firewall and Advance Security" in the console, go to Properties, then enable Logging there for dropped packets) just to see if your computer outside the network was able to ask for the correct ports.

Falcon Momot
  • 25,244
  • 15
  • 63
  • 92
cflyer
  • 133
  • 6
  • Alright I will immediatly try this one! – Peter Wildemann Nov 03 '12 at 08:23
  • Here is an extract from the logfile, while trying to build a passive TCP connection _from outside_. There are serveral of this one, or similar ones. – Peter Wildemann Nov 03 '12 at 09:53
  • 2012-11-03 10:47:51 DROP TCP 59383 21 46 AP 139302526 1860714305 16362 - - - RECEIVE – Peter Wildemann Nov 03 '12 at 09:54
  • Hmm it looks like it is dropping on port 21. If you turn off the windows firewall service, are you able to connect? If you dont have physical access to the server becareful. In the past I have tried disabling the firewall service remotely...big mistake, locked me out of RDP lol. – cflyer Nov 05 '12 at 19:18
0

Changing the dynamic port range in windows will not help. The only thing it does is limit what port will be used for the client side of a socket connection.

What you need to do is limit the port range used by IIS's FTP server. There is a pretty good blog post about that on MSDN but here are the high points:

  • If you're using the built-in FTP server, you need to first install the "IIS 6 metabase compatibility" role service (as well as the associated scriting tools) and then use the following command to set the proper metabase property:

    adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5525"

    • If you're using the IIS 7.5 downloadable FTP module (the one you get from this page) then all you need it open the server's configuration editor and edit the "data channel port range" property under "FTP Firewall Support > Data Channel Port Range" in applicationHost.config.

Regardless of the above, you will still need to port forward the whole range on your NAT gateway device for external connections to work. Most descent Firewall/NAT devices have protocol helpers included for FTP that will allow them to identify the PASV command and react accordingly, but not all do (and it usually won't work if you're using non-standard port for the FTP command channel).

P.S. You should consider using a different protocol than FTP if you're behind NAT: you can't make it work without ugly - and risky - workarounds. I suggest you investigate SFTP or WebDAV.

Stephane
  • 6,432
  • 3
  • 26
  • 47
0

netsh advfirewall set global StatefulFtp enable

netsh advfirewall firewall add rule name="FTP for IIS" service=ftpsvc action=allow protocol=TCP dir=in

Mugurel
  • 903
  • 1
  • 9
  • 17
0

For those of you that are using a Windows server hosted using Microsoft's Azure Cloud Service, if you are using a Network Security Group, you will also need to create an inbound rule there that matches the port range that you setup inf the FTP Firewall Support section in IIS.

Josh Barnes
  • 1