
We have a Windows Server 2012 R2 box, running IIS 6.2 (Build 9200). This is a Rackspace server.

The server was running one FTP site, with no issues. We had worked with Rackspace originally to get the right ports opened in their networking environment, and get the server configured to match, and all was good. We were able to connect to the FTP server via command-line, or using GUI tools such as FireFTP, WinSCP, etc.

Now we needed to add a second FTP site to the server for another client. I've set up the second site, got users created, authorization rules set, the whole 9.

Since adding the second site though, graphical tools no longer connect. I can connect to both sites fine via the Windows command-line FTP. It can log in, connect, list directories, put files and get files, all without issue.

Graphical tools all can't get past connecting though. They authenticate fine, connect, and then time out on trying to list directory contents (messages vary depending on client, FireFTP, Windows Explorer, et al).

Most posts say that this is one of two things, 1) the firewall settings, or 2) the Active/Passive mode.

The timeout issue in graphical tools is occurring when operating in passive mode. If I switch them to active mode they have different issues. FireFTP keeps getting kicked off after issuing the command PORT |2|fe80::cc7e:88c2:277f:f3f6|1038|, getting stuck in an "attempting to reconnect" loop. Windows Explorer just hangs itself into oblivion.

The firewall settings should be correct, since as previously stated, we'd already worked on this and got it working when it was just one site being hosted. In the IIS server-level FTP Firewall Support section, the Data Control Port Range is set to 2000-2100 and the External IP Address of Firewall is filled in.

The sites are just plain normal FTP, not SFTP at all.
They're both using IIS Manager accounts for login with user-isolation.
There is no request filtering set up, other than the default for _vti_bin.

Both sites are running on the same IP address using virtual hosts.

Any ideas or directions to look?

eidylon
  • Bizarre. Can you confirm ports 20, 21, and appropriate ephemeral ports for your OS are properly open? I think 20/21 open inbound and ephemeral outbound. If it's not that I'm thinking some kind of misconfiguration. – Tim Jun 20 '17 at 18:55
  • @Tim well, GRC Shields Up shows 21 open, but 20 in stealth. Which confuses me why it worked before, and still works for command-line. I'm not sure how to test/check the ephemeral ports. – eidylon Jun 20 '17 at 19:31
  • Make a connection from the server to a client on a high port, 49152 to 65535 is the standard range. Problem is that's a bit tricky to test, usually the client software (ftp/web) do it automatically. – Tim Jun 20 '17 at 19:45

2 Answers


PASV mode enabled/disabled on the GUI client? Try toggling to the other option to see if this makes a difference.

  • I've tried both. Passive times out listing the directory, active has trouble even successfully initiating the connection. – eidylon Jun 20 '17 at 18:36
  • Question for context: are the two FTP sites running on different addresses or the same (host) address? – Jason Chodakowski Jun 20 '17 at 18:38
  • Same IP using virtual hosts. Question updated with that. – eidylon Jun 20 '17 at 18:43
  • I think that may be the issue then; the FTP protocol is a little sparse (it's not like there are VHost headers on every request) so the FTP server is going to be unable to distinguish specifically which virtual FTP host the data control mappings should be sent to (each request is kind of distinct in this way). I'd venture a guess that if you split these two FTP "servers" onto separate IP addresses (and duplicated the firewall work) that this issue would resolve itself. – Jason Chodakowski Jun 20 '17 at 18:47
  • Possibly; according to the IIS docs, it should work. The caveat is that when you log in, you need to use the virtual host name in the username, in the form of `|` . I'm not even sure what's involved in getting additional IP addresses provisioned from Rackspace and all. I have a feeling it would be a whole big thing, and probably needing to get billing involved... so that would definitely be a last resort. – eidylon Jun 20 '17 at 19:16
  • Heh, according to Rackspace's website, you cannot get additional IPs on a server except for use with SSL. "**Because of the global shortage of IPv4 address space, Rackspace currently offers additional IPv4 addresses only for the following purposes: SSL on cloud servers**". – eidylon Jun 20 '17 at 19:37

For future reference for anyone coming looking...

My first stab at making this work was to address the issue in Jason's answer regarding the IP: I moved both sites under one "real" FTP site on the server and used user isolation to limit each login's access to only what they should have. This still didn't work though.

So I took out the Data Control Port Range and External IP of Firewall settings (not even sure what made me think to do that), and then it worked beautifully.

It works; all's good now.

eidylon