0

I am at a large University, with servers set up on the University network. The network has internal (10...) IP addresses, and external (129...) IP addresses. I have a ColdFusion-based business process which FTPs data from an external server.

The server on which the ColdFusion instance is based has several (about 10) IP addresses associated with it, both internal and external. It has one primary address, which has been, until recently, external.

Using Wireshark, we have been able to see which IP is used, and it is never the primary, but other than that, does not seem to follow any logic.

We recently changed the primary IP for the server to an internal address, to comply with new University-wide security policies, and the FTP connection from ColdFusion stopped working. Using Wireshark, we've confirmed it is going out on one of the internal (10...) IP addresses (not the primary).

Is there a way to control which IP ColdFusion uses for an FTP connection, either through system configuration, or programmatically?

Code for the FTP call:

var ftpService= new ftp(
    username = partnerConfig.sftpLogin,
    connection = "MyConnection",
    password = partnerConfig.sftpPw,
    fingerprint = partnerConfig.sftpFingerprint,
    server = partnerConfig.sftpServer,
    secure = "yes"
);
var result=ftpService.open();
var result2=ftpService.listdir(directory = partnerConfig.inFolder, name="dirlist");
var result3=result2.getResult();

EDIT: My server guy tells me that this University is fairly unique in how it configures the subnets. NO firewall exceptions are allowed from the 10.* subnet. The "Public" IPs are not public by default, simply the ones which are capable of having exceptions.

FURTHER EXPLANATION: It comes down to the rules and IP addresses the main IT org at the university set up. The 10.x.x.x IPs are never allowed access outside the university ("internal"). 129.x.x.x IPs may have firewall exceptions ("external"). If I type ipconfig (it's Windows), I see about 10 static IP addresses, half of which are 10.x.x.x, and half of which are 129.x.x.x. When the "primary" IP for the machine was a 129.x.x.x address, ColdFusion chose one of the OTHER 129.x.x.x addresses for the outgoing IP for the connection. With the "primary" IP switched to a 10.x.x.x IP, ColdFusion is choosing one of the OTHER 10.x.x.x addresses for the outgoing connection. My choices, as far as I can tell, are: 1) Switch the primary back to a 129.x.x.x for the server; 2) Move the site to a different server with a primary of 129.x.x.x, and keep other sites on the server in compliance with the new policy; 3) See if I can figure out how to control which IP ColdFusion chooses from the 10 static IPs on the server.

John Weber
    What kind of error message are you getting? Based on your recent IP changes, it may be that the FTP server is configured to listen on an IP address that is no longer valid. – imthepitts Jun 09 '14 at 21:10

3 Answers

1

Our admin figured it out. We needed to add a static route to the server, so that whenever ColdFusion (or any application) tries to connect to the specific destination we were FTPing to, it goes through a specific outgoing IP address.

This was not something I was familiar with, but a quick search gives the basics: http://technet.microsoft.com/en-us/library/dd469825.aspx

John Weber
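A way to confirm which source address the operating system selects for the partner's server, before and after the static route is added, without a packet capture. This is an added example, not code from the original post; it is Python rather than ColdFusion, and the default port 22 and the loopback fallback host are assumptions.

```python
import ipaddress
import socket

# Per the question: 10.x.x.x addresses never get a firewall exception.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def selected_source(dest_host, dest_port=22):
    """Return the local IP the OS picks for an unbound socket to dest_host.

    connect() on a UDP socket sends no packets; it only makes the OS run
    its route lookup and source address selection, which getsockname()
    then reports.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_host, dest_port))
        return s.getsockname()[0]


def egress_allowed(source_ip):
    """False when the source is in the range that is never let out."""
    return ipaddress.ip_address(source_ip) not in INTERNAL_NET


def check_route(dest_host, dest_port=22, expected_source=None):
    """Summarise what a connection to dest_host would use as its source."""
    src = selected_source(dest_host, dest_port)
    return {
        "destination": dest_host,
        "source": src,
        "egress_allowed": egress_allowed(src),
        "matches_expected": expected_source is None or src == expected_source,
    }


if __name__ == "__main__":
    import sys
    # Usage: python check_source.py <partner-host> [expected-source-ip]
    # The loopback default is a placeholder so the script runs offline.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_route(host, expected_source=expected))
```

Run it on the server itself against the partner's host: if `egress_allowed` is false, the connection is leaving from a 10.x.x.x address and the route is not taking effect for that destination.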
0

You have an internal IP address and you are not sure what the external is? This sounds like a network bridge issue. What you are looking for is FTP proxy or some tool that associates an externally assigned IP to an internally assigned IP for port 22 (or whatever you set your port to). Look at: http://wiki.squid-cache.org/Features/FtpGateway

FTP reverse proxy

It sounds like your IPs (even internally) may not be static... or maybe it just feels that way. Make sure your internal IP is static.

Read about FTP port forwarding: Here are some port forwarding guides.

Other keywords FTP bridge, FTP one-to-one mapping, among others.

Good luck.

Frank Tudor
0

I had a similar question regarding the cfmail tag:

Force cfmail tag to send from a specific server IP address

Unfortunately, I didn't get an answer that worked. ColdFusion seems to pick (seemingly at random) which source IP address is used.

Scott Jibben