
iis ftp : How to configure the port range for passive FTP connection ?



Elga
10/2/2004 3:39:02 PM
I need to limit the port range for passive FTP connections, from the 1025-5000
default range to a few ports (for example, 1025-1030), in order to open those
ports in my router/firewall.

I found something about changing metabase.xml in the IIS Help, but it
is so vague, and I couldn't do anything useful with it.

Where can I change this in the Win2003 IIS manager?
If it is only possible in the metabase, send me an example, please!

Thanks,

Elga
10/3/2004 5:43:01 PM
Thanks, Bernard.
A few minutes after I had posted my question, I discovered your article in
another thread.
I followed the instructions, and I solved the first part of my problem: opening
a limited range of ports.

But I saw another obstacle: my server is behind a NAT. This is an appliance
that works as a mix of router, firewall and NAT. I use this appliance to
share the Internet connection in my LAN.
When my FTP server answers a client request in passive mode, it sends its
local IP instead of the external IP used in Internet connections. Because of
this, the client will try to connect to an IP that doesn't exist on the
Internet.

Is there any solution for this ?
Could I force the FTP server to send the external IP in the answer to PASV
command ?

Thanks,

Elga.


Bernard
10/4/2004 12:29:20 AM
Have you tried this?

How To Configure PassivePortRange In IIS
http://support.microsoft.com/?id=555022

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/




Bernard
10/4/2004 10:46:02 AM
This was discussed weeks ago, again this is sort of 'by design' in current
implementation.
I would suggest you read the following:

Watch out for URL wrap:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&frame=right&th=ee013501d615f1c0&seekm=3A488543-D58D-4F84-ABCF-055E9F7C0084%40microsoft.com#link1


--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/




David Lewis
10/4/2004 5:00:09 PM
OK, so this must be the same issue I am having.

I have raidenftpd running at home on a non 21 port on a linksys befsr81. It works just fine, but I have never tested it
with IE since it is a SSL only ftp site.

At my main office I have a sonic wall tz170 using IIS in windows 2003 and I did nothing special and it works out of the
box with smartftp and IE.

My satellite office has a linksys befsr41 and windows 2000 ftp server.

So to sum up what you are saying is browsing a ftp site via IE is not possible with a cheepo linksys router?


"Bernard" <qbernard@hotmail.com.discuss>
|>This was discussed weeks ago, again this is sort of 'by design' in current
|>implementation.
|>I would suggest you read the following:
|>
|>watchout for url wrap:
|>http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&frame=right&th=ee013501d615f1c0&seekm=3A488543-D58D-4F84-ABCF-055E9F7C0084%40microsoft.com#link1

Alun Jones [MSFT]
10/4/2004 5:04:05 PM

If the BEFSR81 is running as a NAT, then that site will not work in PASV
mode, and will only work with clients in active mode if those clients have
public IP addresses. That's a hazard with FTP over SSL - because you've
encrypted the traffic, the NAT cannot possibly monitor and change it to
alter the address or port. Setting the IP address specifically is not
necessarily a reliable answer - the letter missing from NAT is P - NAPT is
the strict term, for "Network Address and Port Translation".

As you can imagine, if the port on the outside is different from the port
inside the NAPT device, you will inadvertently be connecting those FTP data
connections to random ports unassociated with them.

|> So to sum up what you are saying is browsing a ftp site via IE is not possible with a cheepo linksys router?

I've had it work fine with a BEFSR41 - however, the control channel needs to
be unencrypted, and the FTP server needs to be bound to port 21.

Alun.
~~~~

David Lewis
10/5/2004 2:24:33 PM
2 separate issues here.
My home site with a non standard port and SSL works just fine, even with
users behind nat. The only problem I have is companies that block high port
access. Oh well:))

The other issue was solved in IE options by turning off "use passive FTP".


"Alun Jones [MSFT]" <alunj@online.microsoft.com>
|>> I have raidenftpd running at home on a non 21 port on a linksys befsr81.
|>It works just fine, but I have never tested it
|>> with IE since it is a SSL only ftp site.
|>
|>If the BEFSR81 is running as a NAT, then that site will not work in PASV
|>mode, and will only work with clients in active mode if those clients have
|>public IP addresses. That's a hazard with FTP over SSL - because you've
|>encrypted the traffic, the NAT cannot possibly monitor and change it to
|>alter the address or port. Setting the IP address specifically is not
|>necessarily a reliable answer - the letter missing from NAT is P - NAPT is
|>the strict term, for "Network Address and Port Translation".
|>
|>As you can imagine, if the port on the outside is different from the port
|>inside the NAPT device, you will inadvertently be connecting those FTP data
|>connections to random ports unassociated with them.
|>
|>> At my main office I have a sonic wall tz170 using IIS in windows 2003 and
|>I did nothing special and it works out of the
|>> box with smartftp and IE.
|>>
|>> My satellite office has a linksys befsr41 and windows 2000 ftp server.
|>>
|>> So to sum up what you are saying is browsing a ftp site via IE is not
|>possible with a cheepo linksys router?
|>
|>I've had it work fine with a BEFSR41 - however, the control channel needs to
|>be unencrypted, and the FTP server needs to be bound to port 21.
|>
|>Alun.
|>~~~~
|>