
iis ftp : Problem with NAPT?


Jeff Talamini
12/21/2004 10:17:03 PM
I have a windows 2000 server with SP4 and IIS. IIS is setup for web and ftp
hosting. The server is connected to my local home network which is behind a
linksys router that is connected to cable modem service. FTP within my home
network works fine. On the Linksys I have port forwarding setup on ports 20
and 21 for FTP from the Internet. When a client who is on a local area
network at a remote office and behind a Sonicwall firewall connects to my
server via my public IP address for FTP, all works fine. He can connect to
the server using FTP in IE or at the command prompt.

When I change the FTP port in the IIS console for the FTP site and then
connect with FTP (in IE or command line) within my home network using the new
port number all works fine. I will then make the necessary changes in port
forwarding in the Linksys router so that the Internet can connect via the new
port number. When the same client attempts to connect using FTP with the new
port number, they are unable to do so either in IE or at the command line. I
did open port 20 and even 920, the number below 921 the changed FTP port
number. I even put the server in the DMZ so that all ports would be open. I
even had the client change the passive FTP check box in Internet options all
with no success.

I've come to the conclusion that it's a NAPT problem but I don't want to
leave my server open on the default ports.

Thanks for any help.

Alun Jones [MSFT]
12/22/2004 8:56:16 AM
I have yet to see a NAPT that does any FTP translation on any port other
than the default port.

I don't think that you'll really find that moving to a different port is
going to provide you with the protection that you seek. Every so often, I
run a 'sacrificial' server, and it's not just found by FTP clients, but
WWW-based worms as well. That suggests that a large number of attackers
will scan for all open and responding ports, and try whatever attack they
have handy.

I think the answer you're going to find best is to leave your FTP server at
port 21, and simply make sure you keep it protected by patches and monitored
by log auditing.

Alun.
~~~~
--
Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.

Jeff T
12/22/2004 9:19:11 AM
Alun,

Thanks for your help. I was afraid this was the answer to my problem, but I
will keep security tight and all updates. Are IIS updates still separated
from the Windows updates and obtained manually on the MS website? If so, can you
give me a link to the IIS updates?

Thanks again,

Jeff

Bernard
12/23/2004 11:36:40 AM
Fixes are delivered via Windows Update; however, you shouldn't rely on it.
In fact, you should get MBSA to scan for any missing patches / fixes.

www.microsoft.com/mbsa/


--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/