Cannot access redirected FTP in active mode.


Cannot access redirected FTP in active mode. DavidM
6/7/2006 6:14:01 AM
I’m trying to move my publicly addressed FTP site from Windows 2000 / IIS 5
to Windows Server 2003 / IIS 6.0 and have encountered a problem with active
mode transfers.

The problem only occurs on Windows Server 2003 / IIS 6.0 and only occurs
while using active mode FTP from a private address (LAN) while my anti-virus
is redirecting to port 2100.

My anti-virus is set to use FTP service port 21 and redirect to (FTP proxy)
port 2100. In IIS the default FTP site is set to use TCP port 2100.

I can access and make transfers to and from the site using Internet Explorer
or other FTP software in passive mode with no problems.

I can access and make transfers to and from the site using FTP.exe or other
FTP software in active mode from any publicly addressed pc (WAN to WAN) with
no problems.

The problem only seems to occur when trying to access (via active mode) the
publicly addressed FTP site from a private (nat) address (LAN to WAN) while
the anti-virus is redirecting to port 2100.

While Anti-virus is redirecting to port 2100:
Active mode FTP from WAN to WAN works.
Active mode FTP from LAN to WAN does not work.

Windows firewall is turned off.

This problem does not occur in Windows 2000 / IIS 5.

What do I need to do to fix this?
RE: Cannot access redirected FTP in active mode. wjzhang NO[at]SPAM online.microsoft.com
6/8/2006 12:00:00 AM
Hi David,

According to your description, it looks like the problem is either on your
private network or firewall setting on those clients but not on the IIS FTP
server. As you know, in FTP active mode, data connection is established
from FTP server (default port is 20) -> client. So this is usually
impacted/blocked by a client side firewall. All the details are documented
in the following article:

Information About the IIS File Transmission Protocol (FTP) Service
http://support.microsoft.com/?id=283679

I'd like to suggest you temporarily shut down the firewall on the
problematic clients or between server and the private network to narrow
down the root cause.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no rights.


RE: Cannot access redirected FTP in active mode. DavidM
6/8/2006 5:26:02 AM
If it's a network or firewall problem then why does it not affect Windows 2000
/ IIS 5? I have 2 servers sitting side by side - one is Windows 2000 / IIS 5
and the other is Windows 2003 / IIS 6. The IIS 5 machine does not exhibit the
problem. As to testing for the firewall, I have tried to access the
servers from my home pc, I have a private address (192.168.0.1) but no
firewall. I can access the IIS 5 machine with no problem, but cannot access
the IIS 6 machine.

If you can email me or tell me how to get it to you, I will give you the IPs
of both servers so that you can test from your end. Access from any public
address works. Access from any private address does not work.

Re: Cannot access redirected FTP in active mode. DavidM
6/8/2006 6:34:02 AM
Hmmm. Good question on the anti-virus - let me get with Trendmicro and I'll
get back to you on that.

On the Firewall, it's not currently running on the server. I turned it off
to eliminate it as the problem. It doesn't seem to matter whether or not it's
running on the workstation. A workstation with a public address can access
the FTP site in active mode with the Windows firewall on or off. A
workstation with a private address cannot.

Re: Cannot access redirected FTP in active mode. DavidM
6/8/2006 7:14:02 AM
To recap: I have been hosting an FTP site on a Windows 2000 / IIS 5 server
for the past five years. That server is running Trendmicro antivirus
configured to "listen" on port 21 and redirecting to IIS port 2100. I had
always assumed that it was also scanning data coming through port 20 and
forwarding the data through another port (2099 ?) to the FTP folders on the
server. I'm now trying to find out from Trend if this assumption is correct.
In any case, various clients have been able to access the site in both
active and passive mode for the past 5 years.

I have now set up a Windows 2003 / IIS 6 server configured the same as the
Windows 2000 / IIS 5 server. Clients with a private address cannot access
the site in active mode.

What is different between IIS 5 and IIS 6 in this regard?

Re: Cannot access redirected FTP in active mode. DavidM
6/8/2006 7:27:01 AM
Robin,
Let me apologize. There is an additional item that I just now tested for
and got unexpected results. I'm hosting a web site (http) on the same server
(the Windows 2003 / IIS 6 server) on another public address. Both addresses
are bound to the same NIC. When I removed the second address (the one for
the WWW site) the FTP problem went away. Now I really don't know what's
happening.

Re: Cannot access redirected FTP in active mode. DavidM
6/8/2006 7:49:02 AM
I now have the WWW and FTP set to the same address and the problem appears to
be resolved. I'm still not sure why there was a problem using multiple
addresses, but since I have no compelling reason to keep them separate maybe
this is the solution. I've still got some additional conditions to test, and
I'm waiting on a reply from Trendmicro.

Re: Cannot access redirected FTP in active mode. Robin Walker [MVP]
6/8/2006 2:04:27 PM

What is the point of this? No data travels on the command stream to port
21, so what is the "anti-virus" actually doing?


Do you mean Windows Firewall on the FTP LAN client, or Windows Firewall on
the Server?

What Firewall settings do you have on the server?

--
Robin Walker [MVP Networking]
rdhw@cam.ac.uk

Re: Cannot access redirected FTP in active mode. Robin Walker [MVP]
6/8/2006 2:39:06 PM

For an FTP client behind a NAT router, Active Mode will only work by virtue
of special action being taken inside the NAT router: special Application
Layer Gateway (ALG) code needs to be able to recognise an active mode FTP
transfer being negotiated on the FTP command stream, and specially arrange
to allow the Active Mode TCP connection back from the server through the NAT
back to the FTP client. Such ALG code needs to be able to recognise an FTP
command stream as being such. The usual rule is that a TCP connection to
remote port 21 is taken to be an FTP command stream.

This rule means that for most NAT boxes, Active FTP does not work when the
FTP command stream is connected from the client to a non-standard server
port (anything other than 21). This is regardless of type of server or
anti-virus.

It isn't clear from your report whether you are trialling your IIS 6 server
by connecting to port 21. If you aren't, then Active Mode FTP will not work
through a client-end NAT router.

--
Robin Walker [MVP Networking]
rdhw@cam.ac.uk

Re: Cannot access redirected FTP in active mode. Robin Walker [MVP]
6/8/2006 3:55:53 PM

That makes sense. No doubt the "Active Mode" data connection attempts were
marked as emanating from the "other" public address on the NIC, and thus
were being dropped by the client-side NAT box, as they didn't match the
rules for a reverse connection attempt from the FTP server.

--
Robin Walker [MVP Networking]
rdhw@cam.ac.uk
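
[Added example, not part of any post in this thread.] The two NAT behaviours described in the replies above (the ALG only inspecting command streams to port 21, and the reverse data connection being dropped when it arrives from a different server address) can be reproduced with a small model of a client-side NAT. The class and function names are hypothetical and the public addresses are constructed from documentation ranges; real NAT devices differ in detail.

```python
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

class ClientNat:
    """Toy client-side NAT whose FTP ALG inspects only flows to port 21."""

    def __init__(self, public_ip, alg_ports=(21,)):
        self.public_ip = public_ip
        self.alg_ports = set(alg_ports)
        self.next_port = 50000
        self.pinholes = {}  # (server_ip, public_port) -> (lan_ip, lan_port)

    def outbound_command(self, server_ip, server_port, line):
        """Return the control-channel line as forwarded to the server."""
        m = PORT_RE.match(line.strip())
        if server_port not in self.alg_ports or not m:
            return line  # not treated as FTP: private address passes unchanged
        a, b, c, d, p1, p2 = m.groups()
        lan = (f"{a}.{b}.{c}.{d}", int(p1) * 256 + int(p2))
        public_port, self.next_port = self.next_port, self.next_port + 1
        # The pinhole only admits the server address seen on the control flow.
        self.pinholes[(server_ip, public_port)] = lan
        hi, lo = divmod(public_port, 256)
        return f"PORT {self.public_ip.replace('.', ',')},{hi},{lo}"

    def inbound_syn(self, src_ip, dst_port):
        """Return the LAN endpoint a data SYN is forwarded to, or None if dropped."""
        return self.pinholes.get((src_ip, dst_port))


def demo():
    nat = ClientNat("203.0.113.10")          # constructed public address
    ftp_ip, www_ip = "198.51.100.20", "198.51.100.21"  # two addresses, one NIC
    cmd = "PORT 192,168,0,1,19,137"          # LAN client 192.168.0.1, port 5001
    return {
        # Control stream to port 21: ALG rewrites PORT and opens a pinhole.
        "rewritten": nat.outbound_command(ftp_ip, 21, cmd),
        # Data connection from the same server address is let through.
        "from_ftp_ip": nat.inbound_syn(ftp_ip, 50000),
        # Data connection sourced from the other address does not match.
        "from_www_ip": nat.inbound_syn(www_ip, 50000),
        # Control stream to port 2100: no inspection, no rewrite, no pinhole.
        "port_2100": nat.outbound_command(ftp_ip, 2100, cmd),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
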

Re: Cannot access redirected FTP in active mode. engfelt NO[at]SPAM gmail.com
6/12/2006 1:14:27 PM
Have you forwarded Port 20-21 and the passive mode ports:
For Windows 2003 Server

a) To Enable Direct Metabase Edit
1. Open the IIS Microsoft Management Console (MMC).
2. Right-click on the Local Computer node.
3. Select Properties.
4. Make sure the Enable Direct Metabase Edit checkbox is checked.

b) Configure PassivePortRange via ADSUTIL script
1. Click Start, click Run, type cmd, and then click OK.
2. Type cd Inetpub\AdminScripts and then press ENTER.
3. Type the following command from a command prompt.
adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700"
4. Restart the FTP service.

http://support.microsoft.com/kb/555022/en-us

Best regards
Niklas Engfelt
