Thread: Data Channel Port Range Grayed Out?

Last post 07-23-2009 9:48 AM by Diablo_rdk. 3 replies.

  • 04-16-2009, 6:54 PM

    • kgolding
    • Not Ranked
    • Joined on 08-24-2006, 9:45 PM
    • Posts 3

    Data Channel Port Range Grayed Out?

    I just installed the new 7.g ftp services and I have been struggling with firewall rules, as I need to configure an external firewall to allow the data ports, however, the Data Channel Port Range box is grayed out, so I cannot configure what ports it should use, and I have no idea what ports may be configured by default.


    I have tried setting the external IP, but that did not help in either passive or active mode.
    There is a warning message in the upper left of the IIS Manager that says: “To accept passive connections when you are using FTP over SSL (FTPS) or when your firewall does not filter packets, configure the external IPv4 address of your firewall.”, which I think is suggesting that I add firewall allow rules for the Data Channel Port Range of [0-0]…?


    Also, when I add an external IP address of the firewall, I get a dialogue saying “Please configure your firewall to allow FTP access for both the control channel and data channel port range”. Which I would just love to do, but I cannot find a place that says what the control channel is, and the interface will not allow me to change the Data Channel Port Range from 0.


    Anyway, this is a Windows 2008 x64 machine sitting behind a pix firewall. The local Windows 2008 firewall is currently off, as I did not want it in my problem space.


    Anyway, I am definitely confused.

  • 04-16-2009, 8:10 PM In reply to

    Re: Data Channel Port Range Grayed Out?

    I guess we didn't phrase the warning very clearly, did we? That's what oftentimes happens when a complicated topic is compressed to one sentence :-(

    So what is "To accept passive connections when you are using FTP over SSL (FTPS) or when your firewall does not filter packets, configure the external IPv4 address of your firewall." supposed to mean?

    The FTP protocol requires a so-called "data channel" to be negotiated each time a data transfer (such as a directory listing, file download, or file upload) is to happen. There are 2 main ways to negotiate "data channel" connections. One of them, which is used by most clients these days, will make the client send a "PASV" command that will in turn cause the server to respond with the IP address and port for the client to connect to.
    The IP address of the server may be automatically overwritten by the firewall to the external-facing IP address value if deep packet inspection is enabled on the firewall. If that is not the case, then you need to use the Firewall Support feature to overwrite the IP address to be sent back to the client directly on the server.

    Anyway, the description above may not make much sense to you. Would you please let me know what exactly you are up to? Do you plan to configure SSL for FTP? Or is your goal to just set up an old school FTP server without SSL? I don't want to dump confusing details onto the thread if they don't relate to your scenario.

     

    Jaroslav Dunajsky (MSFT, IIS)
  • 04-16-2009, 10:16 PM In reply to

    • kgolding
    • Not Ranked
    • Joined on 08-24-2006, 9:45 PM
    • Posts 3

    Re: Data Channel Port Range Grayed Out?

    Ok, I think I found the source of my problem. I was confused by the grayed out/disabled box asking for the port ranges in my configured site, as I was sure I needed to add allow rules to my firewall for that port range, which was defaulted to [0-0]. I just discovered that the port range can only be configured at the server level. It's grayed out at any configured FTP Site level. Now that I see it, I can see why it was done that way, but it is very confusing at 1st glance.


    Perhaps the error should read more like:

    To accept passive connections when you are using FTP over SSL (FTPS) you may need to configure allow rules for this server's Data Channel Port Range and this site's port binding.

    If anyone else runs into the grayed out Data Channel Port Range box, click on the server node above [Application Pools], then open the FTP Firewall Support tool.

  • 07-23-2009, 9:48 AM In reply to

    Re: Data Channel Port Range Grayed Out?

    Hi,

    I had the same issue, so this was helpful up to a point.

    When logging on with a FTP client I can see that it can open the control channel but not the data channel.

    I have now set my range but I have not been able to do two things:

    1: Find how to set up the range in my firewall.
    2: When temporarily disabling the firewall, I can see that the FTP client can open the data channel, but unfortunately it will not let me upload files with an account I added to the "IISManager Users" after I installed the "ISSManagerAuth" at the site and added an allow rule with read, write access for the new account.

    What am I missing?

    Kind regards.

    Edit: As to your question:

    JaroDunajsky:

    Anyway, the description above may not make much sense to you. Would you please let me know what exactly you are up to? Do you plan to configure SSL for FTP? Or is your goal to just set up an old school FTP server without SSL? I don't want to dump confusing details onto the thread if they don't relate to your scenario.


    I want to set up an old school FTP server.
