IIS7 - Publishing

Re: FTP - Can access from LAN, but timeout from WAN

NeanDuhTall — Thu, 28 May 2009 00:08:04 GMT

OK - I finally got FTPS working thru my Firewalls (there are actually two hardware firewalls in series, plus the Windows Firewall running on the Win 2008 Web/FTP Server).

The final problem with being unable to establish a Data channel connection on the specified port range was traced back to the Port Redirection rules in my Router (which is actually between my hardware firewall and the actual internet).

Turns out that it is unable to actually map an external port range to an internal one properly in the Port Redirection settings. I deleted the rule and just rely on the port range specified in the Open Ports settings area to map them thru to the DMZ hardware firewall

Works fine now from the internet. I can open an Explicit FTP over SSL/TLS session from FileZilla, SmartFTP or FireFTP clients.

And Lex, in reply to your last question - The IP address that I masked out was the WAN side of my hardware firewall. Yes, I guess I could remove the IP address specified in the FTP Firewall Support area in IIS and it might work as the hardware firewall then wouldn't see an address conflict in the PASV mode request reply packet. But, as I was aiming for FTP over SSL ultimately (I don't allow non-SSL connections to my FTP sites) and it works then I don't need to do this. However, for anyone who has a Snapgear firewall (or indeed any firewall appliance that uses the same Linux kernel as the Snapgear unit that I have - a Snapgear SME550 (also known as an SG550) and they want to use plain passive mode FTP through it, then your idea could be the way to get it to work. I am guessing that if you did this, then it would be up to the client software to make an assumption about the IP address to attempt the connection on?

Thanks for all your help guys, much appreciated.

Re: FTP - Can access from LAN, but timeout from WAN

lextm — Wed, 27 May 2009 10:24:16 GMT

Is the IP address you masked out the IP address of the FTP server? Or it is simply the address of the firewall device?

If it is the firewall address, you may consider remove External Firewall IP Address setting in FTP 7.5 and test again. Some firewall products do not support that feature.

Re: FTP - Can access from LAN, but timeout from WAN

NeanDuhTall — Wed, 27 May 2009 06:28:22 GMT

OK, analyzing the error on the Hardware firewall shows a fundamental problem with plain (un-encrypted) FTP thru this device - the conntrack_ftp module is opening the reply packet from the server and silently dropping it because the IP address specified in the reply (which is the IP address specified in the FTP Firewall Support settings page in IIS) doesn't match the IP address that the packet is being sent from (which is the internal IP address of the FTP server).

It recognizes this as it drops the packet silently - hence the reply never gets to the client. Crappy.

I thought of a workaround though - use FTP over SSL - which is actually what I was aiming for in the end anyway. That way, the packets will be encrypted and the Hardware firewall will be unable to do anything 'smart' with them. It will just have to deliver it as per the rules that I have defined.

Trying this succeeds! FTP over SSL shows the server replying and the Client then attempts to open a connection on the external IP/port in the reply...

but now I am getting a timeout at the Opening BINARY mode data connection point:-

Command: PASV
Response: 227 Entering Passive Mode (*,*,*,*,19,43).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out Error: Failed to retrieve directory listing

Once again, I've obfuscated the IP address (for what it is worth...).

Who would have thought it would be THAT hard to get something as old as FTP working?

I'll tackle it again from the office tomorrow (at home now - the sun set while I was doing this stuff!).

Re: FTP - Can access from LAN, but timeout from WAN

NeanDuhTall — Wed, 27 May 2009 05:15:29 GMT

Ah, man I'm tired now. I've spent the whole day looking this one over, researching and trying different things and I am still stuck on this:

The reply from the FTP server 227 Entering Passive Mode (192,170,1,1,19,41)., which contains the Data port range info for the client to connect on just doesn't appear to be getting to the client machine (Wireshark logs in the previous post hint at that as there is just nothing in the Client after the PASV command is issued). This is totally weird - it's like the whole TCP conversation just ends after the server sends the reply to the client.

The client never even attempts to connect to the Data port as it never receives the 227 Entering Passive Mode (192,170,1,1,19,41). response from the server telling it which ports to connect on.

I took a close look at the Hardware Firewall System Logs and this is what I see when a client FTP session fails at the PASV command:-

May 27 16:38:19 kernel: conntrack_ftp: ip mismatch: 192,170,1,1 != 192.168.1.*
May 27 16:38:26 last message repeated 5 time(s)
May 27 16:38:26 kernel: conntrack_ftp: ip mismatch: 192,170,1,1 != 192.168.1.*
May 27 16:38:35 last message repeated 1 time(s)

I've obfuscated the last octet in the IP addresses with *'s for posting here (probably not worth doing but hey) I did a little Googling on the conntrack_ftp bit and some of it looked worriesome - these messages might indicate that my return message packet is getting silently dropped by the firewall (perhaps???) due to some obscure error. I am unsure though as I don't know much about the Linux kernel that runs in the Snapgear firewall.

I've double checked the Data Port ranges in both the IIS settings and in the Hardware Firewall Filters and NAT rules and they are identical (I used 4900-4910 as per your (Steve's) blog post).

Re: FTP - Can access from LAN, but timeout from WAN

steve schofield — Wed, 27 May 2009 02:34:21 GMT

Yeah FTP 7.5 (7.0) cache stuff. restarting the service 'resets' if you will settings so new ones can take effect. I would verify the PASV ports are identical. You are close :P

Re: FTP - Can access from LAN, but timeout from WAN

NeanDuhTall — Tue, 26 May 2009 23:42:10 GMT

OK, I found a post that Lex had replied to elsewhere (here) in the Forum that described the problem with FTP 7.5 not honouring the data port range set in the IIS FTP Firewall Support settings.

Apparently, you need to restart the Microsft FTP Service to get it to pick up the new port range.

I did this and now the server is replying with a port in that range... but the client still isn't getting the directory listing. So, back to checking the firewall settings for the Data Port range both the (Windows firewall and the Hardware firewall).

Re: FTP - Can access from LAN, but timeout from WAN

NeanDuhTall — Tue, 26 May 2009 23:05:21 GMT

Thanks for the reply Steve.

And, thanks for putting my attention back on the Hardware firewall - there was indeed a problem with it's settings - I only had Destination NAT rules in place and I needed to add in a couple of Source NAT rules to alter the source of the traffic to be the Firewalls LAN port IP address.

Once I added these, I was able to establish the control traffic over port 21 between the internet based test client and the internal FTP server.

The only problem is now in the switch to PASV mode - for some reason (and I will investigate settings on the FTP server after posting this) the server is telling the client to connect to a data port that isn't in the range I specified in the IIS FTP Managment tools (and hence isn't open thru the Firewall appliance).

I've included the transcripts from Wireshark session on both the client and the server below FYI:

Wireshark capture on Client (Client chatter is in red, Server chatter is in blue):-

220 Microsoft FTP Service
USER *******
331 Password required for *******.
PASS *******
230 User logged in.
OPTS UTF8 ON
200 OPTS UTF8 command successful - UTF8 encoding now ON.
PWD
257 "/" is current directory.
TYPE I
200 Type set to I.
PASV

Wireshark capture on Server (Client chatter is in red, Server chatter is in blue):-

227 Entering Passive Mode (192,170,1,1,225,65).

The client side times out, never apparently making the connection - and it rightly so it would appear as the port number looks to be 57665 (correct me if I calculated this wrong) which isn't within the range I that I opened in the Firewall - or in the FTP Firewall Support settings in IIS on the FTP server (now that's a problem...).

Re: FTP - Can access from LAN, but timeout from WAN

steve schofield — Tue, 26 May 2009 01:27:30 GMT

I would run wireshark on both sides to capture the traffic, 1 on the laptop and 1 on the destination server. For troubleshooting purposes, I would turn off windows firewall to eliminate the secondary firewall rule. I also double check your windows firewall rules to see if you have restricted certain ip's or vlans. From your description, the problem appears to be with the hardware firewall, all signes point to that since everything works internally w/o issues.

Re: FTP - Can access from LAN, but timeout from WAN

NeanDuhTall — Mon, 25 May 2009 21:39:12 GMT

Hi Lex,

thanks for taking the time to reply. In reply to your question - yes, the destination addresses of the packets from the test client are the same as that which the FTP service is bound to in IIS.

The test setup is as follows:-

Laptop Test Client (connected to WAN side of Hardware Firewall for testing):-

Windows Server 2008 Standard
Fixed IP Address
Telnet client session: TELNET [WAN port IP address of Firewall Appliance] 21

Hardware Firewall:-

Snapgear SME550
NAT rule and matching packet filter accept/forward rule for inbound FTP traffic on port 21. Forwarding to [Internal FTP Server IP Address, port 21]
NAT rule and matching packet filter accept/forward rule for inbound FTP traffic on port range 4900-4910. Forwarding to [Internal FTP Server IP Address, port range 4900-4910]

Internal Web/FTP Server:-

Windows Server 2008 Enterprise SP1, IIS 7, FTP 7.5 (Original IIS7 FTP role never installed/enabled)
Windows Firewall Rule to accept inbound TCP traffic for all ports that the Microsoft FTP Service is listening on, for all profiles (Domain, Private and Public), all interface types and with a scope of any IP address for both Local and Remote addresses.
3 websites in IIS 7, published with the FTP service, each with an FTP binding to [Internal FTP Server IP address, port 21] with a Host Name set to match the public FQDN of the associated website (e.g. "ftp, 21, www.abc.com, [Internal Server IP Address]", "ftp, 21, www.def.com, [Internal Server IP Address]" and "ftp, 21, www.ghi.com, [Internal Server IP Address]")
FTP Firewall Support settings for each site are:-

Data Channel Port Range: 4900-4910
External IP Address of Firewall: [WAN Port IP Address of Hardware Firewall Appliance]

Using the Telnet session on the test client Laptop with the following: TELNET [WAN port IP address of Hardware Firewall Appliance] 21, a Wireshark capture session running on the [Internal FTP Server IP Address] shows three packets ariving with the following details:-

Source IP Address and port: [Fixed IP Address of Laptop test client] on a random port
Destination IP Address and port: [Internal FTP Server IP Address] on port 21

There are no replies to these packets and the Telnet session on the client times out.

I hope this helps some. Any suggestions about where I might be going wrong?

Note that there are four virtual NIC's in the internal Web/FTP Server machine with the FTP/associated web site HTTP bindings attached to one of them. All the sites have Host Names set (i.e. they use host headers). The other NIC's are used or other sites (SharePoint sites, Project Server PWA sites etc.) and services on that machine.

Re: FTP - Can access from LAN, but timeout from WAN

lextm — Mon, 25 May 2009 08:38:54 GMT

What destination IP address was captured by Wireshark for the FTP requests? Is it one of the IP addresses FTP service is monitoring?

If not, the requests will be ignored.

FTP - Can access from LAN, but timeout from WAN

NeanDuhTall — Mon, 25 May 2009 07:51:13 GMT

Hi all,

I've downloaded and set up the FTP 7.5 server software from Microsoft, on a Windows Server 2008 Enterprise SP1 machine with IIS7 (actually a Hyper-V VM). I've then published a couple of existing basic public websites using the FTP software, using the FTP managment tools in IIS and have opened the necessary ports to allow passive mode FTP access (port 21 for Control Traffic and a restricted port range of 4900-4910 for Data Traffic)

This all works fine from any machine on the LAN using FileZilla or even testing manually using a Telnet client.

However, I am completely unable to access the FTP service from the Internet - and yes, I have opened ports 21 and 4900-4910 in our hardware firewall appliance and forwarded them to the Windows Server hosting the FTP service. The initial connection attempt simply times out with either FileZilla or using a Telnet client session.

I've run diagnostic logging on our firewall appliance (a SnapGear SME550) and can see the packets being recieved from the test client and then being forwarded on to the internal FTP server machine. I've also installed WireShark on the FTP server machine and can see the packets landing at the server on port 21 - but the server does NOT respond?

I've enabled logging on the FTP server machine in Windows Firewall for both rejected and accepted packets, under each of the profiles (Domain, Private and Public), and interestingly enough - the packets are never logged! It's like Windows Server just doesn't see them! Likewise in the FTP logs - no trace can be found - which would follow as they don't appear to be getting noticed, even by the firewall software? And yet WireShark clearly shows them reaching the machine.

It's like the FTP server machine isn't accepting any traffic that doesn't originate from the local subnet!? And yet, this same machine is happily hosting HTTP and HTTPS websites that are served up on the internet and deals with internet sourced traffic for them without a hitch.

I'm going nuts trying to figure this one. I've checked and re-checked every setting in all of the firewalls and in the FTP service/IIS.

Any suggestions (please...)?