FTP IIS Server while connected to VPN?

6 replies

Last post Nov 25, 2016 02:58 AM by administrator.

  • FTP IIS Server while connected to VPN?

    Aug 16, 2016 03:21 AM|seanvree

    I'm running an IIS FTP server from a Windows 10 Enterprise box. Windows firewall is disabled.

    The server is also connected to a VPN. 

    The problem is that clients can't connect to the FTP server via PASV when the server is connected to the VPN. I assume that's because I can't open the data port range on the VPN config? I can connect to the FTP control port, but it's unable to connect via PASV. I can disable the VPN and it works fine.

    Error from client is the following: 


    Status: Connecting to 71.197.148.35:8889... 
    Status: Connection established, waiting for welcome message... 
    Status: Insecure server, it does not support FTP over TLS. 
    Status: Logged in 
    Status: Retrieving directory listing... 
    Status: Server sent passive reply with unroutable address. Using server address instead. 
    Command: LIST 
    Response: 150 Opening BINARY mode data connection. 
    Error: The data connection could not be established: ECONNREFUSED - Connection refused by server 

    I can do an open port check using the WAN address and it's open. 

    So, how would I configure Windows/IIS to use the internal LAN address 192.x.x.x.x. and NOT the VPN IP? I've already set the binding of the FTP site in IIS to the LAN static IP 192.x.x20 but that still doesn't work.

    Thoughts?

  • Re: FTP IIS Server while connected to VPN?

    Aug 17, 2016 05:31 AM|Jean Sun

    Hi,

    Could you please check your IIS FTP log, so we can find out the reason for this issue in the log?

    Best Regards,

    Jean

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: FTP IIS Server while connected to VPN?

    Aug 17, 2016 08:26 AM|seanvree

    2016-08-17 08:02:34 192.168.1.1 - 192.168.1.20 21 ControlChannelOpened - - 0 0 dcc49917-0505-4347-8984-bbe51e55bf6b -
    2016-08-17 08:02:34 192.168.1.1 - 192.168.1.20 21 USER plexguest 331 0 0 dcc49917-0505-4347-8984-bbe51e55bf6b -
    2016-08-17 08:02:34 192.168.1.1 VREEPLEXDESKTOP\PlexGuest 192.168.1.20 21 PASS *** 230 0 0 dcc49917-0505-4347-8984-bbe51e55bf6b /
    2016-08-17 08:02:34 192.168.1.1 VREEPLEXDESKTOP\PlexGuest 192.168.1.20 21 opts utf8+on 200 0 0 dcc49917-0505-4347-8984-bbe51e55bf6b -
    2016-08-17 08:02:34 192.168.1.1 VREEPLEXDESKTOP\PlexGuest 192.168.1.20 21 PWD - 257 0 0 dcc49917-0505-4347-8984-bbe51e55bf6b -
    2016-08-17 08:02:34 192.168.1.1 VREEPLEXDESKTOP\PlexGuest 192.168.1.20 21 CWD /FTP/Movies/ 250 0 0 dcc49917-0505-4347-8984-bbe51e55bf6b /FTP/Movies
    2016-08-17 08:02:34 192.168.1.1 VREEPLEXDESKTOP\PlexGuest 192.168.1.20 21 TYPE A 200 0 0 dcc49917-0505-4347-8984-bbe51e55bf6b -
    2016-08-17 08:02:34 192.168.1.1 VREEPLEXDESKTOP\PlexGuest 192.168.1.20 21 PASV - 227 0 0 dcc49917-0505-4347-8984-bbe51e55bf6b -
    2016-08-17 08:02:34 192.168.1.1 VREEPLEXDESKTOP\PlexGuest 192.168.1.20 40017 DataChannelOpened - - 0 0 dcc49917-0505-4347-8984-bbe51e55bf6b -
    2016-08-17 08:02:34 192.168.1.1 VREEPLEXDESKTOP\PlexGuest 192.168.1.20 40017 DataChannelClosed - - 0 0 dcc49917-0505-4347-8984-bbe51e55bf6b 

    Right now my settings are as follows:

    Windows:
    Windows firewall OFF.
    IIS FTP listening on Port 21 (bound to static IP 192.168.1.20). Can access from internal LAN

    Data channel range:  40000-65000

    Router settings:

    DDWRT (router) Port forwarding:
    port 20 tcp&udp -> 192.168.1.20 port 20
    port 21 tcp&udp -> 192.168.1.20 port 21
    port 1024 tcp&udp -> 192.168.1.20 port 1024

    Port Range forwarding 40000-65000 tcp&udp -> 192.168.1.20

    Firewall command (IP tables):

    iptables -I INPUT -i `nvram get wan_ifname` -p tcp --dport 20 -j ACCEPT 
    iptables -I INPUT -i `nvram get wan_ifname` -p tcp --dport 21 -j ACCEPT 
    iptables -I INPUT -i `nvram get wan_ifname` -p tcp --dport 1024: -j ACCEPT 
    iptables -I INPUT -m helper --helper ftp -j ACCEPT 
    iptables -I INPUT -m conntrack --ctstate RELATED -j ACCEPT 
    iptables -I OUTPUT -p tcp --sport 20 -j ACCEPT 

    It seems that there is a problem with the data ports, as it works internal LAN, and FTP active external, but no PASV external.

    I can't figure this out!

  • Re: FTP IIS Server while connected to VPN?

    Aug 18, 2016 07:41 AM|Jean Sun

    Hi seanvree,

    The above log doesn't contain error information; please provide more information about this.

    You can learn the meaning of IIS FTP status codes at the following link.

    https://support.microsoft.com/en-sg/kb/969061

    it seems that there is a problem with the data ports as it works internal LAN, and FTP active external, but no PASV external. 

    When the client issues a PASV command, the server responds to that PASV instruction with one of its ephemeral ports that will be used as the server-side port of the data connection. With that information, the client then makes a new connection to that port on the server and starts the data transfer.

    But the VPN may change the port number, so the connection can't be established.

    Best Regards,

    Jean

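An added example, not part of the original thread and not IIS or client code: a Python check that parses a 227 PASV reply and flags the two conditions discussed here, a non-routable address in the reply and a data port outside the configured data channel range. The reply strings are constructed for illustration; the addresses and the 40000-65000 range are the ones quoted in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Data channel range quoted in the thread (IIS FTP firewall support setting).
DATA_PORT_RANGE = (40000, 65000)
# RFC 959 PASV reply carries (h1,h2,h3,h4,p1,p2).
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (IPv4Address, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 passive-mode reply")
    match = PASV_RE.search(reply)
    if match is None:
        raise ValueError("no host/port tuple in reply")
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # port is sent as high byte, low byte
    return ip, port


def check_pasv(reply, control_ip, port_range=DATA_PORT_RANGE):
    """Compare the advertised data endpoint with the control connection."""
    ip, port = parse_pasv(reply)
    findings = []
    if not ip.is_global:
        findings.append("unroutable address advertised")
    if ip != ipaddress.IPv4Address(control_ip):
        findings.append("address differs from control connection")
    if not port_range[0] <= port <= port_range[1]:
        findings.append("port outside configured range")
    return {"ip": str(ip), "port": port, "findings": findings}


if __name__ == "__main__":
    # Constructed reply: LAN address 192.168.1.20, port 156*256 + 81 = 40017.
    sample = "227 Entering Passive Mode (192,168,1,20,156,81)"
    print(check_pasv(sample, "71.197.148.35"))
```

A reply that advertises the LAN address to an external client produces the first two findings, which corresponds to the client's "passive reply with unroutable address" status line.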
  • Re: FTP IIS Server while connected to VPN?

    Aug 18, 2016 08:24 AM|seanvree

    Yeah, that's what I thought, so I'm wondering how to configure the FTP to use the LAN gateway and NOT the VPN gateway?

  • Re: FTP IIS Server while connected to VPN?

    Aug 23, 2016 07:06 AM|Jean Sun

    Hi seanvree,

    I'm not familiar with VPN settings; you can post this issue in VPN forums.

    Best Regards,

    Jean

  • Re: FTP IIS Server while connected to VPN?

    Nov 25, 2016 02:58 AM|administrator.

    Your problem is not with the gateway. The DNS server is the problem. Your LAN has its own DNS server. The VPN connection has its own DNS too. Try to configure your connection settings. Use the DNS server that can point to your FTP site.

    Or register the FTP site with the DNS server of your VPN server, so that when you are connected to your VPN server and you query the FTP site, the DNS server of your VPN server will point to the FTP site. If it is configured correctly, that's IF?