FTP Works Internally, Not Externally

Tags:
DMZ
FTP
Microsoft Windows
Windows Server 2003
Server sitting in DMZ off Firewall on a different network. When one FTPs to it from a machine inside the Firewall, the connection is made and one can upload, download and modify files. When one FTPs from a source on an external network the log in proceeds as it should, but the proper directories are never found, and eventually the connection will time out. The server is Windows 2003 with IIS. The firewall is a WatchGuard Firebox. I've gone through the server settings and nothing seems amiss there. The FTP rules on the firewall allow both connections from the internal network and any external network. There are no entries in the log or the Event Viewer to indicate a problem. Does anyone have an idea how I might go about resolving this issue? Steve//

Answer Wiki


Have you done the usual connectivity troubleshooting steps: trying to first ping, then telnet to port 20/21 of the server from a machine outside the network? If so, what are the results?
Do you have any other servers in the DMZ that you can run similar connectivity tests against?
Are you running SP1 on the server? Is the Windows Firewall service running? If yes, try stopping and disabling it, and try it again.

Discuss This Question: 5  Replies

 
  • Invisflare
    "When one FTPs from a source on an external network the log in proceeds as it should, but the proper directories are never found, and eventually the connection will time out." This sounds more like a firewall issue. The session control part works (server port 21) but the data flow part (server port 20) doesn't. Is the built-in firewall running on Windows 2003? I have no experience with WatchGuard so I can't give you specifics, but sometimes FTP protocol setup on a firewall isn't very neat - lots of details to be aware of.
  • Fullerine
    FTP can be tricky to troubleshoot. My first suggestion is to check and see if FTP is using passive mode. Check your firewall to determine if passive mode is supported in your ruleset. I would set up a sniffer to capture your FTP session within the DMZ. This should tell you what mode your server is operating in. I believe passive mode is your problem. Check this info out: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0d2a9b2e-b697-4bb3-8a61-0fad73a1fa08.mspx?mfr=true
  • Stevesz
    Thanks for your replies. I've not been able to connect, for some reason, to this site from home, so the delay in getting back.

    aalborz43:
    > Have you done the usual connectivity troubleshooting steps: trying to first ping, then telnet to port 20/21 of the server from a machine outside network? If so, what are the results?

    Ping yes--Telnet is disallowed, but I think being able to connect and login pretty much puts connection issues to rest, other than a possible problem at the firewall.

    > Do you have any other servers in the DMZ that you can test similar connectivity tests?

    Currently this is the only server in the DMZ.

    > Are you running SP1 on the server? Is Windows Firewall service running? If yes, try stopping and disabling it, and try it again.

    Yes, the machine is up to date on patches. No Windows firewall--wouldn't touch it with a 10 foot pole.

    invisflare:
    > This sounds more like a firewall issue. The session control part works (server port 21) but the data flow part (server port 20) doesn't. Is the built-in firewall running on Windows 2003? I have no experience with WatchGuard so I can't give you specifics, but sometimes FTP protocol setup on a firewall isn't very neat - lots of details to be aware of.

    That is my feeling also--there is a problem in the firewall, though it does not show in the logs. However, we do have the same type of firewall hardware on another network, with the same FTP set-up, serving an FTP server there, on the internal network, and it works fine, except those writers can never remember how to log into it (g). So, I am not sure what the problem here is. The other FTP box is a Linux box, and this is a Windows box. I am planning on logging into the firewall in the next day or two and going over those settings again.

    Fullerine:
    > FTP can be tricky to troubleshoot. My first suggestion is to check and see if FTP is using passive mode. Check your firewall to determine if passive mode is supported in your ruleset. I would setup a sniffer to capture your ftp session within the DMZ. This should tell you what mode your server is operating in. I believe passive mode is your problem. Check this info out

    We have tried connecting both with and without passive mode. The response has been the same. I've not used a sniffer there, but could possibly set one up the next time I am on site and do some testing then, if the problem is not resolved prior.
  • Mortree
    I can't tell how many external locations you are talking about for problem replication but if it is a low number... Do the exterior ISPs support FTP properly? Occasionally they block intentionally or accidentally. The joy of the Internet is that the problems don't always stop at your network. You got to go all the way to the client side configuration. Also you don't have secure FTP kicking in at any point after login do you? That is, there might be a port change. It has been a long time but I was thinking that was a Windows IIS option.
  • Stevesz
    Mortree, ports on the network are not blocked. The line is wide open until it hits the firewall. We have attempted to connect properly from several machines under our control outside the network, PCs and Macs. These machines are able to connect to other FTP sites, so the problem is not a client side one. Once we have established a good FTP connection, the access will be limited to a few IP addresses, and not open to the public. Actually, only one person claims the need to access it this way, the head of IT, refusing to use a VPN circuit or another method. He insists on FTP access. (Never mind when we gave him access to another server he totally screwed it and we had to rebuild it to get it to work properly again--messing around with things he had no need to even mess with. But that's another story.)
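The replies above separate the control connection (port 21) from the data connection and suggest capturing the session to see which mode is in use. As an added example (not part of the original thread), this Python script reads control-channel lines from such a capture, decodes each `PORT` command and `227` passive reply into the data endpoint the firewall must let through, and flags an RFC 1918 address, which a client on an external network cannot reach unless the firewall rewrites it. The transcript, its `C:`/`S:` prefixes, the user name and all addresses are constructed.

```python
import ipaddress
import re

# Data endpoint as six byte values: h1,h2,h3,h4,p1,p2 (PORT argument / 227 reply).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample transcript; "C:" is the client, "S:" the server.
SAMPLE = """\
C: USER steve
S: 331 Password required
C: PASV
S: 227 Entering Passive Mode (192,168,10,5,19,137)
C: PORT 203,0,113,10,195,80
S: 200 PORT command successful
"""

def decode_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple, or None if absent or invalid."""
    m = HOSTPORT.search(text)
    if not m or any(int(n) > 255 for n in m.groups()):
        return None
    nums = [int(n) for n in m.groups()]
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def describe(mode, ip, port):
    # Active: server connects out to the client. Passive: client connects in to the server.
    direction = "server->client" if mode == "active" else "client->server"
    addr = ipaddress.ip_address(ip)
    return {"mode": mode, "ip": ip, "port": port, "direction": direction,
            "rfc1918": any(addr in net for net in RFC1918)}

def analyze(transcript):
    """Report the data endpoint negotiated by each PORT command or 227 reply."""
    findings, pasv_pending = [], False
    for line in transcript.splitlines():
        side, _, msg = line.strip().partition(": ")
        verb = msg.split(" ", 1)[0].upper()
        if side == "C" and verb == "PASV":
            pasv_pending = True
            continue
        if side == "C" and verb == "PORT":
            mode = "active"
        elif side == "S" and verb == "227" and pasv_pending:
            mode, pasv_pending = "passive", False
        else:
            continue
        endpoint = decode_hostport(msg)
        if endpoint:
            findings.append(describe(mode, *endpoint))
    return findings
```

Comparing the output for a session started inside the firewall with one started outside shows whether the two sessions negotiate the same mode and which address and port the data connection is expected to use.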
