Forum Discussion
FTPS (FTP TLS) Using IIS on Windows Server 2019 broken - Passive port connection or cert suspected?
Hi all, I hope someone out there can help.
I have an FTPS server set up using IIS explicit FTP over TLS.
I don't use this a lot; it's mainly for getting files when I am out and about.
Last time I tried to access the FTP site it had stopped working (a few months ago).
I have had a bit of time to troubleshoot but am drawing a blank as to why it doesn't work.
I believe it is something to do with the passive port range, or maybe a certificate issue?
Just to be clear, it was working and has now broken. There have been minimal changes on the server (updates, etc.), but nothing that should affect the FTP site.
The FTP ports specified are open in the firewall. These ports are also forwarded in my router. The external IP address is specified for the FTP at site level. The passive port range (5000-5100) is specified at server level. SSL is set to required and a current certificate is selected.
What I have tried:
Created new firewall rules. Turned the firewall off. Made no difference.
Set the SSL policy to allow SSL connections, and I can connect without encryption, so the site still works. Upon setting it back to required, I can no longer connect.
Used a port scanner on a mobile network and scanned the passive ports using both my FTP host name and external IP address with Wireshark running on the server. Traffic is getting through on ports 5000-5100 as expected.
When I try to connect from an external source I get traffic on port 21 on the server but nothing in the 5000-5100 range. My FTP client software (on my phone) hangs at "234 AUTH command ok. Expecting TLS Negotiation."
If I test the site using ftptest.net it connects and brings up the directory listing. There are a couple of warnings about IPv6 not implemented and MLSD.
If I try to connect to the FTP site over the internal network using WinSCP or FileZilla, it will connect but only in active mode (so not using passive ports). If I use my phone over the internal network, it will connect using passive mode, but oddly only brings up the directory listing if I use the external IP address rather than the host name. Connecting using the host name on the phone gets stuck at "LIST, 40 Opening ASCII mode data connection". FileZilla and WinSCP both work with the hostname (active mode).
This has left me scratching my head; any ideas would be appreciated.
Thanks
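The two suspects in the post (the TLS negotiation stalling after "234 AUTH", and the passive data connection) can be separated with a small client-side probe. The script below is an added example, not code from the original post or from IIS: it runs the explicit-TLS handshake with a timeout so a stall shows up as a reported error instead of a hang, then asks for PASV and checks that the server advertises the expected external IP and a port inside the forwarded range (5000-5100 in the post). The host names, the external IP and the sample replies in the comments are assumptions/constructed values.

```python
"""Probe an explicit FTPS (AUTH TLS) server's passive-mode configuration."""
import re
import socket
import ssl

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError(f"unexpected PASV reply: {reply.strip()!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, external_ip: str, port_range=(5000, 5100)) -> list[str]:
    """Return findings for an advertised address/port that clients cannot reach."""
    host, port = parse_pasv(reply)
    findings = []
    if host != external_ip:  # e.g. a LAN address leaking to external clients
        findings.append(f"server advertises {host}, clients expect {external_ip}")
    if not port_range[0] <= port <= port_range[1]:
        findings.append(f"data port {port} is outside forwarded range {port_range}")
    return findings


def _reply(sock) -> str:
    """Read one CRLF-terminated control-channel reply line."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("control connection closed by server")
        buf += chunk
    return buf.decode("latin-1")


def probe(host: str, external_ip: str, port: int = 21, timeout: float = 10.0) -> list[str]:
    """Connect, upgrade with AUTH TLS, then request PASV and check the reply."""
    ctx = ssl.create_default_context()  # verifies the server certificate
    with socket.create_connection((host, port), timeout=timeout) as raw:
        _reply(raw)  # 220 banner
        raw.sendall(b"AUTH TLS\r\n")
        if not _reply(raw).startswith("234"):
            return ["server refused AUTH TLS"]
        try:  # a stall here is the 'Expecting TLS Negotiation' symptom
            tls = ctx.wrap_socket(raw, server_hostname=host)
        except (ssl.SSLError, TimeoutError) as exc:
            return [f"TLS handshake failed after 234: {exc}"]
        for cmd in (b"PBSZ 0\r\n", b"PROT P\r\n", b"PASV\r\n"):
            tls.sendall(cmd)
            reply = _reply(tls)
        return check_pasv(reply, external_ip)
```

Run it once from inside the LAN and once from an external network (for example `probe("ftp.example.test", "203.0.113.10")`, placeholder values); a difference in the advertised address between the two runs points at the site-level external IP setting rather than at the firewall.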