Windows Server - FTP fails in passive mode when Windows Firewall is turned on with multiple IP addresses

Asked By Edthered C on 24-Sep-08 07:29 PM

I have a Windows 2003 server hosting websites and FTP that is accessible through 3 different public IP addresses (60.50.80.69, 60.50.80.70, 60.50.80.71). The primary IP address is 60.50.80.69. Windows Firewall is turned on.

When I try to FTP to the server through 60.50.80.71 (secondary IP) using PASV mode, it will always enter passive mode using the primary IP (60.50.80.69) and not through the IP that it was initially initiated on (60.50.80.71). Sample FTP log below:

Connect socket #1008 to 60.50.80.71, port 21...
220 Microsoft FTP Service 
...
...
... 
PASV 
227 Entering Passive Mode (60,50,80,69,19,137). 

This is not a problem if I use some third-party FTP client to connect, but I will get an error when I'm using C# to connect. I'm building an application with a simple FTP function. This is the error message that I get when I try to connect using C#:

The server returned an address in response to the PASV command that is different than the address to which the FTP connection was made.

But if I turn off Windows Firewall, everything works fine. The PASV connection will be made using the IP it was initiated on and not through the primary IP.

Is there any way that I can get this to work without having to turn off Windows Firewall? I found a KB (http://support.microsoft.com/kb/817829) from Microsoft with the same situation, but it only applies to ISA Server.

I would really appreciate any help that I can get. Thanks.

troubleshooting - Perry replied to Edthered C on 24-Sep-08 07:36 PM

Note that when you select the Enable folder view for FTP sites check box, Internet Explorer behaves as a standard FTP client and uses Active mode, even if the Use Passive FTP check box is enabled.

How to configure Passive and Active mode in Internet Explorer

Issue: Internet Explorer needs to be configured to use Passive or Active mode.

Solution: Before configuring Passive or Active mode, it is useful to understand the implications for each mode, as follows:

  • In Active mode, the FTP client uses a PORT command to inform the server that it should connect to a specific IP address and port, and then send the data. This requires that the firewall allows inbound access from port 20 on the FTP server to all high-number ports for the client.
  • In Passive mode, the FTP client uses a PASV command to request that the server tell the client to which IP address and port it should connect to send and receive data. This requires that the firewall allows outbound access to all high-number TCP ports on the FTP server, and inbound access to high-number TCP ports for the client.

ISA Server supports both modes. To configure Internet Explorer in Active or Passive mode, do the following:

To configure Internet Explorer 7 to use Passive mode
  1. On the Tools menu of Internet Explorer, click Internet Options.

  2. Click the Advanced tab.

  3. In the Browsing section of the Settings list, do the following:

To configure Internet Explorer 7 to use Active mode
  1. On the Tools menu of Internet Explorer, click Internet Options.

  2. Click the Advanced tab.

  3. In the Browsing section of the Settings list, do the following:

Please refer to http://technet.microsoft.com/en-us/library/bb794745.aspx for more details.

-Paresh

solution - Perry replied to Edthered C on 24-Sep-08 07:38 PM

Hi,

It could be that the firewalls on some of your clients are not set up to allow passive FTP.

With active FTP the server actually acts like a client for the data transfer. The server will initiate the connection with source port 20 to the client, using the random high port the client told the server to use in the PORT command.

With passive FTP the client will initiate the connection from a random high port to the random high port that the server told it to use in the PASV reply.

When using passive FTP most firewalls monitor the FTP command connection and will dynamically, and temporarily, define a rule that allows the data connection. It could be that the sites where passive FTP is failing do not have their firewalls enabled to do that.

Since all of your other connections work fine with active, I would use active as the default and then create a table within your program for sites that must use passive. Then your program can switch between active and passive based on the current target not being in the table (use active) or being in the table (use passive). Refer to http://www.experts-exchange.com/Programming/Languages/Visual_Basic/Q_23348943.html for details.

-Paresh
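As an added example (not code from this thread or from the poster's C# application), the following Python check parses the 227 reply quoted in the question and performs the comparison the poster's client error describes: the address the server hands back must equal the address the control connection was made to, otherwise the data connection is refused. The control host and the PASV reply are constructed from the values in the thread.

```python
import ipaddress
import re

# Constructed from the values in the thread: the control connection went to
# the secondary address, but the server's 227 reply names the primary one.
CONTROL_HOST = "60.50.80.71"
PASV_REPLY = "227 Entering Passive Mode (60,50,80,69,19,137)."

# RFC 959 227 reply carries six decimal byte values h1,h2,h3,h4,p1,p2.
# The parentheses are conventional rather than mandatory, so any non-digit
# text between the code and the first value is skipped.
_PASV_RE = re.compile(
    r"^227\b[^\d]*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(reply):
    """Return (host, port) from a 227 PASV reply; raise ValueError if malformed."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    values = [int(g) for g in m.groups()]
    if any(v > 255 for v in values):
        raise ValueError("byte value out of range in PASV reply: %r" % reply)
    host = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]  # 19*256 + 137 = 5001 for the sample
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return host, port


def check_pasv_target(control_host, reply):
    """Client-side safety check behind the error quoted in the question:
    a client that connects to whatever address comes back in the 227 reply
    can be steered to a different host, so the data-connection address must
    match the control-connection address. Returns (ok, host, port, reason)."""
    host, port = parse_pasv(reply)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_host):
        reason = ("server advertised %s:%d but the control connection is to %s; "
                  "refusing to open the data connection" % (host, port, control_host))
        return False, host, port, reason
    return True, host, port, "data connection target matches control connection"


if __name__ == "__main__":
    ok, host, port, reason = check_pasv_target(CONTROL_HOST, PASV_REPLY)
    print("PASV -> %s:%d  ok=%s  (%s)" % (host, port, ok, reason))
```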

follow up - Edthered C replied to Perry on 24-Sep-08 07:56 PM

Hi Paresh,

Thanks for the prompt reply, but this is not about Internet Explorer 7.

I've tried using an Active connection, but an Active connection will not work. It has to be PASV. And I believe this has nothing to do with the client's firewall. I've already pinpointed the problem to the Windows Firewall on the server.

If the firewall is ON = Problem.

If the firewall is OFF = No Problem.

The situation is that, if I turn on Windows Firewall, the return PASV connection will always be made through the primary IP address (60.50.80.69) no matter what IP I use to initiate the connection.

I just need the PASV connection to use the IP address that it was initiated on. If I FTP to the server using the IP 60.50.80.71, then I need the return PASV connection to be on 60.50.80.71 also. If I can just get this, then my problem will be solved.

All my connections work fine if I turn off Windows Firewall. But I do not want to turn off Windows Firewall, so I think that I probably need to make some adjustment to the firewall, but I'm not sure where and how.