Knowledge Base



Article 60

Problem with SSL and Firewalls

NAT (Network Address Translation) is not the only factor that prevents you from using FTPS with a firewall.

Firewalls are usually configured to deny inbound connections to the FTP server on any port other than port 21. Under PASV FTP, the firewall that protects the server needs to see the unencrypted response to the PASV command in order to allow the inbound data connection to the server on a dynamic port (i.e., a port other than 21).

This step fails when PASV mode is used over FTPS, because the FTP control session is encrypted. The new inbound FTP data connection arrives at the firewall and is denied because it cannot be "bound" to an existing FTP control session.

When the firewall is performing NAT it also needs to read the PORT and PASV commands and rewrite them with the proper IP address and port information; it cannot do this when those commands are encrypted.
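As an added illustration that is not part of this knowledge base article, the following Python models the part of a firewall's FTP helper described above: it parses the 227 reply to PASV (and the client's PORT command) to learn the dynamic data port, rewrites the address in the reply when the firewall does NAT, and opens a pinhole for the expected inbound data connection. Fed the bytes of an encrypted control session, the parser recovers nothing, so no pinhole is opened and the data connection is denied. All addresses, ports and byte strings are constructed samples, and the `FtpHelper` class is a simplified model, not any vendor's implementation.

```python
import re
from typing import Optional, Tuple

# Constructed samples of what the firewall sees on a plaintext control channel.
PLAINTEXT_PASV_REPLY = b"227 Entering Passive Mode (10,0,0,5,195,80)\r\n"
PLAINTEXT_PORT_CMD = b"PORT 192,168,1,20,4,1\r\n"
# Constructed sample of the same reply once the control channel is under TLS:
# the firewall only sees an opaque TLS application-data record.
ENCRYPTED_CONTROL_BYTES = b"\x17\x03\x03\x00\x2a\x9f\x3b\xc1\x08\x44\x7e\x12\xa0\x55\xd3\x66\x0c\xee\x91"

# 227 <text> (h1,h2,h3,h4,p1,p2) ... ; DOTALL so the trailing CRLF is captured in group 8.
_PASV_RE = re.compile(rb"^(227 [^(]*\()(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)(\).*)$", re.DOTALL)
# PORT h1,h2,h3,h4,p1,p2
_PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def _endpoint(octets) -> Optional[Tuple[str, int]]:
    """Turn the six FTP address/port octets into (ip, port); reject out-of-range values."""
    vals = [int(o) for o in octets]
    if len(vals) != 6 or not all(0 <= v <= 255 for v in vals):
        return None
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line: bytes) -> Optional[Tuple[str, int]]:
    """Server -> client: extract the data endpoint from a 227 PASV reply, or None."""
    m = _PASV_RE.match(line)
    return _endpoint(m.groups()[1:7]) if m else None


def parse_port_command(line: bytes) -> Optional[Tuple[str, int]]:
    """Client -> server: extract the data endpoint from a PORT command, or None."""
    m = _PORT_RE.match(line)
    return _endpoint(m.groups()) if m else None


def nat_rewrite_pasv(reply: bytes, public_ip: str) -> Optional[bytes]:
    """Rewrite the host octets of a 227 reply to the firewall's public address (NAT).
    Returns None when the reply cannot be parsed, e.g. because it is ciphertext."""
    m = _PASV_RE.match(reply)
    if m is None:
        return None
    host = ",".join(public_ip.split(".")).encode()
    return m.group(1) + host + b"," + m.group(6) + b"," + m.group(7) + m.group(8)


class FtpHelper:
    """Simplified model (assumption, not a product) of a firewall FTP helper that opens
    pinholes for inbound data connections only when it can read the control channel."""

    def __init__(self) -> None:
        self.pinholes = set()  # (server_ip, port) pairs allowed inbound

    def observe_control(self, server_to_client: bytes) -> Optional[Tuple[str, int]]:
        """Inspect one server-to-client control line and open a pinhole if it is a 227 reply."""
        ep = parse_pasv_reply(server_to_client)
        if ep is not None:
            self.pinholes.add(ep)
        return ep

    def allow_inbound(self, dst_ip: str, dst_port: int) -> bool:
        """Policy: port 21 is always open; any other port needs a pinhole bound to a PASV reply."""
        return dst_port == 21 or (dst_ip, dst_port) in self.pinholes


if __name__ == "__main__":
    clear = FtpHelper()
    print("plaintext PASV ->", clear.observe_control(PLAINTEXT_PASV_REPLY))
    print("inbound data to 10.0.0.5:50000 allowed:", clear.allow_inbound("10.0.0.5", 50000))
    print("NAT-rewritten reply:", nat_rewrite_pasv(PLAINTEXT_PASV_REPLY, "203.0.113.7"))

    tls = FtpHelper()
    print("encrypted PASV ->", tls.observe_control(ENCRYPTED_CONTROL_BYTES))
    print("inbound data to 10.0.0.5:50000 allowed:", tls.allow_inbound("10.0.0.5", 50000))
```

The `__main__` section walks both cases: with a readable control channel the helper learns port 50000 from the 227 reply, can rewrite the private address for NAT, and admits the data connection; with the TLS record it learns nothing, so only port 21 remains open and the data connection is dropped, which is exactly the failure the article describes.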