
FTPS Implicit


4 replies to this topic

#1 jeremyk

jeremyk
  • Members
  • 3 posts

Posted 27 March 2010 - 01:21 AM

I am connecting to our hosted FTPS server using FTPS (implicit) through a router/firewall at my end and through a hardware firewall at our hosting service. The hosting service has opened ports 990 and 989 for control and data connections respectively. SmartFTP makes the control connection w/o a problem but then attempts to open the data connection on a port in the 50K range rather than 989 (59839 in the example below). I've tried changing to active mode and various connection settings, but SmartFTP won't use 989 for the data connection. How can I configure SmartFTP to just use 989 for data? I'm using version 4.0.1082.0 on Windows 7, 64-bit. A sample log is included below.



[18:18:26] SmartFTP v4.0.1082.0
[18:18:26] Resolving host name "icweb1.icohere.com"
[18:18:26] Connecting to 64.225.158.123 Port: 990
[18:18:26] Connected to icweb1.icohere.com.
[18:18:26] Connected. Exchanging encryption keys...
[18:18:26] Key Exchange: 2048 bit RSA
[18:18:26] Session Cipher: 128 bit AES
[18:18:26] TLS 1.0 encrypted session established.
[18:18:26] 220 Microsoft FTP Service
[18:18:26] USER jeremy
[18:18:26] 331 Password required for jeremy.
[18:18:26] PASS (hidden)
[18:18:27] 230 User logged in.
[18:18:27] SYST
[18:18:27] 215 Windows_NT
[18:18:27] Detected Server Type: Windows NT
[18:18:27] RTT: 80.410 ms
[18:18:27] FEAT
[18:18:27] 211-Extended features supported:
[18:18:27] LANG EN*
[18:18:27] UTF8
[18:18:27] AUTH TLS;TLS-C;SSL;TLS-P;
[18:18:27] PBSZ
[18:18:27] PROT C;P;
[18:18:27] CCC
[18:18:27] HOST
[18:18:27] SIZE
[18:18:27] MDTM
[18:18:27] REST STREAM
[18:18:27] 211 END
[18:18:27] OPTS UTF8 ON
[18:18:27] 200 OPTS UTF8 command successful - UTF8 encoding now ON.
[18:18:27] PWD
[18:18:27] 257 "/" is current directory.
[18:18:27] TYPE A
[18:18:27] 200 Type set to A.
[18:18:27] PBSZ 0
[18:18:27] 200 PBSZ command successful.
[18:18:27] PROT P
[18:18:27] 200 PROT command successful.
[18:18:27] PASV
[18:18:27] 227 Entering Passive Mode (64,225,158,123,233,191).
[18:18:27] Opening data connection to 64.225.158.123 Port: 59839
[18:18:27] LIST -aL
[18:18:27] 150 Opening ASCII mode data connection.
[18:18:48] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

#2 mb

mb
Developer
  • Administrators
  • 11520 posts
  • Gender: Male
  • Location: Worldwide

Posted 27 March 2010 - 01:23 AM

SSL Implicit is deprecated, use SSL Explicit instead.

Then SmartFTP opens the connection to the port the server returns in the passive reply, which is 59839.

The server administrator needs to setup a passive port range for IIS and open this port range in the firewall.

Regards,
Mat

#3 jeremyk

jeremyk
  • Members
  • 3 posts

Posted 29 March 2010 - 11:29 PM

Thanks, Mat, for your reply.

I was reluctant to use Explicit because I didn't want to open all the possible data ports up in the 50K to 65K range. I'd rather send all data traffic through 889. Can SmartFTP be configured to use just one port for data traffic?

Since our server has a separate, hardware firewall and since the traffic is secure, the firewall cannot follow the FTPS negotiations and permit the data traffic w/o opening the ports.

#4 mb

mb
Developer
  • Administrators
  • 11520 posts
  • Gender: Male
  • Location: Worldwide

Posted 30 March 2010 - 12:22 AM

FTPS Explicit or FTPS Implicit makes no difference in your situation. If you use FTPS Explicit then the default data connection port is 20 for active mode (PORT). But the passive port range will be the same.

My recommendation is the following:
1. Tell IIS to use a passive port range (e.g. from 58000 to 58010)
IIS 6: http://support.microsoft.com/kb/555022
IIS 7.5: http://learn.iis.net...ewall-settings/
2. Open this port range in your firewall

I hope this helps.
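As an added illustration of why the data connection lands on 59839 rather than 989 (this is example code written for this page, not code from the thread or from SmartFTP): the server encodes the data port in the last two fields of its 227 reply, so a firewall that only opens 990 and 989 never matches it, whereas a configured passive range can be opened as a block. The checker below decodes a PASV reply and reports whether the advertised endpoint falls inside an opened range; the 58000-58010 range and the second sample reply are constructed to match the recommendation above.

```python
import re

# Matches the six comma-separated fields of an RFC 959 "227" passive-mode reply.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode a 227 reply into (host, port): four address octets, then port = p1*256 + p2."""
    m = PASV_RE.search(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 passive reply: {reply!r}")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in: {reply!r}")
    host = ".".join(str(o) for o in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def check_data_endpoint(reply: str, control_host: str, allowed: tuple[int, int]) -> dict:
    """Report whether a client would reach the advertised data endpoint through a
    firewall that only permits the inclusive port range `allowed` to `control_host`."""
    host, port = parse_pasv(reply)
    lo, hi = allowed
    problems = []
    if host != control_host:
        # A reply pointing somewhere other than the control host is a classic
        # misconfiguration (NAT without address rewriting); a careful client refuses it.
        problems.append(f"advertised host {host} differs from control host {control_host}")
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside the opened range {lo}-{hi}")
    return {"host": host, "port": port, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    # Constructed samples: the reply from the log in post #1, and one that a server
    # configured with the 58000-58010 range from post #4 could return (226*256+149 = 58005).
    for reply in ("227 Entering Passive Mode (64,225,158,123,233,191).",
                  "227 Entering Passive Mode (64,225,158,123,226,149)."):
        print(check_data_endpoint(reply, "64.225.158.123", (58000, 58010)))
```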

#5 jeremyk

jeremyk
  • Members
  • 3 posts

Posted 30 March 2010 - 11:04 PM

Thank you. That did the trick. I would note, however, for anyone reading this forum that the Microsoft FTP Publishing service had to be restarted before the PASV port range restrictions took effect.



