Re: FTP on IIS6.0 Not Working

From: Jenna (stilesj)
Date: 03/04/04 

Date: Thu, 4 Mar 2004 09:33:35 -0500

Thank you, Bernard...I have gone through these steps many times. The only
step I have never been able to complete is the one regarding the
EnablePortAttack registry entry. This entry does not exist as far as I can
see...I have searched the registry for it. I am very suspicious that this
might be my problem as the first link you gave me here says "The FTP
'Bounce' or 'Port' attack prevents teh ISA Server itself from making a
request from a local resource such as an FTP server." Sounds like the issue
maybe, doesn't it?
I'm thinking then, that with the upgrade to IIS 6.0, this became hardened
again and isn't letting it work. But I simply can't find the entry to
change it...how can I change it without the entry?
Another article mentioned that the entry changed names in IIS 6.0, but I
can't find that entry, either. If it doesn't exist, does that mean IIS
isn't installed properly? Or does it mean I have to add it?
I appreciate any further assistance you can give me...I will continue to
search other KBs, as well, but I have received the most direction here, so
far.
Thank you!

"Bernard" <qbernard@hotmail.com.discuss> wrote in message
news:OP9miTZAEHA.3248@TK2MSFTNGP11.phx.gbl...
> Mm.. it doesn't looks like to me KB294679 is configured.
> As you should be able to connect with ftp.exe without any problems.
>
> I would suggest you try these articles again -
>
http://www.isaserver.org/tutorials/Publishing_an_FTP_Server_on_ISA_Server.html
> http://www.isaserver.org/tutorials/Publishing_FTP_server_on_ISA.html
>
> and other ftp resources -
> http://www.isaserver.org/pages/search.asp?query=FTP
>
>
> --
> Regards,
> Bernard Cheah
> http://support.microsoft.com/
> Please respond to newsgroups only ...
>
>
> "Jenna" <stilesj AT meachamapel DOT com> wrote in message
> news:#CXFn8UAEHA.3048@tk2msftngp13.phx.gbl...
> > Here's what I get while using ftp.exe on the LAN:
> >
> > C:\>ftp 10.0.0.4 ; internal nic ip
> > Connected to 10.0.0.4.
> > 220 Microsoft FTP Service
> > User (10.0.0.4:(none)): username
> > 331 Password required for username.
> > Password:
> > 230 User username logged in.
> > ftp> dir
> > 200 PORT command successful.
> > 150 Opening ASCII mode data connection for /bin/ls.
> > 07-01-02 01:36PM 0 brent was here to test.
> > 226 Transfer complete.
> > ftp: 67 bytes received in 0.01Seconds 4.47Kbytes/sec.
> > ftp> quit
> > 221
> >
> > C:\>ftp 10.0.1.2 ;external nic ip
> > Connected to 10.0.1.2.
> > 220 Microsoft FTP Service
> > User (10.0.1.2:(none)): username
> > 331 Password required for username.
> > Password:
> > 230 User username logged in.
> > ftp> dir
> > 500 Invalid PORT Command.
> > 150 Opening ASCII mode data connection for /bin/ls.
> >
> > ;;then it just sits there and eventually times out.
> >
> > The same thing happened remotely using ftp.exe as happened with ftp.exe
to
> > the external nic ip from the LAN (Invalid PORT command, then timed out).
> > I'm happy to try it one more time remotely, but I don't anticipate that
it
> > has changed.
> > Any other ideas? I greatly appreciate your time and assistance...I am
> > completely stumped.
> > Should port 20 show up in netstat at all? I was thinking probably not,
> but
> > just thought I'd check.
> >
> >
> > "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> > news:uJrs3rOAEHA.3184@TK2MSFTNGP09.phx.gbl...
> > > what tool do you use to login ?
> > > have you try ftp.exe command line util to login from remote machine ?
> > >
> > > if you are sure 21/20 ports is open, you should be able to use ftp.exe
> > > to login and do dir list.
> > >
> > > --
> > > Regards,
> > > Bernard Cheah
> > > http://support.microsoft.com/
> > > Please respond to newsgroups only ...
> > >
> > >
> > > "Jenna" <stilesj AT meachamapel DOT com> wrote in message
> > > news:Oh6t8GJAEHA.220@TK2MSFTNGP09.phx.gbl...
> > > > Thank you for your response, Bernard.
> > > > I have ISA configured exactly as in MS KB 294679, which opens 21 and
> 20
> > > for
> > > > FTP. This was already set up before the upgrade to IIS 6.0 and was
> > > working
> > > > before, as well.
> > > >
> > > > I could try the passiveportrange thing and configure it on ISA,
> however
> > we
> > > > have a Cisco Router, as well. It is configured to allow traffic on
20
> > and
> > > > 21, but I wouldn't guarantee the higher ports for that.
> > > >
> > > > This was all working fine before our upgrade to Windows 2003 and IIS
> > 6.0,
> > > > which is why my concern that there's potentially another setting in
> IIS
> > > that
> > > > changed to mess this up. I'm also thinking this because it does
> appear
> > to
> > > > authenticate me okay with my user name and password, and the log
> > indicates
> > > > this, as well. It just won't let me see or do anything and appears
to
> > > just
> > > > close the connection with a time out, based on the log.
> > > >
> > > > Actually, here's the most recent log of my attempts, if it helps
from
> > the
> > > > MSFTPSVC1 folder in my LogFiles directory:
> > > > #Software: Microsoft Internet Information Services 6.0
> > > > #Version: 1.0
> > > > #Date: 2004-03-02 17:27:48
> > > > #Fields: time c-ip cs-username s-ip s-port cs-method cs-uri-stem
> > sc-status
> > > > sc-win32-status cs(User-Agent)
> > > > 17:28:19 127.0.0.1 username 10.0.0.4 21 [10]USER username 331 0 -
> > > > 17:28:19 127.0.0.1 username 10.0.0.4 21 [10]PASS - 230 0 -
> > > > 17:28:19 127.0.0.1 username 10.0.0.4 21 [11]USER username 331 0 -
> > > > 17:28:19 127.0.0.1 username 10.0.0.4 21 [11]PASS - 230 0 -
> > > > 17:28:19 127.0.0.1 username 10.0.0.4 21 [11]CWD /library 250 0 -
> > > > 17:28:50 127.0.0.1 username 10.0.0.4 21 [11]CWD /library 250 0 -
> > > > 17:28:55 127.0.0.1 username 10.0.0.4 21 [12]USER username 331 0 -
> > > > 17:28:55 127.0.0.1 username 10.0.0.4 21 [12]PASS - 230 0 -
> > > > 17:28:55 127.0.0.1 username 10.0.0.4 21 [12]CWD /library 250 0 -
> > > > 17:29:11 127.0.0.1 username 10.0.0.4 21 [11]CWD /library 250 0 -
> > > > 17:30:28 127.0.0.1 username 10.0.0.4 21 [10]closed - 421 121 -
> > > > 17:31:28 127.0.0.1 username 10.0.0.4 21 [11]closed - 421 121 -
> > > >
> > > > So, if I'm reading this correctly, it authenticates me okay and even
> > > appears
> > > > to open the folder okay and you can see the internal ip, so it must
be
> > > > resolving okay. Am I reading something wrong? What am I missing?
> > > > Thanks so much for your help!
> > > >
> > > >
> > > > "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> > > > news:%23rfsvaAAEHA.2632@TK2MSFTNGP12.phx.gbl...
> > > > > Great. looks like is ISA ports blocking issue, now -
> > > > >
> > > > > do you configure FTP running other than default port 21 ?
> > > > > FTP Error: 500 Invalid PORT Command
> > > > > http://support.microsoft.com/?id=281193
> > > > >
> > > > > active mode uses 21 and 20, passive mode by default use
> > > > > dynamic port range from 1024 to 5000.
> > > > >
> > > > > check if your ISA allow connection for port 21/20. this should
> > > > > solve active mode connection.
> > > > >
> > > > > For passive mode, you configure passiveportrange in IIS 6.0.
> > > > > then open the port range in ISA..
> > > > > How To Configure PassivePortRange In IIS
> > > > > http://support.microsoft.com/?id=555022
> > > > >
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Bernard Cheah
> > > > > http://support.microsoft.com/
> > > > > Please respond to newsgroups only ...
> > > > >
> > > > >
> > > > > "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> > > > > news:#bF1#K0$DHA.1548@TK2MSFTNGP12.phx.gbl...
> > > > > > Wow.. you have many problems.
> > > > > > Can we start one by one ?
> > > > > >
> > > > > > a) first, test everything locally first.
> > > > > > can you login locally using ftp.exe -> ftp localhost ? or ftp
> yourip
> > ?
> > > > > >
> > > > > > b) so you have ISA running in the same box with IIS 6 ?
> > > > > >
> > > > > > c) from remote machine, can you login via ftp.exe to your IIS
> > server?
> > > > > > try login and dir listing.
> > > > > > any problem ?
> > > > > >
> > > > > > d) if you use IE to connect, any problems ?
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Regards,
> > > > > > Bernard Cheah
> > > > > > http://support.microsoft.com/
> > > > > > Please respond to newsgroups only ...
> > > > > >
> > > > > >
> > > > > > "Jenna" <stilesj AT meachamapel DOT com> wrote in message
> > > > > > news:OLQ8YOW$DHA.4080@TK2MSFTNGP09.phx.gbl...
> > > > > > > Okay, bear with me on this...I feel like I've tried everything
> and
> > > > can't
> > > > > > get
> > > > > > > this to work!
> > > > > > >
> > > > > > > I had virtual directories set up for an FTP site on our server
> and
> > > > they
> > > > > > were
> > > > > > > working fine. They we upgraded the server from Windows 2000
> > Server
> > > to
> > > > > > > Windows Server 2003 (also Exchange 2000 to Exchange 2003) and
> from
> > > > > IIS5.0
> > > > > > to
> > > > > > > IIS6.0.
> > > > > > > I guess IIS had a little trouble updating at the time and when
> it
> > > got
> > > > > > > updated my FTP virtual directories got wiped out. No problem,
I
> > > said,
> > > > > > I'll
> > > > > > > just recreate them.
> > > > > > > Well, I have recreated them and they are inaccessible from
> remote
> > > > > > computers
> > > > > > > over the internet (I can get on from a computer on the LAN).
> > > > > > > What happens is when I type in the address, it asks for my
> > password
> > > > > > normally
> > > > > > > and even accepts my user name and password, but then breaks
down
> > > with
> > > > > this
> > > > > > > message:
> > > > > > > 200 Type set to A
> > > > > > > 500 Invalid PORT command
> > > > > > > 500 LPRT 6,16,0,0,0,0,0,0,0,0,67,0,0,0,0,0,133,96,2,13,29
> > > > > > >
> > > > > > > I was originally referred to KB281193. I'm not sure how this
> > > article
> > > > > > > provides a solution, though, and the LPRT response I get is
> > clearly
> > > > not
> > > > > > like
> > > > > > > the 6 number example shown.
> > > > > > > The attempt above was without Passive Mode checked in IE.
With
> > > > Passive
> > > > > > Mode
> > > > > > > checked, it just times out after entering the user name and
> > > password.
> > > > > > > I am running ISA Server 2000, but this was set up before the
> > upgrade
> > > > to
> > > > > > > IIS6.0 and I believe all the settings are fine here to allow
> > access.
> > > > I
> > > > > > have
> > > > > > > gone through articles 310110 and 294679 just to be sure. When
I
> > > > > followed
> > > > > > > the "Publish the FTP Site" instructions in 310110, I got an
> event
> > > log
> > > > > > error:
> > > > > > > Web Proxy Service failed to bind its socket to 10.0.1.2 port
80.
> > > > Could
> > > > > be
> > > > > > > another service using same port or a NIC that's not
functional.
> > > > > > > (The NIC is fine and the service continues to run after this
> > > message.)
> > > > > > >
> > > > > > > When following article 294679, it mentions changing the
> > > > EnablePortAttack
> > > > > > > value to 1. However, I cannot find this variable (or, I
believe
> > the
> > > > IIS
> > > > > > > help file mentioned another name for it in 6.0) in the
registry
> > > > > anywhere.
> > > > > > > Is this something that I'm supposed to create, or does the
fact
> > that
> > > > its
> > > > > > > missing mean that IIS6.0 is not properly installed?
> > > > > > >
> > > > > > > I also read some information about setting the
PassivePortRange
> > > > > > (KB555022),
> > > > > > > but am not sure how this would help.
> > > > > > >
> > > > > > > Another note that may or may not be helpful: I'm setting up
the
> > > > virtual
> > > > > > > directories on FTP as a path to another server. I have it set
> up
> > to
> > > > use
> > > > > > the
> > > > > > > user's authentication so that it uses their permissions when
> > > accessing
> > > > > the
> > > > > > > folder. This does cause an error in the event log upon
creation
> > and
> > > > > > > reboots:
> > > > > > > Unable to add virtual root '/foldername' for the directory
> > > > > > > '\\server\foldername' due to the following error: Access is
> > denied.
> > > > > > > Despite this I can still access this from a computer on the
LAN.
> > If
> > > I
> > > > > > > assign to use a specific user's permissions, I don't get that
> > error,
> > > > but
> > > > > > > there's too much access then, and I still can't access
remotely.
> > > > > > >
> > > > > > > Finally, I've been considering doing a VPN using PPTP for a
more
> > > > secure
> > > > > > > option instead...is this relatively easy and should I just try
> > that
> > > > and
> > > > > > give
> > > > > > > up on FTP?
> > > > > > > Thanks, anyone, for some help or advice...this is driving me
> > crazy!
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>