Re: FTP on IIS6.0 Not Working

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Bernard (qbernard_at_hotmail.com.discuss)
Date: 03/05/04 

Date: Fri, 5 Mar 2004 14:07:42 +0800

Yes, you need to add it. Now many of the links saying that you should
disabled it by setting the value to 1, from what I read is set it to 1 is
enabling port attack not disabling it, as default no entry in registry is 0
(meaning disabled).

read
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/ref_reg_ftpservice.asp

you can try adding the key and set it to 1 and see. if possible restart
machine or IIS. 

-- 
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...
"Jenna" <stilesj AT meachamapel DOT com> wrote in message
news:#l5xyWfAEHA.3284@TK2MSFTNGP09.phx.gbl...
> Thank you, Bernard...I have gone through these steps many times.  The only
> step I have never been able to complete is the one regarding the
> EnablePortAttack registry entry.  This entry does not exist as far as I
can
> see...I have searched the registry for it.  I am very suspicious that this
> might be my problem as the first link you gave me here says "The FTP
> 'Bounce' or 'Port' attack prevents teh ISA Server itself from making a
> request from a local resource such as an FTP server."  Sounds like the
issue
> maybe, doesn't it?
> I'm thinking then, that with the upgrade to IIS 6.0, this became hardened
> again and isn't letting it work.  But I simply can't find the entry to
> change it...how can I change it without the entry?
> Another article mentioned that the entry changed names in IIS 6.0, but I
> can't find that entry, either.  If it doesn't exist, does that mean IIS
> isn't installed properly?  Or does it mean I have to add it?
> I appreciate any further assistance you can give me...I will continue to
> search other KBs, as well, but I have received the most direction here, so
> far.
> Thank you!
>
> "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> news:OP9miTZAEHA.3248@TK2MSFTNGP11.phx.gbl...
> > Mm.. it doesn't looks like to me KB294679 is configured.
> > As you should be able to connect with ftp.exe without any problems.
> >
> > I would suggest you try these articles again -
> >
>
http://www.isaserver.org/tutorials/Publishing_an_FTP_Server_on_ISA_Server.html
> > http://www.isaserver.org/tutorials/Publishing_FTP_server_on_ISA.html
> >
> > and other ftp resources -
> > http://www.isaserver.org/pages/search.asp?query=FTP
> >
> >
> > -- 
> > Regards,
> > Bernard Cheah
> > http://support.microsoft.com/
> > Please respond to newsgroups only ...
> >
> >
> > "Jenna" <stilesj AT meachamapel DOT com> wrote in message
> > news:#CXFn8UAEHA.3048@tk2msftngp13.phx.gbl...
> > > Here's what I get while using ftp.exe on the LAN:
> > >
> > > C:\>ftp 10.0.0.4            ; internal nic ip
> > > Connected to 10.0.0.4.
> > > 220 Microsoft FTP Service
> > > User (10.0.0.4:(none)): username
> > > 331 Password required for username.
> > > Password:
> > > 230 User username logged in.
> > > ftp> dir
> > > 200 PORT command successful.
> > > 150 Opening ASCII mode data connection for /bin/ls.
> > > 07-01-02  01:36PM                    0 brent was here to test.
> > > 226 Transfer complete.
> > > ftp: 67 bytes received in 0.01Seconds 4.47Kbytes/sec.
> > > ftp> quit
> > > 221
> > >
> > > C:\>ftp 10.0.1.2    ;external nic ip
> > > Connected to 10.0.1.2.
> > > 220 Microsoft FTP Service
> > > User (10.0.1.2:(none)): username
> > > 331 Password required for username.
> > > Password:
> > > 230 User username logged in.
> > > ftp> dir
> > > 500 Invalid PORT Command.
> > > 150 Opening ASCII mode data connection for /bin/ls.
> > >
> > > ;;then it just sits there and eventually times out.
> > >
> > > The same thing happened remotely using ftp.exe as happened with
ftp.exe
> to
> > > the external nic ip from the LAN (Invalid PORT command, then timed
out).
> > > I'm happy to try it one more time remotely, but I don't anticipate
that
> it
> > > has changed.
> > > Any other ideas?  I greatly appreciate your time and assistance...I am
> > > completely stumped.
> > > Should port 20 show up in netstat at all?  I was thinking probably
not,
> > but
> > > just thought I'd check.
> > >
> > >
> > > "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> > > news:uJrs3rOAEHA.3184@TK2MSFTNGP09.phx.gbl...
> > > > what tool do you use to login ?
> > > > have you try ftp.exe command line util to login from remote machine
?
> > > >
> > > > if you are sure 21/20 ports is open, you should be able to use
ftp.exe
> > > > to login and do dir list.
> > > >
> > > > -- 
> > > > Regards,
> > > > Bernard Cheah
> > > > http://support.microsoft.com/
> > > > Please respond to newsgroups only ...
> > > >
> > > >
> > > > "Jenna" <stilesj AT meachamapel DOT com> wrote in message
> > > > news:Oh6t8GJAEHA.220@TK2MSFTNGP09.phx.gbl...
> > > > > Thank you for your response, Bernard.
> > > > > I have ISA configured exactly as in MS KB 294679, which opens 21
and
> > 20
> > > > for
> > > > > FTP.  This was already set up before the upgrade to IIS 6.0 and
was
> > > > working
> > > > > before, as well.
> > > > >
> > > > > I could try the passiveportrange thing and configure it on ISA,
> > however
> > > we
> > > > > have a Cisco Router, as well.  It is configured to allow traffic
on
> 20
> > > and
> > > > > 21, but I wouldn't guarantee the higher ports for that.
> > > > >
> > > > > This was all working fine before our upgrade to Windows 2003 and
IIS
> > > 6.0,
> > > > > which is why my concern that there's potentially another setting
in
> > IIS
> > > > that
> > > > > changed to mess this up.  I'm also thinking this because it does
> > appear
> > > to
> > > > > authenticate me okay with my user name and password, and the log
> > > indicates
> > > > > this, as well.  It just won't let me see or do anything and
appears
> to
> > > > just
> > > > > close the connection with a time out, based on the log.
> > > > >
> > > > > Actually, here's the most recent log of my attempts, if it helps
> from
> > > the
> > > > > MSFTPSVC1 folder in my LogFiles directory:
> > > > > #Software: Microsoft Internet Information Services 6.0
> > > > > #Version: 1.0
> > > > > #Date: 2004-03-02 17:27:48
> > > > > #Fields: time c-ip cs-username s-ip s-port cs-method cs-uri-stem
> > > sc-status
> > > > > sc-win32-status cs(User-Agent)
> > > > > 17:28:19 127.0.0.1 username 10.0.0.4 21 [10]USER username 331 0 -
> > > > > 17:28:19 127.0.0.1 username 10.0.0.4 21 [10]PASS - 230 0 -
> > > > > 17:28:19 127.0.0.1 username 10.0.0.4 21 [11]USER username 331 0 -
> > > > > 17:28:19 127.0.0.1 username 10.0.0.4 21 [11]PASS - 230 0 -
> > > > > 17:28:19 127.0.0.1 username 10.0.0.4 21 [11]CWD /library 250 0 -
> > > > > 17:28:50 127.0.0.1 username 10.0.0.4 21 [11]CWD /library 250 0 -
> > > > > 17:28:55 127.0.0.1 username 10.0.0.4 21 [12]USER username 331 0 -
> > > > > 17:28:55 127.0.0.1 username 10.0.0.4 21 [12]PASS - 230 0 -
> > > > > 17:28:55 127.0.0.1 username 10.0.0.4 21 [12]CWD /library 250 0 -
> > > > > 17:29:11 127.0.0.1 username 10.0.0.4 21 [11]CWD /library 250 0 -
> > > > > 17:30:28 127.0.0.1 username 10.0.0.4 21 [10]closed - 421 121 -
> > > > > 17:31:28 127.0.0.1 username 10.0.0.4 21 [11]closed - 421 121 -
> > > > >
> > > > > So, if I'm reading this correctly, it authenticates me okay and
even
> > > > appears
> > > > > to open the folder okay and you can see the internal ip, so it
must
> be
> > > > > resolving okay.  Am I reading something wrong?  What am I missing?
> > > > > Thanks so much for your help!
> > > > >
> > > > >
> > > > > "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> > > > > news:%23rfsvaAAEHA.2632@TK2MSFTNGP12.phx.gbl...
> > > > > > Great. looks like is ISA ports blocking issue,  now -
> > > > > >
> > > > > > do you configure FTP running other than default port 21 ?
> > > > > > FTP Error: 500 Invalid PORT Command
> > > > > > http://support.microsoft.com/?id=281193
> > > > > >
> > > > > > active mode uses 21 and 20, passive mode by default use
> > > > > > dynamic port range from 1024 to 5000.
> > > > > >
> > > > > > check if your ISA allow connection for port 21/20. this should
> > > > > > solve active mode connection.
> > > > > >
> > > > > > For passive mode, you configure passiveportrange in IIS 6.0.
> > > > > > then open the port range in ISA..
> > > > > > How To Configure PassivePortRange In IIS
> > > > > > http://support.microsoft.com/?id=555022
> > > > > >
> > > > > >
> > > > > > -- 
> > > > > > Regards,
> > > > > > Bernard Cheah
> > > > > > http://support.microsoft.com/
> > > > > > Please respond to newsgroups only ...
> > > > > >
> > > > > >
> > > > > > "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> > > > > > news:#bF1#K0$DHA.1548@TK2MSFTNGP12.phx.gbl...
> > > > > > > Wow.. you have many problems.
> > > > > > > Can we start one by one ?
> > > > > > >
> > > > > > > a) first, test everything locally first.
> > > > > > > can you login locally using ftp.exe -> ftp localhost ? or ftp
> > yourip
> > > ?
> > > > > > >
> > > > > > > b) so you have ISA running in the same box with IIS 6 ?
> > > > > > >
> > > > > > > c) from remote machine, can you login via ftp.exe to your IIS
> > > server?
> > > > > > > try login and dir listing.
> > > > > > > any problem ?
> > > > > > >
> > > > > > > d) if you use IE to connect, any problems ?
> > > > > > >
> > > > > > >
> > > > > > > -- 
> > > > > > > Regards,
> > > > > > > Bernard Cheah
> > > > > > > http://support.microsoft.com/
> > > > > > > Please respond to newsgroups only ...
> > > > > > >
> > > > > > >
> > > > > > > "Jenna" <stilesj AT meachamapel DOT com> wrote in message
> > > > > > > news:OLQ8YOW$DHA.4080@TK2MSFTNGP09.phx.gbl...
> > > > > > > > Okay, bear with me on this...I feel like I've tried
everything
> > and
> > > > > can't
> > > > > > > get
> > > > > > > > this to work!
> > > > > > > >
> > > > > > > > I had virtual directories set up for an FTP site on our
server
> > and
> > > > > they
> > > > > > > were
> > > > > > > > working fine.  They we upgraded the server from Windows 2000
> > > Server
> > > > to
> > > > > > > > Windows Server 2003 (also Exchange 2000 to Exchange 2003)
and
> > from
> > > > > > IIS5.0
> > > > > > > to
> > > > > > > > IIS6.0.
> > > > > > > > I guess IIS had a little trouble updating at the time and
when
> > it
> > > > got
> > > > > > > > updated my FTP virtual directories got wiped out.  No
problem,
> I
> > > > said,
> > > > > > > I'll
> > > > > > > > just recreate them.
> > > > > > > > Well, I have recreated them and they are inaccessible from
> > remote
> > > > > > > computers
> > > > > > > > over the internet (I can get on from a computer on the LAN).
> > > > > > > > What happens is when I type in the address, it asks for my
> > > password
> > > > > > > normally
> > > > > > > > and even accepts my user name and password, but then breaks
> down
> > > > with
> > > > > > this
> > > > > > > > message:
> > > > > > > > 200 Type set to A
> > > > > > > > 500 Invalid PORT command
> > > > > > > > 500 LPRT 6,16,0,0,0,0,0,0,0,0,67,0,0,0,0,0,133,96,2,13,29
> > > > > > > >
> > > > > > > > I was originally referred to KB281193.  I'm not sure how
this
> > > > article
> > > > > > > > provides a solution, though, and the LPRT response I get is
> > > clearly
> > > > > not
> > > > > > > like
> > > > > > > > the 6 number example shown.
> > > > > > > > The attempt above was without Passive Mode checked in IE.
> With
> > > > > Passive
> > > > > > > Mode
> > > > > > > > checked, it just times out after entering the user name and
> > > > password.
> > > > > > > > I am running ISA Server 2000, but this was set up before the
> > > upgrade
> > > > > to
> > > > > > > > IIS6.0 and I believe all the settings are fine here to allow
> > > access.
> > > > > I
> > > > > > > have
> > > > > > > > gone through articles 310110 and 294679 just to be sure.
When
> I
> > > > > > followed
> > > > > > > > the "Publish the FTP Site" instructions in 310110, I got an
> > event
> > > > log
> > > > > > > error:
> > > > > > > > Web Proxy Service failed to bind its socket to 10.0.1.2 port
> 80.
> > > > > Could
> > > > > > be
> > > > > > > > another service using same port or a NIC that's not
> functional.
> > > > > > > > (The NIC is fine and the service continues to run after this
> > > > message.)
> > > > > > > >
> > > > > > > > When following article 294679, it mentions changing the
> > > > > EnablePortAttack
> > > > > > > > value to 1.  However, I cannot find this variable (or, I
> believe
> > > the
> > > > > IIS
> > > > > > > > help file mentioned another name for it in 6.0) in the
> registry
> > > > > > anywhere.
> > > > > > > > Is this something that I'm supposed to create, or does the
> fact
> > > that
> > > > > its
> > > > > > > > missing mean that IIS6.0 is not properly installed?
> > > > > > > >
> > > > > > > > I also read some information about setting the
> PassivePortRange
> > > > > > > (KB555022),
> > > > > > > > but am not sure how this would help.
> > > > > > > >
> > > > > > > > Another note that may or may not be helpful:  I'm setting up
> the
> > > > > virtual
> > > > > > > > directories on FTP as a path to another server.  I have it
set
> > up
> > > to
> > > > > use
> > > > > > > the
> > > > > > > > user's authentication so that it uses their permissions when
> > > > accessing
> > > > > > the
> > > > > > > > folder.  This does cause an error in the event log upon
> creation
> > > and
> > > > > > > > reboots:
> > > > > > > > Unable to add virtual root '/foldername' for the directory
> > > > > > > > '\\server\foldername' due to the following error: Access is
> > > denied.
> > > > > > > > Despite this I can still access this from a computer on the
> LAN.
> > > If
> > > > I
> > > > > > > > assign to use a specific user's permissions, I don't get
that
> > > error,
> > > > > but
> > > > > > > > there's too much access then, and I still can't access
> remotely.
> > > > > > > >
> > > > > > > > Finally, I've been considering doing a VPN using PPTP for a
> more
> > > > > secure
> > > > > > > > option instead...is this relatively easy and should I just
try
> > > that
> > > > > and
> > > > > > > give
> > > > > > > > up on FTP?
> > > > > > > > Thanks, anyone, for some help or advice...this is driving me
> > > crazy!
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
Quantcast