Re: Internet Explorer Keeps Timing out on FTP
From: Alun Jones [MS] (alunj_at_online.microsoft.com)
Date: 06/18/04
- Previous message: Oleg: "Help me whis IIS 5.0 ftp"
- In reply to: Siegfried Heintze: "Re: Internet Explorer Keeps Timing out on FTP"
- Next in thread: Siegfried Heintze: "Re: Internet Explorer Keeps Timing out on FTP"
- Reply: Siegfried Heintze: "Re: Internet Explorer Keeps Timing out on FTP"
- Reply: Paul Lynch: "Re: Internet Explorer Keeps Timing out on FTP"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 18 Jun 2004 17:40:55 GMT
> From: "Siegfried Heintze" <siegfried@heintze.com>
>
> All the machines are behind the same ActionTec DSL router/firewall. In other
> words, the NT and Win2K machines that don't have this problem are behind the
> same firewall as the Win2003 server that does have this problem.
>
> This is a problem with the FTP client. I have not started the FTP server and
> I deliberately do not run IIS process (because I don't want it to conflict
> with the Apache Web Server). How do I tell what version of FTP? I believe
> Win2003 Server has IIS 6. That is probably the version of the FTP
> client/server too since IIS and FTP are both implemented with the same
> program INETINFO.exe.
Windows 2003 comes with IIS 6.0 for FTP (and other services).
What I think is going on here is the classic FTP problem of what ports to
open in the firewall.
Try changing the active / passive FTP option in Internet Explorer - from
the "Tools" menu, select "Internet Options". Select the "Advanced" tab,
and scroll down to "Use Passive FTP (for firewall and DSL modem
compatibility)". I'm going to guess, from the information you've given me,
that this is checked. Uncheck it.
Now try and connect to the FTP site again. Does it list the directory?
Note that IE lumps connection and directory listing together - if it is
able to connect, but cannot get a data connection for a directory listing,
this looks very similar to the error message that you get when you cannot
connect at all.
So, what's the difference between Active and Passive FTP? Well, they're
both modes of opening a connection down which to transfer data, whether
that's a file upload, a file download, or a directory listing. The FTP
client chooses which method to use, by sending either a PORT or PASV
command to the server. FTP servers are required to support both.
When the PORT command is used, the FTP client is asking the FTP server to
make an "active open" - i.e. to initiate a connection - to the client. To
achieve this, the FTP client includes an IP address and port number in the
PORT command. For historical reasons that aren't worth going into, the
PORT command is given with 6 decimal numbers, separated by commas. The
first four numbers are the IP address - with commas instead of dots. The
next number is the high-byte of the port number (i.e. the integer part of
port-number / 256), and the last number is the low-byte of the port number
(the remainder of port-number / 256). The FTP server connects from its
local port 20 to the FTP client's specified IP address and port. So, any
firewall between the FTP server and FTP client has to accommodate this
connection. This can be a problem, as clients may be behind restrictive
firewalls that allow only outgoing traffic, and not incoming traffic. This
is particularly a problem with NATs, as the client can only give out an
internal address and port number - this has typically been solved by an
"Application Level Gateway" (ALG) on the NAT that translates the PORT
command and opens an incoming connection.
Because of the problems with PORT commands through firewalls and NATs, the
passive connection was deemed to be more likely to succeed, and made into
the suggested standard mode of connection, under the theory that FTP
servers were unlikely to be behind restrictive firewalls or NAT routers.
When the PASV command is used, the FTP client is asking the FTP server to
make a "passive open" - i.e. to wait for a connection. The client doesn't
send any information in the PASV command, and the server responds with the
same sort of comma-separated six-number sequence as described in the PORT
command. The FTP client will then connect to that port for the next data
exchange. Note that the port numbers at both ends in a passive open are
essentially random, so it's very difficult to write a firewall rule to
handle this. For a NAT, the FTP ALG will translate the PASV response. The
usual way to write a firewall / NAT rule for passive FTP is to create a
wide range of ports for FTP traffic, tell the FTP server to use only those
ports, and map that range of ports directly through the firewall / NAT to
the FTP server.
So, when PASV doesn't work, try PORT, and when PORT doesn't work, try PASV.
If you want to restrict the range of passive ports, there's an excellent
article written by Bernard at http://support.microsoft.com/?id=555022.
Alun.
~~~~
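The six-number encoding and the NAT and port-range failure modes described in the message above, as an added example that is not part of the original message. The function names, the sample addresses and the forwarded port range are constructed for illustration.

```python
import ipaddress
import re

# Six comma-separated decimal numbers: h1,h2,h3,h4,p1,p2
SIX = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def encode_hostport(ip, port):
    """Build the PORT argument: IP with commas, then port high byte and low byte."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = ipaddress.IPv4Address(ip).packed
    return ",".join(str(b) for b in (*octets, port // 256, port % 256))

def parse_hostport(line):
    """Extract (ip, port) from a PORT command or a 227 reply to PASV."""
    m = SIX.search(line)
    if not m:
        raise ValueError("no six-number host/port sequence found")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("each number must fit in one byte")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def check_data_endpoint(line, control_peer, passive_range=None):
    """List reasons the data connection is likely to fail.
    control_peer: address the other end of the control connection appears as.
    passive_range: (low, high) ports mapped through the firewall to the server."""
    ip, port = parse_hostport(line)
    findings = []
    if is_internal(ip) and not is_internal(control_peer):
        findings.append("internal address advertised across NAT (not translated)")
    elif ip != control_peer:
        findings.append("advertised address differs from control connection peer")
    if passive_range and not passive_range[0] <= port <= passive_range[1]:
        findings.append("port %d outside forwarded range" % port)
    return findings

if __name__ == "__main__":
    # Constructed sample lines: a client behind NAT, and a server's PASV reply.
    print(check_data_endpoint("PORT 192,168,1,10,19,137", "203.0.113.77"))
    print(check_data_endpoint("227 Entering Passive Mode (203,0,113,5,195,80)",
                              "203.0.113.5", (60000, 60100)))
```

Run against lines captured from an FTP client's debug log to see whether a timeout comes from an untranslated internal address or from a passive port the firewall does not forward.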