Re: Bug with W2K3, SP1, Windows Firewall and FTP



Wait. I probably was not clear before--I did not leave the inetinfo.exe in
the exceptions (since that did not work), but I added port 21 (using Add
Port) in the Exceptions tab and unchecked the pre-defined FTP Server in the
Advanced section. This is what I don't understand--both (opening a port in
the Exceptions and checking the FTP Server in the Advanced section) are
opening the same port.


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
news:ebhZ2I1ZGHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
Ha! When you have added the exception as program NOT port, you should
remove the relevant setting in the 'advanced' tab. Once the program is in the
list and the exception is allowed (of course tied to the scope of your exception
list, either any computer, same subnet or custom), those allowed network
range hosts will be able to communicate to the executable, in your case -
inetinfo.exe without any port restriction..... my only concern now will
be that inetinfo is now open to everyone.. of course you can restrict the
access from the 'scope' range setting, however it is still an exposed
connection to those hosts.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uWti$K0ZGHA.4292@xxxxxxxxxxxxxxxxxxxxxxx
Bernard,

I decided to try adding a port 21 in the firewall exception list just to
see, but that did not work. Then I unchecked the FTP Server service in
the Advanced section for the Local Area Connection, and this seems to
work. Does this make sense at all?


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%23BceAFzZGHA.4160@xxxxxxxxxxxxxxxxxxxxxxx
Bernard,

I found this on the inetinfo thingy, but he unchecks the FTP service
from the firewall:

http://www.brianpautsch.com/ShowItem30.aspx


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:OqSO9gyZGHA.3752@xxxxxxxxxxxxxxxxxxxxxxx
Just tried it and still no luck.

"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
news:unHf6cRZGHA.5004@xxxxxxxxxxxxxxxxxxxxxxx
W2k3 SP1 + XP SP2

Have you tried the exception list?

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%23SaDdwMZGHA.3328@xxxxxxxxxxxxxxxxxxxxxxx
Bernard,

Are you running SP1?

"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
news:eYfrSlFZGHA.3684@xxxxxxxxxxxxxxxxxxxxxxx
I can't find the 'ultimate windows firewall troubleshooting kb' :)
I saw it a few days ago. Now, part of the steps, if some unknown issue
is blocking the incoming request:
create an exception for the program. In your case it will be
inetinfo.exe

Ensure your ICF is on, then the exception is allowed.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:ODxdj%238YGHA.3740@xxxxxxxxxxxxxxxxxxxxxxx
I only enabled the FTP Server service in advanced settings. I also
tried adding a port 20 one for data, but it was no help.

"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in
message news:%23RSSuL7YGHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
what is closed, not dropped :)
I have no clue already. how do you enable access for ftp in the
firewall setting?
just the 'network connection setting' in the firewall advanced tab
or you have exceptions define for inetinfo.exe ?

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:u%23UI$e3YGHA.1200@xxxxxxxxxxxxxxxxxxxxxxx
Here is the log. At 22:56:06, the port 21 was closed, and when I
entered a "dir" command at the client FTP prompt, I got
"Connection closed by remote host." message.

2006-04-18 22:54:14 DROP UDP 206.190.85.61 255.255.255.255 1215 712 72 - - - - - - - RECEIVE
2006-04-18 22:54:15 OPEN-INBOUND TCP 68.190.234.108 206.190.85.61 4357 21 - - - - - - - - -
2006-04-18 22:54:29 DROP UDP 206.190.85.61 255.255.255.255 1218 712 72 - - - - - - - RECEIVE
2006-04-18 22:54:35 OPEN TCP 206.190.85.61 68.190.234.108 20 4373 - - - - - - - - -
2006-04-18 22:54:39 OPEN TCP 206.190.85.61 68.190.234.108 20 4376 - - - - - - - - -
2006-04-18 22:54:44 DROP UDP 206.190.85.61 255.255.255.255 1219 712 72 - - - - - - - RECEIVE
2006-04-18 22:54:45 OPEN TCP 206.190.85.61 68.190.234.108 20 4382 - - - - - - - - -
2006-04-18 22:54:50 OPEN TCP 206.190.85.61 68.190.234.108 20 4384 - - - - - - - - -
2006-04-18 22:54:51 OPEN TCP 206.190.85.61 68.190.234.108 20 4386 - - - - - - - - -
2006-04-18 22:54:54 OPEN TCP 206.190.85.61 68.190.234.108 20 4388 - - - - - - - - -
2006-04-18 22:54:59 DROP UDP 206.190.85.61 255.255.255.255 1220 712 72 - - - - - - - RECEIVE
2006-04-18 22:55:14 DROP UDP 206.190.85.61 255.255.255.255 1221 712 72 - - - - - - - RECEIVE
2006-04-18 22:55:29 DROP UDP 206.190.85.61 255.255.255.255 1222 712 72 - - - - - - - RECEIVE
2006-04-18 22:55:44 DROP UDP 206.190.85.61 255.255.255.255 1223 712 72 - - - - - - - RECEIVE
2006-04-18 22:55:59 DROP UDP 206.190.85.61 255.255.255.255 1224 712 72 - - - - - - - RECEIVE
2006-04-18 22:56:06 CLOSE TCP 68.190.234.108 206.190.85.61 4357 21 - - - - - - - - -
2006-04-18 22:56:14 DROP UDP 206.190.85.61 255.255.255.255 1225 712 72 - - - - - - - RECEIVE
2006-04-18 22:56:29 DROP UDP 206.190.85.61 255.255.255.255 1226 712 72 - - - - - - - RECEIVE
2006-04-18 22:56:44 DROP UDP 206.190.85.61 255.255.255.255 1227 712 72 - - - - - - - RECEIVE
2006-04-18 22:56:47 CLOSE TCP 206.190.85.61 68.190.234.108 20 4373 - - - - - - - - -
2006-04-18 22:56:48 OPEN-INBOUND TCP 68.190.234.108 206.190.85.61 4357 21 - - - - - - - - -
2006-04-18 22:56:50 CLOSE TCP 206.190.85.61 68.190.234.108 20 4376 - - - - - - - - -
2006-04-18 22:56:57 CLOSE TCP 206.190.85.61 68.190.234.108 20 4382 - - - - - - - - -


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in
message news:eUhqFusYGHA.3328@xxxxxxxxxxxxxxxxxxxxxxx
Geezz. Didn't know they reproduced my article.
Now - can you post the firewall log?
I can't repro this. I have the firewall enabled and I can connect
fine, and only get the idle timeout after 900 seconds.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%23pJo4jrYGHA.1888@xxxxxxxxxxxxxxxxxxxxxxx
I actually re-read those articles, and I realized that since
ftp.exe is using active, the PassivePortRange wouldn't fix the
problem...


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uns$pzpYGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Hey Bernard, I found your Microsoft Help and Support article
on configuring PassivePortRange in IIS, and I also found this
one on Windows 2003 Server w/SP1 Firewall that basically says
to do the same thing. Does it make sense?

http://www.newagedigital.com/cgi-bin/newagedigital/articles/ms-firewall-ftp.html


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uPJlX5jYGHA.1228@xxxxxxxxxxxxxxxxxxxxxxx
From the Windows Firewall log, it looks like the
Firewall closes the port 21 connection for some reason. The
client then gets the connection disconnected by remote
host/service not available, and since the server did not get
a proper response from the client, it is still waiting for
the next command (that's why the session is still going)
until the session times out. So the real question is why is
the Windows Firewall doing this?

Oh, I also tested it from the server itself. Since the
Firewall is not involved in this case, everything went fine.
Any thought on this Windows Firewall behavior?


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in
message news:ey49yJhYGHA.4168@xxxxxxxxxxxxxxxxxxxxxxx
Well, even with the refresh button, it's only as 'real' as
you thought.
It will only 'clear' from the list when the TCP connection
no longer appears when you do 'netstat -an' at the command
prompt.
That's what I have tested in the past.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%232uxMmAYGHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
There is a refresh button. I could see the connection time
updated after I clicked the button. BTW, the client I used
was the Microsoft FTP.exe.


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote
in message news:uM8cPHsXGHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
As for the FTP MMC connection status, I believe it is not
refreshed in real time, so it may take some time to reflect even
after the client has disconnected.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:OvNjv8LXGHA.3492@xxxxxxxxxxxxxxxxxxxxxxx
You mean running FTP on the IIS/FTP server? Hmmm...I'll
try that and let you know the outcome.


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx>
wrote in message
news:ebu2U74WGHA.4212@xxxxxxxxxxxxxxxxxxxxxxx

Weird indeed. Same behavior if you try to connect via
ftp.exe on the machine itself ??


--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:ORvcyC1WGHA.752@xxxxxxxxxxxxxxxxxxxxxxx
I'm encountering a bad behavior with Windows Firewall
on too. With the Windows Firewall on, the FTP sessions
(using the command line FTP on the client) would be
disconnected (the message says something about
connection disconnect by server) in about less than 1
minute, but the IIS manager would still show the
session is active. If the Windows Firewall is off,
everything is well.


"EuroMaverick" <EuroMaverick@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:60BB5F4B-BDD8-4C26-9108-5AFAF30C3D19@xxxxxxxxxxxxxxxx
Hello people,

I don't know if this is a documented bug or if the information is
widespread, but since we spent about two days tracking this down, I think
it makes sense to share this information with whoever is interested in it.

This is the setup where this will occur:
- Windows 2003 server with SP1
- Windows firewall turned on
- IIS on the same machine
- FTP within that IIS

Now, add a welcome message to the ftp. As soon as this welcome message
contains a <return>, your browser will hang when you navigate to the
ftp-site. It does not actually hang, but returns an error much later and
your ftp-site is not accessible.

Remove all returns from the welcome message, and the ftp-server works just
fine...

Regards,

Benoit Somers.
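
Added example (not part of the original posts): Python code that pairs OPEN and CLOSE records from the Windows Firewall log quoted above, to measure how long the firewall held state for the FTP control connection (port 21) and for the active-mode data connections (source port 20). The column names are assumed from the standard pfirewall.log header, which the thread does not show; the sample lines are an excerpt of the log posted in the thread.

```python
from datetime import datetime

# Column names assumed from the standard pfirewall.log "#Fields:" header
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()
# Excerpt of the log posted in this thread, wrapped lines rejoined
SAMPLE = """\
2006-04-18 22:54:15 OPEN-INBOUND TCP 68.190.234.108 206.190.85.61 4357 21 - - - - - - - - -
2006-04-18 22:54:29 DROP UDP 206.190.85.61 255.255.255.255 1218 712 72 - - - - - - - RECEIVE
2006-04-18 22:54:35 OPEN TCP 206.190.85.61 68.190.234.108 20 4373 - - - - - - - - -
2006-04-18 22:54:39 OPEN TCP 206.190.85.61 68.190.234.108 20 4376 - - - - - - - - -
2006-04-18 22:56:06 CLOSE TCP 68.190.234.108 206.190.85.61 4357 21 - - - - - - - - -
2006-04-18 22:56:47 CLOSE TCP 206.190.85.61 68.190.234.108 20 4373 - - - - - - - - -
2006-04-18 22:56:48 OPEN-INBOUND TCP 68.190.234.108 206.190.85.61 4357 21 - - - - - - - - -
"""

def parse(text):
    """Yield one dict per record; header lines and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        yield rec

def tcp_sessions(records):
    """Pair each OPEN / OPEN-INBOUND with the next CLOSE on the same 4-tuple."""
    open_at, sessions = {}, []
    for r in (r for r in records if r["protocol"] == "TCP"):
        key = (r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"])
        if r["action"] in ("OPEN", "OPEN-INBOUND"):
            open_at[key] = r
        elif r["action"] == "CLOSE" and key in open_at:
            o = open_at.pop(key)
            sessions.append({"key": key, "opened_by": o["action"],
                             "seconds": int((r["ts"] - o["ts"]).total_seconds())})
    # Entries never closed within the excerpt get seconds=None
    sessions += [{"key": k, "opened_by": o["action"], "seconds": None}
                 for k, o in open_at.items()]
    return sessions

def classify(session):
    """Label by port: dst 21 = FTP control, src 20 = active-mode FTP data."""
    _, sport, _, dport = session["key"]
    return "control" if dport == "21" else "active-data" if sport == "20" else "other"

if __name__ == "__main__":
    for s in tcp_sessions(parse(SAMPLE)):
        print(classify(s), s["opened_by"], s["key"], s["seconds"])
```

On the excerpt, the control connection's firewall state lasts 111 seconds before the CLOSE record, and the same client port is logged as OPEN-INBOUND again 42 seconds later.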










































