Re: Bug with W2K3, SP1, Windows Firewall and FTP

It surely looks like there is something wrong with that setup. It seems
strange to me not more people are complaining about this...

Mav.

"Jimmy Chu" wrote:

Guess what? My situation is worse than yours. If I use Internet Explorer
as the FTP client with the firewall enabled on the server, message or no
message, IE times out. With firewall off, it all works fine. The ftp.exe
works with and without the welcome message (with the firewall on). This is
just great.

One thing I notice is that when using IE, it actually creates 2 sessions,
according to the FTP server. Hmm...


"EuroMaverick" <EuroMaverick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:718C762B-5E82-4FF5-9D12-88716361EB54@xxxxxxxxxxxxxxxx

No probs for hijacking this thread Jimmy ;-)

To answer your question: yes, it is IE and the "Enable folder view for FTP
sites" is checked !

Regards,

Benoit.

"Jimmy Chu" wrote:

Hey EuroMaverick,

Sorry that I hijacked your thread. I remember IIS did not display
multiple
lines welcome message when I tried it, but it did not hang either. What
browser are you using, and if it is IE, is the "Enable folder view for
FTP
sites" options (in Internet Options, Advanced) checked?


"EuroMaverick" <EuroMaverick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6F2A2150-A084-4191-806B-379F1D0D1BB2@xxxxxxxxxxxxxxxx
Hello guys,

Nice to see there is still so much going on here in that original
message
that I posted.

I'm not all too technical and I don't fully understand all the
postings,
so
could you bring me up-to-date here, please: is there something wrong
with
my
installation or is there indeed a bug as I described ?

Regards,

Benoit.

"Bernard Cheah [MVP]" wrote:

ha! when you have added the exception as program NOT port, you should
removed the relevant setting in the 'advanced' tab. Once program is in
the
list and exception is allowed (of coz tight to the scope of your
exception
list, either any computer, same subnet or customer), those allowed
network
range host will be able to communicate to the executable, in your
case -
inetinfo.exe without any port restriction..... my only concern now
will
be
the inetinfo is now open all to everyone.. of coz you can restrict the
access from the 'scope' range setting, however it still an expose
connection
to those hosts.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uWti$K0ZGHA.4292@xxxxxxxxxxxxxxxxxxxxxxx
Bernard,

I decided to try adding a port 21 in the firewall exception list
just
to
see, but that did not work. Then I unchecked the FTP Server service
in
the Advanced section for the Local Area Connection, and this seems
to
work. Does this make sense at all?


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%23BceAFzZGHA.4160@xxxxxxxxxxxxxxxxxxxxxxx
Bernard,

I found this on the inetinfo thingy, but he unchecks the FTP
service
from
the firewall:

http://www.brianpautsch.com/ShowItem30.aspx


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:OqSO9gyZGHA.3752@xxxxxxxxxxxxxxxxxxxxxxx
Just tried it and still no luck.

"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in
message
news:unHf6cRZGHA.5004@xxxxxxxxxxxxxxxxxxxxxxx
W2k3 SP1 + XP SP2

Have you try exception list?

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%23SaDdwMZGHA.3328@xxxxxxxxxxxxxxxxxxxxxxx
Bernard,

Are you running SP1?

"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in
message
news:eYfrSlFZGHA.3684@xxxxxxxxxxxxxxxxxxxxxxx
I can't find the 'utimate windows firewall troubleshooting kb'
:)
I saw it few days ago. Now, part of the step. if some unknown
issue
is blocking the incoming request.
create an exception for the program. in your case will be
inetinfo.exe

ensure your ICF is on, then exception is allowed.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:ODxdj%238YGHA.3740@xxxxxxxxxxxxxxxxxxxxxxx
I only enabled the FTP Server service in advance settings. I
also
tried adding a port 20 one for data, but it was no help.

"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in
message news:%23RSSuL7YGHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
what is closed, not dropped :)
I have no clue already. how do you enable access for ftp in
the
firewall setting?
just the 'network connection setting' in the firewall
advanced
tab
or you have exceptions define for inetinfo.exe ?

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:u%23UI$e3YGHA.1200@xxxxxxxxxxxxxxxxxxxxxxx
Here is the log. At 22:56:06, the port 21 was closed, and
when
I
entered a "dir" command at the client FTP prompt, I got
"Connection closed by remote host." message.

2006-04-18 22:54:14 DROP UDP 206.190.85.61 255.255.255.255
1215
712 72 - - - - - - - RECEIVE
2006-04-18 22:54:15 OPEN-INBOUND TCP 68.190.234.108
206.190.85.61
4357 21 - - - - - - - - -
2006-04-18 22:54:29 DROP UDP 206.190.85.61 255.255.255.255
1218
712 72 - - - - - - - RECEIVE
2006-04-18 22:54:35 OPEN TCP 206.190.85.61 68.190.234.108 20
4373 - - - - - - - - -
2006-04-18 22:54:39 OPEN TCP 206.190.85.61 68.190.234.108 20
4376 - - - - - - - - -
2006-04-18 22:54:44 DROP UDP 206.190.85.61 255.255.255.255
1219
712 72 - - - - - - - RECEIVE
2006-04-18 22:54:45 OPEN TCP 206.190.85.61 68.190.234.108 20
4382 - - - - - - - - -
2006-04-18 22:54:50 OPEN TCP 206.190.85.61 68.190.234.108 20
4384 - - - - - - - - -
2006-04-18 22:54:51 OPEN TCP 206.190.85.61 68.190.234.108 20
4386 - - - - - - - - -
2006-04-18 22:54:54 OPEN TCP 206.190.85.61 68.190.234.108 20
4388 - - - - - - - - -
2006-04-18 22:54:59 DROP UDP 206.190.85.61 255.255.255.255
1220
712 72 - - - - - - - RECEIVE
2006-04-18 22:55:14 DROP UDP 206.190.85.61 255.255.255.255
1221
712 72 - - - - - - - RECEIVE
2006-04-18 22:55:29 DROP UDP 206.190.85.61 255.255.255.255
1222
712 72 - - - - - - - RECEIVE
2006-04-18 22:55:44 DROP UDP 206.190.85.61 255.255.255.255
1223
712 72 - - - - - - - RECEIVE
2006-04-18 22:55:59 DROP UDP 206.190.85.61 255.255.255.255
1224
712 72 - - - - - - - RECEIVE
2006-04-18 22:56:06 CLOSE TCP 68.190.234.108 206.190.85.61
4357
21 - - - - - - - - -
2006-04-18 22:56:14 DROP UDP 206.190.85.61 255.255.255.255
1225
712 72 - - - - - - - RECEIVE
2006-04-18 22:56:29 DROP UDP 206.190.85.61 255.255.255.255
1226
712 72 - - - - - - - RECEIVE
2006-04-18 22:56:44 DROP UDP 206.190.85.61 255.255.255.255
1227
712 72 - - - - - - - RECEIVE
2006-04-18 22:56:47 CLOSE TCP 206.190.85.61 68.190.234.108
20
4373 - - - - - - - - -
2006-04-18 22:56:48 OPEN-INBOUND TCP 68.190.234.108
206.190.85.61
4357 21 - - - - - - - - -
2006-04-18 22:56:50 CLOSE TCP 206.190.85.61 68.190.234.108
20
4376 - - - - - - - - -
2006-04-18 22:56:57 CLOSE TCP 206.190.85.61 68.190.234.108
20
4382 - - - - - - - - -


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote
in
message news:eUhqFusYGHA.3328@xxxxxxxxxxxxxxxxxxxxxxx
Geezz. didn't know the reproduce my article.
Now - can you post the firewall log?
I can't repro this. I have firewall enable and I can
connect
fine. and only idle timeout after 900 seconds.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%23pJo4jrYGHA.1888@xxxxxxxxxxxxxxxxxxxxxxx
I actually re-read those articles, and I realized that
since
ftp.exe is using active, the PassivePortRange wouldn't fix
the
problem...


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uns$pzpYGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Hey Bernard, I found your Microsoft Help and Support
article
on
configuring PassivePortRange in IIS, and I also found
this
one
on Windows 2003 Server w/SP1 Firewall that basically says
to
do
the same thing. Does it make sense?

http://www.newagedigital.com/cgi-bin/newagedigital/articles/ms-firewall-ftp.html


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uPJlX5jYGHA.1228@xxxxxxxxxxxxxxxxxxxxxxx
From the Windows Firewall log, it looks like that the
Firewall
closes the port 21 connection for some reasons. The
client
then gets the connection disconnected by remote
.

Relevant Pages

  • Re: Bug with W2K3, SP1, Windows Firewall and FTP
    ... add a welcome message to the ftp. ... Bernard Cheah ... list and exception is allowed (of coz tight to the scope of your ... I decided to try adding a port 21 in the firewall exception list ...
    (microsoft.public.inetserver.iis.ftp)
  • RE: FTP Window of opportunity?
    ... target on the line when in reality it was just a firewall lying to them. ... The connection connects and then immediately ... Subject: FTP Window of opportunity? ... the FTP port shows up. ...
    (Pen-Test)
  • Re: Bug with W2K3, SP1, Windows Firewall and FTP
    ... Port) in the Exceptions tab and uncheck the pre-defined FTP Server in the ... list and exception is allowed (of coz tight to the scope of your exception ... I decided to try adding a port 21 in the firewall exception list just to ...
    (microsoft.public.inetserver.iis.ftp)
  • Re: Bug with W2K3, SP1, Windows Firewall and FTP
    ... it is IE and the "Enable folder view for FTP ... Bernard Cheah ... I decided to try adding a port 21 in the firewall exception list just ... the Advanced section for the Local Area Connection, ...
    (microsoft.public.inetserver.iis.ftp)
  • Re: Bug with W2K3, SP1, Windows Firewall and FTP
    ... Bernard Cheah ... FTP service is listed, it should be bi-directional. ... I'm confuse as well:) between the advanced tab and exception tab. ... I decided to try adding a port 21 in the firewall exception list ...
    (microsoft.public.inetserver.iis.ftp)