Re: Bug with W2K3, SP1, Windows Firewall and FTP



The thing is that I can't control what mode the clients use, so adding
inetinfo (if it works) would only solve half the problem.


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
news:uNWQb77fGHA.3468@xxxxxxxxxxxxxxxxxxxxxxx
Yes, only when you checked it.....
so active mode works but not passive mode then......

Anyway - where were we before? I'm kinda lost now.
Passive mode should work once you have added it in the exception list...
Have you tried restarting the entire machine and testing again?

--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uMqlyMUbGHA.4272@xxxxxxxxxxxxxxxxxxxxxxx
Yeah, ftp.exe works OK, but from what I read, "Enable folder view for FTP
sites" makes IE an active client.

"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
news:%23mA$oGzaGHA.5000@xxxxxxxxxxxxxxxxxxxxxxx
Sorry, been traveling...

I know. I just want to check if it works.
And it could be IE is not behaving in active mode, since your ftp.exe
works.......... correct?

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%23m2hKALaGHA.3524@xxxxxxxxxxxxxxxxxxxxxxx
But that's for using the passive mode. Since ftp.exe is active, it
makes sense that opening up inetinfo.exe didn't help.

Yeah, I don't know about this Advanced section. The description says
that it allows users from the Internet to access the service, and the
FTP service is listed, it should be bi-directional.

As with using banner and welcome message and firewall, I guess that
means unsecured beats nonfunctional...


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
news:OcfJxtEaGHA.4160@xxxxxxxxxxxxxxxxxxxxxxx
Errrr. Add program, not add port, like what is stated in the article
you posted.

I'm confused as well :) between the advanced tab and exception tab.
It's Microsoft :)
Anyway, I believe the exception program list allows any port connection (in
and out) as long as it is listed there, whereas in the advanced tab,
you can only control the incoming ports, not outgoing.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uVuBhw8ZGHA.2376@xxxxxxxxxxxxxxxxxxxxxxx
Wait. I probably was not clear before--I did not leave the
inetinfo.exe in the exceptions (since that did not work), but I added
port 21 (using Add Port) in the Exceptions tab and unchecked the
pre-defined FTP Server in the Advanced section. This is what I don't
understand--both (opening a port in the Exceptions and checking the
FTP Server in the Advanced section) are opening the same port.


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
news:ebhZ2I1ZGHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
Ha! When you have added the exception as program NOT port, you
should remove the relevant setting in the 'advanced' tab. Once the
program is in the list and the exception is allowed (of course tied to the
scope of your exception list, either any computer, same subnet or
custom), hosts in the allowed network range will be able to
communicate with the executable, in your case inetinfo.exe, without
any port restriction..... My only concern now is that inetinfo
is now open to everyone.. Of course you can restrict the access
with the 'scope' range setting, however it is still an exposed
connection to those hosts.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uWti$K0ZGHA.4292@xxxxxxxxxxxxxxxxxxxxxxx
Bernard,

I decided to try adding a port 21 in the firewall exception list
just to see, but that did not work. Then I unchecked the FTP
Server service in the Advanced section for the Local Area
Connection, and this seems to work. Does this make sense at all?


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%23BceAFzZGHA.4160@xxxxxxxxxxxxxxxxxxxxxxx
Bernard,

I found this on the inetinfo thingy, but he unchecks the FTP
service from the firewall:

http://www.brianpautsch.com/ShowItem30.aspx


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:OqSO9gyZGHA.3752@xxxxxxxxxxxxxxxxxxxxxxx
Just tried it and still no luck.

"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in
message news:unHf6cRZGHA.5004@xxxxxxxxxxxxxxxxxxxxxxx
W2k3 SP1 + XP SP2

Have you tried the exception list?

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%23SaDdwMZGHA.3328@xxxxxxxxxxxxxxxxxxxxxxx
Bernard,

Are you running SP1?

"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in
message news:eYfrSlFZGHA.3684@xxxxxxxxxxxxxxxxxxxxxxx
I can't find the 'ultimate windows firewall troubleshooting kb' :)
I saw it a few days ago. Now, part of the steps: if some unknown
issue is blocking the incoming request,
create an exception for the program. In your case it will be
inetinfo.exe.

Ensure your ICF is on, then exception is allowed.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:ODxdj%238YGHA.3740@xxxxxxxxxxxxxxxxxxxxxxx
I only enabled the FTP Server service in advanced settings. I
also tried adding a port 20 one for data, but it was no help.

"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in
message news:%23RSSuL7YGHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
what is closed, not dropped :)
I have no clue already. How do you enable access for ftp in
the firewall setting?
Just the 'network connection setting' in the firewall
advanced tab, or do you have exceptions defined for inetinfo.exe?

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:u%23UI$e3YGHA.1200@xxxxxxxxxxxxxxxxxxxxxxx
Here is the log. At 22:56:06, the port 21 was closed, and
when I entered a "dir" command at the client FTP prompt, I
got "Connection closed by remote host." message.

2006-04-18 22:54:14 DROP UDP 206.190.85.61 255.255.255.255 1215 712 72 - - - - - - - RECEIVE
2006-04-18 22:54:15 OPEN-INBOUND TCP 68.190.234.108 206.190.85.61 4357 21 - - - - - - - - -
2006-04-18 22:54:29 DROP UDP 206.190.85.61 255.255.255.255 1218 712 72 - - - - - - - RECEIVE
2006-04-18 22:54:35 OPEN TCP 206.190.85.61 68.190.234.108 20 4373 - - - - - - - - -
2006-04-18 22:54:39 OPEN TCP 206.190.85.61 68.190.234.108 20 4376 - - - - - - - - -
2006-04-18 22:54:44 DROP UDP 206.190.85.61 255.255.255.255 1219 712 72 - - - - - - - RECEIVE
2006-04-18 22:54:45 OPEN TCP 206.190.85.61 68.190.234.108 20 4382 - - - - - - - - -
2006-04-18 22:54:50 OPEN TCP 206.190.85.61 68.190.234.108 20 4384 - - - - - - - - -
2006-04-18 22:54:51 OPEN TCP 206.190.85.61 68.190.234.108 20 4386 - - - - - - - - -
2006-04-18 22:54:54 OPEN TCP 206.190.85.61 68.190.234.108 20 4388 - - - - - - - - -
2006-04-18 22:54:59 DROP UDP 206.190.85.61 255.255.255.255 1220 712 72 - - - - - - - RECEIVE
2006-04-18 22:55:14 DROP UDP 206.190.85.61 255.255.255.255 1221 712 72 - - - - - - - RECEIVE
2006-04-18 22:55:29 DROP UDP 206.190.85.61 255.255.255.255 1222 712 72 - - - - - - - RECEIVE
2006-04-18 22:55:44 DROP UDP 206.190.85.61 255.255.255.255 1223 712 72 - - - - - - - RECEIVE
2006-04-18 22:55:59 DROP UDP 206.190.85.61 255.255.255.255 1224 712 72 - - - - - - - RECEIVE
2006-04-18 22:56:06 CLOSE TCP 68.190.234.108 206.190.85.61 4357 21 - - - - - - - - -
2006-04-18 22:56:14 DROP UDP 206.190.85.61 255.255.255.255 1225 712 72 - - - - - - - RECEIVE
2006-04-18 22:56:29 DROP UDP 206.190.85.61 255.255.255.255 1226 712 72 - - - - - - - RECEIVE
2006-04-18 22:56:44 DROP UDP 206.190.85.61 255.255.255.255 1227 712 72 - - - - - - - RECEIVE
2006-04-18 22:56:47 CLOSE TCP 206.190.85.61 68.190.234.108 20 4373 - - - - - - - - -
2006-04-18 22:56:48 OPEN-INBOUND TCP 68.190.234.108 206.190.85.61 4357 21 - - - - - - - - -
2006-04-18 22:56:50 CLOSE TCP 206.190.85.61 68.190.234.108 20 4376 - - - - - - - - -
2006-04-18 22:56:57 CLOSE TCP 206.190.85.61 68.190.234.108 20 4382 - - - - - - - - -


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote
in message news:eUhqFusYGHA.3328@xxxxxxxxxxxxxxxxxxxxxxx
Geezz. Didn't know they reproduced my article.
Now - can you post the firewall log?
I can't repro this. I have the firewall enabled and I can
connect fine, and only idle timeout after 900 seconds.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%23pJo4jrYGHA.1888@xxxxxxxxxxxxxxxxxxxxxxx
I actually re-read those articles, and I realized that
since ftp.exe is using active, the PassivePortRange
wouldn't fix the problem...


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uns$pzpYGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Hey Bernard, I found your Microsoft Help and Support
article on configuring PassivePortRange in IIS, and I
also found this one on Windows 2003 Server w/SP1
Firewall that basically says to do the same thing. Does
it make sense?

http://www.newagedigital.com/cgi-bin/newagedigital/articles/ms-firewall-ftp.html


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uPJlX5jYGHA.1228@xxxxxxxxxxxxxxxxxxxxxxx
From the Windows Firewall log, it looks like the
Firewall closes the port 21 connection for some
reason. The client then gets the connection
disconnected by remote host/service not available, and
since the server did not get a proper response from the
client, it is still waiting for the next command
(that's why the session is still going) until the
session times out. So the real question is why is the
Windows Firewall doing this?

Oh, I also tested it from the server itself. Since the
Firewall is not involved in this case, everything went
fine. Any thoughts on this Windows Firewall behavior?


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx>
wrote in message
news:ey49yJhYGHA.4168@xxxxxxxxxxxxxxxxxxxxxxx
Well, even with the refresh button, it's only as
'real' as you thought.
It will only 'clear' from the list when the tcp
connection no longer appears when you do 'netstat -an'
at the command prompt.
That's what I have tested in the past.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%232uxMmAYGHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
There is a refresh button. I could see the connection
time updated after I clicked the button. BTW, the
client I used was the Microsoft FTP.exe.


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx>
wrote in message
news:uM8cPHsXGHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
As for the FTP MMC connection status, I believe it
is not refreshed in real time, so it may take some time to
reflect even after the client has disconnected.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:OvNjv8LXGHA.3492@xxxxxxxxxxxxxxxxxxxxxxx
You mean running FTP on the IIS/FTP server?
Hmmm...I'll try that and let you know the outcome.


"Bernard Cheah [MVP]"
<qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
news:ebu2U74WGHA.4212@xxxxxxxxxxxxxxxxxxxxxxx

Weird indeed. Same behavior if you try to connect via
ftp.exe on the machine itself??


--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:ORvcyC1WGHA.752@xxxxxxxxxxxxxxxxxxxxxxx
I'm encountering a bad behavior with Windows
Firewall on too. With the Windows Firewall on,
the FTP sessions (using the command line FTP on
the client) would be disconnected (the message
says something about connection disconnect by
server) in about less than 1 minute, but the IIS
manager would still show the session is active.
If the Windows Firewall is off, everything is
well.


"EuroMaverick"
<EuroMaverick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:60BB5F4B-BDD8-4C26-9108-5AFAF30C3D19@xxxxxxxxxxxxxxxx
Hello people,

I don't know if this is a documented bug or if the information is
widespread, but since we spent about two days tracking this down, I think it
makes sense to share this information with whoever is interested in it.

This is the setup where this will occur:
- Windows 2003 server with SP1
- Windows firewall turned on
- IIS on the same machine
- FTP within that IIS

Now, add a welcome message to the ftp. As soon as this welcome message
contains a <return>, your browser will hang when you navigate to the
ftp-site. It does not actually hang, but returns an error much later and your
ftp-site is not accessible.

Remove all returns from the welcome message, and the ftp-server works just
fine...

Regards,

Benoit Somers.
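
Added example (not part of the original thread or any poster's code): a short Python script that reads Windows Firewall log records like the ones Jimmy posted and, for each CLOSE of the port 21 control connection, reports how long it was open and which active-mode data connections from server port 20 were still open. The field names are assumed from the log's standard #Fields header, which the post does not include, and SAMPLE_LOG is a constructed subset of the posted records rejoined one per line.

```python
from datetime import datetime

# Field order assumed from the firewall log's "#Fields:" header (not shown in the post).
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample: a subset of the records posted in the thread, one per line.
SAMPLE_LOG = """\
2006-04-18 22:54:14 DROP UDP 206.190.85.61 255.255.255.255 1215 712 72 - - - - - - - RECEIVE
2006-04-18 22:54:15 OPEN-INBOUND TCP 68.190.234.108 206.190.85.61 4357 21 - - - - - - - - -
2006-04-18 22:54:35 OPEN TCP 206.190.85.61 68.190.234.108 20 4373 - - - - - - - - -
2006-04-18 22:54:39 OPEN TCP 206.190.85.61 68.190.234.108 20 4376 - - - - - - - - -
2006-04-18 22:56:06 CLOSE TCP 68.190.234.108 206.190.85.61 4357 21 - - - - - - - - -
2006-04-18 22:56:47 CLOSE TCP 206.190.85.61 68.190.234.108 20 4373 - - - - - - - - -
"""

def parse(text):
    """Yield one dict per well-formed record; skip comments and short lines."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec

def control_closes(text, control_port="21", data_port="20"):
    """For each CLOSE of an FTP control connection, report its lifetime and the
    active-mode data connections (source port 20) still open at that moment."""
    open_conns, findings = {}, []
    for r in parse(text):
        if r["protocol"] != "TCP":
            continue
        key = (r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"])
        if r["action"] in ("OPEN", "OPEN-INBOUND"):
            open_conns[key] = r["ts"]
        elif r["action"] == "CLOSE":
            opened = open_conns.pop(key, None)
            if r["dst_port"] == control_port:
                findings.append({
                    "closed_at": r["time"],
                    "lifetime_s": (r["ts"] - opened).total_seconds() if opened else None,
                    "data_still_open": sorted(k[3] for k in open_conns if k[1] == data_port),
                })
    return findings

if __name__ == "__main__":
    for finding in control_closes(SAMPLE_LOG):
        print(finding)
```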






















































