Re: FTP transmission issue

ftp.exe is an active mode client. you can query passive mode via it, but not
act as a passive mode client.
and it is very basic and most of time for troubleshooting usage + minor non
production usage online.

--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/


"noone" <noone@xxxxxxxxxxx> wrote in message
news:%23vboCuLiGHA.4892@xxxxxxxxxxxxxxxxxxxxxxx
Turns out that the FTP client at the command prompt is stuck in Active
mode. You can type Litteral PASV, or Quote PASV all day long, but it will
never actually switch to passive mode. Therefore, you will need to open
up port 20 incoming and outgoing, then define and enable a range ports for
the FTP connection. ( hundreds of ports) Very Unsecure...

To cut this all short, Command prompt FTP is BAD news... Use a secure FTP
client (SSH, or some other form of encrption / secure connection) that
allows you to use Passive mode FTP. Either that or Drop your FTP server
in a DMZ, segregate it and isolate it. Then hope it doesn't blow up in
your face. Remeber that depending on what you are hosting on this FTP
site, you may need to enable traffic to and or from this server onto your
network. (So much for security.) If you already have a DMZ, you could
further endanger these other clients, depending on your IP addressing and
routing policy on the DMZ....

Very Uncool, but considering FTP.exe it was orriginally developed in 1971,
I guess I can't blame the people who developed it... Just the programmer
who hard coded it into my new software...

;-)

Thanks for all the help.



"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:exrf02ChGHA.3984@xxxxxxxxxxxxxxxxxxxxxxx
This sounds just like what I'm encountering...


"noone" <noone@xxxxxxxxxxx> wrote in message
news:uS8TRFChGHA.2208@xxxxxxxxxxxxxxxxxxxxxxx
If this is a Firewall issue, then why are there any file transfers
allowed at all. If the Firewall is not configured to allow access on
the undefined port, then it should deny access entirely, not after a
half dozen files get transfered... ????

Firewalls are just that... walls. They stop access in, or out, defined
by the user. Is there some magic I'm missing here...?

:-)



"Robin Walker [MVP]" <rdhw@xxxxxxxxx> wrote in message
news:%23y4gWoAhGHA.3496@xxxxxxxxxxxxxxxxxxxxxxx
noone <noone@xxxxxxxxxxx> wrote:

The problem is that the FTP going out from the server will work for a
certain time then will fail pushing files.

Here is how it happens:

From the DOS prompt of the server

Please clarify this: you are using the ftp *client* program on your IIS
server?
So this query has nothing to do with IIS?

ftp (IPaddress)

What is it that you are connecting *to* here? Someone else's remote
FTP server, or what?

You can do the put a few times and eventually after 4 or 5 attempts
it will fail.

On a second site it does the same...

What do you mean by "second site"?
Do you mean:
(a) the same ftp client connecting to a different remote server?
(b) an ftp client at a different site connecting to the same remote
server?

Sometimes it will work for hours and when it blocks it takes many
attempts to let a few files across then blocks again.

I'm running a Brand new box Dell PowerEdge 1850, dual processors, 4
Gb ram and 140 GB Hdd, with Windows Server 2003 R2 SP1 and IIS 6.0.

What is the relevance of this information if you are not using this
IIS, but just using an ftp client program?

The local Windows firewall is not enabled and the box is sitting
behind a corporate firewall. Port 21 is enabled OUT for everyone on
the firewall, with no restriction.

If you are using the ftp line-mode client built into Windows, then it
will be functioning in Active (PORT) mode. Only the command stream
uses port 21 on the remote server. The data transfers will be made on
a connection *from* the remote server *to* your ftp client: that is, an
incoming connection through your firewall, even though you are PUTting
data from the client to the remote server, the TCP connection on which
this happens was made the other way around. Your firewall might not be
happy with this, or might be timing these connections out.

I suggest that it is all a firewall problem.

You might care to do some experiments with alternative third-party ftp
clients that can use passive mode FTP, to see whether they work better.
That assumes that your firewall will let the passive mode connections
out.

--
Robin Walker [MVP Networking]
rdhw@xxxxxxxxx









.

Relevant Pages

  • Re: FTP Server setup... Im so close!
    ... > I have installed the Internet Information Services, etc, and have the FTP ... Your external client is trying to use Passive Mode. ... Since your server is behind NAT, ...
    (microsoft.public.windowsxp.network_web)
  • Re: Microsoft FTP Server problem on W2K?
    ... I have technical responsibility for this FTP implementation, ... Since PASV voids PORT, the client side ... connect to the server from" isn't implied by the text of the RFC. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Telnet/ftp problems SBS2000
    ... | through the server to get internet access everything works. ... | client uses an internet backup company to backup his really vital data, ... I understand that you cannot use ftp service to ... the connection can be established ...
    (microsoft.public.windows.server.sbs)
  • [NEWS] Directory Traversal Vulnerabilities in FTP Clients
    ... vulnerable to certain directory traversal attacks by modified FTP servers. ... file/directory permissions and the privilege level of the client. ... A malicious server could potentially overwrite key files to cause a denial ... your vendor, or the associated CERT vulnerability note, if your product is ...
    (Securiteam)
  • Re: Configure ISA to allow ISA Server to make external FTP Connect
    ... your Server name and select properties, Installation mode is listed at the ... client, as well as being all three at the same time. ... This means that the workstation has the proxy server details ... Enter the name 'FTP Access', press next twice, from the drop down box ...
    (microsoft.public.isa.configuration)