Re: PASV FTP behind NAT firewall



Displaying the NAT IP instead of the internal server IP is the way to go;
one of the previous threads talked about the security issue of exposing the
internal IP. As for the issue, I'm not sure what MS is going to do about it.

On the FTP feature, it has not been Microsoft's focus since it was introduced.
It is plain, basic and simple, nothing fancy, and MS would like to keep it that
way, I believe. It is more about competition with third-party vendors than a
technical issue. FYI, in IIS 7, what I heard is that FTP will be a separate
component, and FTPS will be included.

--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/


"Robin Walker [MVP]" <rdhw@xxxxxxxxx> wrote in message
news:%23V62ZGjiGHA.836@xxxxxxxxxxxxxxxxxxxxxxx
Bernard Cheah [MVP] <qbernard@xxxxxxxxxxxxxxxxxxx> wrote:

This is a common question and what you see is by design.
You should see the NAT device IP rather than the server IP, and this
is a NAT device issue, nothing you can configure at IIS FTP.
Lots of discussions in the past -

The "lots of discussion in the past" does not lessen the fact that this is
a major design failing in IIS. Few NAT boxes are capable of rewriting FTP
passive-mode command streams on the fly, and the standard fix is to get
the server to write the WAN IP address of the NAT box into the command
stream: almost every competing FTP server provides this functionality.

Even worse, if the FTP service is made secure by means of an SSL wrapper,
then it is *impossible* for NAT boxes to re-write the command stream: the
editing *must* be done by the server before encryption.

--
Robin Walker [MVP Networking]
rdhw@xxxxxxxxx


