Re: Bug with W2K3, SP1, Windows Firewall and FTP



I didn't help much actually :(

--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%237NQ%23rzjGHA.4748@xxxxxxxxxxxxxxxxxxxxxxx
Bernard, thanks for all your help.


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
news:e3ZO3oHhGHA.5088@xxxxxxxxxxxxxxxxxxxxxxx
I got no more suggestion for you :(

What you can do is disable Windows Firewall and get a more decent
firewall and see if it works well.

--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uuXGfvChGHA.2188@xxxxxxxxxxxxxxxxxxxxxxx
I know. I don't understand why it would get disconnected in the middle
of the session (it's not like I couldn't connect at all).


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
news:ePoJjU9gGHA.4864@xxxxxxxxxxxxxxxxxxxxxxx
It should solve all not just half. No idea why in your case it stuck.

--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:e4rRTq8gGHA.4388@xxxxxxxxxxxxxxxxxxxxxxx
The thing is that I can't control what mode the clients use, so adding
inetinfo (if it works) would only solve half the problem.


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
news:uNWQb77fGHA.3468@xxxxxxxxxxxxxxxxxxxxxxx
Yes, only when you checked it...
So active mode works but not passive mode then...

Anyway, where were we before? I'm kinda lost now.
Passive mode should work once you added it in the exception list...
Have you tried restarting the entire machine and testing again?

--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uMqlyMUbGHA.4272@xxxxxxxxxxxxxxxxxxxxxxx
Yeah, ftp.exe works OK, but from what I read, "Enable folder view
for FTP sites" makes IE an active client.

"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in
message news:%23mA$oGzaGHA.5000@xxxxxxxxxxxxxxxxxxxxxxx
Sorry, been traveling...

I know. I just want to check if it works.
And it could be IE is not behaving in active mode, since your
ftp.exe works... correct?

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%23m2hKALaGHA.3524@xxxxxxxxxxxxxxxxxxxxxxx
But that's for using the passive mode. Since ftp.exe is active,
so it makes sense that opening up inetinfo.exe didn't help.

Yeah, I don't know about this Advanced section. The description
says that it allows users from the Internet to access the service,
and the FTP service is listed, it should be bi-directional.

As with using banner and welcome message and firewall, I guess
that means unsecured beats nonfunctional...


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in
message news:OcfJxtEaGHA.4160@xxxxxxxxxxxxxxxxxxxxxxx
Errrr. Add program, not add port, like what is stated in the
article you posted.

I'm confused as well :) between the Advanced tab and the Exceptions
tab. It's Microsoft :)
Anyway, I believe the exception program list allows any port
connection (in and out) as long as it is listed there, whereas in
the Advanced tab, you can only control the incoming ports, not
outgoing.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uVuBhw8ZGHA.2376@xxxxxxxxxxxxxxxxxxxxxxx
Wait. I probably was not clear before--I did not leave the
inetinfo.exe in the exceptions (since that did not work), but I
added port 21 (using Add Port) in the Exceptions tab and uncheck
the pre-defined FTP Server in the Advanced section. This is
what I don't understand--both (opening a port in the Exceptions
and checking the FTP Server in the Advanced section) are opening
the same port.


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in
message news:ebhZ2I1ZGHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
Ha! When you have added the exception as program NOT port, you
should remove the relevant setting in the 'Advanced' tab. Once
the program is in the list and the exception is allowed (of course tied
to the scope of your exception list, either any computer, same
subnet or customer), those allowed network range hosts will be
able to communicate with the executable, in your case
inetinfo.exe, without any port restriction... My only concern
now will be that inetinfo is now open to everyone. Of course
you can restrict the access from the 'scope' range setting,
however it is still an exposed connection to those hosts.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uWti$K0ZGHA.4292@xxxxxxxxxxxxxxxxxxxxxxx
Bernard,

I decided to try adding a port 21 in the firewall exception
list just to see, but that did not work. Then I unchecked the
FTP Server service in the Advanced section for the Local Area
Connection, and this seems to work. Does this make sense at
all?


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%23BceAFzZGHA.4160@xxxxxxxxxxxxxxxxxxxxxxx
Bernard,

I found this on the inetinfo thingy, but he unchecks the FTP
service from the firewall:

http://www.brianpautsch.com/ShowItem30.aspx


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:OqSO9gyZGHA.3752@xxxxxxxxxxxxxxxxxxxxxxx
Just tried it and still no luck.

"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote
in message news:unHf6cRZGHA.5004@xxxxxxxxxxxxxxxxxxxxxxx
W2k3 SP1 + XP SP2

Have you try exception list?

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%23SaDdwMZGHA.3328@xxxxxxxxxxxxxxxxxxxxxxx
Bernard,

Are you running SP1?

"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote
in message news:eYfrSlFZGHA.3684@xxxxxxxxxxxxxxxxxxxxxxx
I can't find the 'ultimate windows firewall troubleshooting
kb' :)
I saw it a few days ago. Now, part of the steps: if some
unknown issue is blocking the incoming request,
create an exception for the program. In your case it will be
inetinfo.exe.

Ensure your ICF is on, then that the exception is allowed.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:ODxdj%238YGHA.3740@xxxxxxxxxxxxxxxxxxxxxxx
I only enabled the FTP Server service in the advanced
settings. I also tried adding a port 20 one for data, but
it was no help.

"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx>
wrote in message
news:%23RSSuL7YGHA.1220@xxxxxxxxxxxxxxxxxxxxxxx
what is closed, not dropped :)
I have no clue already. How do you enable access for
FTP in the firewall setting?
Just the 'network connection setting' in the firewall
Advanced tab, or do you have exceptions defined for
inetinfo.exe?

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:u%23UI$e3YGHA.1200@xxxxxxxxxxxxxxxxxxxxxxx
Here is the log. At 22:56:06, the port 21 was closed,
and when I entered a "dir" command at the client FTP
prompt, I got "Connection closed by remote host."
message.

2006-04-18 22:54:14 DROP UDP 206.190.85.61 255.255.255.255 1215 712 72 - - - - - - - RECEIVE
2006-04-18 22:54:15 OPEN-INBOUND TCP 68.190.234.108 206.190.85.61 4357 21 - - - - - - - - -
2006-04-18 22:54:29 DROP UDP 206.190.85.61 255.255.255.255 1218 712 72 - - - - - - - RECEIVE
2006-04-18 22:54:35 OPEN TCP 206.190.85.61 68.190.234.108 20 4373 - - - - - - - - -
2006-04-18 22:54:39 OPEN TCP 206.190.85.61 68.190.234.108 20 4376 - - - - - - - - -
2006-04-18 22:54:44 DROP UDP 206.190.85.61 255.255.255.255 1219 712 72 - - - - - - - RECEIVE
2006-04-18 22:54:45 OPEN TCP 206.190.85.61 68.190.234.108 20 4382 - - - - - - - - -
2006-04-18 22:54:50 OPEN TCP 206.190.85.61 68.190.234.108 20 4384 - - - - - - - - -
2006-04-18 22:54:51 OPEN TCP 206.190.85.61 68.190.234.108 20 4386 - - - - - - - - -
2006-04-18 22:54:54 OPEN TCP 206.190.85.61 68.190.234.108 20 4388 - - - - - - - - -
2006-04-18 22:54:59 DROP UDP 206.190.85.61 255.255.255.255 1220 712 72 - - - - - - - RECEIVE
2006-04-18 22:55:14 DROP UDP 206.190.85.61 255.255.255.255 1221 712 72 - - - - - - - RECEIVE
2006-04-18 22:55:29 DROP UDP 206.190.85.61 255.255.255.255 1222 712 72 - - - - - - - RECEIVE
2006-04-18 22:55:44 DROP UDP 206.190.85.61 255.255.255.255 1223 712 72 - - - - - - - RECEIVE
2006-04-18 22:55:59 DROP UDP 206.190.85.61 255.255.255.255 1224 712 72 - - - - - - - RECEIVE
2006-04-18 22:56:06 CLOSE TCP 68.190.234.108 206.190.85.61 4357 21 - - - - - - - - -
2006-04-18 22:56:14 DROP UDP 206.190.85.61 255.255.255.255 1225 712 72 - - - - - - - RECEIVE
2006-04-18 22:56:29 DROP UDP 206.190.85.61 255.255.255.255 1226 712 72 - - - - - - - RECEIVE
2006-04-18 22:56:44 DROP UDP 206.190.85.61 255.255.255.255 1227 712 72 - - - - - - - RECEIVE
2006-04-18 22:56:47 CLOSE TCP 206.190.85.61 68.190.234.108 20 4373 - - - - - - - - -
2006-04-18 22:56:48 OPEN-INBOUND TCP 68.190.234.108 206.190.85.61 4357 21 - - - - - - - - -
2006-04-18 22:56:50 CLOSE TCP 206.190.85.61 68.190.234.108 20 4376 - - - - - - - - -
2006-04-18 22:56:57 CLOSE TCP 206.190.85.61 68.190.234.108 20 4382 - - - - - - - - -


"Bernard Cheah [MVP]" <qbernard@xxxxxxxxxxxxxxxxxxx>
wrote in message
news:eUhqFusYGHA.3328@xxxxxxxxxxxxxxxxxxxxxxx
Geezz. Didn't know they reproduce my article.
Now, can you post the firewall log?
I can't repro this. I have the firewall enabled and I can
connect fine, and only get an idle timeout after 900
seconds.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:%23pJo4jrYGHA.1888@xxxxxxxxxxxxxxxxxxxxxxx
I actually re-read those articles, and I realized
that since ftp.exe is using active, the
PassivePortRange wouldn't fix the problem...


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uns$pzpYGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Hey Bernard, I found your Microsoft Help and
Support article on configuring PassivePortRange in
IIS, and I also found this one on Windows 2003
Server w/SP1 Firewall that basically says to do the
same thing. Does it make sense?

http://www.newagedigital.com/cgi-bin/newagedigital/articles/ms-firewall-ftp.html


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in message
news:uPJlX5jYGHA.1228@xxxxxxxxxxxxxxxxxxxxxxx
From the Windows Firewall log, it looks like
the Firewall closes the port 21 connection for
some reason. The client then gets the connection
disconnected by remote host/service not available,
and since the server did not get a proper response
from the client, it is still waiting for the next
command (that's why the session is still going)
until the session times out. So the real question
is why is the Windows Firewall doing this?

Oh, I also tested it from the server itself.
Since the Firewall is not involved in this case,
everything went fine. Any thought on this Windows
Firewall behavior?


"Bernard Cheah [MVP]"
<qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
news:ey49yJhYGHA.4168@xxxxxxxxxxxxxxxxxxxxxxx
Well, even with the refresh button, it's only as
'real' as you thought.
It will only 'clear' from the list when the TCP
connection no longer appears when you do
'netstat -an' at the command prompt.
That's what I have tested in the past.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in
message
news:%232uxMmAYGHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
There is a refresh button. I could see the
connection time updated after I clicked the
button. BTW, the client I used was the Microsoft
FTP.exe.


"Bernard Cheah [MVP]"
<qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
news:uM8cPHsXGHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
As for the FTP MMC connection status, I believe
it is not refreshed in real time, so it may take
some time to reflect even after the client has
disconnected.

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in
message
news:OvNjv8LXGHA.3492@xxxxxxxxxxxxxxxxxxxxxxx
You mean running FTP on the IIS/FTP server?
Hmmm...I'll try that and let you know the
outcome.


"Bernard Cheah [MVP]"
<qbernard@xxxxxxxxxxxxxxxxxxx> wrote in
message
news:ebu2U74WGHA.4212@xxxxxxxxxxxxxxxxxxxxxxx

Weird indeed. Same behavior if you try to
connect via ftp.exe on the machine itself??


--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/


"Jimmy Chu" <reply@xxxxxxxxxxxxx> wrote in
message
news:ORvcyC1WGHA.752@xxxxxxxxxxxxxxxxxxxxxxx
I'm encountering a bad behavior with Windows
Firewall on too. With the Windows Firewall
on, the FTP sessions (using the command line
FTP on the client) would be disconnected
(the message says something about connection
disconnect by server) in about less than 1
minute, but the IIS manager would still show
the session is active. If the Windows
Firewall is off, everything is well.


"EuroMaverick"
<EuroMaverick@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:60BB5F4B-BDD8-4C26-9108-5AFAF30C3D19@xxxxxxxxxxxxxxxx
Hello people,

I don't know if this is a documented bug or
if the information is
widespread, but since we spent about two days
tracking this down, I think it
makes sense to share this information with
whoever is interested in it.

This is the setup where this will occur:
- Windows 2003 server with SP1
- Windows firewall turned on
- IIS on the same machine
- FTP within that IIS

Now, add a welcome message to the ftp. As
soon as this welcome message
contains a <return>, your browser will hang
when you navigate to the
ftp-site. It does not actually hang, but
returns an error much later and your
ftp-site is not accessible.

Remove all returns from the welcome
message, and the ftp-server works just
fine...

Regards,

Benoit Somers.
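
One way to read a Windows Firewall log like the one quoted earlier in this thread, as an added example that is not part of any post: it reports how long each FTP control connection (port 21) lived and which active-mode data connections (server port 20) were still open when the firewall logged the CLOSE. The function names and the sample lines are constructed for illustration, and the addresses are documentation ranges.

```python
from datetime import datetime

# Constructed sample in the log layout quoted in the thread:
# date time action protocol src-ip dst-ip src-port dst-port ...
SAMPLE_LOG = """\
2006-04-18 22:54:15 OPEN-INBOUND TCP 198.51.100.7 192.0.2.10 4357 21 - - - - - - - - -
2006-04-18 22:54:35 OPEN TCP 192.0.2.10 198.51.100.7 20 4373 - - - - - - - - -
2006-04-18 22:54:44 DROP UDP 192.0.2.10 255.255.255.255 1219 712 72 - - - - - - - RECEIVE
2006-04-18 22:56:06 CLOSE TCP 198.51.100.7 192.0.2.10 4357 21 - - - - - - - - -
2006-04-18 22:56:47 CLOSE TCP 192.0.2.10 198.51.100.7 20 4373 - - - - - - - - -
"""

def parse(line):
    """Split one log entry into its leading fields; skip headers and short lines."""
    f = line.split()
    if len(f) < 8 or f[0].startswith("#"):
        return None
    ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "action": f[2], "proto": f[3],
            "src": f[4], "dst": f[5], "sport": f[6], "dport": f[7]}

def control_closes(log_text, control_port="21", data_port="20"):
    """For every control-connection CLOSE, return its lifetime in seconds and
    the data connections to that client that were still open at that moment."""
    control, data, findings = {}, set(), []
    for line in log_text.splitlines():
        e = parse(line)
        if e is None or e["proto"] != "TCP":
            continue
        key = (e["src"], e["sport"], e["dst"], e["dport"])
        if e["dport"] == control_port:
            if e["action"].startswith("OPEN"):
                control[key] = e["ts"]
            elif e["action"] == "CLOSE" and key in control:
                lifetime = (e["ts"] - control.pop(key)).total_seconds()
                still_open = sorted(d for d in data if d[2] == e["src"])
                findings.append({"client": e["src"], "lifetime_s": lifetime,
                                 "open_data": still_open})
        elif e["sport"] == data_port:
            if e["action"].startswith("OPEN"):
                data.add(key)
            elif e["action"] == "CLOSE":
                data.discard(key)
    return findings

if __name__ == "__main__":
    for finding in control_closes(SAMPLE_LOG):
        print(finding)
```

A control connection that closes after a short, repeatable lifetime while data connections are still listed is the pattern to compare against the FTP service's own idle timeout.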
































































