Re: SBS 2003 can't ftp from outside lan




SBStech08 wrote:
No, the router device firewall is off...I even turned off the sbs
firewall and it still did not work.....I did find a post elsewhere
that mentioned turning off the service "application layer gateway
service", which when tried did allow outside access...not sure why or
if upgrading to r2 would also help fix it.


To the best of my knowledge, there is no application level gateway (basically a proxy server) in the SBS basic firewall; that's the sort of thing you get with ISA.

Does the SBS have one NIC or two, and if two, does FTP access work from the SBS external network (plug a laptop into a spare router LAN port if you have one, use a small switch otherwise)?

If that's OK, or if there's only one NIC, then it's the router that's the issue. Henrik asked if you had opened it for FTP, and you replied as above, but that's not the answer to the question. The router will be operating NAT, even if you 'disable the firewall', and FTP isn't a straightforward protocol. It uses two channels, one for control and the other for data, whether it is the active or passive protocol version.

This means that the initial connection must set up a NAT table entry not only for that connection, normally on port 21, but must set up the same translation for port 20, the data port, from which it has not yet seen any connection. To do this, the router must be 'aware' of FTP requirements, and this usually means you have to explicitly forward 'FTP' in the router configuration, not just the ports separately. This is what Henrik was asking. It also means that not all routers can work with non-standard FTP ports; that depends on whether the router can be configured for those ports while understanding that they are paired for FTP usage.

--
Joe
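
Added example, not part of Joe's post or of any SBS or router tooling: a small Python check for the two-channel behaviour described above. It reads a control-channel line (a PORT command or a 227 passive-mode reply), extracts the data-channel address and port it advertises, and reports whether a client outside the NAT router was handed a private LAN address, which is what an FTP-unaware translation looks like from the outside. The addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly: IPv4Address.is_private also flags
# documentation ranges such as 203.0.113.0/24, which the sample below uses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# h1,h2,h3,h4,p1,p2 tuple carried by both the PORT command and the 227 reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_data_endpoint(control_line):
    """Return (ip, port) advertised for the data channel, or None."""
    line = control_line.strip()
    if not (line.upper().startswith("PORT ") or line.startswith("227")):
        return None
    m = _HOSTPORT.search(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def check_from_outside(control_line, server_public_ip):
    """Classify a control line as seen by a client on the internet side of the NAT."""
    endpoint = parse_data_endpoint(control_line)
    if endpoint is None:
        return "no data endpoint in this line"
    ip, port = endpoint
    if any(ip in net for net in RFC1918):
        return f"NAT not FTP-aware: private address {ip} leaked, data port {port} unreachable"
    if ip != ipaddress.IPv4Address(server_public_ip):
        return f"unexpected address {ip} advertised for data port {port}"
    return f"rewritten correctly: data channel goes to {ip}:{port}"


# Constructed control-channel lines (not captured from the poster's server)
SAMPLES = [
    "227 Entering Passive Mode (192,168,16,2,19,137)",
    "227 Entering Passive Mode (203,0,113,10,19,137)",
    "230 User logged in.",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}: {check_from_outside(line, '203.0.113.10')}")
```
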