This does indeed work. We set up a second "public" address for FTP and built a static to the server on the DMZ. Combined with an access list that allows ports 20, 21 and TCP ports >1023, it seems to work "fine". OK, well, then not exactly.... It seems that you can stand on your head to put your FTP server on the "outside" with it pretty much wide open (that's a warm fuzzy feeling, isn't it!!!), but anyone who sits behind a firewall that needs to access your secure SSL-required FTP server is in for a real headache.... If they dial into the www and use WSFTP Pro, it seems to work fine, but if behind a firewall there is a BIG gotcha. It seems that most firewalls are capable of handling standard FTP 20, 21, and some are even smart enough to look at the PORT command so that in SSL mode the firewall knows what port the client wants to open (for SSL, which uses a RANDOM port >1023) and creates an appropriate hole in the firewall..... The problem with WSFTP is that the firewall can't see that PORT command because the data is encrypted, so guess what... the client sees an "invalid port" because their firewall won't let the data back through...

The client side needs to get their administrator to create an access list for the two addresses that allows 20, 21 and ports >1023 also. While this seems to work, I have run into very few firewall administrators who are willing to blow a hole the size of a Mack truck through the firewall, assuming that they have a very configurable firewall such as PIX. If they are using a variety of other firewall products, they do not even have the ability to make these kinds of holes in the firewall and will not be able to connect to your FTP server.

I have been working with Ipswitch on this issue and it is very frustrating because their support staff has little knowledge of firewalls and you get a bunch of references to NAT (which I agree is a problem because NAT uses PAT (Port Address Translation), which conflicts with the SSL port), but overall I find their support to be much less than knowledgeable on the issues and it's a headache.

Long story short, firewalls are a definite problem for FTP/SSL, especially when trying to access it from behind a firewall. Good luck, and feel free to converse with me directly via email, as I still have a lot of investigation and learning to do because the technology is important to us.
[EMAIL PROTECTED]
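
The failure described in the message above, as an added example that is not part of the original post: a toy model of a client-side firewall's FTP inspection, which can open a data-port pinhole only while it can read the PORT command on the control channel. The function names, addresses and session bytes are constructed for illustration and do not come from WS_FTP or any firewall product.

```python
import re

PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

def parse_port(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a valid PORT."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]

def inspect(session):
    """Toy client-side firewall inspection of one FTP control connection.

    session: list of (direction, bytes); 'C' = from client, 'S' = from server.
    Returns (pinholes, opaque): the data ports the firewall could open and the
    number of control-channel segments it could not read.
    """
    pinholes, opaque = [], 0
    auth_requested = tls = False
    for direction, data in session:
        if tls:                      # TLS records: no PORT command is visible
            opaque += 1
        elif direction == "C":
            target = parse_port(data)
            if target:
                pinholes.append(target)   # inbound data connection allowed here
            auth_requested = data.upper().startswith(b"AUTH ")
        else:                        # a 234 reply to AUTH starts the TLS handshake
            tls = auth_requested and data.startswith(b"234")
            auth_requested = False
    return pinholes, opaque

# Constructed sample sessions (illustrative bytes, not captured traffic).
PLAIN = [("S", b"220 ready\r\n"), ("C", b"USER demo\r\n"),
         ("S", b"331 password required\r\n"), ("C", b"PASS example\r\n"),
         ("S", b"230 logged in\r\n"), ("C", b"PORT 192,168,1,10,19,137\r\n"),
         ("S", b"200 PORT command successful\r\n")]
FTPS = [("S", b"220 ready\r\n"), ("C", b"AUTH TLS\r\n"), ("S", b"234 AUTH TLS OK\r\n"),
        ("C", b"\x17\x03\x01\x00\x18" + bytes(24)),   # placeholder for encrypted PORT
        ("S", b"\x17\x03\x01\x00\x18" + bytes(24))]   # placeholder for encrypted reply

if __name__ == "__main__":
    print("cleartext FTP:", inspect(PLAIN))   # PORT is readable
    print("FTP over TLS: ", inspect(FTPS))    # nothing to parse
```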
