I definitely agree with Richard. This has been an ongoing issue I've been trying to resolve with Ipswitch too. And well, eventually I couldn't be bothered with it because, like what Richard had mentioned, their support staff had little knowledge on firewalls & the SSL they're implementing. It's frustrating especially when the replies are of no use and, worse, they point you to the knowledge base (which gives such a high-level view of the problem that everybody thinks they're technical experts). Anyway, how my side solves this problem is to, well, ask users to use dial-up, which will not have to go through a firewall. (Because normally all LANs will have firewalls.) On the server side, there's still a firewall (there's NAT) configured to protect the FTP server. In our case, users come in via active FTP, not passive.
"Richard L Hedrick" <[EMAIL PROTECTED]> on 30/10/2002 01:36:38 AM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: Jason Lee/NETS)
Subject: RE: [WS_FTP Forum] Configuring FTP Server
This does indeed work. We set up a second "public" address for FTP and built a static to the Server on the DMZ. Combined with an access list that allows ports 20, 21 and TCP ports >1023 it seems to work "fine". OK, well, then not exactly.... it seems that you can stand on your head to put your FTP server on the "outside" with it pretty much wide open (that's a warm fuzzy feeling isn't it!!!) but anyone who sits behind a firewall that needs to access your secure SSL-required FTP server is in for a real headache.... if they dial into the www and use WSFTP Pro it seems to work fine but if behind a firewall there is a BIG gotcha. It seems that most firewalls are capable of handling standard FTP 20, 21 and some are even smart enough to look at the PORT command so that in SSL mode the firewall knows what port the client wants to open (for SSL which uses a RANDOM port >1023) and creates an appropriate hole in the firewall..... the problem with WSFTP is that the firewall can't see that PORT command because the data is encrypted so guess what... the client sees an "invalid port" because their firewall won't let the data back through...

The client side needs to get their administrator to create an access list for the two addresses that allows 20, 21 and ports >1023 also. While this seems to work I have run into very few firewall administrators who are willing to blow a hole the size of a Mack Truck through the firewall, assuming that they have a very configurable firewall such as PIX. If they are using a variety of other firewall products they do not even have the ability to make these kinds of holes in the firewall and will not be able to connect to your FTP server. I have been working with Ipswitch on this issue and it is very frustrating because their support staff has little knowledge of firewalls and you get a bunch of references to NAT (which I agree is a problem because NAT uses PAT (Port Address Translation) which conflicts with the SSL port) but overall I find their support to be much less than knowledgeable on the issues and it's a headache.

Long story short, firewalls are a definite problem for FTP/SSL especially when trying to access it from behind a firewall. Good luck and feel free to converse with me directly via email as I still have a lot of investigation and learning to do because the technology is important to us.
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:WSFTP_Forum-owner@;list.ipswitch.com] On Behalf Of Claudio M Robles
Sent: Tuesday, October 29, 2002 8:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [WS_FTP Forum] Configuring FTP Server
Dave,
One workaround would be to put the server on the DMZ zone, so the router will forward all incoming connections to it. This should work in passive mode with WS_FTP Pro version 7.6.
Claudio M. Robles
FTP Development Team
----- Original Message -----
From: Dave Caudle <mailto:dcaudle@;jbarry.com>
To: Ipswitch FTP User Forum <mailto:wsftp_forum@;list.ipswitch.com>
Sent: Tuesday, October 29, 2002 11:16 AM
Subject: [WS_FTP Forum] Configuring FTP Server
I've been trying to configure WS_FTP Server. The server PC is behind a Cisco PIX firewall and SSL is required because of the nature of the data being transmitted. Ipswitch support tells me that FTP Server and FTP Pro client will not work together when both are behind NAT firewalls and are both performing SSL encryption because of the way that the port information gets encrypted. This was confirmed by a Knowledge Base article I read on Ipswitch's website. Since the client PCs that will connect to my FTP server will most likely all be behind firewalls, I need a workaround for this.

Can anyone advise me on the best way to configure the server PC so that it is not behind the NAT firewall but is still secure?
Dave Caudle
704 / 723-4252 (Phone)
704 / 723-4214 (Fax)
[EMAIL PROTECTED]
Jason Lee
Systems Executive, E-Commerce
DID: 65-6374-0503  TEL: 65-6272-0533  FAX: 65-6272-2334
Network For Electronic Transfers (S) Pte Ltd
298 Tiong Bahru Road #04-01/06 Central Plaza Singapore 168730
http://www.nets.com.sg
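Richard's point in the thread above is that a stateful firewall's FTP helper reads the PORT command (or the 227 passive-mode reply) on the cleartext control channel to open the data-channel pinhole, and that it goes blind once the control channel is SSL-encrypted. This added Python model of such a helper (not Ipswitch or WS_FTP code; the sample control lines and the ciphertext bytes are constructed) shows exactly where that happens, and includes the bounce and low-port checks a defender would expect the helper to make.

```python
"""Model of a stateful firewall's FTP helper, to show why it can pinhole
plain FTP data channels but not FTP over SSL/TLS.  Added example; not
Ipswitch/WS_FTP code.  All sample lines below are constructed."""
import re
from typing import Optional, Tuple

# Active mode:  client sends  PORT h1,h2,h3,h4,p1,p2                  (RFC 959)
# Passive mode: server sends  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_data_endpoint(line: str) -> Optional[Tuple[str, int]]:
    """Decode the (host, port) advertised for the data connection."""
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def pinhole_for(segment: bytes, peer_ip: str) -> Optional[Tuple[str, int]]:
    """What the firewall learns from one control-channel segment.

    Returns the data endpoint to open, or None when it cannot (or should
    not) open anything: non-ASCII payload (an SSL/TLS record is opaque to
    the firewall), no PORT/227 line, an advertised host that is not the
    peer which sent it (the classic FTP bounce check), or a privileged port.
    """
    try:
        text = segment.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return None                      # encrypted: PORT/227 not visible
    endpoint = parse_data_endpoint(text)
    if endpoint is None or endpoint[0] != peer_ip:
        return None
    if endpoint[1] <= 1023:              # data ports are ephemeral, >1023
        return None
    return endpoint

# Constructed traffic samples
PLAIN_PORT = b"PORT 192,0,2,10,7,233\r\n"                            # 7*256+233
PLAIN_PASV = b"227 Entering Passive Mode (198,51,100,5,195,80)\r\n"  # 195*256+80
TLS_RECORD = b"\x17\x03\x01\x00\x1a\x8e\xf3\x41\xc0\x9b\x12\x77\xd5\x2a"  # ciphertext

if __name__ == "__main__":
    print("active :", pinhole_for(PLAIN_PORT, "192.0.2.10"))    # ('192.0.2.10', 2025)
    print("passive:", pinhole_for(PLAIN_PASV, "198.51.100.5"))  # ('198.51.100.5', 50000)
    print("bounce :", pinhole_for(PLAIN_PORT, "203.0.113.9"))   # None
    print("ftps   :", pinhole_for(TLS_RECORD, "192.0.2.10"))    # None: PORT is encrypted
```

Because the helper returns None for the encrypted case, the data ports have to be permitted statically; where the server can pin its passive data ports to a small fixed range, opening just that range is the narrower alternative to the ">1023" access list discussed above.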
