I'm going to be dealing with this very issue myself. Please keep me informed about any solutions you find. A couple of questions I have are: 1) If you are using active connections, does the PIX need to open ports other than 20 and 21, i.e. for the SSL connection? Ipswitch documentation says no, but I'm not comfortable with their advice either; and 2) if you are using the default ports 20 and 21 (and SSL), can you make the connection (active) if both ends use NAT?

Jim Herndon
[EMAIL PROTECTED]

From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [WS_FTP Forum] Configuring FTP Server
Date: Wed, 30 Oct 2002 09:01:00 +0800
I definitely agree with Richard. This has been an ongoing issue I've been trying
to resolve with Ipswitch too. And well, eventually I couldn't be bothered with
it because, like what Richard mentioned, their support staff had little
knowledge of firewalls and the SSL they're implementing. It's frustrating,
especially when the replies are of no use and, worse, they point you to the
knowledge base (which gives such a high-level view of the problem that everybody
thinks they're technical experts).
Anyway, how my side solves this problem is, well, to ask users to use dial-up,
which will not have to go through a firewall (because normally all LANs will have
firewalls). On the server side, there's still a firewall (there's NAT) configured
to protect the FTP server. In our case, users come in via active FTP, not
passive.
"Richard L Hedrick" <[EMAIL PROTECTED]> on 30/10/2002 01:36:38 AM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: Jason Lee/NETS)
Subject: RE: [WS_FTP Forum] Configuring FTP Server

This does indeed work. We set up a second "public" address for FTP and
built a static to the server on the DMZ. Combined with an access list
that allows ports 20, 21 and TCP ports >1023 it seems to work "fine". OK,
well, not exactly.... it seems that you can stand on your head to
put your FTP server on the "outside" with it pretty much wide open
(that's a warm fuzzy feeling, isn't it!!!) but anyone who sits behind a
firewall that needs to access your secure SSL-required FTP server is in
for a real headache.... if they dial into the www and use WS_FTP Pro it
seems to work fine, but if behind a firewall there is a BIG gotcha. It
seems that most firewalls are capable of handling standard FTP 20, 21 and
some are even smart enough to look at the PORT command so that in SSL
mode the firewall knows what port the client wants to open (for SSL,
which uses a RANDOM port >1023) and creates an appropriate hole in the
firewall..... the problem with WS_FTP is that the firewall can't see that
PORT command because the data is encrypted, so guess what... the client
sees an "invalid port" because their firewall won't let the data back
through...

The client side needs to get their administrator to create an access
list for the two addresses that allows 20, 21 and ports >1023 also.
While this seems to work, I have run into very few firewall
administrators who are willing to blow a hole the size of a Mack Truck
through the firewall, assuming that they have a very configurable
firewall such as PIX. If they are using a variety of other firewall
products they do not even have the ability to make these kinds of holes
in the firewall and will not be able to connect to your FTP server. I
have been working with Ipswitch on this issue and it is very frustrating
because their support staff has little knowledge of firewalls and you
get a bunch of references to NAT (which I agree is a problem because NAT
uses PAT (Port Address Translation) which conflicts with the SSL port),
but overall I find their support to be much less than knowledgeable on
the issues and it's a headache.

Long story short, firewalls are a definite problem for FTP/SSL, especially
when trying to access it from behind a firewall. Good luck, and feel
free to converse with me directly via email, as I still have a lot of
investigation and learning to do because the technology is important to
us.

[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:WSFTP_Forum-owner@;list.ipswitch.com] On Behalf Of Claudio M
Robles
Sent: Tuesday, October 29, 2002 8:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [WS_FTP Forum] Configuring FTP Server


Dave,

One workaround would be to put the server in the DMZ,
so the router will forward all incoming connections to it. This
should work in passive mode with WS_FTP Pro version 7.6.


Claudio M. Robles
FTP Development Team

----- Original Message -----

From: Dave Caudle <mailto:dcaudle@;jbarry.com>
To: Ipswitch FTP User Forum <mailto:wsftp_forum@;list.ipswitch.com>
Sent: Tuesday, October 29, 2002 11:16 AM
Subject: [WS_FTP Forum] Configuring FTP Server


I've been trying to configure WS_FTP Server. The server PC is behind a
Cisco PIX firewall and SSL is required because of the nature of the data
being transmitted. Ipswitch support tells me that FTP Server and FTP
Pro client will not work together when both are behind NAT firewalls and
are both performing SSL encryption because of the way that the port
information gets encrypted. This was confirmed by a Knowledge Base
article I read on Ipswitch's website. Since the client PCs that will
connect to my FTP server will most likely all be behind firewalls, I need
a workaround for this.
Can anyone advise me on the best way to configure the server PC so that
it is not behind the NAT firewall but is still secure?
Dave Caudle
704 / 723-4252 (Phone)
704 / 723-4214 (Fax)
[EMAIL PROTECTED]


Jason Lee
Systems Executive
E-Commerce
DID : 65-6374-0503
TEL : 65-6272-0533
FAX : 65-6272-2334

Network For Electronic Transfers (S) Pte Ltd
298 Tiong Bahru Road
#04-01/06 Central Plaza
Singapore 168730
http://www.nets.com.sg


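Added example, not code from the thread, from Ipswitch or from Cisco: a model of what Richard describes above. An FTP-aware firewall (the PIX "fixup", or any application-layer gateway) reads the client's PORT command and the server's 227 PASV reply off a plaintext control channel, decodes the h1,h2,h3,h4,p1,p2 host-port form from RFC 959, and opens the data-channel pinhole. After AUTH TLS is accepted with a 234 reply (RFC 2228 / RFC 4217) the same commands are TLS records, the firewall learns nothing, and any data ports have to be opened in advance. The last function checks the two things a server behind NAT gets wrong in its PASV reply when nothing can rewrite it: advertising its private address, and picking a port outside the range the firewall has statically opened. The addresses (192.168.1.50, 203.0.113.10, 10.1.1.10), the passive range 50000-50100 and the two session transcripts are constructed for this example.

```python
"""Model of what a stateful FTP inspector can and cannot learn from the
control channel once FTP-over-SSL is in use.  Added example; the session
transcripts, addresses and port range below are constructed, not captured."""
import re

# RFC 959 host-port form "h1,h2,h3,h4,p1,p2"; the port is p1*256 + p2.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"$")
PASV_RE = re.compile(r"^227 .*\(" + _HOSTPORT + r"\)")


def _decode(match):
    vals = [int(x) for x in match.groups()]
    if any(v > 255 for v in vals):
        raise ValueError("host-port field out of range")
    a, b, c, d, p1, p2 = vals
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def parse_port_command(line):
    """Client 'PORT h1,h2,h3,h4,p1,p2' -> (host, port), or None if not a PORT."""
    m = PORT_RE.match(line)
    return _decode(m) if m else None


def parse_pasv_reply(line):
    """Server '227 ... (h1,h2,h3,h4,p1,p2)' -> (host, port), or None."""
    m = PASV_RE.match(line)
    return _decode(m) if m else None


def inspect_control_channel(transcript, client_ip, server_ip):
    """Walk a control channel the way an FTP-aware firewall does.

    transcript is a list of (who, text) with who in {"C", "S"}.  Returns
    (pinholes, opaque): pinholes are (src, dst, dst_port) data-channel holes
    the firewall would open (and, for NAT, the addresses it would rewrite);
    opaque turns True once the server accepts AUTH TLS with 234, after which
    the firewall sees only TLS records and can derive nothing further.
    """
    pinholes, opaque, auth_pending = [], False, False
    for who, text in transcript:
        if opaque:
            continue                         # ciphertext: PORT/PASV invisible
        if who == "C" and text.upper() == "AUTH TLS":
            auth_pending = True
        elif who == "S" and auth_pending:
            opaque = text.startswith("234")  # 234: TLS handshake starts now
            auth_pending = False
        elif who == "C" and (hp := parse_port_command(text)):
            pinholes.append((server_ip,) + hp)   # active: server:20 -> client:port
        elif who == "S" and (hp := parse_pasv_reply(text)):
            pinholes.append((client_ip,) + hp)   # passive: client -> server:port
    return pinholes, opaque


def check_pasv_reply(line, public_ip, passive_range):
    """Problems a NATed server shows in its 227 reply when the firewall
    cannot rewrite it: its private address, or a port outside the range
    that has been opened statically.  Returns a set of problem codes."""
    hp = parse_pasv_reply(line)
    if hp is None:
        return {"not-a-227"}
    host, port = hp
    problems = set()
    if host != public_ip:
        problems.add("wrong-address")
    lo, hi = passive_range
    if not lo <= port <= hi:
        problems.add("port-out-of-range")
    return problems


# Constructed addresses and sessions (assumptions for the example).
CLIENT, SERVER = "192.168.1.50", "203.0.113.10"

PLAIN = [
    ("C", "USER dave"), ("S", "331 Password required for dave"),
    ("C", "PASS secret"), ("S", "230 User logged in"),
    ("C", "PORT 192,168,1,50,4,1"),                      # 192.168.1.50:1025
    ("S", "200 PORT command successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,10,195,80)"),  # :50000
]

# Same session after AUTH TLS.  The later lines are listed in clear only
# because this is a model; on the wire they are TLS records.
SECURED = [("C", "AUTH TLS"), ("S", "234 AUTH TLS successful")] + PLAIN

if __name__ == "__main__":
    print("plain FTP :", inspect_control_channel(PLAIN, CLIENT, SERVER))
    print("FTP/SSL   :", inspect_control_channel(SECURED, CLIENT, SERVER))
    print("NAT check :", check_pasv_reply(
        "227 Entering Passive Mode (10,1,1,10,195,80)", SERVER, (50000, 50100)))
```

This is why ">1023" appears in Richard's access list: with the control channel encrypted, the firewall has to be told the data ports ahead of time. The narrower fix, which the thread itself does not describe, is to give the server a fixed passive port range, have it advertise the public (static NAT) address in its 227 replies, open exactly that range plus TCP/21 inbound, and have clients use passive mode so nothing needs to be opened on their side. RFC 4217 also defines CCC (Clear Command Channel), which drops TLS on the control connection after login so an FTP-aware firewall can read PORT and PASV again while the data connections stay protected; the trade-off is that commands and file names then travel in the clear, and not every client or firewall supports it.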