I'm seeing the same behavior. Bottom line: WS_FTP Server does NOT work with SSL in our experience recently. Like you, I've tried every combination, and I have the ports set up in the firewall, etc. No go.

I've used a previous version several years ago, which worked fine, for the exact same function, to provide secure FTP to transfer files to and from a web server.

We're using FileZilla right now, which is working fine. Good thing...

I am NOT happy that I've spent money for WS_FTP Server and it doesn't work to provide what I bought it for, which is SECURE FTP between our workstations running the WS_FTP Client and our web server.

And I don't hear any answers forthcoming to provide such a solution. Not good, folks.

Terry J. LeBlanc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy D. Hilton
Sent: Monday, February 06, 2006 11:01 AM
To: [email protected]
Subject: RE: [WS_FTP Forum] Connection timeout error when making SSL connection

Correction to my previous email. If I enable SSL, whether active or passive mode, it will not connect. I have configured ports 1024-65535 on the firewall for both inbound and outbound. Any suggestions? What am I missing here? I did read an article from the KB regarding setting ports 1024 and up for traffic when using active or passive modes which I’ve followed. Still no dice.

I noticed a lot of folks “unsubscribing”. Hopefully, someone is still here that can provide some direction.

Troy D. Hilton

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy D. Hilton

OK, so here’s where I am. I have SSL enabled on the server. I configured ports 1024-1034 to point from the public side of the firewall to the private IP of the FTP server. I’ve also configured port 443 for the FTP IP address as well. Now, when I attempt a login with SSL enabled and Passive Mode disabled I get the following:

WINSOCK.DLL: WinSock 2.0
WS_FTP Pro, Version 7.5, 2002.02.28
Connecting to 208.255.176.210:21
Connected to 208.255.176.210:21, Waiting for Server Response
220-CG2Direct.210 X2 WS_FTP Server 4.0.1 (204830698)
220-CG2 Direct FTP Server
220 CG2Direct.210 X2 WS_FTP Server 4.0.1 (204830698)
Host type (1): WS_FTP Server
AUTH SSL
234 SSL enabled and waiting for negotiation
XAUT 2 C9;;;?7:C9;>;:6<D><98784?7;6<67;C<87876<C;<7;7<2C?81
230-user logged in
230-Howdy!!!
230 user logged in
Host type (I): WS_FTP Server
Host type (I): WS_FTP Server
PWD
257 "/" is current directory
PORT 10,0,0,253,8,222
200 command successful
MLSD
No socket
PASV
421 invalid command during xfer
No socket
XPSV
421 invalid command during xfer
No socket

If I enable Passive Mode and SSL I can log in without issue and can view all my directories. If I just select Passive Mode I can log in. I’m not forcing SSL right now though I’d like to. I feel I’m so close to nailing it down.

Troy D. Hilton

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy D. Hilton

Hey Claudio,

Well, my system does use a fixed IP but not everyone who accesses this server can say that. It sounds like I need to open some ports on the new firewall on the server side to allow for ports 1024 to 1034 for SSL. Btw, the firewall is a SonicWall TZ150.

Troy D. Hilton

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Claudio Robles

We can see in the log that both sides have a NAT firewall. The client is in 10.0.0 and the server is in 192.168.168.

So for that to work (meaning to be able to transfer files and directories in SSL), you would need to open and forward some ports on at least one of those firewalls. You need a fixed IP on the side you set up because you need to forward those ports to the right machine. I imagine that on your client you could have DHCP, so without a fixed IP there, it would be better to do the setup on the server side.

The setup includes picking a range of ports that would be used to listen on when establishing the data channel, setting up the server to listen on those ports, and setting up the firewall to forward those ports to the server. Since you are NATing on the server, you would also need to tell the server your external IP address.

Your external IP address is 208.255.176.210 and you could choose ports 1024-1034. Define those in the server firewall options.

After setting up the server, you would need to set up the firewall to forward the same ports to the server. I do not know the details of your firewall, so I am not sure how to do that.

Claudio Robles
WS_FTP Team
Ipswitch, Inc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy D. Hilton

Hey Claudio,

Here is my session log.

Connecting to 208.255.176.210:21
Connected to 208.255.176.210:21, Waiting for Server Response
220-CG2Direct.210 X2 WS_FTP Server 4.0.1 (191203526)
220-CG2 Direct FTP Server
220 CG2Direct.210 X2 WS_FTP Server 4.0.1 (191203526)
Host type (1): FTP PC/TCP
AUTH SSL
234 SSL enabled and waiting for negotiation
XAUT 2 B3>[EMAIL PROTECTED]>45:74A;A=72<8=;>@;@87B>A68:;7C?=<7474=5=@;6
230-user logged in
230-Howdy!!!
230 user logged in
Host type (I): FTP PC/TCP
Host type (I): FTP PC/TCP
PWD
257 "/" is current directory
PORT 10,0,0,253,12,47
200 command successful
LIST
425 Can't open data connection.
PASV
227 Entering Passive Mode (192,168,168,210,4,32).
connecting data channel to 192.168.168.210:1056
connection timed out; the connection timed out while waiting for a response from the server.

I tried it without the SSL and it connects but the directory listing is screwed up. Meaning, it shows a bunch of binary files titled “System”. Nothing more.

Any thoughts?

Troy D. Hilton

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Claudio Robles

Could you send the session logs from the client?

So, it does not work in SSL and it does work without it. In those cases, the firewall automatically opens and forwards the ports that it sees (interpreting the FTP protocol) that the client and server are negotiating for transferring files and directory listings. In SSL, the server can not see or interpret the FTP Protocol because the conversation is encrypted.

Claudio Robles
WS_FTP Team
Ipswitch, Inc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Troy D. Hilton

Hello All,

I realize my last email wasn’t quite clear in accurately describing my problem. Let’s see if I can explain it better.

This firewall is protecting 1 server, which is running FTP with SSL enabled. This server also has a couple test websites, but that's it. Changing the firewall was actually relatively easy once I understood the User Interface. I'm not as familiar with the SonicWall appliances. I first tried the configuration using a test laptop to mimic the server. For the test, FTP worked like a charm.

The differences between the laptop config and production server are these:

1. The production server and regional firewall were configured in transparent mode, instead of NAT. Why? The original owner wanted it that way.
2. The production server is running WS_FTP Server ver. 4.0 with a private SSL Cert. The laptop is running IIS 5 with FTP services and no SSL.

So, I decided to change the configuration from transparent mode to NAT mode since the original owner is gone and I have greater liberty. I configured the new firewall for One-to-One NAT and gave the server all new private IP addresses and a private gateway which matched the private IP of the firewall. The public side of the firewall has the original public IP from the previous firewall. I made sure that all of my route tables are correct. I then reconfigured WS_FTP Server to use the new private IP address. And rebooted the server. The result? I am able to communicate from the server to the internet and can access the test websites on the server from the internet, which means inbound and permitted outbound traffic is fine.

This is where I have my problem. When I attempt an FTP connection it makes the initial Helo and will authenticate my username and password. I'm then prompted regarding the SSL Certificate and am able to accept it. After a long pause (I have my WS_FTP Pro client set for a 2 minute wait) I get an error that the connection timed out, but I also get the "horn" that means the connection was successful. In fact I even have the active button to disconnect from the session. From what I figure, I'm actually logged in but not retrieving the directory listing.

As for the NIC, it has two ports but I'm not using both ports at the same time so there is no conflict of subnets and routes. I did switch ports on the card thinking that perhaps there was a potential failure of that port.

I hope this helps to clarify my situation. My feeling is that's something simple that's not set or that I'm overlooking. Darned if I know what it is though.

Serveon, Inc. 302-529-8640

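The diagnosis given in this thread (private addresses in PORT and 227 replies that no firewall can rewrite once the control channel is encrypted) can be checked mechanically from a client session log. The Python below is an added example, not part of the original messages or of any Ipswitch tooling; the function name `audit_session` is hypothetical and its default port range is the 1024-1034 range suggested in the thread.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT commands and 227 replies (RFC 959)
TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
CONTROL = re.compile(r"Connected to (\d+\.\d+\.\d+\.\d+):(\d+)")

def audit_session(log, pasv_range=(1024, 1034)):
    """Return findings for data-channel endpoints that cannot work across NAT."""
    findings, peer = [], None
    for line in log.splitlines():
        line = line.strip()
        m = CONTROL.search(line)
        if m:  # remember which address the control connection really went to
            peer = ipaddress.ip_address(m.group(1))
            continue
        is_port = line.upper().startswith("PORT ")
        is_pasv = line.startswith("227 ")
        t = TUPLE.search(line) if (is_port or is_pasv) else None
        if not t:
            continue
        octets = [int(x) for x in t.groups()]
        if any(o > 255 for o in octets):
            continue  # malformed tuple, ignore
        host = ipaddress.ip_address(".".join(map(str, octets[:4])))
        port = octets[4] * 256 + octets[5]
        kind = "PORT" if is_port else "PASV"
        # A private address announced to a public peer is unroutable from the
        # other side; with AUTH SSL the firewall cannot see or rewrite it.
        if host.is_private and peer is not None and not peer.is_private:
            findings.append((kind, str(host), port, "private address across NAT"))
        if is_pasv and not pasv_range[0] <= port <= pasv_range[1]:
            findings.append((kind, str(host), port, "port outside forwarded range"))
    return findings

# Constructed sample: lines taken from the session log quoted in this thread.
SAMPLE = """\
Connected to 208.255.176.210:21, Waiting for Server Response
AUTH SSL
234 SSL enabled and waiting for negotiation
PORT 10,0,0,253,12,47
200 command successful
LIST
425 Can't open data connection.
PASV
227 Entering Passive Mode (192,168,168,210,4,32).
"""

if __name__ == "__main__":
    for finding in audit_session(SAMPLE):
        print(finding)
```
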
Title: Connection timeout error when making SSL connection
