Solved

Need Help with setting up FTP server (hope someone here can help)

March 18, 2010 1:05:48 AM

Ok I set up FTP on a windows 2K3 server. The server is behind a NAT router. I opened ports 20 and 21 on the router and also forwarded them on the windows firewall. For some reason when I connect I get "Failed to Retrieve Directory Listing" I actually DO connect to the server but I keep getting that error. I can actually see the folders in the directory but they won't open. If I disable the windows firewall all works perfectly. Any ideas what is wrong here?
March 18, 2010 1:29:05 AM

Try configuring the FTP client for passive mode.
March 18, 2010 1:32:04 AM

FTP client is set to passive. Server is set to accept anonymous connections.
March 18, 2010 1:35:32 AM

Does the user have privileges to access that directory?
March 18, 2010 1:39:22 AM

The permissions for users are: Read&Execute, Read and List folder contents. Is this what you mean?
March 18, 2010 1:42:46 AM

bostonmike said:
The permissions for users are: Read&Execute, Read and List folder contents. Is this what you mean?


Depends on the FTP server. I can imagine some FTP servers could be bound to workgroup or domain users and user groups rather than users managed solely by the FTP server. If that was the case, maybe an anonymous user could connect but would otherwise be denied access. Just speculating.
March 18, 2010 1:46:38 AM

Hmmm, that's a good point. Does that translate to the firewall though? Disable it and I have anonymous access. Enable it and I don't.
March 18, 2010 1:48:53 AM

BTW the FTP server is the Domain Controller. Same machine.
March 18, 2010 1:49:59 AM

bostonmike said:
Hmmm, that's a good point. Does that translate to the firewall though? Disable it and I have anonymous access. Enable it and I don't.


Hmmm, well you may have a point, the part I was focusing on was the "Failed to Retrieve Directory Listing" which sounded like a permissions problem. But I have to admit, that wouldn't explain the firewall.
March 18, 2010 1:57:44 AM

http://slacksite.com/other/ftp.html

Read the above article, specifically regarding FTP passive mode. Notice that passive mode lets the server send back a randomly selected port for the client to then reconnect with. That's probably the problem. That secondary port is NOT open. You probably need to limit the range of ports the FTP server sends back and then open that range of ports on the firewall.

March 18, 2010 2:04:25 AM

eibgrad said:
http://slacksite.com/other/ftp.html

Read the above article, specifically regarding FTP passive mode. Notice that passive mode lets the server send back a randomly selected port for the client to then reconnect with. That's probably the problem. That secondary port is NOT open. You probably need to limit the range of ports the FTP server sends back and then open that range of ports on the firewall.





I haven't read the article yet but when you say that I need to limit the range of ports that the FTP server sends back, how do I set that? I thought the secondary port was supposed to be port 20.
March 18, 2010 2:06:07 AM

and when you say open that range of ports on the firewall, do you mean the windows firewall or the router?
March 18, 2010 2:16:27 AM

Quote:
In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.


IOW, the server is sending back a random port # (port P) so the client can connect back on that port. And it does that over port 21 back to the client. So the client needs port 21 open on its firewall. And the server needs whatever random port it sends back to the client open on its firewall. Whether it's the router or the client firewall just depends on whether either is behind a firewall (or perhaps has both).
March 18, 2010 2:52:05 AM

HMMMM, I opened port 21 on the client, I also opened a range of ports on the router and I still get nothing. Nothing being, when I connect, I get "Directory listing Successful" but when I select a folder I still get "Failed to retrieve Directory Listing".
March 18, 2010 2:55:03 AM

How are you testing this, are both the client and server behind firewalls? The same one? Different? I know for testing purposes ppl like to setup a scenario where they use the public IP in hopes of simulating actual usage. But that can lead to some tricky firewall issues, esp. when it comes to FTP.
March 18, 2010 2:58:45 AM

The server is behind a NAT Router and win server 2K3 firewall. I have a VPN connection to my computer at work and I am using that computer to test the client side.
March 18, 2010 3:00:44 AM

Here’s why it’s tricky.

In active mode, the client contacts the server on port 21 (commands). The client then tells the server which port to connect back to the client. And the server uses its own port 20 (data) for that purpose. IOW, port 20 doesn't even need to be opened on the server's firewall, only port 21.

But this can present a problem for the client if it’s behind a firewall, particularly one it doesn't control. That data port may not be open.

In passive mode, the client contacts the server on port 21 (commands), but this time the server tells the client which port (data) the client should use to contact the server again. Because the client initiates both connections, this eliminates any firewall issues for the client. But now the server faces a potential problem w/ its own firewall. The server’s firewall may be blocking that port (data).

And now you add a testing environment w/ the same firewall, a public IP, and well…, as I said, it gets tricky.

March 18, 2010 3:04:12 AM

BTW I appreciate all the help you are giving me on this! Can I email you my FTP site and see if you can connect?
March 18, 2010 3:09:02 AM

bostonmike said:
The server is behind a NAT Router and win server 2K3 firewall. I have a VPN connection to my computer at work and I am using that computer to test the client side.


If you use active mode, your VPN server has to open the data port specified by the FTP server. Obviously that's not happening.

If you use passive mode, then YOUR firewall has to open the data port specified by the client. That's where it's failing (imo). That is NOT port 20. It's some random port > 1023.

For the heck of it, open and forward port 1024 on your firewall and try passive mode again.
March 18, 2010 3:11:12 AM

Also, would it be easier if I disabled windows firewall and used a third party firewall to make this work?
March 18, 2010 3:16:10 AM

bostonmike said:
Also, would it be easier if I disabled windows firewall and used a third party firewall to make this work?


Well right now I'm assuming the only firewalls are those belonging to the routers (the VPN's and yours). Local firewalls only complicate matters further, but if you insist on them, then they will need to be configured to open the same ports. Whether it's Windows or a third party firewall doesn't matter, the issue is the same.

So for right now, assuming you're behind a router and its firewall, just drop the firewall on the client and server and get the problem w/ the router's firewall resolved first. Deal w/ the local firewalls later.
March 18, 2010 3:20:09 AM

I should clarify. Router firewall = OK. It's the win2k3 firewall that is the problem.
March 18, 2010 3:24:11 AM

bostonmike said:
I should clarify. Router firewall = OK. It's the win2k3 firewall that is the problem.


Well drop the win2k3 firewall, does passive mode work?
March 18, 2010 3:30:01 AM

Am I OK without the win 2k3 firewall?
March 18, 2010 3:32:09 AM

bostonmike said:
Yes


Now put the firewall back up but open ports 21, 1024, 1025, and 1026, try passive mode again.
March 18, 2010 3:47:11 AM

No. Did not work. I can't help but feel that I'm doing something wrong. I will sleep on it and check back in the morning. :-(
March 18, 2010 4:00:32 AM

Frankly I just wouldn't use FTP, ever... for any purpose. I'd try to get ssh / scp running... which you should be able to do running cygwin. If you're trying to host files just host them on the http side of the house.

Best solution

March 18, 2010 4:04:32 AM

When clients use active mode, your server only needs to open and forward port 21. But this may present issues for clients behind a firewall since the server will attempt to establish a connection back to the client for the data channel.

When clients use passive mode, that solves the firewall problem for the clients because the server allows the client to initiate the connection back to the server for the data channel (typically ports >1023). The server obviously needs to communicate that port # back to the client. The client then attempts to make that connection. But that assumes ports >1023 are open and forwarded, just like port 21. That seems to be the problem. I suspect your server’s firewall is just blocking those ports.

I did find these (perhaps a bug):

http://www.keylimetie.com/Blog/2005/12/11/Windows2003Fi...
http://blog.tjitjing.com/index.php/2006/04/problem-solv...
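
Added example, not part of the original thread: a Python sketch that parses the server's 227 reply to PASV (the reply carrying the data port discussed above) and checks the advertised port against the port ranges opened on the server's firewall. The sample replies and the `OPENED` rule list are constructed; the RFC 1918 check goes slightly beyond the thread by also flagging a server that advertises its internal address from behind NAT.

```python
import ipaddress
import re

# Six comma-separated numbers in a "227 Entering Passive Mode" reply (RFC 959).
PASV_RE = re.compile(r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv_reply(line):
    """Return (ip, port) the server advertises for the data connection."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % line)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value out of range in %r" % line)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # high byte, then low byte
    return ip, port


def check_data_channel(line, allowed_ranges):
    """Return (port, findings); an empty findings list means the data port is reachable."""
    ip, port = parse_pasv_reply(line)
    findings = []
    if not any(lo <= port <= hi for lo, hi in allowed_ranges):
        findings.append("port %d is outside the opened ranges" % port)
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        findings.append("server advertised internal address %s" % ip)
    return port, findings


# Constructed sample replies, not captured from the server in this thread.
SAMPLES = [
    "227 Entering Passive Mode (192,168,1,10,195,203)",
    "227 Entering Passive Mode (203,0,113,5,4,1)",
]
# Hypothetical rule set: control port plus the three ports tried in the thread.
OPENED = [(21, 21), (1024, 1026)]

if __name__ == "__main__":
    for reply in SAMPLES:
        print(reply, "->", check_data_channel(reply, OPENED))
```

The first sample shows the failure mode from the thread: the server picks a port far above the few that were opened, so the listing request times out even though the control connection on port 21 succeeded.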
March 18, 2010 4:41:05 PM

eibgrad, I did read the keylimetie article and I don't even have inetinfo.exe file. On the blog, I have that setting already. That is what I was looking for earlier yesterday, and when I found it, I thought everything was OK. I could see all the folders in my directory at that point but I could not open them. Now I just discovered something else that's weird. I have 3 folders in the directory. I have been trying to open the first one with no luck unless I disable windows firewall. However I just tried to open the third folder and it opens! And I can see and access all the sub-folders. I have tried from 2 different FTP clients and they can both open the third folder in the directory but not the first two! Maybe this narrows things down a little bit but I still can't figure out why I'm getting "Failed to Retrieve Directory Listing" when I try to open the other two!!!
March 24, 2010 2:17:05 PM

Thanks for your help on this eibgrad. I ended up disabling windows firewall and went with another firewall. Works like a charm now.
March 24, 2010 2:17:27 PM

Best answer selected by BostonMike.