How to allow FTP on Google Compute Engine Windows VM?


Ted Matson

Mar 9, 2016, 4:56:10 PM
to gce-discussion

All of the Google Cloud Platform instructions seem to be about setting up FTP in other OSes like Debian, etc.

On the Windows 2012 Server, I have set up FTP in IIS properly, but the firewall will not let me connect from the outside with FileZilla. The connection just times out.


These Google Cloud Network firewall rules are already in place.

Name                Source tag / IP range  Allowed protocols / ports  Target tags
allow-ftp           0.0.0.0/0              tcp:21                     ftp-server
allow-passive-ftp   0.0.0.0/0              tcp:5000-6000              Apply to all targets
allow-passive2-ftp  0.0.0.0/0              udp:5000-6000              Apply to all targets


I also made an inbound rule for FTP on port 21 in Windows Firewall.


Still cannot connect. What am I missing?


Thanks

Kamran (Google Cloud Support)

Mar 9, 2016, 8:51:34 PM
to gce-dis...@googlegroups.com

Does running the ftp localhost command from inside the Windows 2012 server let you connect to the ftp server?

This is an official document from Microsoft that describes building an FTP site on IIS step by step. After configuring the FTP site, run the following command to make sure that the ftp server is listening on the desired port (the bold line):

C:\>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING

Run the following command to verify that you can connect to ftp server:

C:\>ftp localhost
Connected to win2012.
220 Microsoft FTP Service
User (win2012:(none)):


If running both commands confirms that the ftp service is up and running, then you will need to investigate the firewall rules to make sure they are properly configured and ftp traffic from external IP addresses is allowed. At the end, you may want to make the ftp firewall rules more specific to allow only trusted hosts to be able to connect to your ftp server.

I hope this helps you to successfully troubleshoot the issue.

Sincerely,

Ted Matson

Mar 10, 2016, 3:48:48 PM
to gce-discussion

Thank you Kamran,

Running the commands you suggested indeed confirms that the FTP is up and running.  I am familiar with setting up FTP in Windows servers, so I'm confident that isn't the issue.  Also, I AM able to connect from another server within the same project. So, it's clear that I do have a firewall issue.

Shouldn't the settings mentioned in this post let this traffic through?  Is there some checklist of necessary firewall settings available? 

Also, where should I be making these settings?  I am making them in Windows Firewall with Advanced Security AND in COMPUTE > Networking.  Is there somewhere else?

Kamran (Google Cloud Support)

Mar 10, 2016, 4:03:56 PM
to gce-discussion

Hello Ted,

The firewall rules look good. However, the Windows VM instance needs to be tagged with the ftp-server tag so the first rule applies to it.

Sincerely,

Ted Matson

Mar 10, 2016, 4:24:50 PM
to gce-discussion
Aha! I wasn't familiar with the tagging...  

Yes, that makes the connection possible.  But, I am still having problems retrieving the directory listing.  Here is the FileZilla log:

Status: Resolving address of mydomainname.com
Status: Connecting to ###.###.###.###:21...
Status: Connection established, waiting for welcome message...
Status: Logged in
Status: Retrieving directory listing...
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

Thank you!

Ted

Ted Matson

Mar 10, 2016, 4:54:12 PM
to gce-discussion
Kamran, thank you for your help!  

I solved the problem of retrieving the directory listing.  Posting the link to the 2 part solution that fixed things for me.


Ted

Kamran (Google Cloud Support)

Mar 10, 2016, 4:57:21 PM
to gce-discussion

Great. I just want to send you this link as well. I'm glad that you resolved the issue.

Sincerely,

Barry Gallagher

Jun 21, 2016, 5:55:22 PM
to gce-discussion
Hi Kamran,
I have the same issue. I can connect to the ftp server on localhost but have no idea how to access it externally.
Would you be kind enough to explain what you mean by the instruction:

"the Windows VM instance needs to be tagged by ftp-server tag so the first rule applies to it."

Thank you
Barry

Kamran (Google Cloud Support)

Jun 22, 2016, 6:29:07 PM
to gce-dis...@googlegroups.com

Hi Barry,

If a target tag is specified for a GCE firewall rule, the target VM instance has to also be tagged with the same value. If you leave the target tags field empty, then the firewall rule will be applied to all VM instances in that network.

I suggest investigating the internal firewall of your Windows VM as well to make sure that the traffic for the desired ports and protocols is allowed.

Hope this helps.

Sincerely,
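
A simplified model of the checks discussed in this thread, added here as an example and not part of any poster's message: it applies the target-tag rule described above to the three rules from the first post, then parses an FTP 227 passive reply to see whether the advertised address is private (the "unroutable address" FileZilla reports) and whether the data port is admitted. The 227 replies, the 10.240.0.2 address and all function names are constructed for illustration; the thread does not state which data port the server actually offered.

```python
import ipaddress
import re

# Ingress rules from the first post: (name, protocol, low port, high port, target tag).
# target tag None means "Apply to all targets". Simplified model: every rule's source
# is 0.0.0.0/0, so source ranges are not modelled.
RULES = [
    ("allow-ftp", "tcp", 21, 21, "ftp-server"),
    ("allow-passive-ftp", "tcp", 5000, 6000, None),
    ("allow-passive2-ftp", "udp", 5000, 6000, None),
]

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def matching_rule(instance_tags, proto, port, rules=RULES):
    """Name of the first rule admitting proto/port to an instance with these tags, else None."""
    for name, r_proto, low, high, target in rules:
        if r_proto == proto and low <= port <= high:
            if target is None or target in instance_tags:
                return name
    return None  # no allow rule matched, so ingress is dropped

def parse_pasv(reply):
    """Parse an FTP '227' passive reply (h1,h2,h3,h4,p1,p2) into (ip, port)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in: %r" % reply)
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def diagnose(instance_tags, pasv_reply):
    """Check the control port and the advertised data port against the rules."""
    ip, port = parse_pasv(pasv_reply)
    return {
        "control_rule": matching_rule(instance_tags, "tcp", 21),
        "pasv_address_private": ip.is_private,
        "data_port": port,
        "data_rule": matching_rule(instance_tags, "tcp", port),
    }

# Constructed replies; 10.240.0.2 is a made-up internal address.
IN_RANGE = "227 Entering Passive Mode (10,240,0,2,19,136)"      # 19*256+136 = 5000
OUT_OF_RANGE = "227 Entering Passive Mode (10,240,0,2,195,80)"  # 195*256+80 = 50000

if __name__ == "__main__":
    for tags, reply in [(set(), IN_RANGE), ({"ftp-server"}, IN_RANGE), ({"ftp-server"}, OUT_OF_RANGE)]:
        print(sorted(tags), diagnose(tags, reply))
```

A `control_rule` of None corresponds to the untagged instance whose port 21 connection timed out; a `data_rule` of None means the control channel works but a data connection such as LIST would be dropped by these rules.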