
Local user can access FTP server but not remotely (425 error)


K Viltersten

Mar 9, 2009, 9:01:44 PM
We have this strange situation. When we access ftp://192.168.0.3:1400 while
sitting at the server, we can see the contents of the FTP (after entering
the user/password). However, accessing the same address from the LAN (still,
the same user/password), lets us connect to the FTP-server but results then
in error 425 ("Can't open data connection").

1. We have added an inbound rule on Windows Firewall for ports 1400 -
1410.
2. We have customized IIS in FTP Firewall Support (Data Channel Port
Range) accordingly.
3. We have enabled port forwarding on the router, just in case.
4. We have restarted the service and the computer.

After several hours of googling and swearing, we decided that we can't beat
this one on our own. All suggestions are welcome! It's like there's
something to do with the access rights but we see no way to approach it.

For some reason, we don't have ADSUTIL.VBS on our computer. We run Windows
Server 2008 with IIS7.0.

--

Regards
Konrad Viltersten
--------------------------------
May all spammers die an agonizing death;
have no burial places; their souls be
chased by demons in Gehenna from one room
to another for all eternity and beyond.

.._..

Mar 10, 2009, 11:06:43 AM
Put your FTP client in "passive" mode.

Check from another computer on the same LAN to determine if the issue is
with the server or with your firewall/routing.

K Viltersten

Mar 10, 2009, 6:03:09 PM
I've turned off the Windows Firewall. I'm behind
the firewall in my router. When I go within the LAN
by typing the following into Firefox:

ftp://192.168.0.3:1501

I get to log in and then view the files. However,
if I type this into Firefox:

ftp://193.11.216.125:1501

I get to the login frame but then I get error
425 ("Can't open data connection."). I've read
in several places that FTP requires TWO ports
and it seems to me that I only provided one,
for the commands.

How can I provide the second one? As far as I can
see, I've followed every guide there is on the
net but it still doesn't work...

Also, I'm unsure what I should check and how
to perform diagnostics on this kind of issue.
Any info is appreciated.

I'm on Server 2008 and IIS7. The router is a
NetGear and I've set port forwarding on the
range 1500-1520 for the 192.168.0.3 LAN address.

--

Regards
Konrad Viltersten
--------------------------------
May all spammers die an agonizing death;
have no burial places; their souls be
chased by demons in Gehenna from one room
to another for all eternity and beyond.

K Viltersten

Mar 10, 2009, 6:14:21 PM
Correction, by the way. When I go through
Firefox directly, I only get a blank page.
When I tried to connect via a "real" client,
I got error 426 ("Connection closed;
transfer aborted.") as soon as the LIST
command is issued.

So still, it seems that the command channel
works, while the data transfer channel
doesn't. I have no idea how to approach it.

Pablo A. Allois

Mar 11, 2009, 11:52:51 AM
This could be due to a misconfiguration of passive FTP.

Please post the FTP conversation to confirm that.

Saludos!

K Viltersten

Mar 12, 2009, 3:50:01 AM
> This could be due to a misconfiguration of passive FTP.
> Please post the FTP conversation to confirm that.
> Saludos!


It most likely is. I've found that by opening
ports 1500-1520, the data channel couldn't be
established. However, if I open 1024-65534,
i.e. ALL of the unreserved ones, the server
will establish the data channel.

The problem now is that I want to strangle the
"hole" by limiting it to ten, maybe twenty
ports. Is it doable?

How, if at all, can I make the IIS server only
use random ports in a given interval?

Thanks for the help!
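
Added example, not part of the original thread: a check of the server's "227 Entering Passive Mode" reply, the line in the FTP conversation that shows whether the advertised data port falls inside the forwarded range and whether the advertised address is reachable from outside the LAN. The function names and the sample replies are constructed for illustration; the addresses and the 1500-1520 range are the ones quoted in the thread.

```python
import ipaddress
import re

# Six comma-separated numbers of an RFC 959 "227 Entering Passive Mode" reply.
PASV_RE = re.compile(r"^227\b.*?" + ",".join([r"(\d{1,3})"] * 6))

FORWARDED = range(1500, 1521)   # router forwarding from the thread: 1500-1520

# Constructed sample replies (not captured from the poster's server).
REPLY_LAN_ADDR_HIGH_PORT = "227 Entering Passive Mode (192,168,0,3,195,80)"
REPLY_PUBLIC_ADDR_IN_RANGE = "227 Entering Passive Mode (193,11,216,125,5,225)"


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised by a 227 reply, else None."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]   # port = p1 * 256 + p2


def diagnose(reply, connected_to, forwarded=FORWARDED):
    """List the reasons a client's data connection would fail, if any."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a 227 passive-mode reply"]
    host, port = parsed
    problems = []
    # A client that reached the server on a public address cannot route
    # to an RFC 1918 address handed back in the PASV reply.
    if host.is_private and not ipaddress.ip_address(connected_to).is_private:
        problems.append(f"advertised address {host} is private")
    if port not in forwarded:
        problems.append(f"data port {port} is not forwarded")
    return problems


if __name__ == "__main__":
    for reply in (REPLY_LAN_ADDR_HIGH_PORT, REPLY_PUBLIC_ADDR_IN_RANGE):
        print(reply, "->", diagnose(reply, "193.11.216.125") or "ok")
```

An empty list means the advertised endpoint is consistent with the forwarding rule, so the narrow range can stay and the wide 1024-65534 opening is not needed.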

Pablo A. Allois

Mar 12, 2009, 10:44:38 AM
This script will set the passive mode port range:

Change in IIS "Direct Database editing"

In Inetpub\AdminScripts run:
cscript.exe adsutil.vbs set /MSFTPSVC/PassivePortRange "5001-5201"


Saludos!

K Viltersten

Mar 13, 2009, 3:20:24 PM
Is there a (simple) way to configure that from
the GUI? It'll be much easier to remember the
next time I need to do it.

K Viltersten

Mar 13, 2009, 3:27:01 PM
By the way, I just noticed that I don't have
the directory AdminScripts in the Inetpub
directory on my drive.

Also, I've made a search and there seems to
be no file called adsutil.vbs anywhere on my
computer...

I uninstalled IIS6 and installed IIS7 during
the installation of Server 2008, perhaps
it needs to be added.

What can I do here?

Pablo A. Allois

Mar 16, 2009, 8:12:45 AM
Please tell us what version of IIS you are using.

Saludos!

Pablo A. Allois

Mar 17, 2009, 8:22:55 AM
In IIS7, uninstall the FTP that comes with the operating system and install the FTP
for IIS 7.
http://www.microsoft.com/downloads/details.aspx?FamilyID=2eccf14a-5c4f-4cfb-9153-cfe1204b346a&displaylang=en


That FTP is more friendly, comes with some new toys and has a user-friendly
interface where you can set up the IP for the passive FTP and the port
range.


Saludos!

K Viltersten

Mar 17, 2009, 3:31:23 PM
The problem is gone! First of all - mucho
gracias for the support. Now, what was the
error? Well, for SOME reason, the scripts
weren't installed during the operation and
my beloved wife, with whom I collaborate on this
project, downloaded them from SOME site,
apparently targeting another version of
IIS or another OS.

Bottom line - thanks for the help - the
issue has been resolved by reinstalling the
whole shebang. :)

Pablo A. Allois

Mar 18, 2009, 9:35:15 AM
It looks like you had a misconfiguration with FTP in passive mode.
Maybe the port range or the IP.

In Win2008 you need to install a feature named IIS 6 script compatibility.


Congratulations to your wife.


Saludos!