TMG firewall issue cant access ftps server

Discussion in 'Windows Server Forums' started by robertkwild, Jul 20, 2016.

  1. robertkwild

    Joined:
    Feb 27, 2016
    Messages:
    12
    Likes Received:
    0
    hi all,

    I have made a vsftpd FTPS server and I can access it using my PC with the FileZilla client, no problem, if it's on the "internal" network, but when I put it on the "perimeter" network I can't access it at all.

    The rule is 115 and I have opened up the ports, i.e. 21 FTP and the passive ports 52472-52486, so I really don't know what the issue is here.

    Do you think I need an inbound rule as well??

    many thanks,

    rob
     
  2. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,412
    Likes Received:
    366
    You need to change your data channel port rule to inbound: 52472-52486. Also make sure the vsftpd server accepts data connections on those same ports and that the client will also only use those ports in its passive data channels.

    If you have a default "block all outbound" then you may also need the data channel ports outbound as well.
     
  3. robertkwild

    Joined:
    Feb 27, 2016
    Messages:
    12
    Likes Received:
    0
    When you say my data channel rule, do you mean this rule?

    What if I leave the rule like so and add the following:

    secondary connections

    52472-52486-TCP-Inbound

    as maybe the passive ports are getting to the FTP server but I need to allow them back in to get a connection going?
     
  4. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,412
    Likes Received:
    366
    Yeah, that should work. When I say data channel I mean the port used for data transfer. In passive FTP the client sends a request to the command port (21) on the server to specify which high-numbered port it will use. The FTP server will then listen on that port, but if the inbound firewall is blocking that port it won't connect.

    You could see this with Wireshark on the client: when it tries to connect to the data port it selects, you would either see no reply from the server or a RST, depending on the firewall configuration.
     
  5. robertkwild

    Joined:
    Feb 27, 2016
    Messages:
    12
    Likes Received:
    0
    Yeah, on my vsftpd server I have that passive port range open, as well as on the TMG firewall.

    But I have checked, and the secondary ports are meant for new connections after the initial connection has been established, but I have already put port 21 and the passive range down as the primary range, so it really shouldn't be using the secondary ports as they're the same ports.
     
  6. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,412
    Likes Received:
    366
    Did you create the allow inbound rule for the 50000+ ports you have assigned? You do need that. If it still is not working I would run Wireshark on the client, try to FTP, then stop and save the pcap file from Wireshark. You may PM it to me if you don't want the data exposed publicly.
     
  7. robertkwild

    Joined:
    Feb 27, 2016
    Messages:
    12
    Likes Received:
    0
    No, I have just created an allow outbound rule from the internal network (i.e. FTP client) to the perimeter (i.e. FTP server) for port 21 and the passive port range.

    The default rule for TMG is to block all traffic to anywhere.
     
    #7 robertkwild, Jul 21, 2016
    Last edited: Jul 21, 2016
  8. robertkwild

    Joined:
    Feb 27, 2016
    Messages:
    12
    Likes Received:
    0
    OK, I think I know what to do now.

    Create two access rules (i.e. outbound rules) for 21 and the passive ports.

    One rule is from internal to perimeter and the other rule is vice versa, so they can both talk to each other.
     
  9. robertkwild

    Joined:
    Feb 27, 2016
    Messages:
    12
    Likes Received:
    0
    I'm going to give up lol, this is crazy.

    https://s32.postimg.org/z8bs85dph/ftps_issue.png

    I have allowed a wide range of ports and it still doesn't work (see link).

    When I hash out all the FTPS lines in my FTP server config file I can connect to it via normal FTP, so I know it works (on the same LAN, i.e. perimeter).

    There's a rule on my TMG firewall at the bottom that allows outbound port 21 "internal" to "perimeter", hence why I can connect to it via normal FTP, and I don't need to create another rule for outbound 21 "perimeter" to "internal".

    I used Wireshark and it listed it being port 64xxx to 652xx, so my rule should definitely work, but it doesn't and I don't know why.

    cheers,

    rob
     
  10. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,412
    Likes Received:
    366
    At least from the screenshot I don't see the inbound rule for the data ports.
    • Is the firewall you are configuring on the same system with the ftp server?
    • Are the server and client on the same LAN?

    Hypothetical setup
    FTP Server in passive mode
    • FTP setup
      • Allow data on ports 50000-50100
      • Port 21 control port
    • Firewall Rules
      • Allow > Inbound > 21 tcp
      • Allow > Inbound > 50000-50100
    Client
    • No rules needed
    Really high-level overview of how it should connect
    Client (randomport#1) > Server 21 (Hi I want to ftp)
    Server 21 > Client (randomport#1) (Ok use port 50000)
    Client (randomport#2) > Server 50000 (Sending data)
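    The three-step passive-mode exchange sketched above (and described in post 4) is shown below as an added Python example; it is not code from this thread, from vsftpd or from TMG. It builds a client PASV request, the server's 227 reply that carries the data port as p1*256+p2, and then checks the chosen port against a static inbound data-port rule, the way a firewall that cannot read the control channel has to. The server address 192.168.2.10, the 50000-50100 allowed range and the port numbers are constructed for illustration; pasv_min_port and pasv_max_port are vsftpd's real config keys for the passive range. With FTPS the control channel is TLS-encrypted after AUTH TLS, so a firewall's FTP application filter cannot read the 227 reply and open the data port on the fly; only a static range rule that matches the server's passive range will let the data connection through, and a port outside that range (like the 64xxx ports seen later in this thread in Wireshark) is dropped silently.

```python
from __future__ import annotations

import re

# Constructed policy for the hypothetical setup: control port 21 and a static
# inbound data-port rule of 50000-50100 on the firewall in front of the server.
CONTROL_PORT = 21
ALLOWED_DATA_PORTS = range(50000, 50101)  # range() stop is exclusive, so 50100 is included

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def pasv_reply(server_ip: str, data_port: int) -> str:
    """Build the 227 reply a server sends after PASV; the port is split into two bytes."""
    if not 0 < data_port < 65536:
        raise ValueError(f"data port out of range: {data_port}")
    octets = server_ip.split(".")
    return f"227 Entering Passive Mode ({','.join(octets)},{data_port // 256},{data_port % 256})."


def parse_pasv(reply: str) -> tuple[str, int]:
    """Parse a 227 reply into (host, port); the port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(field > 255 for field in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"field out of byte range in reply: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def firewall_allows_data_port(port: int, allowed: range = ALLOWED_DATA_PORTS) -> bool:
    """Static inbound rule check: the data port must fall inside the configured range."""
    return port in allowed


def vsftpd_range_inside_firewall(pasv_min_port: int, pasv_max_port: int,
                                 allowed: range = ALLOWED_DATA_PORTS) -> bool:
    """True only if every port vsftpd may hand out (pasv_min_port..pasv_max_port) is covered by the rule."""
    return pasv_min_port <= pasv_max_port and pasv_min_port in allowed and pasv_max_port in allowed


def simulate_passive_session(server_ip: str, chosen_port: int,
                             allowed: range = ALLOWED_DATA_PORTS) -> tuple[bool, list[str]]:
    """Walk the three-step exchange and report whether the data connection would be permitted."""
    transcript = [f"client:random#1 -> {server_ip}:{CONTROL_PORT}  PASV"]
    reply = pasv_reply(server_ip, chosen_port)
    transcript.append(f"{server_ip}:{CONTROL_PORT} -> client:random#1  {reply}")
    host, port = parse_pasv(reply)
    if firewall_allows_data_port(port, allowed):
        transcript.append(f"client:random#2 -> {host}:{port}  data connection (permitted by inbound rule)")
        return True, transcript
    transcript.append(
        f"client:random#2 -> {host}:{port}  DROPPED: port outside inbound rule "
        f"{allowed.start}-{allowed.stop - 1} (client sees no reply or a RST)"
    )
    return False, transcript


if __name__ == "__main__":
    # Constructed server address; 50000 is inside the rule, 64528 is outside it.
    for port in (50000, 64528):
        ok, lines = simulate_passive_session("192.168.2.10", port)
        print("\n".join(lines), "\n=> transfer possible:", ok, "\n")
    # Mismatch check: a vsftpd passive range the firewall rule does not cover.
    print("vsftpd 52472-52486 inside rule:", vsftpd_range_inside_firewall(52472, 52486))
```

    Running it prints the permitted session, the dropped one, and a False for the 52472-52486 range against the 50000-50100 rule; the practical check is simply that the vsftpd range, the firewall's inbound data rule and the ports the client actually uses (as seen in Wireshark) all agree.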
     
  11. robertkwild

    Joined:
    Feb 27, 2016
    Messages:
    12
    Likes Received:
    0
    So are you saying I need to publish/NAT my FTP server on the DMZ LAN to my internal users on the internal LAN, i.e. like when I publish/NAT my email server ports 25/143 on the DMZ network to the public external network, i.e. WAN?

    I didn't think you would need to publish/NAT it as they're both in the LAN or private network (even though the internal LAN and perimeter LAN are completely separate networks) and not talking to the public network, i.e. the WAN.
     
  12. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,412
    Likes Received:
    366
    If the clients and server are on different LAN segments and there is NAT between them, then yes, you will need to set up NAT forward rules for the range of data ports on the FTP server and port 21.
     
  13. robertkwild

    Joined:
    Feb 27, 2016
    Messages:
    12
    Likes Received:
    0
    OK, but just so we're on the same page:

    When I say NAT I mean create a publish rule, i.e. inbound rule, so you publish a machine to the public network, like an email or FTP server.

    When I say access rule I mean a route rule, i.e. outbound rule, so a network can talk to another network, i.e. LAN or WAN.
     
  14. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,412
    Likes Received:
    366
    When I say NAT, I mean NAT as in when data is coming out the egress point of a router and it gets translated to a different address. Anything to do with inbound/outbound rules typically relates to firewalls. As I don't really know what your network layout is like, it does make it pretty difficult to troubleshoot. Typically in non-home networks there will not be any NAT except at the border gateway/firewall. If any clients are connecting to the FTP server from outside your network then you will need both inbound firewall rules to permit the traffic into your network and forwarding rules so the traffic can get to the server. If the clients are on the same LAN as the server they will need inbound rules for 21 and the data ports on the server, provided it has a firewall. If the clients are on different LANs then you will need that traffic to be routable to the server's LAN, and the firewall rules on the server (inbound)
     
  15. robertkwild

    Joined:
    Feb 27, 2016
    Messages:
    12
    Likes Received:
    0
    Yeah, that is what I thought: NAT is only for servers that need to get accessed from the WAN, i.e. the outside world.

    MS TMG calls this a publishing rule, i.e. inbound.

    We have a DMZ network for this so the outside world can hit the servers (i.e. email, FTP) on the DMZ, but as the DMZ is on its own private network there's no way for them to latch on to our internal network where our user computers are.

    But what if our user computers want to connect to the FTP server as well, which is on our DMZ, so two completely different networks that can't talk to each other?

    MS TMG has another rule called access rules where you can make a network talk to another network.

    Access rules are outbound, they can't be inbound.

    I thought I would create an access rule for internal computers to connect to the FTP server on the DMZ network, but I have tried and it doesn't work and I don't know why.
     
  16. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,412
    Likes Received:
    366
    You may need to consult the firewall documentation. You will need to set up a rule internal > DMZ to allow port 21 and your data ports.
     
  17. robertkwild

    Joined:
    Feb 27, 2016
    Messages:
    12
    Likes Received:
    0
    Think I have found the answer.

    I was only allowing one-way traffic (from internal computers to FTP server), but this is vice versa (from FTP to internal).
     
