TMG firewall issue cant access ftps server

robertkwild

Active Member
hi all,

I have made a vsftpd FTPS server and I can access it using my PC (FileZilla client) no problem if it's on the "internal" network, but when I put it on the "perimeter" network I can't access it at all.

The rule is 115 and I have opened up the ports, i.e. 21 (FTP) and the passive ports 52472-52486, so I really don't know what the issue is here.

Do you think I need an inbound rule as well?

many thanks,

rob
 
You need to change your data channel port rule (52472-52486) to inbound. Also make sure the vsftpd server accepts data connections on those same ports and that the client will also only use those ports in its passive data channels.

If you have a default "block all outbound" then you may also need the data channel ports outbound as well.
 
When you say my data channel rule, do you mean this rule?

What if I leave the rule like so and add the following:

secondary connections

52472-52486-TCP-Inbound

As maybe the passive ports are getting to the FTP server but I need to allow them back in to get a connection going?
 
Yeah, that should work. When I say data channel I mean the port used for data transfer. In passive FTP the client sends a request to the command port (21) on the server to specify which high-numbered port it will use. The FTP server will then listen on that port, but if the inbound firewall is blocking that port it won't connect.

You could see this with Wireshark on the client: when it tries to connect to the data port it selects, you would either see no reply from the server or a RST, depending on the firewall configuration.
 
Yeah, on my vsftpd server I have that passive port range open, as well as on the TMG firewall.

But I have checked, and the secondary ports are meant for new connections after the initial connection has been established, but I have already put port 21 and the passive range down as the primary range, so it really shouldn't be using the secondary ports as they're the same ports.
 
Did you create the allow inbound rule for the 50000+ ports you have assigned? You do need that. If it is still not working I would run Wireshark on the client, try to FTP, then stop and save the pcap file from Wireshark. You may PM it to me if you don't want the data exposed publicly.
 
No, I have just created an allow outbound rule from the internal network (i.e. FTP client) to the perimeter (i.e. FTP server) for port 21 and the passive port range.

The default rule for TMG is to block all traffic to anywhere.
 
OK, I think I know what to do now.

Create two access rules (i.e. outbound rules) for 21 and the passive ports.

One rule is from internal to perimeter and the other rule is vice versa, so they can both talk to each other.
 
I'm going to give up lol, this is crazy.

https://s32.postimg.org/z8bs85dph/ftps_issue.png

I have allowed a wide range of ports and it still doesn't work (see link).

When I hash out all the FTPS lines in my FTP server config file I can connect to it via normal FTP, so I know it works (on the same LAN, i.e. perimeter).

There's a rule on my TMG firewall at the bottom that allows outbound port 21 "internal" to "perimeter", hence why I can connect to it via normal FTP and I don't need to create another rule for outbound 21 "perimeter" to "internal".

I used Wireshark and it listed it being port 64xxx to 652xx, so my rule should def work, but it doesn't and I don't know why.

cheers,

rob
 
At least from the screenshot I don't see the inbound rule for the data ports.
  • Is the firewall you are configuring on the same system with the ftp server?
  • Are the server and client on the same LAN?

Hypothetical setup
FTP Server in passive mode
  • FTP setup
    • Allow data on ports 50000-50100
    • Port 21 control port
  • Firewall Rules
    • Allow > Inbound > 21 tcp
    • Allow > Inbound > 50000-50100
Client
  • No rules needed
Really high-level overview of how it should connect
Client (randomport#1) > Server 21 (Hi I want to ftp)
Server 21 > Client (randomport#1) (Ok use port 50000)
Client (randomport#2) > Server 50000 (Sending data)
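To turn the hypothetical setup above into something you can check, here is an added example (not code from the thread, vsftpd or TMG) that parses the 227 PASV reply a client receives and tests the advertised data port against the firewall's inbound rules and against the pasv_min_port/pasv_max_port range configured in vsftpd.conf, which is the three-step flow above made explicit. The rule set and the two 227 replies are constructed samples modelled on the ports mentioned in the thread.

```python
import re
from dataclasses import dataclass

# Matches "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", the RFC 959 PASV reply.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (host, port) advertised by a PASV reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    host = ".".join(m.group(i) for i in range(1, 5))
    return host, int(m.group(5)) * 256 + int(m.group(6))

@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" means towards the FTP server, as used in the thread
    lo: int
    hi: int

def allowed(rules, direction, port):
    return any(r.direction == direction and r.lo <= port <= r.hi for r in rules)

def check_passive_session(rules, pasv_range, pasv_reply, control_port=21):
    """Diagnose a passive data channel. rules: firewall rules in front of the server;
    pasv_range: (pasv_min_port, pasv_max_port) from vsftpd.conf. Returns (data_port,
    problems); an empty problems list means it should connect. With FTPS the 227 reply
    is encrypted, so the firewall cannot learn the data port from the control channel:
    the whole range must be allowed statically."""
    problems = []
    if not allowed(rules, "inbound", control_port):
        problems.append("control port %d not allowed inbound" % control_port)
    _, data_port = parse_pasv(pasv_reply)
    lo, hi = pasv_range
    if not lo <= data_port <= hi:
        problems.append("server advertised %d, outside configured pasv range %d-%d"
                        % (data_port, lo, hi))
    if not allowed(rules, "inbound", data_port):
        problems.append("data port %d not allowed inbound" % data_port)
    return data_port, problems

# Constructed sample mirroring the thread: the rule opens 21 and 52472-52486 inbound.
RULES = [Rule("inbound", 21, 21), Rule("inbound", 52472, 52486)]
VSFTPD_RANGE = (52472, 52486)
GOOD_REPLY = "227 Entering Passive Mode (10,0,1,5,205,0)"    # 205*256 + 0 = 52480
BAD_REPLY = "227 Entering Passive Mode (10,0,1,5,251,244)"   # 251*256 + 244 = 64500

if __name__ == "__main__":
    for reply in (GOOD_REPLY, BAD_REPLY):
        print(check_passive_session(RULES, VSFTPD_RANGE, reply))
```

A port outside the configured range (like the 64xxx ports seen in Wireshark earlier in the thread) is reported separately from a port the firewall simply does not allow, so you can tell a server-side config problem from a firewall rule problem.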
 
So are you saying I need to publish/NAT my FTP server on the DMZ LAN to my internal users on the internal LAN, i.e. like when I publish/NAT my email server ports 25/143 on the DMZ network to the public external network, i.e. WAN?

I didn't think you would need to publish/NAT it as they're both in the LAN or private network (even though the internal LAN and perimeter LAN are completely separate networks) and not talking to the public network, i.e. the WAN.
 
If the clients and server are on different LAN segments and there is NAT between them, then yes, you will need to set up NAT forward rules for the range of data ports on the FTP server and port 21.
 
OK, but just so we're on the same page:

When I say NAT I mean create a publish rule, i.e. inbound rule, so you publish a machine to the public network, like an email or FTP server.

When I say access rule I mean a route rule, i.e. outbound rule, so a network can talk to another network, i.e. LAN or WAN.
 
When I say NAT, I mean NAT as in when data is coming out the egress point of a router and it gets translated to a different address. Anything to do with inbound/outbound rules typically relates to firewalls. As I don't really know what your network layout is like, it does make it pretty difficult to troubleshoot. Typically in non-home networks there will not be any NAT except at the border gateway/firewall. If any clients are connecting to the FTP server from outside your network then you will need both inbound firewall rules to permit the traffic into your network and forwarding rules so the traffic can get to the server. If the clients are on the same LAN as the server they will need inbound rules for 21 and the data ports on the server, provided it has a firewall. If the clients are on different LANs then you will need that traffic to be routable to the server's LAN, and the firewall rules on the server (inbound)
 
Yeah, that is what I thought, NAT is only for servers that need to get accessed from the WAN, i.e. outside world.

MS TMG calls this a publishing rule, i.e. inbound.

We have a DMZ network for this so the outside world can hit the servers (i.e. email, FTP) on the DMZ, but as the DMZ is on its own private network there's no way for them to latch on to our internal network where our user computers are.

But what if our user computers want to connect to the FTP server as well that is on our DMZ, so two completely different networks that can't talk to each other?

MS TMG has another rule called access rules where you can make a network talk to another network.

Access rules are outbound, can't be inbound.

I thought I would create an access rule for internal computers to connect to the FTP server on the DMZ network, but I have tried and it doesn't work and I don't know why.
 
May need to consult the firewall documentation. You will need to set up a rule internal > DMZ to allow port 21 and your data ports.
 
Think I have found the answer.

I was only allowing one-way traffic (from internal computers to FTP server) but this is vice versa (from FTP to internal).
 