Just recently I came across an issue with the new FTP 7 (also known as Out Of Band FTP 7).
You can download FTP 7 from Microsoft FTP Publishing Service for IIS 7.0 (x86) or Microsoft FTP Publishing Service for IIS 7.0 (x64). It is recommended that you don't install both the legacy FTP service (listed under Role Services) and OOB FTP 7 on the same server.
Here is the scenario:
We have a brand new installation of Windows Server 2008 SP1, on which we then installed FTP 7 from the download above.
We configured FTP 7 as follows:
- Under FTP Authentication we have Basic Authentication enabled.
- Under FTP Authorization Rules, we configured the FTP for a Specified User, this is a local user on the server.
- We have given Read permission for the specified user.
- Directory Browsing is left at the default, "MS-DOS" style.
- Under FTP SSL Settings, the SSL certificate is "Not Selected" and the SSL Policy is Custom, with both Control Channel and Data Channel set to Allow.
- FTP User Isolation is left at the default, "FTP root directory".
Once the configuration is done, we try connecting to the FTP site from another box.
Using the command-line ftp client we get "Connection timed out".
Let’s try and understand what’s happening.
A network trace shows that the request never reaches IIS 7: the client sends a [SYN] to port 21 but never gets a [SYN, ACK] back.
In Windows Server 2008 SP1, Windows Firewall is turned on by default. Since FTP 7 is an out-of-band product, installing it does not add any firewall configuration to allow FTP through to the server.
You can always add FTP to the Exceptions list manually. I tried enabling port 20 (data port) and 21 (control port) manually as shown in the screenshot below.
Strictly speaking only port 21 needs an inbound rule for this to work: in active mode the server itself opens the data connection, outbound from port 20 to the client, and Windows Firewall allows outbound connections by default.
You can also use the command netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21.
This allows the inbound control connection through the firewall.
A network trace taken on the client now shows that the request made from the command prompt gets a successful response.
We also checked the FTP log file, which is located at C:\inetpub\logs\LogFiles\FTPSVC1.
It shows the control channel opening successfully, the username and password being accepted, and then the data channel opening and closing successfully.
We then tried accessing ftp://scorpio from Windows Explorer and got the error "The operation timed out".
So what is causing this "operation timed out" error when the same site is accessed from Windows Explorer?
So, we took a network trace and checked how the connections happens.
We see that Windows Explorer, unlike the command-line client, sends a PASV command. The server picks an ephemeral passive port, 49193, and tells the client to connect there, but the client's connection to that port never gets through the server's firewall, which only has rules for ports 20 and 21.
The FTP log confirms the same.
The command-line client works because ftp.exe uses active mode: the log shows the control connection on port 21 and the data connection from port 20, which the server opens outbound to the client. In passive mode the roles are reversed. The server listens on a random port from the dynamic range (49152 to 65535 on Windows Server 2008) and the client has to connect in to it, so fixed rules for ports 20 and 21 do not help.
To allow passive connections without opening the whole dynamic range, we enable the firewall's stateful FTP inspection with the command netsh advfirewall set global StatefulFtp enable. With this on, the firewall reads the clear-text control channel, notices the port announced in the server's 227 reply to PASV, and lets the following inbound data connection through to just that port.
Now, access ftp://scorpio again and let's see what the network trace shows.
Frame 59 shows the PASV request, and the server now handles it on passive port 49203. Frames 61 to 64 show the [SYN], [SYN, ACK] and [ACK] handshake to that port followed by the LIST command, and in frame 65 the server responds by sending the listing over the data connection.
The FTP log confirms the same.
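To make the difference between the two trace captures concrete, here is an added example (written for this page, not code from the FTP 7 product or the Windows Firewall) that parses the two control-channel messages which set up a data connection, the client's PORT command and the server's 227 reply to PASV, and works out which inbound port, if any, the server's firewall must open for the data channel that follows. That is the same decision stateful FTP inspection makes after "netsh advfirewall set global StatefulFtp enable". The control-channel transcript, the server address 10.0.0.5 and the client address 10.0.0.9 are constructed; the passive port 49203 (encoded as 192,51) is the one from frame 59 above.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed control-channel transcript modelled on the post's second trace:
# the client logs in, asks for passive mode, the server announces port
# 49203 (192*256 + 51) on 10.0.0.5, and the client then issues LIST.
# The addresses are assumptions, not values from the post.
SERVER_IP = "10.0.0.5"
CONTROL_CHANNEL = [
    "USER ftpuser",
    "331 Password required for ftpuser.",
    "PASS ********",
    "230 User logged in.",
    "PASV",
    "227 Entering Passive Mode (10,0,0,5,192,51).",
    "LIST",
    "150 Opening ASCII mode data connection.",
    "226 Transfer complete.",
]


class DataChannel(NamedTuple):
    mode: str              # "passive" (server listens) or "active" (client listens)
    host: str              # address the connecting side must reach
    port: int              # port the connecting side must reach
    server_connects: bool  # True when the server opens the data connection


_PASV_REPLY = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def _decode_hostport(groups) -> tuple:
    """Turn the six comma-separated values of PORT / 227 into (host, port)."""
    values = [int(g) for g in groups]
    if any(v > 255 for v in values):
        raise ValueError("value out of range in %r" % (groups,))
    h1, h2, h3, h4, p1, p2 = values
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_data_channel(line: str) -> Optional[DataChannel]:
    """Recognise the two control-channel messages that set up a data connection."""
    m = _PASV_REPLY.match(line)
    if m:
        host, port = _decode_hostport(m.groups())
        return DataChannel("passive", host, port, server_connects=False)
    m = _PORT_CMD.match(line)
    if m:
        host, port = _decode_hostport(m.groups())
        return DataChannel("active", host, port, server_connects=True)
    return None


def inbound_port_needed(channel: DataChannel, server_ip: str) -> Optional[int]:
    """Port the server's firewall must accept inbound for this data connection.

    Active mode: the server connects out from port 20, so no inbound rule is
    needed (Windows Firewall allows outbound by default). Passive mode: the
    client connects in to the ephemeral port named in the 227 reply. A 227
    reply naming a host other than the server is rejected, since a client that
    followed it would be sent to a third machine.
    """
    if channel.server_connects:
        return None
    if channel.host != server_ip:
        raise ValueError("227 reply points at %s, not the server %s" % (channel.host, server_ip))
    return channel.port


def stateful_ftp_openings(control_lines: List[str], server_ip: str) -> List[int]:
    """Emulate stateful FTP inspection: read the clear-text control channel and
    collect the inbound ports to open temporarily for the data connections that
    follow. Nothing is opened for active-mode transfers."""
    ports = []
    for line in control_lines:
        channel = parse_data_channel(line)
        if channel is None:
            continue
        port = inbound_port_needed(channel, server_ip)
        if port is not None:
            ports.append(port)
    return ports


if __name__ == "__main__":
    for p in stateful_ftp_openings(CONTROL_CHANNEL, SERVER_IP):
        print("allow inbound TCP to %s:%d for the data channel" % (SERVER_IP, p))
```

Run as a script it reports the single opening for port 49203. Feed it the active-mode exchange instead (a "PORT 10,0,0,9,192,41" line from the client, where 192,41 encodes 49193) and it reports nothing, which is exactly why the command-line client worked with only port 21 open. Note that this emulation, like the real stateful inspection, only works because it can read the 227 reply in clear text.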
Please refer to the article Windows Firewall setup for Microsoft FTP Publishing Service for IIS 7.0 for a fuller explanation of configuring Windows Firewall for FTP 7. One caveat worth keeping in mind: stateful FTP inspection only works while the control channel is in clear text. If you later require SSL on the control channel, the firewall can no longer read the PASV reply, and you must instead configure a fixed Data Channel Port Range under FTP Firewall Support in IIS Manager and open that range inbound.