[Last updated on July 17, 2019] It’s never easy to set up an FTP server the moment firewalls get involved. But it gets even more difficult once you start using the secure version of FTP, known as FTPS. In this post, we’ll talk about the problem you’ll usually encounter when your FTPS server is behind a firewall and your client is attempting to perform a file transfer using passive mode or PASV.
Let me explain.
When an FTP/S client wants to conduct a data transfer using Passive Mode, it issues the PASV command. Upon receiving that command, the FTP/S server responds with the server’s IP address and the port number on which it wants the client to connect to.
Note: The passive port number calculates to: (192 x 256) + 25 = 49177
Prefer to watch a video version of this blog post instead?
This shouldn’t be a problem for direct connections. But once you have a firewall or NAT router in between, things can get pretty messy.
So, let’s say we have an FTPS server sitting behind a firewall. Basically, the FTPS server is in an internal network and has an internal IP address assigned to it. The client, which is is outside the internal network, is connecting to the FTPS server via the firewall's external IP address. We’ll be using the term ‘firewall’ but this kind of situation applies to NAT routers, reverse proxies and other routing devices as well.
So now, when the FTPS server responds to the PASV command, its response will specify the FTPS server’s internal IP address and the port number it will be listening on.
What then happens is that, when the client, in turn, attempts to connect, it will attempt to connect to that internal IP address. Since the client does not belong to the internal network, it will naturally fail to connect and eventually time-out.
In addition, if the port number specified in the response has not been opened on the firewall or routing device, that would also cause the connection to fail.
Of course, modern firewalls, NAT routers, reverse proxies, and other routing devices, are smart enough to address this particular situation. Once they have identified the conversation taking place as that of FTP and are able to detect the PASV command, they simply assume that the client is going to be connecting back to the FTP server through another port and IP address.
They then dynamically open that port to the FTP server in anticipation of the request from the client software. They also modify the response packet to instruct the client software to connect back at the external IP address, not the FTP server's internal IP address. Once they receive the client’s request, they then simply make the necessary substitutions.
However, when the packets are encrypted with TLS, as in the case of FTPS, the firewall can't examine the packets and so will have difficulty determining what ports to open and what IP addresses to substitute with.
This what you do to resolve the problem. In your FTPS server, you need to specify a passive IP address and a passive port range. These settings are going to be used when responding to PASV client requests.
The passive IP address should be the external IP address of your firewall, NAT, reverse proxy, or other routing device. On the other hand, the passive port range should be the range of ports you want the FTPS server to be listening on. For this to work, those range of ports should likewise be opened on your firewall.
To configure this on JSCAPE MFT Server, do the following. Login to the JSCAPE MFT Server Manager,
navigate into the domain on which your FTPS service is running, and then go to the Services module and navigate into the FTP/S tab.
Specify the external IP address in the Passive IP field. Tick the “Passive port range” check box and specify a passive port range.
Once you’re done, click Apply.
That’s it. Your internal FTPS server will now be ready to respond to PASV mode data transfers.
Try this out yourself. Download the free, fully-functional evaluation edition of JSCAPE MFT Server.
Want to be updated on posts like this? Connect with us...