Setting Up An FTPS Server Behind A Firewall or NAT For PASV Mode Data Transfers

Explains the proper way of setting up an FTPS server behind a firewall and allow it to support passive (PASV) mode data transfers.


It’s never easy to set up an FTP server the moment firewalls get involved. But it gets even more difficult once you start using the secure version of FTP, known as FTPS. In this post, we’ll talk about the problem you’ll usually encounter when your FTPS server is behind a firewall and your client is attempting to perform a file transfer using passive mode or PASV.

Let me explain.

When an FTP/S client wants to conduct a data transfer using passive mode, it issues the PASV command. Upon receiving that command, the FTP/S server responds with the server’s IP address and the port number to which it wants the client to connect.

[Figure: FTPS PASV response]

Note: The passive port number calculates to: (192 x 256) + 25 = 49177


This shouldn’t be a problem for direct connections. But once you have a firewall or NAT router in between, things can get pretty messy.

So, let’s say we have an FTPS server sitting behind a firewall. Basically, the FTPS server is in an internal network and has an internal IP address assigned to it. The client, which is outside the internal network, connects to the FTPS server via the firewall’s external IP address. We’ll be using the term ‘firewall’, but this kind of situation applies to NAT routers, reverse proxies and other routing devices as well.

[Figure: FTPS server on an internal network behind a firewall]

So now, when the FTPS server responds to the PASV command, its response will specify the FTPS server’s internal IP address and the port number it will be listening on.

[Figure: FTP PASV response]

What then happens is that, when the client in turn attempts to connect, it will try to reach that internal IP address. Since the client does not belong to the internal network, it will naturally fail to connect and eventually time out.

In addition, if the port number specified in the response has not been opened on the firewall or routing device, that would also cause the connection to fail.

[Figure: FTP PASV response problem]

Of course, modern firewalls, NAT routers, reverse proxies and other routing devices are smart enough to address this particular situation. Once they have identified the conversation taking place as FTP and are able to detect the PASV command, they assume that the client is going to be connecting back to the FTP server through another port and IP address.

They then dynamically open that port to the FTP server in anticipation of the request from the client software. They also modify the response packet to instruct the client software to connect back at the external IP address, not the FTP server's internal IP address. Once they receive the client’s request, they then simply make the necessary substitutions.

[Figure: PASV-aware firewall]

[Figure: PASV-aware firewall, continued]

However, when the packets are encrypted with TLS, as in the case of FTPS, the firewall can’t examine the packets and so will have difficulty determining what ports to open and what IP addresses to substitute.

[Figure: encrypted FTPS PASV response]

This is what you do to resolve the problem. In your FTPS server, you need to specify a passive IP address and a passive port range. These settings are going to be used when responding to PASV client requests.

The passive IP address should be the external IP address of your firewall, NAT, reverse proxy or other routing device. The passive port range should be the range of ports you want the FTPS server to be listening on for data connections. For this to work, that range of ports must likewise be opened on your firewall.

To configure this on JSCAPE MFT Server, do the following. Log in to the JSCAPE MFT Server Manager, navigate to the domain on which your FTPS service is running, then go to the Services module and open the FTP/S tab. Specify the external IP address in the Passive IP field. Tick the “Passive port range” check box and specify a passive port range.

[Figure: passive FTP settings]

Once you’re done, click Apply. That’s it. Your internal FTPS server will now be ready to respond to PASV mode data transfers.
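To verify the result from a client outside the firewall, here is an added Python example (not part of the original post and not JSCAPE code) that decodes a 227 PASV reply the way a client does and flags the two failure conditions described above: the server advertising its internal address, or a port outside the range opened on the firewall. The sample replies, the passive range 49152-49200 and the external address 203.0.113.10 are constructed for illustration.

```python
import ipaddress
import re
from typing import NamedTuple

# The 227 reply carries six decimal fields h1,h2,h3,h4,p1,p2; servers vary the
# surrounding text and brackets, so only the comma-separated fields are required.
PASV_RE = re.compile(r"^227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


class PasvEndpoint(NamedTuple):
    host: str
    port: int


def parse_pasv_reply(line: str) -> PasvEndpoint:
    """Decode a 227 reply into the address and port the client is told to use.
    The port is p1 * 256 + p2, so fields (192, 25) give 49177."""
    m = PASV_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {line!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return PasvEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def check_pasv_reply(line: str, control_host: str, passive_range: tuple) -> list:
    """Return the problems an outside client would hit with this reply.
    control_host is the address the client dialled for the control connection
    (the firewall's external IP); passive_range is the (low, high) port range
    opened on the firewall and configured as the server's passive port range."""
    ep = parse_pasv_reply(line)
    problems = []
    if ep.host != control_host:
        addr = ipaddress.ip_address(ep.host)
        kind = "internal" if addr.is_private or addr.is_loopback else "unexpected"
        problems.append(f"{kind} address {ep.host} advertised; client dialled {control_host}")
    low, high = passive_range
    if not low <= ep.port <= high:
        problems.append(f"port {ep.port} is outside the opened passive range {low}-{high}")
    return problems


# Constructed sample replies; 203.0.113.10 stands in for the firewall's external IP.
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,192,25)."
INTERNAL_REPLY = "227 Entering Passive Mode (192,168,1,10,192,25)."
OUT_OF_RANGE_REPLY = "227 Entering Passive Mode (203,0,113,10,39,16)."

if __name__ == "__main__":
    for reply in (GOOD_REPLY, INTERNAL_REPLY, OUT_OF_RANGE_REPLY):
        print(reply, "->", check_pasv_reply(reply, "203.0.113.10", (49152, 49200)) or "ok")
```

Feed it the 227 line your client logs after sending PASV; a correctly configured server yields an empty problem list.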

Try this out yourself. Download the free, fully-functional evaluation edition of JSCAPE MFT Server.

