
Re: FTP 7.5 + SSL + Non-default port / AspNetAuth

On Mon, 6 Jul 2009 07:39:39 -0700, "Alun Jones" <...@texis.invalid

"DoubleJava" <...@microsoft.com...

I'm going to answer based on my experiences when working with the RFC
drafter to help define and solidify the RFC for FTP over SSL, while writing
WFTPD Pro's FTP over SSL support.

Don't use Implicit SSL (i.e. connecting to port 990) - use Explicit SSL,
where the client specifically sends an "AUTH TLS" command. This should
connect to port 21, and start in unencrypted traffic. Implicit SSL was
deprecated before the RFC was even published, so you should not rely on it,
as its use and availability across multiple servers and clients is expected
to decline.

Your problem with Active versus Passive connectivity is explained by your
firewall configuration.

The terms "Active" and "Passive" refer to how the FTP server connects.

In Active mode, the FTP server connects to the client, on a random port
chosen by the client. Obviously, that will work if the client's firewall is
configured to allow the connection to that port, and doesn't depend on the
firewall at the server to do anything but allow connections outbound.

In Passive mode, the FTP client connects to the server, on a random port
chosen by the server. This requires the server's firewall to allow the
incoming connection, and depends on the client's firewall only to allow
outbound connections.

The trick for passive mode configuration is to tell your FTP server to
choose its random ports from a particular range, and then to open up that
range of ports in your server's firewall.

One sneaky trick that you can use with WFTPD and WFTPD Pro (and which may
work with IIS FTP) is to configure the client to use "Block" mode instead of
"Stream" mode - in that mode, it can use the default data port and not close
that port. This removes the need to open ports in the firewall. The downside
is that, although Block mode has been in the FTP RFC for decades, there are
few clients that actively support it. In the FTP over SSL case, however,
Block mode overcomes a large number of problems with data connections.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(206)428-1991
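The two mechanics Alun describes, PASV (server picks a port, client connects in) and PORT (client picks a port, server connects back), and the "restrict the server's passive range, then open that range on the firewall" trick, as an added example in Python. This is not code from the thread or from WFTPD or IIS; the PASV/PORT wire formats come from RFC 959, while the host name, credentials, and the 50000-50100 passive range are assumptions made up for illustration. The explicit-FTPS helper follows the advice above (clear-text connect on port 21, then AUTH TLS) using the standard library's `ftplib.FTP_TLS`.

```python
import re
import ssl
from ftplib import FTP_TLS

# RFC 959 reply to PASV: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The server is telling the client which address and port to connect to;
# port = p1 * 256 + p2.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Return (host, port) from a 227 reply; raise ValueError if it is malformed."""
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got: %r" % reply)
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no host/port tuple in reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def pasv_port_allowed(port, port_range):
    """The firewall check: did the server pick a port inside the range we opened?

    port_range is the (low, high) span configured on the server, e.g. the
    assumed (50000, 50100); anything outside it will be dropped by the firewall.
    """
    low, high = port_range
    return low <= port <= high


def build_port_command(host, port):
    """Build the PORT command a client sends in active mode.

    It tells the server where to connect back to; the client's firewall must
    accept that inbound connection or the data transfer stalls.
    """
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % host)
    if not 1 <= port <= 65535:
        raise ValueError("bad port: %r" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def explicit_ftps(host, user, password, port=21, passive=True):
    """Explicit FTPS: connect in the clear on port 21, then upgrade with AUTH TLS.

    Network code, not exercised offline; host/user/password are assumptions.
    """
    ctx = ssl.create_default_context()
    ftp = FTP_TLS(context=ctx)
    ftp.connect(host, port, timeout=30)
    ftp.auth()        # sends AUTH TLS and wraps the control connection in TLS
    ftp.login(user, password)
    ftp.prot_p()      # PBSZ 0 then PROT P: data connections are encrypted too
    ftp.set_pasv(passive)
    return ftp


if __name__ == "__main__":
    # Constructed sample reply, as a server with passive range 50000-50100 would send it.
    reply = "227 Entering Passive Mode (192,168,1,10,195,80)"
    host, port = parse_pasv_reply(reply)
    print(host, port, "allowed" if pasv_port_allowed(port, (50000, 50100)) else "blocked")
    print(build_port_command("10.0.0.5", 50001))
```

If `pasv_port_allowed` reports "blocked" for the port the server advertises, the server's passive range and the firewall rule disagree and the data connection will time out even though the control connection (and the TLS handshake on it) succeeded, which is the symptom described above.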



On Mon, 6 Jul 2009 09:00:01 -0700, DoubleJava <...@discussions.microsoft.com

Thanks, Alun!

Your explanations help a lot. I didn't understand that Implicit mode
"implied" port 990, but it does make sense. Also, your explanations of
passive and active mode are much more succinct than anything that I have been
able to find while searching. I’ll look into wftpd and see if I can get that
working. Thanks!

On Mon, 6 Jul 2009 16:13:49 -0400, "Steve Schofield" <...@iislogs.com

Nice explanation. Do you have this information posted somewhere? I'd like
to refer to it in the future, say your blog? Hint hint. :)

Steve Schofield

"Alun Jones" <...@microsoft.com...


On Wed, 8 Jul 2009 23:19:49 -0700, "Alun Jones" <...@texis.invalid

"Steve Schofield" <...@TK2MSFTNGP05.phx.gbl...

Thanks for the suggestion.

Part 1: http://msmvps.com/blogs/alunj/archive/2009/07/08/1698917.aspx

The SSL stuff will come in part 2, or 3 if it gets too long-winded.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(206)428-1991