Just recently I was setting up IIS with FTPS and had a bear of a time getting it to work, both because I needed to learn a bit about FTP and because Microsoft’s scheme for getting things configured isn’t exactly what I’d call intuitive. If you’re in the same place I was, you received an error that looked like this:
Command: PASV
Response: 227 Entering Passive Mode (192,168,1,2,211,235)
Status: Server sent passive reply with unroutable address. Using server address instead.
and/or
Problem #2:
Command: PASV
Response: 227 Entering Passive Mode (<your public ip here>,211,117).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out
Error: Failed to retrieve directory listing
So you’re actually running up against two problems here that, unless you’ve decided to delve into the annals of FTP, you probably haven’t seen or cared about before. If you already understand FTP or don’t give a crap about the background, skip this and go to Fixing Problem #1.
Understanding The Problem – FTP Passive Mode
In FTP passive mode your client contacts the FTP server on port 21, which is what’s called the command channel. If your client is using passive mode (the usual default) it will at some point send the command PASV, telling the server that it wants to enter passive mode. The server will send a response like this:
Response: 227 Entering Passive Mode (x,x,x,x,y1,y2)
Here the x’s are the four octets of the server’s IP address and y1 and y2 are two numbers from 0-255. This line tells the client which IP address to connect to and which port to use for the data channel. The port may not be so obvious: it is not listed directly but calculated with the formula y1*256+y2. You may also be wondering what the data channel is. FTP uses two channels, a command channel and a data channel. The command channel (port 21) carries commands such as LIST, PASV, PWD, etc., and the data channel is the connection over which your directory listings and file contents are actually transferred.
Understanding Problem #1:
If you have the above problems then you’ve probably seen a line similar to this in your FTP client’s output, and if you haven’t, it’s there, just look again :-D:
Command: PASV
Response: 227 Entering Passive Mode (192,168,1,2,211,235)
Status: Server sent passive reply with unroutable address. Using server address instead.
Now that you know 192,168,1,2 is an IP address (explanation above), it’s probably not hard to figure out why you’re being told it’s unroutable. 192.168.1.2 (or whatever address you’re seeing) is a private address that is not publicly routable. Your server is building its reply from the address of its local interface rather than the external address of your NAT router, so the client is being told to connect somewhere it can’t reach. Some clients, like the one in the output above, work around this by substituting the address they already connected to (“Using server address instead”), but you shouldn’t count on that.
Fixing Problem #1:
1) Open IIS Manager
2) Expand your sites and click your FTP site as pictured below:
3) Double click FTP Firewall Support
4) Under “External IP address of firewall” enter your publicly routable IP address
5) Click Apply
Understanding Problem #2:
Let’s take a look back at our problem output.
Command: PASV
Response: 227 Entering Passive Mode (192,168,1,2,211,235)
Status: Server sent passive reply with unroutable address. Using server address instead.
After you’ve implemented the fix above, that should have bailed you out of one problem. Chances are you’re still getting something like this:
Command: PASV
Response: 227 Entering Passive Mode (<your public ip here>,211,117).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out
Error: Failed to retrieve directory listing
If you read the original explanation of passive FTP you may already know where I’m going with this. In this example the 211 and 117 are plugged into the formula y1*256+y2 to determine the data port the server will open on its side. In our case that is 211*256+117=54133. Chances are you forwarded port 21 on your router to the server and maybe even port 20, but you probably didn’t forward port 54133. So when your client tries to connect to port 54133, the router silently drops the connection and the client eventually times out.
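To make the two symptoms concrete, here is an added example (not from the original post) that parses a 227 reply the way an FTP client does and reports both conditions: a private, non-routable address (Problem #1) and a data port outside the range you forwarded on the router (Problem #2). The forwarded range passed in as LowPort/HighPort and the public address 203.0.113.10 in the second sample reply are constructed values, not anything from the post.

```powershell
# Added example: inspect a "227 Entering Passive Mode" reply from the client's side.
# Assumptions: the reply uses the (h1,h2,h3,h4,p1,p2) form shown in the post, and
# $LowPort..$HighPort is the data-port range you actually forwarded on the NAT router.
function Test-PasvReply {
    param(
        [Parameter(Mandatory)][string]$Reply,   # e.g. "227 Entering Passive Mode (192,168,1,2,211,235)"
        [int]$LowPort  = 5000,                  # constructed placeholder range
        [int]$HighPort = 6000
    )

    if ($Reply -match '^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)') {
        $ip   = '{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4]
        $y1   = [int]$Matches[5]
        $y2   = [int]$Matches[6]
    }
    else {
        throw "Not a well-formed 227 reply: $Reply"
    }

    # The data-channel port formula from the post: y1*256+y2.
    $port = $y1 * 256 + $y2

    # Problem #1: the advertised address is in an RFC 1918 private range,
    # so a client outside your NAT cannot route to it.
    $private = $ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'

    # Problem #2: the advertised port is outside the range forwarded on the router,
    # so the data connection will be dropped and the client will time out.
    $forwarded = ($port -ge $LowPort) -and ($port -le $HighPort)

    [pscustomobject]@{
        DataIp        = $ip
        DataPort      = $port
        PrivateIp     = $private
        PortForwarded = $forwarded
    }
}

# The first reply is the one from the post (Problem #1); the second is a constructed
# reply with a public address but a port nobody forwarded (Problem #2).
Test-PasvReply -Reply '227 Entering Passive Mode (192,168,1,2,211,235)'
Test-PasvReply -Reply '227 Entering Passive Mode (203,0,113,10,211,117)'
```

Running it against a reply copied from your own client log tells you which of the two fixes you still need: PrivateIp true points at the external IP setting on the site, PortForwarded false points at the data-port range on the server plus the matching router rule.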
Fixing Problem #2:
You have to tell IIS to limit the range of ports it hands out to clients for the data channel, and then forward that range on your router.
1) Click on the SERVER node in IIS manager. Not the site node. Under the server node click FTP firewall support as in the below picture:
2) Enter the port range you want IIS to use for the data port.
3) Click apply
4) Now here’s the fun part, where Microsoft really did a great job of making things intuitive: you have to restart the Microsoft FTP Service under the Services manager.
The changes to the port range will not take effect until you restart this service!
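If you’d rather script it than click through IIS Manager, here is an added example (not from the original post) that applies Fix #1 and Fix #2 from PowerShell and then does the service restart the post warns about. It assumes the WebAdministration module is present (IIS 7.5 or later with the FTP service installed), that your FTP site is named MyFtpSite, and that 203.0.113.10 and the 5000-6000 range are placeholders you replace with your own public address and forwarded range.

```powershell
# Added example: the same two fixes as the IIS Manager steps above, scripted.
# Assumptions: WebAdministration module available, site named 'MyFtpSite',
# and the address / port range below are placeholders.
Import-Module WebAdministration

$siteName = 'MyFtpSite'       # assumed site name
$publicIp = '203.0.113.10'    # placeholder: the external address of your NAT router
$lowPort  = 5000              # placeholder range; forward the same range on the router
$highPort = 6000

# Fix #1 (site level): the address IIS puts in the 227 reply.
Set-ItemProperty -Path "IIS:\Sites\$siteName" `
    -Name 'ftpServer.firewallSupport.externalIp4Address' -Value $publicIp

# Fix #2 (server level): the range IIS picks passive data ports from.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.ftpServer/firewallSupport' -Name 'lowDataChannelPort'  -Value $lowPort
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.ftpServer/firewallSupport' -Name 'highDataChannelPort' -Value $highPort

# Let the same range through the host firewall on the server itself (Windows
# Firewall on Windows 8 / Server 2012 or later); the router forward is separate.
New-NetFirewallRule -DisplayName 'FTP passive data ports' -Direction Inbound `
    -Protocol TCP -LocalPort "$lowPort-$highPort" -Action Allow | Out-Null

# Step 4 from the post: the port range is not used until the FTP service restarts.
Restart-Service -Name ftpsvc

# Read both settings back before you test with a client.
Get-ItemProperty -Path "IIS:\Sites\$siteName" -Name 'ftpServer.firewallSupport.externalIp4Address'
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.ftpServer/firewallSupport' |
    Select-Object lowDataChannelPort, highDataChannelPort
```

One thing worth keeping in mind with FTPS specifically: because the command channel is encrypted, the router or firewall cannot read the PASV reply and open the data port on the fly the way an FTP-aware NAT can with plain FTP. That is exactly why both the external address and a fixed, pre-forwarded port range have to be configured by hand here.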
Hope this helps.