We have an server in our DMZ running Windows Server 2016, with IIS are are having some issues using FTP in Passive mode from our internal network. We want to be able to use this both from our inside network, as well as from outside our network.
At the root server level I've configures the Data Channel Port Range 50000-50100
Next at the FTP site level I've configured "FTP Firewall Support" and entered the outside address that our network admin configured in the firewall for the "External IP Address of Firewall" field.
I've also configured the other settings such as
- FTP Authentication – Basic Authentication Enabled
- FTP Authorizations
Rules – Read & Write permission for specific local windows accounts - FTP SSL Settings – Specified SSL certificate, Set SSL Policy to
Require SSL Connections, and enabled user 128-bit encryption for SSL
Connections - FTP User Isolation – Set to User name directory (disable
global virtual directories)
If I connect from outside our network everything works great, however if I connect from inside our network using FileZilla in passive mode, it connects to the server, establishes the TLS , but fails to retrieve the directory listing. I can see that when it enters passive mode that in reports back the external IP, instead of the one from our internal dns. Obviously this is due to the FTP Firewall Support configuration made to get things to work externally.
If I remove the setting specifying our "External IP Address of Firewall" it then works internally, but no longer works externally.
Is there a way to configure this to work in passive mode both for the internal and external network?
Best Answer
Yes, but it is a firewall configuration issue. You need to set the "External IP Address of Firewall" in IIS to the server's internal IP address. Then, the firewall needs to be configured for 1:1 NAT from the external IP address to the internal IP address. There will probably be other firewall configuration issues, e.g. pfSense requires a FTP Proxy package be installed to handle the PASV ports, but those requirements are going to be specific to the firewall in use. Most commercial-grade firewalls should have some method for configuring this setup.