About two weeks ago, I needed to change the IP address of my housed server to a new class C range.
The operation, which normally requires just a change to the DNS and to the firewall rules in the IIS console, got me into trouble for about half a day, as I was no longer able to write any file remotely. The strange thing was that I was perfectly able to connect to the remote FTP server, authenticate, and get the list of files present.
The need: a working server
Needless to say, I needed my server back to normal, so I armed myself with a lot of patience and started investigating why every transfer was failing.
The first thing I thought of was the Windows Firewall service of Windows Server 2003. At first I noticed that the IP address hadn’t been taken into consideration. In fact, I was able to connect even with the checkbox on the FTP Server advanced rule disabled. Having fixed that with a service restart, I continued the investigation.
I went through the server’s log files without success: there weren’t any DENY messages, just AUTH and CD. How this was possible was, again, a mystery!
The next test was to completely disable the firewall service. Unfortunately it was the cause, since I was then able to connect and write remotely. Well, at least I was sure where to focus my attention. I then checked my entire firewall configuration without any luck. I then tried to connect to the remote server using a Windows computer. Was I able to connect? Yes.
So the problem was between my Mac FTP client - Cyberduck - and the remote Microsoft FTP server. But what? Cyberduck didn’t show me any error message in its session log. I then tried using the Terminal and the manual commands to see if I could get an additional error message, and finally I found the problem:
    ftp> put bookmarks.html
    local: bookmarks.html remote: bookmarks.html
    500 'EPSV': command not understood
    421 Service not available, remote server has closed connection
The problem was found
All the log was saying was that I couldn’t connect in passive mode.
The 500 error refers to EPSV, the command used to switch the client connection mode from active to passive (that’s what normally happens when the connection mode is set to auto in your client configuration). Passive mode was invented to solve the problems that come with running an FTP service behind a firewall. If you are looking for further clarification about active and passive mode, please have a look at this document.
After changing Cyberduck’s settings to active, I was finally able to connect and write files on the remote server. At this stage I only needed to reapply the settings to let my FTP service work in passive mode. How? You can follow the Microsoft KB to learn how to set up the port range on which you want your server to work, but obviously THIS ISN’T ALL YOU NEED, because the document doesn’t say that you also need to force the firewall to accept incoming connections on ports other than the standard 21.
How can I force the firewall to accept connections?
Here is the solution, step by step:
- Open the Windows Firewall management window, then advanced properties
- Select the NIC adapter where your IP is configured, then choose properties
- Disable FTP Server (Although this doesn’t make sense, trust me, it works!)
- Close all the dialogs, then switch to the Exception tab and choose add service.
- Browse your computer to C:\Windows\system32\inetsrv and select the file InetInfo.exe (that stands for IIS Admin Service).
- Close all the dialogs then restart your server.
At this point you are able to connect to your Microsoft FTP server using a passive connection.
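To check a passive-mode session against the firewall setup described above, the following added example (not part of the original post) reads FTP server replies, extracts the data port from a 227 (PASV) or 229 (EPSV) reply, and compares it with the port range opened on the firewall. The range 5500-5700 and the two 227/229 replies are constructed sample values; the first two replies are the ones from the session shown earlier.

```python
import re

# Reply formats: 227 answers PASV (RFC 959), 229 answers EPSV (RFC 2428).
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"\((.)\1\1(\d+)\1\)")  # e.g. (|||5506|)


def data_port(reply):
    """Return the TCP port the client must connect to for data, or None."""
    if reply.startswith("227"):
        m = PASV_RE.search(reply)
        if m:  # port is sent as two bytes: high * 256 + low
            return int(m.group(5)) * 256 + int(m.group(6))
    elif reply.startswith("229"):
        m = EPSV_RE.search(reply)
        if m:
            return int(m.group(2))
    return None


def diagnose(replies, allowed):
    """Explain each server reply; allowed = (low, high) ports open inbound."""
    low, high = allowed
    findings = []
    for reply in replies:
        port = data_port(reply)
        if port is not None:
            state = "inside" if low <= port <= high else "OUTSIDE"
            findings.append(f"data port {port} is {state} the opened range")
        elif reply.startswith("500") and ("EPSV" in reply or "PASV" in reply):
            findings.append("server refused the passive-mode command")
        elif reply.startswith("421"):
            findings.append("server closed the control connection")
    return findings


# The two replies from the session in the post, then two constructed ones.
POST_SESSION = ["500 'EPSV': command not understood",
                "421 Service not available, remote server has closed connection"]
CONSTRUCTED = ["227 Entering Passive Mode (192,0,2,10,21,130)",
               "229 Entering Extended Passive Mode (|||49200|)"]
OPENED_RANGE = (5500, 5700)  # assumed passive range, not from the post

if __name__ == "__main__":
    for line in diagnose(POST_SESSION + CONSTRUCTED, OPENED_RANGE):
        print(line)
```

A data port reported as OUTSIDE the range means the server is offering a port the firewall will not let in, which is the situation the steps above correct.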