LockedFTPS

Author
barak
2007/04/12 13:47:02 (permalink)

FTPS

I am setting up an FTP over SSL server for my company. I have everything set up and working internally. I have created profiles and the firewall policy for accessing the site externally but cannot get it working. If I turn off the SSL settings on my FTP server I can connect with no issues.

I'm wondering if there is a port # that I have forgotten to forward or some odd setting in my 300A I am not aware of.

Other info:
I use SSL for my exchange server with no issues
SSL/TLS port: 990
passive port: 60100-60200
ftp port: 21 (will change this once I get it working)
#1


    doshbass
    RE: FTPS 2007/04/13 11:18:44 (permalink)
    I don't have an answer here, but I would do a network trace without the FG to see what ports are being used just in case.

    Still learning to type "the"
    #2
    barak
    RE: FTPS 2007/04/13 11:49:41 (permalink)
    Using CurrPorts (http://www.nirsoft.net/utils/cports.html) I can see that the server is using ports:
    21
    990
    14147 (admin interface)
    1086 (server interface)

    I have a remote FTP over SSL connection working to my home PC and it is using ports:

    4806-4809 (these map to remote port 1977(my ftp port 21) and also seem to increment on remote server refreshes)

    4902 (this maps to my passive ports 601xx, one of these is created for each transfer in effect)

    I'm wondering where these 49xx ports are coming from and if I have to define them as well.
    < Message edited by dhildebrand -- 4/13/2007 11:56:27 AM >
    #3
    doshbass
    RE: FTPS 2007/04/13 12:34:49 (permalink)

    Still learning to type "the"
    #4
    red.adair
    RE: FTPS 2007/04/13 12:35:38 (permalink)
    hhhmm - not sure if this really can work...

    FortiOS runs several so-called session helpers that parse the different protocols that negotiate dynamic channels, as active FTP does, for example.
    Where you have your control channel and your data channel, the data channel traffic (coming back) must be "opened" temporarily. Same for many other protocols (you may check for session-helper in the docs).

    For FTPS the communication is encrypted, hence a parser cannot determine on what port the protocols are negotiating. Is there something like "passive FTPS" in case?
    Otherwise you may statically open the incoming data ports, which may be an issue in terms of security.
    Most obviously, we must not mix up SFTP and FTPS ;)
    I never used FTPS before, just zapping through the RFC ;)
    http://tools.ietf.org/html/rfc4217
    Section 7 may be of interest.

    -R.
    < Message edited by red.adair -- 4/13/2007 12:41:24 PM >
    #5
    barak
    RE: FTPS 2007/04/13 13:01:48 (permalink)
    Just so we are clear I am looking for FTPS not SFTP.

    I have ports (or so I believe) 21, 990 TCP/UDP open and forwarding to my server.

    Am I missing something?
    #6
    barak
    RE: FTPS 2007/04/20 04:10:07 (permalink)
    Hi,

    you must forward 60100-60200, too. As red.adair explained, the FG cannot know that your FTP server told the client to connect to, say, port 60101 because the session helper does not see the server's response. I'd probably use a static mapping (full IP forward) for an FTP server.

    Also make sure to use passive FTP on the client side. Otherwise you'll have to allow, IIRC, 989 -> Any outbound.

    Regards
    #7
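The mechanism red.adair describes (a firewall session helper reading the PASV reply off a cleartext control channel to open a temporary data-port pinhole, and going blind once FTPS encrypts that channel) and the last reply's point that the passive range 60100-60200 must therefore be forwarded statically, as an added Python example. This is not code from the thread or from Fortinet: the regexes, function names and sample replies are mine, the address 192.168.1.10 is a constructed placeholder, and only the port numbers 21, 990 and 60100-60200 come from the thread.

```python
"""Why an FTP session helper cannot help FTPS, and a check that the
server's passive range is covered by the static forward.

Added example, not from the forum thread. Sample control-channel bytes
are constructed; 192.168.1.10 is a placeholder address."""
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 EPSV reply: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")

# Constructed cleartext control channel: the server hands out 60101
# (234*256 + 197), inside the 60100-60200 range from the thread.
CLEARTEXT_CONTROL = (
    b"220 FTP server ready\r\n"
    b"230 Login successful.\r\n"
    b"227 Entering Passive Mode (192,168,1,10,234,197)\r\n"
)
# Constructed TLS application-data record (type 0x17, TLS 1.2 header)
# standing in for the same exchange once FTPS protects the channel.
TLS_CONTROL = b"\x17\x03\x03\x00\x10" + bytes(range(0x80, 0x90))


def parse_passive_reply(line):
    """Return (host, port) negotiated by a PASV/EPSV reply, or None.
    EPSV replies carry no host, so host is None for them."""
    m = PASV_RE.search(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        return host, port
    m = EPSV_RE.search(line)
    if m:
        return None, int(m.group(1))
    return None


def session_helper_pinhole(control_bytes):
    """Model of the firewall's FTP session helper: scan the control channel
    for a passive reply and return the data port it would pinhole. With a
    cleartext control channel this works; with FTPS the helper only sees
    TLS records, nothing parses, and no pinhole is opened."""
    for line in control_bytes.decode("ascii", "replace").splitlines():
        reply = parse_passive_reply(line)
        if reply:
            return reply[1]
    return None


def static_forward_covers(passive_range, forwarded):
    """Return the ports in the server's passive range that are not covered
    by any statically forwarded (low, high) range. Empty list means the
    firewall policy covers every port the server may hand out."""
    lo, hi = passive_range
    return [p for p in range(lo, hi + 1)
            if not any(a <= p <= b for a, b in forwarded)]


if __name__ == "__main__":
    print("cleartext FTP, helper pinholes:", session_helper_pinhole(CLEARTEXT_CONTROL))
    print("FTPS, helper pinholes:", session_helper_pinhole(TLS_CONTROL))
    # Policy as described in the thread (21 and 990 only) versus one that
    # also forwards the passive range statically.
    only_ctrl = [(21, 21), (990, 990)]
    with_pasv = only_ctrl + [(60100, 60200)]
    print("uncovered with 21/990 only:", len(static_forward_covers((60100, 60200), only_ctrl)))
    print("uncovered with 60100-60200 added:", len(static_forward_covers((60100, 60200), with_pasv)))
```

The `static_forward_covers` check is the one to run against the actual policy: the server's configured passive range and the firewall's forwarded ranges must line up exactly, otherwise transfers fail intermittently depending on which port the server picks.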