ftp active data connection
  •  
cane

Hi,

I am having problems with clients accessing an FTP-Server protected with Kerio.

Kerio is on the same machine as the FTP-D (Serv-u) is.

Customers cannot connect using MS-Frontpage FTP-Client, nor with DOS FTP-Clients.

Directory listings just time out.

Is Kerio not allowing active ftp data connections?

FTP-Connections using PASV-Mode are working. But this is not what I need Kerio to work with.

Thanks for letting me know.
  •  
feite

Check the FTP policy
  •  
cane

are you kidding me?

More than opening ftp port 21 -- what should be done?

Maybe you can give me a more useful suggestion.

Thanks.

  • Attachment: kerio.jpg
  •  
winkelman

You probably do not know the FTP protocol very well, otherwise you'd know that you can never simply connect to FTP-servers behind a firewall/NAT router (especially not through a single port such as 21) using active mode FTP.

If you want active mode: do not place the FTP server behind a firewall or NAT device. If you do: use passive mode.

(See here for an explanation on FTP active mode http://en.wikipedia.org/wiki/File_Transfer_Protocol and you'll understand why it cannot work.)
  •  
Jan Jezek (Kerio)

Or simply do not disable the protocol inspector in your traffic rule. You apparently did that according to the screenshot.

Jan Jezek
Product Development Manager - Kerio Control
Kerio Technologies
  •  
cane

Well, nothing of all those has to be done. I have found the solution now:

Let me explain in detail, as this solution may be helpful for others here too in certain situations.

Kerio protects a Win2000 or Win2003SRV, which is directly connected to the internet.

So the WAN address is a public address.

This is what has to be done:

1) Create a TCP rule (ftp_rule_incoming), port 21, leave source port range blank.
2) Create a TCP rule (ftp_rule_outgoing), port > 1023, source port 20.
3) Create 2 rules for your FTP-connections:

SOURCE - any
DEST - FTPServer (Firewall)
SERVICE - FTP_rule_incoming
ACTION - ACCEPT

SOURCE - FTPServer (Firewall)
DEST - ANY
SERVICE - FTP_rule_outgoing
ACTION - ACCEPT

The special ftp_outgoing_rule is the hint!
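
To make the trade-off discussed in this thread concrete, the following added example (not written by any poster and not Kerio's code) parses the PORT command that active mode sends over the control connection on port 21, derives the single data connection a protocol inspector needs to allow, and compares it with the static "source port 20, destination port > 1023" rule from the post above. The addresses are constructed documentation-range values; the function names and the refuse-on-mismatch policy are assumptions of this sketch.

```python
from ipaddress import IPv4Address

def parse_port(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port), or None if malformed."""
    verb, _, arg = line.strip().partition(" ")
    parts = arg.split(",")
    if verb.upper() != "PORT" or len(parts) != 6:
        return None
    if not all(p.isascii() and p.isdigit() and int(p) <= 255 for p in parts):
        return None
    n = [int(p) for p in parts]
    return IPv4Address(bytes(n[:4])), n[4] * 256 + n[5]

def pinhole(line, control_peer, server_ip):
    """Single flow (src, sport, dst, dport) an inspecting firewall would open for this PORT.

    Assumed policy of this sketch: refuse if the announced address is not the
    control-connection peer, or the announced port is below 1024.
    """
    parsed = parse_port(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != IPv4Address(control_peer) or port < 1024:
        return None
    return (server_ip, 20, str(ip), port)

def static_rule_allows(flow, server_ip):
    """The static rule from the post: server, source port 20, any destination, port > 1023."""
    src, sport, _dst, dport = flow
    return src == server_ip and sport == 20 and dport > 1023

# Constructed sample values (documentation address ranges), not taken from the thread.
SERVER, CLIENT = "203.0.113.10", "198.51.100.7"
NEGOTIATED = pinhole("PORT 198,51,100,7,19,137\r\n", CLIENT, SERVER)
UNRELATED = (SERVER, 20, "192.0.2.55", 5001)  # never announced on any control connection

if __name__ == "__main__":
    print("inspector pinhole:", NEGOTIATED)
    print("static rule allows negotiated flow:", static_rule_allows(NEGOTIATED, SERVER))
    print("static rule allows unrelated flow: ", static_rule_allows(UNRELATED, SERVER))
    print("inspector allows unrelated flow:   ", UNRELATED == NEGOTIATED)
```

The static rule passes both flows, while the inspector-derived pinhole matches only the connection that was actually negotiated on port 21.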
  •  
feite

>> are you kidding me?
No.

I see you found a solution. It's not what I would have done but if it works for you...
  •  
cane

Feite.

Why don't you simply tell me what YOU would have done.

Thanks