About two weeks ago, I need the necessity to change the IP address of my housed server toward a new C class range. The operation – that apart the required DNS changes – doesn’t require anything more on the server that correctly setup the Firewall’s rules and the IIS console, let me scratch my head on the wall for about half day, trying to understand where was the matter. In fact, after this small change, I wasn’t able to write any more files on my remote server.
The strange this was that I was perfectly able to connect to remote FTP, grant authentication, and get the list of files present.
The necessity to get back a working system is obvious, so I get armed with a lot of patience and I’d started to investigate why I was getting always transfer incomplete message.
The first thing to which I though has been the Windows Firewall service of Windows Server 2003. In a first moment I noticed that the IP address change performed wasn’t completely take in consideration. In fact I was able to connect also with the checkbox on FTP Server advanced rule disabled. Fixed that, with a service restart, I’ve continued the investigation.
I’ve gone through the server’s log files without success, but there weren’t any DENY message, just AUTH and CD. How was this possible it’s again a mystery for me!
Next test I did, it has been to completely disable the firewall service. Unfortunately it was the cause, since I was then able to connect and remote write files. Well, at least I then focused myself where spending my time.
I’ve checked then my entire Firewall configuration, but all seem fine. I then tried to connect to remote server using a Windows computer. Was I able to connect to it? Yes. So there were some problems on my Mac FTP client – Cyberduck – and the remote Microsoft FTP. But what? Cyberduck in its session log didn’t show me any error message. I then tried using the Terminal and the manual command to see if I was able to get additional error message and finally I got the problem:
ftp> put bookmarks.html
local: bookmarks.html remote: bookmarks.html
500 'EPSV': command not understood
421 Service not available, remote server has closed connection.
Problem found: I wasn’t able to connect in passive mode. The error code 500 and EPSV stands for the command used to change the client mode connection from active to passive (that’s what normally happen when you see connection mode set up to auto in your client configuration). The passive connection had been invented to solve all the problems bore with the use of an FTP service behind a Firewall service. If you are looking for further clarification about active and passive, please have a look at this document.
Changing the settings of Cyberduck to active, I was finally able to connect and write files on the remote server.
At this stage I need only to apply again the settings to let my FTP service work in passive mode. How? You can follow the Microsoft KB to learn how to set up the port range on which you want your server work, but obviously THIS ISN’T ALL YOU NEED, because on the document nobody say that you need also to force the firewall saying to accept incoming connection from different ports rather than the standard 21.
How can I do that? Here it’s the solution step-by-step:
First: open the windows Firewall management window, then go to the advanced properties, select the NIC adapter where you IP have been configured, then choose properties and disable FTP Server. This make a non-sense, but trust me, it works!
Close this additional dialog pressing ok, then switch to the Exception tab and choose add service. Browse your computer to C:\Windows\system32\intesrv and select the file InetInfo.exe that stands for IIS Admin Service. Close all the windows pressing ok then restart your pc.
At this point you are able to connect to your Microsoft FTP server using a passive connection.