Overview
When you run Microsoft FTP 7.5 on Windows Server 2008 R2 in passive mode behind Kerio Control, specific Kerio Control settings have to be applied. For FTP connections from other machines to succeed, the traffic rule must include the appropriate service and, where the server sits behind the firewall, a destination NAT mapping to it. The IIS FTP server can also be mapped to a VLAN interface.
Note: a similar configuration applies to a Windows Server 2016 environment.
Prerequisites
The FTP server is configured in accordance with Microsoft's FTP firewall settings documentation (passive data channel port range and external IP address of the firewall).
Diagnosis
While trying to establish an FTP connection in passive mode, the FTP client reports errors such as:
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Active mode is the opposite case: when the client sends the PORT command, it is asking the server to connect back to it on the client's network. If that network also sits behind a NAT router and the port announced in the PORT command has not been forwarded, the server cannot reach the client.
In passive mode the server opens a port from its passive range and the client connects to it. With the destination NAT configured in the Kerio Control traffic rule, the client's connection is forwarded by the firewall to the FTP server, so the server has to advertise the firewall's public address, not its own internal one, in its reply to PASV (the 227 reply carries the address and port the client should connect to). Enter the IP address the clients reach on the firewall in the External IP Address of Firewall field of the passive (FTP Firewall Support) settings on the FTP server.
If that external IP address is not correct, the passive data connection fails: the client is told to connect to an address it cannot reach through the firewall, or the FTP server drops the connection to its passive ports because it does not arrive from the address the server expects. The client then reports the timeout and the failed directory listing shown above.
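The following PowerShell script is an added diagnostic, not part of the original article and not Kerio's or Microsoft's tooling. It walks through a passive-mode connection step by step: it opens the control connection, logs in, sends PASV, compares the address in the 227 reply with the address the control connection actually reached, and then attempts the data connection the way a client would. The host, port and credentials are parameters you supply; the anonymous login is only an assumed default. Run it from a machine outside the firewall, against the public address clients use.

```powershell
# Added diagnostic script, not from the article: reproduce a passive-mode
# connection step by step and show which address the server advertises.
# Parameters are supplied by the caller; anonymous login is only an assumed default.
param(
    [Parameter(Mandatory=$true)] [string]$FtpHost,   # address clients reach (the Kerio Control public IP)
    [int]$Port = 21,
    [string]$User = 'anonymous',
    [string]$Password = 'test@example.com'
)

function Read-FtpReply {
    param([System.IO.StreamReader]$Reader)
    # Replies can span lines: "227-text" continues until a line starting "227 ".
    $line = $Reader.ReadLine()
    if ($null -eq $line) { throw 'Control connection closed by server' }
    $code = $line.Substring(0, 3)
    if ($line.Length -ge 4 -and $line.Substring(3, 1) -eq '-') {
        do {
            $next = $Reader.ReadLine()
            if ($null -eq $next) { throw 'Control connection closed mid-reply' }
            $line += "`n" + $next
        } until ($next.StartsWith("$code "))
    }
    return $line
}

function Send-FtpCommand {
    param([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Command)
    $Writer.Write("$Command`r`n")
    $Writer.Flush()
    return Read-FtpReply -Reader $Reader
}

function ConvertFrom-PasvReply {
    param([string]$Reply)
    # 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2
    if ($Reply -notmatch '\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)') {
        throw "Unexpected PASV reply: $Reply"
    }
    return @{
        Address = "$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
        Port    = [int]$Matches[5] * 256 + [int]$Matches[6]
    }
}

$client = New-Object System.Net.Sockets.TcpClient
$client.ReceiveTimeout = 20000
$client.Connect($FtpHost, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader -ArgumentList $stream, ([System.Text.Encoding]::ASCII)
$writer = New-Object System.IO.StreamWriter -ArgumentList $stream, ([System.Text.Encoding]::ASCII)

try {
    Write-Host (Read-FtpReply -Reader $reader)                      # 220 banner
    Write-Host (Send-FtpCommand $writer $reader "USER $User")
    Write-Host (Send-FtpCommand $writer $reader "PASS $Password")
    $pasvReply = Send-FtpCommand $writer $reader 'PASV'
    Write-Host $pasvReply

    $target    = ConvertFrom-PasvReply $pasvReply
    $controlIp = $client.Client.RemoteEndPoint.Address.ToString()
    Write-Host "Control connection reached : $controlIp"
    Write-Host "Server advertised for data : $($target.Address):$($target.Port)"

    if ($target.Address -ne $controlIp) {
        # The server hands out its internal address (or a wrong external one):
        # fix "External IP Address of Firewall" on the FTP server.
        Write-Warning 'PASV address differs from the address the client reached; check the External IP Address of Firewall setting.'
    }

    # Attempt the data connection as a client would; a timeout here is the article's symptom.
    $data  = New-Object System.Net.Sockets.TcpClient
    $async = $data.BeginConnect($target.Address, $target.Port, $null, $null)
    if ($async.AsyncWaitHandle.WaitOne(5000)) {
        try {
            $data.EndConnect($async)
            Write-Host 'Data connection to the passive port succeeded.'
        } catch {
            Write-Warning "Data connection refused: $_"
        }
        $data.Close()
    } else {
        Write-Warning "Data connection to $($target.Address):$($target.Port) timed out; the passive port range is not reachable through the firewall."
    }

    Send-FtpCommand $writer $reader 'QUIT' | Out-Null
} finally {
    $client.Close()
}
```

A 227 reply that names a private address (for example 10.x.x.x) while the control connection reached the firewall's public address is the misconfiguration the article describes; a correct address followed by a data-connection timeout points instead at the passive port range not being allowed through the traffic rule.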
Solution
- Log in to Kerio Control Administration.
- On the left-hand side, click on Traffic Rules.
- Ensure the Service, Inspector, and Translation options are set as shown in the following screenshot. For passive mode in particular, the FTP protocol inspector must be disabled for this rule (Inspector set to None).
Note: replace 10.10.10.5 with the internal IP address of your FTP server (the Destination NAT target).
- Click Apply.
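The Kerio Control rule above is only half of the setup; the FTP server itself has to advertise the firewall's public address and use a fixed passive port range, as the prerequisite requires. The following PowerShell script is an added example, not from the original article and not a Microsoft-provided script; it applies those IIS FTP 7.5 settings with appcmd.exe and opens the matching Windows Firewall ports. The values 203.0.113.10 (public address of the Kerio Control firewall) and 5000-5100 (passive range) are assumptions and must be replaced with your own; run it in an elevated PowerShell session on the FTP server.

```powershell
# Added example, not from the article: IIS FTP 7.5 firewall support settings on the
# Windows Server side. Values below are assumptions; replace them with your own.
$ExternalIp = '203.0.113.10'   # assumed public IP of the Kerio Control firewall that clients reach
$LowPort    = 5000             # assumed passive data channel port range
$HighPort   = 5100
$appcmd     = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

if (-not (Test-Path $appcmd)) { throw "appcmd.exe not found; is the IIS FTP role installed?" }

# Server-wide passive data channel port range (applicationHost.config, system.ftpServer/firewallSupport).
& $appcmd set config -section:system.ftpServer/firewallSupport `
    "/lowDataChannelPort:$LowPort" "/highDataChannelPort:$HighPort"

# Address the server puts into its 227 (PASV) replies. Set on the site defaults so
# every FTP site inherits it; a single site can override it under its own ftpServer element.
& $appcmd set config -section:system.applicationHost/sites `
    "/siteDefaults.ftpServer.firewallSupport.externalIp4Address:$ExternalIp"

# Windows Firewall on the server: control port plus the passive range the rule forwards.
netsh advfirewall firewall add rule name="FTP control (TCP 21)" dir=in action=allow protocol=TCP localport=21
netsh advfirewall firewall add rule name="FTP passive data (TCP $LowPort-$HighPort)" dir=in action=allow protocol=TCP localport="$LowPort-$HighPort"

# The Microsoft FTP service reads the firewall support settings at start-up.
Restart-Service -Name ftpsvc

# Show the resulting configuration for review.
& $appcmd list config -section:system.ftpServer/firewallSupport
& $appcmd list config -section:system.applicationHost/sites | Select-String -Pattern 'externalIp4Address'
```

The passive range chosen here must match the ports allowed in the Kerio Control traffic rule, and the external address must be the one clients actually connect to; if the firewall's public address changes, the 227 replies keep advertising the old one until this setting is updated.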
Testing
From a client outside the firewall, connect in passive mode, list a directory, and upload and download a file. All three operations should complete without the errors listed above.