Overview

While connecting to FTPS service (port 990) from the remote location, the connection is not reachable. The connection is successful from the local interface or using standard FTP port 21.

The FileZilla server throws the following errors:

  227 Entering Passive Mode (192,168,10,13,243,247)

  PORT 89,221,223,51,239,1

  200 Port command successful

  MLSD

  150 Opening data channel for directory listing of "/"

  425 Can't open data connection for transfer of "/"

This article provides information on how to configure Traffic Rules to allow such traffic flow.

Solution

Usually, FTP servers are located on a separate workstation/PC connected to the Kerio Control firewall. If that is the case, you need to map the IP address of the FTP host using NAT.

FileZilla Server settings should be set correctly as well.

Custom Port range: 50000-51000

Use the following IP: <Kerio_Control_IP>

Enable FTP over TLS (FTPS) and Generate new Certificate

Listen to implicit FTP over TLS connection on the following ports: 990

Afterward create a traffic rule to allow FTP/FTPS services.

Source: Any

Destination: Firewall

Service: FTP, FTPS, TCP 50000-51000

Translation: MAP <FTP_workstation_IP>

Inspector: None

Testing

Open FTPS connection from the remote site to ensure the traffic is passing through the firewall (Last Used column will show "just now").

Troubleshooting

If Debug logs with "Packets dropped for some reason" show the following entries:

{pktdrop} packet dropped: 3-way handshake not completed (from PEDAGO, proto:TCP, len:40, 172.16.X.X:50062 -> x.x.x.x:990, flags:[ RST ACK ], seq:3962769934 ack:2601215957, win:0, tcplen:0)

consider disabling the 3-way handshake variable by modifying Kerio Control configuration parameters.