Overview
When connecting to the FTPS service (port 990) from a remote location, the connection fails. The same connection succeeds from the local interface or when using the standard FTP port 21.
The FileZilla Server log shows the following errors:
227 Entering Passive Mode (192,168,10,13,243,247)
PORT 89,221,223,51,239,1
200 Port command successful
MLSD
150 Opening data channel for directory listing of "/"
425 Can't open data connection for transfer of "/"
This article describes how to configure Traffic Rules to allow this traffic.
Solution
Usually, the FTP server runs on a separate workstation/PC behind the Kerio Control firewall. If that is the case, you need to map the IP address of the FTP host using NAT.
The FileZilla Server settings must be set correctly as well:
Custom Port range: 50000-51000
Use the following IP: <Kerio_Control_IP>
Depending on the configuration, you may want to test using the WAN IP instead.
Enable FTP over TLS (FTPS) and Generate new Certificate
Listen to implicit FTP over TLS connection on the following ports: 990
Afterward, create a traffic rule to allow the FTP/FTPS services:
Source: Any
Destination: Firewall
Service: FTP, FTPS, TCP 50000-51000
Translation: MAP <FTP_workstation_IP>
Inspector: None
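The failing transfer in the log above is caused by what the server advertises in its 227 reply: a private address and a port outside the forwarded range. The following check is an added example (not Kerio or FileZilla code) that parses a 227 reply and reports exactly those two problems; the 50000-51000 range is taken from the settings above, and the "good" reply used in testing is constructed.

```python
import ipaddress
import re

# Passive port range configured in FileZilla Server and opened as the
# "TCP 50000-51000" service in the Kerio Control traffic rule.
PASSIVE_PORT_RANGE = (50000, 51000)

# Matches "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
_PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line):
    """Return (ip, port) advertised in a 227 reply, or None for any other line."""
    m = _PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    # The data port is encoded as two bytes: high * 256 + low.
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(line, port_range=PASSIVE_PORT_RANGE):
    """List reasons a remote client could not reach the advertised data endpoint.

    An empty list means the reply is usable from outside: the address is
    routable and the port lies inside the range forwarded by the firewall.
    """
    parsed = parse_pasv(line)
    if parsed is None:
        return ["not a 227 Entering Passive Mode reply"]
    ip, port = parsed
    problems = []
    if ipaddress.ip_address(ip).is_private:
        problems.append(
            f"advertised address {ip} is private; set 'Use the following IP' "
            "to the Kerio Control public address so remote clients get a routable endpoint"
        )
    low, high = port_range
    if not low <= port <= high:
        problems.append(
            f"advertised port {port} is outside the forwarded range {low}-{high}; "
            "check the FileZilla custom port range and the TCP service in the traffic rule"
        )
    return problems
```

Run it against the 227 line captured in the FileZilla log to confirm both problems are reported before changing the settings.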
Testing
Open an FTPS connection from the remote site and confirm that the traffic matches the new rule (its Last Used column will show "just now").
Troubleshooting
If the Debug log (with "Packets dropped for some reason" enabled) shows entries such as the following:
{pktdrop} packet dropped: 3-way handshake not completed (from PEDAGO, proto:TCP, len:40, 172.16.X.X:50062 -> x.x.x.x:990, flags:[ RST ACK ], seq:3962769934 ack:2601215957, win:0, tcplen:0)
consider disabling the 3-way handshake variable in the Kerio Control configuration parameters.