# Can't Connect to my Windows IIS 8 FTP Server outside of network?



## finsfree (Dec 30, 2016)

I'm connected...sort of. For some reason I can't see my directory. I have posted the log file below. 

I've also used other FTP clients like WinSCP and I am getting the same error message "Retrieving directory listing...". By the way, I am running my FTP server on IIS 8 Windows Server 2012.

Thanks,

```
Connecting to (My Public IP Address)
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (My Public IP Address)
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Status: Disconnected from server
Status: Connecting to (My Public IP Address)
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
```


----------



## Agent Smith (Dec 30, 2016)

Not really sure. Try this. In WinSCP under connection increase the timeout.


----------



## beers (Dec 30, 2016)

What kind of PASV config do you have on the FTP server?  We have a couple boxes at work that require a separate listening IP to be defined when we SNAT on our network, otherwise it gives wonky behavior like what you listed.

You may be able to add an entry for your public IP.


----------



## finsfree (Dec 30, 2016)

beers said:


> What kind of PASV config do you have on the FTP server?  We have a couple boxes at work that require a separate listening IP to be defined when we SNAT on our network, otherwise it gives wonky behavior like what you listed.
> 
> You may be able to add an entry for your public IP.



Yeah, in the IIS settings I click on firewall and put in my public IP address and a range of ports (example 5000-6000). I have used FTP apps before that work great, but I'm trying to use Windows Server 2012 built in IIS 8 FTP and I'm running into all kinds of issues.

Actually, what I read on the internet is that FTP is old and it was meant for local use only. Reading some more I found out with passive mode to retrieve data, or to even see the data in my case, it uses a different port than 21 (the one you used to connect in the first place).


----------



## finsfree (Dec 30, 2016)




----------



## beers (Dec 31, 2016)

I like how that example gives you a private address.

Did you also forward 990?  I haven't done too many FTPS setups, always SFTP.  Might be easier in your case since it just leverages SSH.


----------



## finsfree (Dec 31, 2016)

Yeah, that had me scratching my head a bit at first.

I think we are on to something there with port 990. I can't seem to open port 990 (SSL). Under the server's firewall it said it was enabled, but when I run "netstat -an" it doesn't show up as an open port. I then created a "new rule" and explicitly opened port 990 and it still won't show up as an open port running "netstat -an".

Any ideas?


----------



## Cromewell (Dec 31, 2016)

Does it work internally? That is, on your private ip address or just from the Server to itself via loopback?


----------



## finsfree (Dec 31, 2016)

Yes, it works internally. I can access the FTP server using Filezilla client on another workstation.

Why can't I open port 990? That is the real question?


----------



## Cromewell (Jan 1, 2017)

finsfree said:


> Yes, it works internally. I can access the FTP server using Filezilla client on another workstation.


OK. So your FTP SSL settings are probably OK then.


finsfree said:


> Why can't I open port 990? That is the real question?


Maybe try (from cmd as admin):

```
netsh advfirewall firewall add rule name="FTP Service" action=allow service=ftpsvc protocol=TCP dir=in
netsh advfirewall set global StatefulFTP disable
```


----------



## finsfree (Jan 1, 2017)

Cromewell said:


> OK. So your FTP SSL settings are probably OK then.
> 
> Maybe try (from cmd as admin):
> netsh advfirewall firewall add rule name="FTP Service" action=allow service=ftpsvc protocol=TCP dir=in
> netsh advfirewall set global StatefulFTP disable



Sorry man, still didn't work.

Tried using Total Commander (file manager) on my Android to connect using cellular signal and I get a message, "Getting directory 227 Entering Passive Mode (My Public IP address) ///FTP/home". It's the passive mode that is not working.

I did configure the passive mode on the IIS 8 Server 2012.

Why is this so damn difficult???


----------



## Cromewell (Jan 3, 2017)

I think maybe we got fixated on port 990. Can you make sure your public firewall (or router) has the passive port range open/forwarded to the server?


----------



## finsfree (Jan 4, 2017)

I did do the port forwarding on the router. I also did "port range forwarding" (although I don't think this is the issue. I did it anyways).

The picture shows my router (left) with the "port forward range". On the right is my IIS Server 2012 running as a VM.

I know I did not show the "port forwarding" tab, but I know it works because I can RDP into the host machine using the public IP plus port 3389. RDP works every time.

BTW, thanks for hanging in there with me


----------



## Cromewell (Jan 4, 2017)

The only other thing I can find, that I'm sure you've probably tried by now, is restarting the FTP service after the Windows Firewall PowerShell stuff we tried a bit ago.

Looking at packet captures from the client, server and firewall/router might shed some light on what's happening and maybe be able to point in the right direction.


----------
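The 227 reply discussed throughout this thread can be checked from a client log or capture without guessing: the added example below (not posted by anyone in the thread) parses the reply and reports whether the advertised address is private or the data port falls outside the forwarded range. The address 203.0.113.10, the 5000-6000 range borrowed from finsfree's example, and the function names are assumptions.

```python
import ipaddress
import re

# RFC 959 reply: "227 ... (h1,h2,h3,h4,p1,p2)"; the data port is p1*256 + p2.
# Under FTPS the control channel is encrypted, so a NAT router cannot rewrite
# this reply; whatever the server advertises is what the client dials.
PASV_RE = re.compile(r"\b227\b[^()]*\((\d{1,3}(?:,\d{1,3}){5})\)")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(line):
    """Return (ip, port) advertised in a 227 reply, or None if unparseable."""
    m = PASV_RE.search(line)
    if not m:
        return None  # e.g. a redacted log line with no numeric tuple
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def check_pasv(line, control_ip, forwarded_ports):
    """List reasons the data connection would fail for an outside client."""
    parsed = parse_pasv(line)
    if parsed is None:
        return ["no parseable 227 reply"]
    ip, port = parsed
    addr = ipaddress.ip_address(ip)
    lo, hi = forwarded_ports
    problems = []
    if any(addr in net for net in RFC1918):
        problems.append(f"advertised address {ip} is private (RFC 1918)")
    elif ip != control_ip:
        problems.append(f"advertised address {ip} differs from control address {control_ip}")
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside forwarded range {lo}-{hi}")
    return problems

# Constructed sample replies (documentation address, not taken from the thread).
SAMPLES = [
    "Response: 227 Entering Passive Mode (203,0,113,10,21,124)",  # port 5500
    "Response: 227 Entering Passive Mode (192,168,1,50,21,124)",  # private IP
    "Response: 227 Entering Passive Mode (203,0,113,10,192,0)",   # port 49152
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_pasv(s, "203.0.113.10", (5000, 6000)) or "OK")
```

An empty result means the reply itself is consistent, which leaves the router forwarding or the server firewall as the place where the data connection is being dropped.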

