
I can find many resources on how to configure a Windows server as an FTP server, but for this situation I have not figured it out.

I'd like to configure a Windows server 2012 firewall to allow FTP traffic from an intranet computer to an external webserver. So the FTP connection is not from or to the server. I had this working in the past, but opening up ports 20-21 does not seem to be working and I cannot recall how this used to work in the past.

So, what do I need more to allow a Windows Server 2012 to pass FTP traffic from the internet Client to the external server?

Neograph734
  • When you say "Windows Server 2012 firewall", do you mean the built-in software firewall that is meant to secure the server's interfaces, or are you talking about Microsoft ISA Server? You'll need the latter (or something like it) to do what you want to do. – Todd Wilcox May 17 '16 at 13:53
  • I meant the "Windows Firewall with advanced security" that shipped with Windows Server 2012, and I am pretty sure that worked fine in the past but I am starting to doubt that now... – Neograph734 May 17 '16 at 13:56
  • Have you configured routing and remote access? – Drifter104 May 17 '16 at 14:13
  • Yes, but we use VPN only. DirectAccess is not configured. – Neograph734 May 17 '16 at 14:15
  • The only way to do this AFAIK is to configure routing and remote access with a public and private interface. Then configure it with NAT – Drifter104 May 17 '16 at 14:16
  • @Drifter104 I'll see if I can get that to work :) – Neograph734 May 17 '16 at 14:20

2 Answers


Add an inbound rule for the command channel and allow connections to port 21:

netsh advfirewall firewall add rule name="FTP (non-SSL)" action=allow protocol=TCP dir=in localport=21

Disable stateful FTP filtering so that Windows Firewall will not block FTP traffic to the passive port range:

netsh advfirewall set global StatefulFtp disable 

RRAS troubleshoot

  • Enable the audit for WFP on the RRAS server:
  • auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
  • auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
  • Reproduce the issue.
  • Run the command netsh wfp show state to get a .xml file.
  • Check the Event Viewer of the RRAS server; we should find the audit log of the dropped packet.
  • Find the Filter Run-time ID of the filter. Then search for the ID in the .xml file to find which rule blocks the FTP traffic.
El Chapo Gluzman
  • This makes more sense, but unfortunately does not work either... – Neograph734 May 17 '16 at 14:25
  • Make sure to manually restart the entire Microsoft FTP Service from the Administrative Tools > Services applet. – El Chapo Gluzman May 17 '16 at 14:30
  • I do not have such service (The FTP server role is not enabled as we do not need it). Should I enable it? – Neograph734 May 17 '16 at 14:33
  • I am assuming you are trying to set-up a Passive Mode FTP Server within your 2012 server; otherwise its just an issue of routing and remote access and nothing to do with the actual server. – El Chapo Gluzman May 17 '16 at 14:35
  • No, the Windows machine should not be the FTP server. I want a client on the intranet to be able to connect to a remote FTP server, which currently gets blocked by the Firewall (if I disable it, the connection works). I'll look into RRaS. – Neograph734 May 17 '16 at 14:44
  • Check the RRAS troubleshoot I added – El Chapo Gluzman May 17 '16 at 14:48
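The WFP audit procedure in the answer above, carried through end to end as an added example (this is not code from the original answer). It is meant to be run as Administrator on the RRAS/NAT server. The client address 192.168.1.50, the external FTP server 203.0.113.10 and the ten-minute lookback are constructed assumptions; the mapping of the event's Filter Run-Time ID to the <filterId> element in the netsh wfp show state XML, and the %%14592/%%14593 direction codes, are how those Windows artefacts are laid out on the servers I have used, not something the answer itself states.

```powershell
# Added example: correlate WFP audit events (5152 packet drop, 5157 connection blocked)
# with the filter that caused them, on the RRAS/NAT server. Run as Administrator.
# Assumptions (constructed): intranet client 192.168.1.50, external FTP server 203.0.113.10.
$ClientIP  = '192.168.1.50'
$FtpServer = '203.0.113.10'
$StateFile = Join-Path $env:TEMP 'wfpstate.xml'
# Direction codes used by events 5152/5157 (assumed mapping of the raw %% placeholders).
$DirMap    = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }

# 1. Turn on WFP auditing so drops and blocked connections land in the Security log.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable | Out-Null

# 2. Reproduce the failure from the intranet client while auditing is on.
Read-Host 'Reproduce the FTP failure from the client, then press Enter'

# 3. Snapshot the live WFP filter set. The Filter Run-Time ID in the events is assumed to
#    correspond to the <filterId> element of a filter <item> in this XML.
netsh wfp show state file="$StateFile" | Out-Null
[xml]$State = Get-Content -Path $StateFile

# 4. Pull recent drop/block events and keep those touching the client or the FTP server.
$Events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 5152, 5157; StartTime = (Get-Date).AddMinutes(-10)
  } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }   # EventData fields by name
    [pscustomobject]@{
      Time       = $_.TimeCreated
      Id         = $_.Id
      Direction  = if ($DirMap.ContainsKey($d['Direction'])) { $DirMap[$d['Direction']] } else { $d['Direction'] }
      Src        = "$($d['SourceAddress']):$($d['SourcePort'])"
      Dst        = "$($d['DestAddress']):$($d['DestPort'])"
      Layer      = $d['LayerName']
      FilterRTID = [int64]$d['FilterRTID']
    }
  } |
  Where-Object {
    $_.Src -like "$ClientIP:*"  -or $_.Dst -like "$ClientIP:*" -or
    $_.Src -like "$FtpServer:*" -or $_.Dst -like "$FtpServer:*"
  }

# 5. Resolve each run-time ID to the filter's display name and provider in the snapshot,
#    which is the manual "search the id in the .xml file" step from the answer.
$Events | ForEach-Object {
  $f = $State.SelectSingleNode("//filters/item[filterId='$($_.FilterRTID)']")
  [pscustomobject]@{
    Time       = $_.Time
    Event      = $_.Id
    Direction  = $_.Direction
    Flow       = "$($_.Src) -> $($_.Dst)"
    Layer      = $_.Layer
    FilterRTID = $_.FilterRTID
    FilterName = if ($f) { $f.displayData.name } else { '(not in snapshot)' }
    Provider   = if ($f) { $f.providerKey }      else { '' }
  }
} | Format-Table -AutoSize
```

A filter whose provider is the Windows Firewall provider points at a rule you can fix with netsh advfirewall; a filter owned by another provider (RRAS, a third-party VPN client, an antivirus driver) tells you the block is not in the "configurable zones" of the firewall UI at all, which is the situation the accepted answer below ended up in. Remember to turn the two audit subcategories back off afterwards, since 5152 events are noisy on a busy router.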

It did appear to be a problem with Routing and Remote Access, and the firewall did not have much to do with it. At least not any of the configurable zones.

In the end I resolved it using this thread, which concludes with entering this in the command prompt on the NAT server:

netsh routing ip nat delete ftp

So I suppose the NAT server attempted to intercept the FTP traffic and route it locally (or something), which it no longer does now.

Neograph734
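A way to confirm the fix from the intranet client, added here as an example rather than taken from the answer. It checks the control channel on TCP/21 first and then lists a directory in passive and in active mode, because the two modes fail differently behind NAT: passive needs no help from the NAT box, while active relies on the NAT rewriting the PORT command, which is the job of the FTP NAT editor that netsh routing ip nat delete ftp removes. The host ftp.example.net and the anonymous credentials are constructed; Test-NetConnection assumes a client running Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example: verify FTP traversal from an intranet client after the NAT change.
# Assumptions (constructed): external server ftp.example.net, anonymous login allowed.
$FtpHost = 'ftp.example.net'
$Cred    = New-Object System.Net.NetworkCredential('anonymous', 'test@example.net')

function Test-FtpListing {
  param(
    [string]$HostName,
    [System.Net.NetworkCredential]$Credential,
    [bool]$Passive
  )
  $mode = if ($Passive) { 'Passive' } else { 'Active' }
  $req  = [System.Net.FtpWebRequest]::Create("ftp://$HostName/")
  $req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
  $req.Credentials = $Credential
  $req.UsePassive  = $Passive   # $true: client opens the data channel (PASV); $false: server connects back (PORT)
  $req.Timeout     = 15000
  try {
    $resp   = $req.GetResponse()
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $lines  = ($reader.ReadToEnd() -split "`r?`n") | Where-Object { $_ }
    $reader.Dispose(); $resp.Close()
    [pscustomobject]@{ Mode = $mode; Result = 'OK'; Entries = @($lines).Count }
  } catch {
    # A control-channel success followed by a data-channel failure shows up here as a timeout
    # or "connection refused" after the login succeeded, which isolates the NAT as the culprit.
    [pscustomobject]@{ Mode = $mode; Result = $_.Exception.Message; Entries = 0 }
  }
}

# Control channel only: if this fails, the problem is plain TCP/21 reachability, not NAT FTP handling.
Test-NetConnection -ComputerName $FtpHost -Port 21 |
  Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Data channel in both modes. Passive should work with no FTP helper on the NAT box at all;
# active may now fail, since the removed NAT editor is what translated PORT for it.
Test-FtpListing -HostName $FtpHost -Credential $Cred -Passive $true
Test-FtpListing -HostName $FtpHost -Credential $Cred -Passive $false
```

If passive works and active does not after the change, that is the expected trade-off of deleting the editor; clients that must use active mode would need the editor restored with netsh routing ip nat add ftp and the original blocking filter tracked down instead.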