
FTP TLS in active mode not working

Recently replaced a Sonicwall FTP server with an XGS126. Customer is using CrushFTP with active FTPS with TLSv1.

The issue they are having is that their customers cannot connect with FTPS TLS in active mode: TLS auth works, but the client gets stuck at the directory listing.

Active mode does work when TLS is disabled, but this is less secure, so it isn't really an option. At the same time, TLS does work when the FTP client is set to passive mode (tested with the FileZilla client). Unfortunately it isn't possible for some of their clients to change to passive mode. So I would really like to get the FTP server working in active mode with TLSv1.

Have searched everywhere, but there is not a whole lot of info to be found regarding FTPS using an XGS. UTM has an FTP helper apparently, but I don't see that option anywhere in the XGS. Does anyone have any idea how to get it up and running?



  • Addition: The following ports are open and forwarded to the FTP server: 21 and 5000-6000. That 5000-6000 range is also configured in the FTP server (without it, passive mode wouldn't work). But apparently this isn't sufficient for TLS to work. Outgoing, all ports are currently allowed in the XGS for that server (to make sure that there are no issues there).


  • Check the SSL/TLS log... it's possible the certificates are not OK.

  • No errors there; the FTP server uses a self-signed cert and was working fine before with a Sonicwall. That also doesn't explain why FTPS with TLS does work properly using passive FTP. The FTP connection is established using active FTP; it just stops at the directory listing. The only firewall error in the XGS shows that the internal FTP server tries to create a data connection to the external client on a random port (as is to be expected using active FTP), which is blocked by the XGS (even though the FTP server has an allow-all rule towards the internet). It's just strange that FTP with TLS works using passive FTP (a set range of TCP ports), and active FTP (with random TCP ports) does work without TLS. Any other ideas?
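To illustrate the mechanism this thread circles around: a firewall's FTP helper learns the data-channel endpoint by reading the PORT/EPRT command (active mode) or the 227 reply (passive mode) on the control channel, and it can no longer read either once that channel is TLS-encrypted. The following is an added example written for this page, not Sophos or CrushFTP code; the static forwards (TCP 21 and 5000-6000) come from the thread, the addresses and the rule model are constructed assumptions.

```python
import re
from typing import Optional, Tuple

# Control-channel messages an FTP helper (ALG) must parse (RFC 959 PORT/227, RFC 2428 EPRT).
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
EPRT_RE = re.compile(rb"^EPRT \|1\|([\d.]+)\|(\d+)\|$")
PASV_RE = re.compile(rb"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Assumed static inbound forwards to the FTP server, as described in the thread.
STATIC_SERVER_PORTS = [(21, 21), (5000, 6000)]


def parse_active(line: bytes) -> Optional[Tuple[str, int]]:
    """Client endpoint announced by PORT/EPRT: the server will connect OUT to it."""
    line = line.rstrip(b"\r\n")
    m = PORT_RE.match(line)
    if m:
        a, b, c, d, p1, p2 = map(int, m.groups())
        return f"{a}.{b}.{c}.{d}", p1 * 256 + p2
    m = EPRT_RE.match(line)
    if m:
        return m.group(1).decode(), int(m.group(2))
    return None


def parse_passive(line: bytes) -> Optional[Tuple[str, int]]:
    """Server endpoint announced in a 227 reply: the client will connect IN to it."""
    m = PASV_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    a, b, c, d, p1, p2 = map(int, m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def helper_can_track(control_bytes: bytes, tls: bool) -> Tuple[bool, str]:
    """What a stateful FTP helper learns from one control-channel message."""
    if tls:
        # After AUTH TLS the helper only sees TLS records, so no command is visible.
        return False, "encrypted control channel: data endpoint unknown to the helper"
    ep = parse_active(control_bytes)
    if ep:
        return True, f"expect server -> {ep[0]}:{ep[1]} (active, client-chosen port)"
    ep = parse_passive(control_bytes)
    if ep:
        return True, f"expect client -> {ep[0]}:{ep[1]} (passive, server-chosen port)"
    return False, "no data-channel command in this message"


def covered_by_static_rule(port: int) -> bool:
    """Passive mode survives TLS only because the server's range is forwarded statically."""
    return any(lo <= port <= hi for lo, hi in STATIC_SERVER_PORTS)
```

Run against a cleartext PORT line the helper yields the client's random port, which no static rule covers; against a 227 reply it yields a port inside 5000-6000; against TLS records it yields nothing, which is the state the thread describes.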