
FTPS Server on DMZ, external users cannot access!

Hi All,

FW: XG SFOS 18.5.4 MR-4-Build418

I'm using an FTPS server configured on Windows Server (IIS) in the DMZ, with user isolation. Users will connect from outside only to upload files.
There are a DNAT rule and a firewall rule configured:
DNAT rule:----------
original src=any
original dest= wan interface (Public ip)
original service: 990

SNAT=Original
DNAT=ftps-server ip
PAT=Original

Inbound interface= Port wan
Outbound interface= Any

Firewall rule:----------- WAN > DMZ
SRC Zone=WAN
SRC Network & devices=Any
During scheduled time= All the time

Dest Zone=DMZ
Dest Networks= WAN interface (Public IP)
Services= Any

Remote client computers have a tool that only uploads files to the FTP server.
The task is configured automatically:
ftp://ip public (HQ)
Port 990
Implicit connection
Passive mode
Username & password (already configured on the FTP server, with all permissions on the folders)

But the user cannot access the FTP server. I don't know if I forgot something when configuring the rules on the FW.
The log of the tool is:
the log of tool is:
___________________________________

Licence expiry date: 31/12/9999
Set LocalDirectory to C:\Windows\System32
Licence expiry date: 31/12/9999
SetSSLProtocol: min=DETECT, max=DETECT
waitOnShutdownSSL=True
StrictReturnCodes=False

Starting handshake
...........
..........
..........
Handshake started
Waiting for handshake completion
Processing hello
ProcessMessages(Handshake)
Handshake Message: ServerHello
Using extended_master_secret
Handshake Message: Certificate
Handshake Message: ServerKeyExchange
Handshake Message: ServerHelloDone
ProcessMessages(ChangeCipherSpec)
ProcessMessages(Handshake)
Handshake Message: Finished
OnHandshakeComplete - waiting for lock
OnHandshakeComplete - in lock
OnHandshakeComplete - exiting lock
OnHandshakeComplete - exit
Synchronous handshake complete

Setting socket timeout=120000
TransferBuffer timeout=120000
SocketController timeout=120000
SecureSocket timeout=120000
TransferBuffer timeout=120000
SocketController timeout=120000
SecureSocket timeout=120000
Command encoding=System.Text.SBCSCodePageEncoding
Setting socket buffer sizes=-1

220 Microsoft FTP Service
---> PBSZ 0
WaitUntilCompleted(1, EndSend)
Wait begin: TransferBuffer.Read (timeout=120000)
Wait end: TransferBuffer.Read
200 PBSZ command successful.
---> PROT P
WaitUntilCompleted(3, EndSend)
Wait begin: TransferBuffer.Read (timeout=120000)
Wait end: TransferBuffer.Read
200 PROT command successful.
---> USER john.smith
WaitUntilCompleted(5, EndSend)
Wait begin: TransferBuffer.Read (timeout=120000)
Wait end: TransferBuffer.Read
331 Password required
---> PASS ********
WaitUntilCompleted(7, EndSend)
Wait begin: TransferBuffer.Read (timeout=120000)
Wait end: TransferBuffer.Read
530 User cannot log in, home directory inaccessible. -------> But password & permissions are correct !!
Expected reply codes = [230,202,332] (strict=False)
Purging task queue
Defaulting to Unix parsing
OnReceive closing (socket not connected)
Dispose()
CloseConnection(e=null)
Closed socket
Notified active send result 7
Close() called when open
CloseConnection(e=null)
Killed control socket
KeepAlive thread finished.
____________________________________________________

I thought it was a problem with the password or permissions, but I checked everything without result.
If anyone has encountered this problem, please help us to solve it.

Thanks
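
Added example, not part of the original post or of any Sophos or IIS tooling: a small Python reader for a client trace like the one above that reports how far the FTPS session got (TLS handshake, server banner, then each command and its reply) and names the first negative reply. The function names `analyze` and `failing_layer` are hypothetical, and the sample is abridged from the posted log.

```python
import re

# Constructed sample: lines abridged from the client trace in the post above.
SAMPLE_LOG = """\
Starting handshake
Handshake Message: ServerHello
Synchronous handshake complete
220 Microsoft FTP Service
---> PBSZ 0
200 PBSZ command successful.
---> PROT P
200 PROT command successful.
---> USER john.smith
331 Password required
---> PASS ********
530 User cannot log in, home directory inaccessible.
Closed socket
"""

CMD = re.compile(r"^---> (\w+)")       # command sent by the client
REPLY = re.compile(r"^(\d{3})[ -](.*)")  # three-digit FTP reply from the server

def analyze(log):
    """Hypothetical helper: return (tls_ok, banner, exchanges, first_failure)."""
    tls_ok, banner, exchanges, pending = False, None, [], None
    for line in log.splitlines():
        line = line.strip()
        if "handshake complete" in line.lower():
            tls_ok = True
        elif m := CMD.match(line):
            pending = m.group(1).upper()
        elif m := REPLY.match(line):
            code, text = int(m.group(1)), m.group(2)
            if pending is None:      # reply before any command: the banner
                banner = banner or (code, text)
            else:                    # pair the reply with the command sent
                exchanges.append((pending, code, text))
                pending = None
    failure = next((e for e in exchanges if e[1] >= 400), None)  # 4xx/5xx
    return tls_ok, banner, exchanges, failure

def failing_layer(log):
    """Name the first stage that did not succeed: tls, no-banner, ftp:CMD:code, ok."""
    tls_ok, banner, _, failure = analyze(log)
    if not tls_ok: return "tls"
    if banner is None: return "no-banner"
    if failure: return f"ftp:{failure[0]}:{failure[1]}"
    return "ok"
```

On the sample, `failing_layer(SAMPLE_LOG)` returns `ftp:PASS:530`: the TLS handshake and the `220 Microsoft FTP Service` banner were received on port 990, and the first negative reply is the one to `PASS`.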


