Peter, thanks for the response. Our firewall is by Symantec. According to the firewall folks, they cannot set up a separate set of rules to allow FTPS traffic through 21/20 from certain IP addresses. It's either all or nothing. If they allow FTPS traffic through, they won't be able to do deep inspection on those ports enterprise-wide. I find that remarkable.
Sorry if this is a duplicate response; it didn't appear my first response reached the list.

Joel

On Mon, 11 Jul 2005 08:28:04 -0400, Peter Vander Woude <[EMAIL PROTECTED]> wrote:

>Joel,
>
> I would suspect that the issue you're running into is that your firewall is doing "stateful inspection". The problem is not that the firewall doesn't recognize AUTH TLS, but that it's having a problem during the TLS negotiation. It is something that we ran into when first starting with FTP-TLS transfers.
>
> BTW, is your firewall CheckPoint FW-1? If you're running FW-1 NG, or higher, it is relatively easy for them to set up a separate "service" definition and turn off the stateful inspection.
>
> You have to do it for both the control port and the data ports. If you don't get your firewall folks to turn the stateful inspection off, the transfers won't work. You can see the failure by turning on DEBUG SEC.
>
> We do not use port 990. Due to its use being deprecated by IETF and not in the proposed standard, I try to steer away from it. All connections we do are port 21. Now, if you're running your own FTP Server, you can choose to use a different port for the control connection, as one of the companies we transmit to (via ftp client on our side) does. But for 99% of the cases we have, the servers are using port 21.
>
>Peter I. Vander Woude
>Sr. Mainframe Engineer
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
>Search the archives at http://bama.ua.edu/archives/ibm-main.html
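An added illustration, not part of the original thread, of what an inspecting firewall on the path can still read on an explicit FTPS session over port 21: once the server answers `AUTH TLS` with 234, the control channel is encrypted, so the PASV/PORT exchange that names the data port is no longer visible to it. The transcript, user name, addresses and the helper `inspect_view` are constructed for this example.

```python
import re

# Constructed explicit-FTPS control-channel transcript (C: client, S: server).
SAMPLE = """\
S: 220 FTP server ready
C: AUTH TLS
S: 234 AUTH TLS successful
C: USER example
S: 331 Password required
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection level set to Private
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: RETR report.txt
S: 150 Opening data connection
"""

DATA_SETUP = {"PORT", "PASV", "EPRT", "EPSV"}  # commands that negotiate a data port
PASV_REPLY = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def inspect_view(transcript):
    """Split a control-channel transcript into what an on-path device can read
    in cleartext and the data-channel setup it cannot see after AUTH TLS."""
    encrypted = pending_auth = False
    visible, hidden_setup, hidden_ports = [], [], []
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if not text:
            continue
        if encrypted:
            # Everything from here on travels inside TLS on the control port.
            if side == "C" and text.split()[0].upper() in DATA_SETUP:
                hidden_setup.append(text.split()[0].upper())
            m = PASV_REPLY.match(text) if side == "S" else None
            if m:
                hidden_ports.append(int(m.group(5)) * 256 + int(m.group(6)))
            continue
        visible.append(text)
        if side == "C" and text.upper().startswith("AUTH TLS"):
            pending_auth = True
        elif side == "S" and pending_auth:
            encrypted = text.startswith("234")  # 234 = server accepts, TLS starts
            pending_auth = False
    return {"visible": visible, "hidden_setup": hidden_setup,
            "hidden_data_ports": hidden_ports}
```

For the sample, only the greeting, `AUTH TLS` and the 234 reply are readable; the passive data port (50000 here) is negotiated inside TLS, so it has to be permitted by rule rather than learned by inspection.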

