In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Richard Pinion) wrote:
> I think (I'm network impaired) he put in some sort of a firewall rule that
> allowed the response from that particular host to come back over a different
> port than 21.

Ahhhh ..... this is ringing a bell now. FTP and firewalls don't play nice, and it gets even more confuzzled when you throw TLS into the mix.

There are 2 kinds of FTP connections, "active" and "passive". In active mode, the server listens on port 21. Your client connects to the server's port 21 to establish the control connection. Then the client starts listening on a port >1024, and sends a message to the server via the control session telling it what port it's listening on. The server then connects to the client on that port to start the data session. So if your client is behind a firewall, the firewall has to allow incoming connections to ports > 1024.

"Passive" mode eliminates the need for incoming connections to your client, so it eliminates problems caused by a client firewall. Instead, the server opens up a port >1024, and tells the client to connect on that port. But now there's a problem if the server is behind a firewall; the firewall needs to allow incoming connections to the server on ports > 1024.

Many firewalls are smart enough to allow for FTP traffic without the need to leave all high ports wide open. They monitor the FTP control traffic on port 21. And when they see messages travelling between client and server saying which data port to use, they dynamically open that port for the duration of that session. Very slick.

Then along comes TLS, and encrypts the control session traffic. Now the smart firewalls can no longer eavesdrop and open up ports dynamically, because they can't read what's going through them. So you're sort of hosed.

The scenario you describe sounds like it could be this type of firewall issue. The client/server start talking on port 21, but then can't move their conversation to the data connection on the high port.

If unencrypted FTP is working, but FTP/TLS is failing, it's possible that there's a smart firewall on at least one end that was dynamically opening data ports, and is no longer able to do so because the encryption prevents it from seeing which port it needs to open. If there's only a firewall on one end, you can probably circumvent the problem by switching from active to passive mode, or vice versa. If the firewall is on the client, you want passive. If it's on the server, you want active. This can be toggled via a parameter on the client; syntax depends on which client you're using. If you have firewalls at both ends, you're going to have to open up some ports on at least one end.

--
Matt Simpson -- z/OS Support
219 McVey Hall -- (859) 257-2900 x300
University Of Kentucky, Lexington, KY 40506
http://jms.cc.uky.edu/

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
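To make the mechanism in the post above concrete, here is an added Python example (not part of the original message or of any particular firewall product) that simulates what an FTP-aware firewall does: it watches the control channel for the client's PORT command (active mode) and the server's 227 reply (passive mode), decodes the h1,h2,h3,h4,p1,p2 tuple into a host and a port (p1*256+p2), and records the data endpoint it would open for that session. The control-channel transcripts are constructed, the function names are hypothetical, and the TLS case is modelled by feeding the firewall opaque bytes after AUTH TLS, which is why it finds nothing to open. It also encodes the post's rule of thumb for choosing active or passive mode from where the firewall sits.

```python
import re
from typing import List, Optional, Tuple

# Active mode: the client tells the server which port it is listening on.
#   PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)
# Passive mode: the server tells the client which port to connect to.
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def decode_endpoint(groups) -> Tuple[str, int]:
    """Turn the six-number FTP tuple into (host, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("FTP endpoint octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_control_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (mode, host, port) if this control-channel line names a data endpoint."""
    m = PORT_RE.match(line)
    if m:
        host, port = decode_endpoint(m.groups())
        return ("active", host, port)
    m = PASV_RE.match(line)
    if m:
        host, port = decode_endpoint(m.groups())
        return ("passive", host, port)
    return None


def alg_pinholes(control_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Simulated FTP-aware firewall (hypothetical helper): the data endpoints it
    would open for this session, found by reading the control channel on port 21."""
    holes = []
    for line in control_lines:
        parsed = parse_control_line(line)
        if parsed is not None:
            holes.append(parsed)
    return holes


def recommended_mode(firewall_on_client: bool, firewall_on_server: bool) -> str:
    """The post's rule of thumb once TLS hides the control channel from the firewall."""
    if firewall_on_client and firewall_on_server:
        return "open data ports on at least one end"
    if firewall_on_client:
        return "passive"   # no inbound connection to the client is needed
    if firewall_on_server:
        return "active"    # no inbound high-port connection to the server is needed
    return "either"


# Constructed transcripts of what the firewall sees on port 21.
PLAIN_ACTIVE = ["USER anon", "PASS guest", "PORT 192,168,1,10,4,1", "RETR data.txt"]
PLAIN_PASSIVE = ["PASV", "227 Entering Passive Mode (10,0,0,5,195,80)", "RETR data.txt"]
# After AUTH TLS the rest of the session is ciphertext; modelled here as opaque bytes.
FTPS_SESSION = ["AUTH TLS", "234 AUTH command ok", "\x17\x03\x03\x00\x2aQ\x8f\x1e\x07"]

if __name__ == "__main__":
    print(alg_pinholes(PLAIN_ACTIVE))    # firewall would open client 192.168.1.10:1025
    print(alg_pinholes(PLAIN_PASSIVE))   # firewall would open server 10.0.0.5:50000
    print(alg_pinholes(FTPS_SESSION))    # nothing readable, so nothing gets opened
    print(recommended_mode(firewall_on_client=True, firewall_on_server=False))
```

The empty result for the FTPS transcript is the whole point of the post: the firewall's dynamic pinholing depends on reading the PORT command or the 227 reply in the clear, and once the control channel is encrypted the data connection is simply blocked unless you pick the mode that avoids an inbound connection through the firewalled end, or statically open a data-port range.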

