Troy,
We had the same problem. Part of it was our WS_FTP Server and client settings, the other was the firewall. This was quite some time ago but I believe the firewall needed to have a firmware update (so it would pass encrypted commands) and maybe "command filtering" was turned off as well, and also a few ports opened up, I think we opened 6 or so. We are using WS_FTP Server 5.04 and WS_FTP clients 8.03.
WS_FTP Server settings;
The SSL FTP site has to have an IP address - no virtual
The FTP site IP address and the ports that were opened up in the firewall need to be entered in WS_FTP Server's "Firewall Settings" for that site.
WS_FTP client settings;
Server type: FTP/SSL (AUTH SSL)
Host type: WS_FTP Server
Firewall: NONE (though we have one on each end)
Most important - set "Use Passive mode for data connections" (Site options, Advanced)
We also chose to force SSL and force SSL on data channel (in SSL menu for site in Server)
Here is a snippet from some of the support we received...
"..Also, you stated that you only have ports 20, 21, and 990 open. For Explicit SSL FTP connections (AUTH SSL - which is what WS_FTP Server supports), you will need to have port 21 open for the command channel and a range of ports 1024+ open for data connections. For PASV connections, this will need to be outbound for the client and inbound for the server."
Hope this is of help to you,
Casey
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Troy D. Hilton
Sent: Friday, February 03, 2006 7:11 AM
To: [email protected]
Subject: [WS_FTP Forum] Connection timeout error when making SSL connection
Hello All,
I realize my last email wasn't quite clear in accurately describing my problem. Let's see if I can explain it better.
This firewall is protecting 1 server, which is running FTP with SSL enabled. This server also has a couple test websites, but that's it.
Changing the firewall was actually relatively easy once I understood the User Interface. I'm not as familiar with the SonicWall appliances. I first tried the configuration using a test laptop to mimic the server. For the test, FTP worked like a charm. The differences between the laptop config and production server are these:
1. The production server and regional firewall were configured in transparent mode, instead of NAT. Why? The original owner wanted it that way.
2. The production server is running WS_FTP Server ver. 4.0 with a private SSL Cert. The laptop is running IIS 5 with FTP services and no SSL.
So, I decided to change the configuration from transparent mode to NAT mode since the original owner is gone and I have greater liberty. I configured the new firewall for One-to-One NAT and gave the server all new private IP addresses and a private gateway which matched the private IP of the firewall. The public side of the firewall has the original public IP from the previous firewall. I made sure that all of my route tables are correct. I then reconfigured WS_FTP Server to use the new private IP address. And rebooted the server. The result? I am able to communicate from the server to the internet and can access the test websites on the server from the internet, which means inbound and permitted outbound traffic is fine.
This is where I have my problem. When I attempt an FTP connection it makes the initial Helo and will authenticate my username and password. I'm then prompted regarding the SSL Certificate and am able to accept it. After a long pause (I have my WS_FTP Pro client set for a 2 minute wait) I get an error that the connection timed out, but I also get the "horn" that means the connection was successful. In fact I even have the active button to disconnect from the session. From what I figure, I'm actually logged in but not retrieving the directory listing.
As for the NIC, it has two ports but I'm not using both ports at the same time so there is no conflict of subnets and routes. I did switch ports on the card thinking that perhaps there was a potential failure of that port.
I hope this helps to clarify my situation. My feeling is that it's something simple that's not set or that I'm overlooking. Darned if I know what it is though.
Troy D. Hilton
Serveon, Inc.
[EMAIL PROTECTED]
302-529-8640
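
Added example, not part of the original emails or of WS_FTP: once AUTH SSL encrypts the command channel, a NAT firewall can no longer read or rewrite the address in the server's 227 passive-mode reply, so the server itself must advertise the public IP and a port inside the range opened on the firewall. The Python check below takes a 227 reply as seen in a client session log and reports why its data connection would time out; the IP addresses, port range and function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges; a server behind one-to-one NAT lives in one of these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed values: the firewall's public IP and the passive data-port range
# opened on the firewall and entered in the FTP server's firewall settings.
PUBLIC_IP = "203.0.113.10"
PASV_PORTS = range(50000, 50006)

_PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (IPv4Address, port) from an RFC 959 '227 (h1,h2,h3,h4,p1,p2)' reply."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in: {reply!r}")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def check_pasv(reply, public_ip=PUBLIC_IP, ports=PASV_PORTS):
    """List the reasons a client's data connection for this reply would fail."""
    host, port = parse_pasv(reply)
    problems = []
    if any(host in net for net in RFC1918):
        problems.append(f"advertised address {host} is private; a remote client cannot route to it")
    elif host != ipaddress.IPv4Address(public_ip):
        problems.append(f"advertised address {host} is not the public IP {public_ip}")
    if port not in ports:
        problems.append(f"data port {port} is outside the opened range "
                        f"{ports.start}-{ports.stop - 1}")
    return problems


if __name__ == "__main__":
    # Constructed sample replies, as they would appear in a client session log.
    for line in ("227 Entering Passive Mode (203,0,113,10,195,82)",
                 "227 Entering Passive Mode (192,168,1,20,4,1)"):
        print(line, "->", check_pasv(line) or "ok")
```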