WinXp SP2 and FTP


Question:

Testing XP SP2 more thoroughly. I have an app that runs, gathers inventory and FTPs the CSV file to a server. The Firewall is popping up a warning about the app and it has to be added to the "trusted" list in the firewall. I'm using the standard FTPOPEN, FTPPUT, FTPCLOSE. Checking the firewall log, it seems to pop up when there's an OPEN-INBOUND TCP to the random ftp data transfer port. Ugh... any programmatic way around this? (It's a software inventory tool that the users don't necessarily know is running so I don't want them to have to add it...).... might have to start doing a filecopy or http put...

Answer:

Passive mode FTP was created to reduce issues associated with using FTP through a firewall. Traditionally, the FTP client opens a command channel to the FTP server on a fixed TCP port #, and then data transfers happen over a TCP port that is dynamically allocated on the client side. The tricky part is that the FTP server initiates the data transfer connection back towards the client side using the TCP port # that the client specified over the command session. Passive mode FTP reverses the data transfer connection direction so that the client side initiates the data transfer connection towards the server end.

There are two connection channels involved with establishing FTP.

The first is referred to as the 'Control Channel' and it occurs from the client on a random TCP port number (above 1024) to the server on TCP port 21.

The second is referred to as the 'Data Channel' and depending upon which type of FTP (Normal or Passive) the client selects, this will determine the direction (who initiates it) of connection.

If the client is configured to use Normal FTP then the client informs the server over the already existing 'Control Channel' what TCP port the server should connect to. When the server receives this information the server will establish the 'Data Channel' connection from its TCP port 20 to the client on the TCP port it was told.

If the client is configured to use Passive FTP then it simply informs the server of such over the already existing 'Control Channel'. The server responds with a port number for the client to use and then the client will connect from a TCP port above 1024 to the port number it has been told on the server.

In summary:

With Normal FTP there's one inbound connection and one outbound connection from the perspective of the firewall protecting the FTP server.

With Passive FTP there are two inbound connections from the perspective of the firewall protecting the FTP server.

See if you can put the ftpFirewall() function into use and specify the firewall type 16 ["PASV"] to enable passive mode FTP transfers in your script.

User Reply:

I'd have to try again, but I'm 99% sure that we couldn't get PASV to work... it's a SNAP! server... maybe with the last OS upgrade they added support for it though..

Answer:

That is a concern... the FTP server must support passive mode as well as the client.

However based upon your statement:

"Checking the firewall log, it seems to pop up when there's an OPEN-INBOUND TCP to the random ftp data transfer port."

It sounds like your firewall does not allow for PASV FTP. This begs the question of whether the firewall being used is capable of reading packets to know that the 'Data Channel' connection it is detecting is the result of the client's request to use Passive FTP. Some firewalls (simple packet filtering types) may not have the logic to understand this.

If it is the XP SP2 Firewall then I can attest that it will (by default) prevent the inbound Data Channel used with PASV FTP.

What the OP will probably have to do is either disable the SP2 Firewall or add an exclusion for C:\WINDOWS\system32\inetsrv\inetinfo.exe

More:

I should have also added that regardless of whether the WinXP SP2 Windows Firewall is involved or not, having firewalls at both ends and one or more points in between can complicate things quite a bit. Assume that the FTP server sits behind a firewall on the corporate end of the connection. A user on a Cable or DSL connection is probably sitting behind some sort of network appliance that provides NAT and firewall functionality. If the user is on a WinXP SP2 system, then it is highly likely that the Windows Firewall is also involved. Regardless of whether FTP is set up to use normal or passive mode file transfers, all of the firewalls involved need to be allowing the data connection to be established. It is the dynamic port selection that throws many of the firewalls for a loop, if they don't inspect the FTP command session to detect the transfer mode and the TCP port # to be used for the data connection.

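The following is an added illustration, not code from the original thread or from WinBatch, of the Control Channel / Data Channel behaviour described in the first answer and of the command-session inspection an FTP-aware firewall has to perform as noted above. It walks a constructed control-channel transcript (both PORT and PASV are shown), decodes the six-number address form, and reports which side must initiate each data connection and whether the client's host firewall would see an inbound connection; the server address 203.0.113.10 and client address 192.168.1.50 are assumed sample values.

```python
import re

# Constructed control-channel exchange (not a real capture). "C:" lines go
# client -> server, "S:" lines go server -> client. The client first asks for
# a Normal (active) transfer with PORT, then a Passive one with PASV.
SAMPLE_SESSION = """\
S: 220 Service ready
C: USER inventory
S: 331 Password required
C: PASS ********
S: 230 Login successful
C: PORT 192,168,1,50,4,1
S: 200 PORT command successful
C: STOR inventory.csv
C: PASV
S: 227 Entering Passive Mode (203,0,113,10,195,80)
C: STOR inventory.csv
"""

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_endpoint(match):
    """Six comma-separated numbers -> (host, port); the port is p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expected_data_connections(session, server_ip="203.0.113.10", server_data_port=20):
    """Inspect the command session the way an FTP-aware firewall must, and list
    every Data Channel connection it should expect, with who initiates it."""
    expected = []
    for line in session.splitlines():
        side, _, text = line.partition(": ")
        m = PORT_RE.match(text)
        if side == "C" and m:  # Normal mode: server connects back from port 20
            host, port = decode_endpoint(m)
            expected.append({"mode": "Normal", "initiator": "server",
                             "src": f"{server_ip}:{server_data_port}",
                             "dst": f"{host}:{port}", "inbound_at_client": True})
        m = PASV_RE.match(text)
        if side == "S" and m:  # Passive mode: client connects out to the given port
            host, port = decode_endpoint(m)
            expected.append({"mode": "Passive", "initiator": "client",
                             "src": "client:ephemeral(>1024)",
                             "dst": f"{host}:{port}", "inbound_at_client": False})
    return expected
```

A firewall that only filters packets and never parses these PORT/PASV lines cannot know that the dynamically chosen port is legitimate, which is exactly why the XP SP2 prompt fired on the inbound data connection.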
Article ID:   W16383
File Created: 2005:02:18:12:20:10
Last Updated: 2005:02:18:12:20:10