How can I enable FTP passthrough on a standalone domain controller that provides internet access to the domain?

    Question

  • I upgraded our server from 2008 to 2012 a few weeks ago, and all of the settings seemed to have remained unchanged.  However, the FTP protocol appears to be blocked or non-functional from all client computers now (it functioned fine previous to the upgrade).  The only mention of this as a problem that I have found is that it converts FTP traffic to HTTP traffic and may only allow for a one-way connection, yet as I say, it wasn't a problem in our previous server environment.  Is there a setting I'm missing somewhere?

    I've added FTP ports 20 and 21 both internally and externally to the allow list on Windows Firewall.  Also, when accessing FTP from the server, it works well.

    Thanks for your help!


    • Edited by JustCause80 Friday, November 01, 2013 3:55 PM
    Friday, November 01, 2013 3:46 PM

Answers

  • Hope you do not mind my adding my own opinion to your dialog here. John added his 2 cents and said he would not mention it again, but I think it is very much worth mentioning.

    Trying to increase security on your WiFi by dual homing your DC and directly exposing it is, in my opinion, a bit like reinforcing one wall of the fort by using materials removed from the opposite wall.

    Very close attention needs to be paid to the design, planning and implementation of a network, its services and components.

    I would also caution against the difference between consumer grade devices and business grade devices, especially when it comes to security (firewalls and wireless) and mission critical functionality.

    Also, just because you didn't know that it was broken, doesn't mean that it wasn't broken.

    Best wishes

    Ed Gallagher, IT Pro MVP

    Sunday, November 03, 2013 3:24 AM

All replies

  • How is internet sharing configured?   This is not a configuration I have seen before, particularly on a DC...
    Friday, November 01, 2013 6:31 PM
  • It is shared through a local network-attached NIC.  The server has one NIC attached to the main switch, the DC then acts as the router for the network, and gets its internet connection through a second NIC which is connected to the modem and outside/public wireless router.  That is how we run both a public wireless option and a private internal network.
    Friday, November 01, 2013 7:06 PM
  • so the internal clients use the DC's internal nic as their default gateway, and the DC's other nic is connected directly to an outside/public wifi network?

    what error are you getting when you try to connect to something via ftp? you might want to install some free packet sniffing software to see what's happening to the telnet requests.

    Friday, November 01, 2013 7:13 PM
  • Yes, that is correct John.

    The error I receive from an internal client is simply that it couldn't connect to the remote FTP server, and to remedy that problem I should check server name and proxy settings or that the server is available.  Meanwhile, on the DC itself, or from directly outside the DC on the public access side of our network, FTP works as it should.

    Thanks for the recommendation on the packet sniffing software; I'll give that a try and see what I can figure out.

    Saturday, November 02, 2013 6:54 PM
  • On the internal nic, what is the default gateway set to?

    See rule 3 here:  http://www.ni.com/white-paper/12558/en/

    • Proposed as answer by John_Curtiss Saturday, November 02, 2013 9:30 PM
    Saturday, November 02, 2013 7:39 PM
  • Thanks Tom - in answer, the internal gateway is blank on the DC, and the DC's DHCP server hands out scope and server options for the router, time server, DNS servers, and WINS/NBNS servers to all internal network computers.

    The computer I am currently using I went ahead and manually set up each of those items, including IP address.  The gateway on this computer is set to the local IP address of the DC.  I also set up two security policies on the DC that should allow all traffic to and from this computer, both outbound and inbound, and I still can't get it to connect.

    Also, I got Wireshark 1.10.3 installed, and I can see the packets from this computer, and to a port on a remote server, but I am not seeing any reply from the remote server.

    Saturday, November 02, 2013 8:08 PM
  • Use netsh to add a static persistent route into the routing table:

    http://xomrlvxo.blogspot.com/2012/09/adding-static-route-using-netsh-and.html

    Saturday, November 02, 2013 8:17 PM
  • Could you be a little more specific for me, Tom?  Due to how the DC is set up, there is already a route for IP's 0.0.0.0, Netmasks 0.0.0.0 to go through the external gateway address.  Are you suggesting I add a persistent route to the remote FTP server?
    Saturday, November 02, 2013 8:41 PM
  • can you ping the ftp server from your internal machine?

    Saturday, November 02, 2013 9:03 PM
  • No, not to the ftp server.  From the internal nic to the external nic, and one from the external nic to the internal.

    Saturday, November 02, 2013 9:05 PM
  • from the domain controller, are you able to

    telnet [ftp server address] 21

    Saturday, November 02, 2013 9:10 PM
  • Yes, ping replies well, and I just found that if I turn off the firewall on the DC, it allows me to fully connect with the FTP client.  So...now I have to figure out how to enable it in the Server 2012 firewall...which I would swear I had done by enabling all connections inbound and outbound to this computer.  Any input on that?

    Saturday, November 02, 2013 9:10 PM
  • do you need in/out firewall rules in place on both NICs on the DC?
    • Edited by John_Curtiss Saturday, November 02, 2013 9:12 PM
    Saturday, November 02, 2013 9:11 PM
  • Thanks Tom, but that is handled by the DHCP server role.  I went ahead and added it to be sure, since it doesn't show it on a route print, but it gave this error: "The route addition failed: The parameter is incorrect."
    Saturday, November 02, 2013 9:14 PM
  • (just my two cents and I won't mention it again: there has got to be a better solution for this than using a DC as a gateway router. )

    with the firewall on, can you telnet to the ftp server from the dc?

    if not you probably need a rule or rules on the outside DC nic.

    if you can, but can't telnet to the ftp server from the inside workstation, you probably need a rule or rules on the inside DC nic.

    Saturday, November 02, 2013 9:18 PM
  • I would presume so, and on each rule you can set which NIC for it to use.  The default for each rule is that it covers all network interfaces.

    • Proposed as answer by John_Curtiss Saturday, November 02, 2013 9:30 PM
    Saturday, November 02, 2013 9:22 PM
  • Yes, I can telnet from the DC.

    I agree with your two cents, by the way - I just don't know how to implement a better method that would give us a secure LAN while providing an unsecure/public wireless connection from the same internet connection.

    Saturday, November 02, 2013 9:25 PM
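The checks John walks through above (telnet to port 21 from the DC with the firewall on, then decide whether the outside or the inside NIC needs a rule) and the per-NIC rule scoping the OP mentions, put into PowerShell as an added example. This is not code from the thread; it is written for the dual-homed Server 2012 DC described above, where the NetSecurity cmdlets used here are available. The interface aliases `Internal` and `External`, the host `ftp.example.com` and the LAN range `192.168.10.0/24` are assumptions to be replaced with the real values. Two caveats the thread does not spell out: allowing TCP/20 and 21 covers only the control channel and active-mode data, while passive-mode FTP uses a server-chosen high port for data; and the thread never records which rule finally closed the gap, so the last function shows the interface-scoping mechanism rather than a verified fix.

```powershell
# Added example, not code from the thread. Run on the dual-homed DC with the firewall left ON.
# Interface aliases, FTP host and LAN range are assumptions: compare with Get-NetAdapter and the DHCP scope.
$InsideNic  = 'Internal'          # NIC facing the LAN switch (the clients' default gateway)
$OutsideNic = 'External'          # NIC facing the modem / public wireless router
$FtpServer  = 'ftp.example.com'   # the remote FTP server the clients cannot reach
$FtpPort    = 21                  # control channel; TCP/20 only matters for active-mode data

# Step 1 of John's procedure: can the DC itself reach TCP/21 with the firewall on?
# Test-NetConnection -Port is the PowerShell equivalent of "telnet <server> 21".
function Test-FtpFromDc {
    $r = Test-NetConnection -ComputerName $FtpServer -Port $FtpPort -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) {
        "DC reaches ${FtpServer}:$FtpPort. If LAN clients still fail, look at the rules on '$InsideNic'."
    } else {
        "DC cannot reach ${FtpServer}:$FtpPort. Look at the outbound rules on '$OutsideNic'."
    }
}

# Step 2: which profile each NIC landed in after the upgrade, and each profile's default actions.
# A NIC classified as Public gets the Public profile's rules, not the Domain profile's.
function Get-NicProfiles {
    Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
    Get-NetFirewallProfile   | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

# Step 3: every enabled rule that names TCP/21, with the interfaces it is scoped to.
# InterfaceAlias "Any" is the default the OP describes: the rule covers all NICs.
# Rules written as "TCP, any port" are not listed here; review those separately.
function Get-FtpFirewallRules {
    Get-NetFirewallRule -Enabled True | ForEach-Object {
        $rule  = $_
        $port  = $rule | Get-NetFirewallPortFilter
        $ports = @($port.LocalPort) + @($port.RemotePort)
        if ($port.Protocol -eq 'TCP' -and $ports -contains "$FtpPort") {
            $iface = $rule | Get-NetFirewallInterfaceFilter
            [pscustomobject]@{
                Name           = $rule.DisplayName
                Direction      = $rule.Direction
                Action         = $rule.Action
                Profile        = $rule.Profile
                LocalPort      = (@($port.LocalPort)  -join ',')
                RemotePort     = (@($port.RemotePort) -join ',')
                InterfaceAlias = (@($iface.InterfaceAlias) -join ',')
            }
        }
    }
}

# Step 4: rules bound to one NIC each, instead of rules spanning every interface.
# -Profile Any keeps them in force whichever profile a NIC is classified into.
# The outbound rule matches the DC's own connection tested in Step 1. The inbound rule on the
# inside NIC is deliberately limited to the LAN range rather than a port, because the thread
# does not establish how the firewall classifies the forwarded client traffic; narrow it once a
# Wireshark capture on the DC shows which port the packets carry as they arrive.
function Add-FtpControlRules {
    New-NetFirewallRule -DisplayName 'FTP control out (outside NIC)' -Direction Outbound `
        -Protocol TCP -RemotePort $FtpPort -InterfaceAlias $OutsideNic -Profile Any -Action Allow
    New-NetFirewallRule -DisplayName 'LAN clients in (inside NIC)' -Direction Inbound `
        -Protocol TCP -RemoteAddress '192.168.10.0/24' -InterfaceAlias $InsideNic `
        -Profile Any -Action Allow
}

Test-FtpFromDc
Get-NicProfiles     | Format-Table -AutoSize
Get-FtpFirewallRules | Format-Table -AutoSize
# Add-FtpControlRules   # uncomment once the listing above shows what is missing
```

Read the Step 3 table before adding anything: a rule that allows port 21 but sits in a profile the NIC is not in, or is bound to the wrong interface, is invisible in the GUI's flat rule list and is exactly the kind of thing "I enabled all connections" can miss.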
  • Top of my head, connect a wifi Linksys router to the Internet connection. Connect the WAN port on a second wired Linksys router to the LAN port on the wireless Linksys router. Give the internal router a gateway of the external router's LAN IP address. Put your internal network, including the domain controller, on the LAN side of the internal router, using that router as their gateway.
    • Edited by John_Curtiss Saturday, November 02, 2013 9:36 PM
    Saturday, November 02, 2013 9:35 PM
  • In fact, don't most wireless routers lately have a feature that separates wireless traffic from wired?
    Saturday, November 02, 2013 9:50 PM
  • Most do have a guest network and secure network, yep.  My personal one at home does both, and in fact does the same with wireless simultaneously.  However, the one at the office is a rather involved, and yet limited in ultra-modern standards, Cisco router that my boss doesn't want to replace just yet.  I think I'm about to change her mind on that, though.
    Saturday, November 02, 2013 9:57 PM
  • You can keep your existing router, and just put another one behind it. So the wireless network is between your lan and the Internet. Just like now, except the new router will perform the routing duties instead of a domain controller performing them. 
    Saturday, November 02, 2013 10:01 PM
  • Yeah, I may well suggest that option.  I think the current setup is still in place simply because it's been that way and wasn't broken.  That said, the Windows Firewall in Server 2012 is far better than what you can get in most routers.
    Saturday, November 02, 2013 10:03 PM
  • Besides opening the ports on your router, you need to create an FTP account in IIS to have FTP services.

    I can help configure IIS if you are not familiar with running a web host

    Monday, November 04, 2013 8:20 PM
  • he is trying to get to an external FTP server that lives out on the internet somewhere. in this scenario his domain controller is just serving as a router/firewall for his internal computers to get to the internet. he is not trying to enable an ftp server 'role' on his domain controller.

    Monday, November 04, 2013 8:24 PM
  • whatever the actual FTP server, it has to be configured too

    you cannot just add one in AD and hope for the best

    Monday, November 04, 2013 8:35 PM