Input Endpoint and Firewall
-
Monday, March 07, 2011 9:33 PM
Hi Folks,
I'm currently working to get an SFTP server up and running using startup tasks and worker roles in Azure. It installs just fine and is sitting there listening on port 22. My endpoint configuration looks like this:
<Endpoints>
  <InputEndpoint port="22" localPort="22" protocol="tcp" name="SFTP" ignoreRoleInstanceStatus="true" />
</Endpoints>
When I try to connect using an SFTP client on the worker role itself (via RDP) it connects just fine. When I try to connect from outside of Azure it fails. If I disable the 'public' profile bit of firewall on the worker role it succeeds from outside Azure.
Any ideas what might be causing this issue? I'm happy to run without the firewall while I'm testing, but it's highly unlikely that I'd want to run it like that in production!
Edit: I should note that the firewall does have rules for TCP 22 allowed in it, but they don't seem to be much use. pfirewall.log doesn't ever contain anything useful either!
Thanks & Regards,
Dean Ward
All Replies
-
Monday, March 07, 2011 11:10 PM
Could it be that the SFTP installation sets up its own firewall rules that somehow interfere or overwrite the rules that the service runtime sets up when you declare an input endpoint?
Perhaps you could troubleshoot this by temporarily disabling the startup task and redeploying. Then, use RDP to connect to your role instance and export the current firewall rules. You can do this by opening the firewall console (Advanced) and then selecting Export List to write the rules to a file. Next, run the SFTP server installation manually and then export the rules again to a new file. By comparing the rules in each file, you might be able to draw some conclusions.
-
Monday, March 07, 2011 11:12 PM
Dean,
I believe FTP requires a range of ports (for instance, ports 21 and 22). You may need to allow more than just port 22.
I found a blog posting at http://microsoft.realdolmenblogs.com/post/Using-FTP-to-access-Windows-Azure-Blob-Storage.aspx that might have some helpful information for you.
Thanks,
Michael S. Collier
-
Monday, March 07, 2011 11:45 PM
Hi Fernando,
I've just deployed the role without the startup script and compared before and after versions of the firewall rules but, unfortunately, there's no difference. I don't believe this particular installation is smart enough to open the firewall ports for itself.
I'm starting to suspect that the rule placed in there by Azure is wrong in some fundamental way - if I add my own rule it works just fine. For now I can run with the firewall if I add my own rule, but it would be nice to know what Azure has done wrong in the rules it generated!
Cheers,
Dean
-
Monday, March 07, 2011 11:46 PM
Hi Michael,
Thanks for the info, but it's no help here; I'm using SFTP (Secure FTP - SSH derived) so it doesn't need a separate control and data port.
Cheers,
Dean
-
Tuesday, March 08, 2011 2:43 AM (Moderator)
Hi Dean,
The firewall rule is created by the Role Endpoints settings. Did you compare the difference between the rule you created and the rule Azure created automatically?
Mog Liang
Please mark the replies as answers if they help or unmark if not.
If you have any feedback about my replies, please contact msdnmg@microsoft.com.
Microsoft One Code Framework
-
Tuesday, March 08, 2011 2:44 AM
Hi Dean,
Sorry that didn't help. One more question. Rereading your original post, there's something that I don't quite understand. What do you mean by "If I disable the 'public' profile bit of firewall on the worker role it succeeds from outside Azure." Are you changing the network location to private or disabling the rule for port 22 in the public profile? Either way, it doesn't seem like that should help at all.
Also, "...if I add my own rule it works just fine". What settings are you using for that rule?
-
Thursday, March 10, 2011 10:25 PM
Hi Fernando,
Basically I just disabled the firewall for the public profile (i.e. left the machine totally open). Not the best option, but it proved that the service was reachable!
The rule that works was created with this command:
netsh advfirewall firewall add rule name="SFTP" dir=in protocol=TCP localport=22 action=allow profile=public
That works just fine at that moment (even with the Azure created rules in place).
Thanks,
Dean
-
Thursday, March 10, 2011 10:27 PM
Hi Mog,
The rule I added used the following command:
netsh advfirewall firewall add rule name="SFTP" dir=in protocol=TCP localport=22 action=allow profile=public
When comparing the rule added by Azure with this one I can see no noticeable difference between the two! I really can't determine why the Azure created rule doesn't work, it really looks like it should!
Thanks,
Dean
-
Friday, March 11, 2011 4:13 AM
Odd. You may have already done this, but you could try dumping both rules, the Azure created one and your own rule, using netsh to see if that shows any differences. Make sure to add the verbose switch to get all the properties.
netsh advfirewall firewall show rule name=<RULENAME> profile=public verbose
What is the value shown for the Program property in the Azure created rule?
-
Saturday, March 12, 2011 1:30 PM
Aha, this appears to have gotten to the bottom of it... Azure has created 4 rules each identical to the rule I added, but with different Program / Service attributes:
Program: System
Service: CIS:8a75a75b-543d-4623-a0bd-131ace7ab735
Service: NetTcpActivator
Service: NetTcpPortSharing
So this appears to be restricting use of the port to either the system or a specific set of services. Not much use if the port is listened to by an external application! As a sidenote I also have an internal endpoint that suffers this issue as well.
So MS - what's the recommended approach here - I'm guessing I should be adding firewall exceptions to allow my services to communicate with the outside world? Or is this a bug that will be fixed at some point?
Cheers,
Dean
EDIT: I should clarify what I mean by 'bug' - this could be in documentation or with the rule setup. My thought when adding the endpoint to the service definition was that that port would be opened for everything, not just a few programs / services. If this isn't the case then it should either be explicitly called out in the documentation or work in the way that I presume most would expect :)!
- Proposed As Answer by Mog Liang (Moderator), Monday, March 14, 2011 9:43 AM
- Marked As Answer by Dean Ward [iPrinciples], Monday, March 14, 2011 2:54 PM
-
Monday, March 14, 2011 2:55 AM (Moderator)
Hi Dean,
Glad that you found the cause. One approach to this issue is using a startup task to configure the VM's firewall and open a port for your app.
Not sure if and when the MSDN doc would be updated; at least this thread may help others who encounter the same issue to locate the cause.
Thanks,
Mog Liang
-
Monday, March 14, 2011 2:57 PM
Thanks Mog, I'm using startup tasks so I've opened up the necessary ports from there.
I guess most people would be listening to a TCP endpoint within their worker role as opposed to installing a service in a startup task, so my scenario might be fairly edge-case anyway.
Cheers,
Dean
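An added example, not from the thread or from Azure, of the kind of startup-task .cmd that does what Dean describes: it adds the inbound TCP 22 rule only if it is not already there (startup tasks re-run on reboot and reimage), scopes the rule to the listener binary rather than to any program, and dumps the rule verbosely so the Program/Service properties can be checked over RDP the same way the Azure-created rules were. The path in SFTP_EXE and the rule name are assumptions; replace them with the real install location.

```batch
@echo off
REM Example startup task (not from the thread): open TCP 22 for the SFTP daemon.
REM SFTP_EXE is an assumed path; point it at the binary that actually listens.
set SFTP_EXE=%ProgramFiles%\ExampleSftp\sftpd.exe
set RULE=SFTP-Inbound-22
set LOG=%~dp0startup-firewall.log

REM Startup tasks run again after reboot/reimage; do not add duplicate rules.
netsh advfirewall firewall show rule name="%RULE%" >nul 2>&1
if %errorlevel%==0 (
    echo %date% %time% rule "%RULE%" already present >> "%LOG%"
    goto :verify
)

REM The Azure-generated rules are scoped to System and specific services, which
REM is why a third-party listener is blocked. Scoping this rule to the daemon
REM keeps that least-privilege intent instead of opening the port to every
REM process on the instance.
netsh advfirewall firewall add rule name="%RULE%" dir=in action=allow ^
    protocol=TCP localport=22 profile=public program="%SFTP_EXE%" ^
    description="Inbound SFTP for worker role endpoint (startup task)" >> "%LOG%" 2>&1
if not %errorlevel%==0 (
    echo %date% %time% failed to add rule "%RULE%" >> "%LOG%"
    exit /b 1
)

:verify
REM Record every property of the rule (Program, Service, Profiles, Enabled) so a
REM mismatch between the intended scope and the applied rule is visible in the log.
netsh advfirewall firewall show rule name="%RULE%" verbose >> "%LOG%" 2>&1
exit /b 0
```

If the server runs as a Windows service rather than a plain executable, the `service=` parameter of `netsh advfirewall firewall add rule` scopes the rule to that service name instead of a program path.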
-
Thursday, April 14, 2011 3:42 AM
Hi,
I am working for a client where they have SFTP (SSH FTP) server (unix system). We are trying to migrate an application on cloud. The requirement is that the client will push the file from on-premises to Azure. We have to write the SFTP server code which runs as worker role.
Do we have any code sample that I can use to write the server component? Looks like Dean has already implemented the server component on the Azure cloud. Any 3rd party vendors who provide such a service?
Thanks,
Jack
-
Thursday, April 14, 2011 3:53 AM (Answerer)
Maarten Balliauw has a post on developing an FTP server on Azure. It may well be worth reading to see the issues he ran into and his solution for them.
-
Thursday, April 14, 2011 6:27 AM
Hi Neil,
I went through the blog of Maarten (this post). But it is for FTP not SFTP. I'm looking for SFTP server implementation on cloud.
Any idea?
Thanks,
Jack
-
Thursday, April 14, 2011 11:30 PM
To get around this you should install the service as manual and start it from within your worker role.
http://michaelwasham.com/2011/04/11/internal-endpoints-and-firewall-rules-with-windows-azure/
http://michaelwasham.com/2011/04/14/starting-a-service-from-an-azure-worker-role/
-
Monday, April 30, 2012 4:45 PM
Hi Dean,
Which SFTP server are you using?
Thanks
John
John H. Smith