We have clients running Win 7/8 and 2012 DA;
everything is working besides that we cannot FTP to our Unix server.
It allows us to log in, but no other command works; even "ls" gives this error:
502 illegal eprt command 425 can't build data connection
If we use our normal VPN, it works just fine.
Unfortunately FTP uses direct IPv4 communication when talking to its server, and as far as I know it will not work over DirectAccess. As you probably know, all client-side traffic from the laptops is always IPv6 on a DA connection, so if a program is using communication with direct IPv4 addresses, this traffic never makes it over the DA IPsec tunnels.
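The error quoted in the question ("502 illegal eprt command 425 can't build data connection") is the FTP-level symptom of the IPv6-only path described above. Over an IPv6 control connection the client cannot use the classic PORT/PASV commands (they only encode IPv4 addresses), so it must use the RFC 2428 EPRT/EPSV commands; a server that does not implement RFC 2428 answers EPRT with a 502, and the next LIST fails with 425 because no data connection could be set up. Login still works because USER/PASS need only the control channel. The following is an added example, not code from the thread: it builds the address-family-appropriate data-channel command, parses EPRT, and diagnoses a constructed control-channel transcript that mimics the reported failure. The addresses, user name and port in it are assumed example values.

```python
import ipaddress
import re

# Constructed transcript of an FTP control channel ('C' = client, 'S' = server),
# modelled on the error quoted in the thread. Not a real capture; the IPv6
# address, user name and port are assumed example values.
SAMPLE_TRANSCRIPT = [
    ("C", "USER alice"),
    ("S", "331 Password required for alice."),
    ("C", "PASS secret"),
    ("S", "230 User alice logged in."),
    ("C", "EPRT |2|2001:db8::10|51234|"),   # RFC 2428: net-prt 2 = IPv6
    ("S", "502 illegal eprt command"),       # server does not implement EPRT
    ("C", "LIST"),
    ("S", "425 can't build data connection"),  # no data channel was agreed
]

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")
DATA_CMDS = ("PORT", "EPRT", "PASV", "EPSV")


def parse_reply(line):
    """Split an FTP reply line into (code, text); raises on a malformed line."""
    m = REPLY_RE.match(line)
    if not m:
        raise ValueError(f"not an FTP reply line: {line!r}")
    return int(m.group(1)), m.group(3)


def data_channel_command(local_ip, port):
    """Return the active-mode data-channel command a client must send.

    IPv4: RFC 959 PORT h1,h2,h3,h4,p1,p2 (address and port as decimal octets).
    IPv6: PORT cannot carry the address, so RFC 2428 EPRT |2|addr|port| is the
    only option, which is why an IPv6-only path (such as DirectAccess) exposes
    servers that lack RFC 2428 support.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    ip = ipaddress.ip_address(local_ip)
    if ip.version == 4:
        octets = ip.exploded.split(".") + [str(port >> 8), str(port & 0xFF)]
        return "PORT " + ",".join(octets)
    return f"EPRT |2|{ip.compressed}|{port}|"


def parse_eprt(arg):
    """Parse an EPRT argument '<d>proto<d>addr<d>port<d>' into (ip_version, addr, port).

    RFC 2428 allows any printable ASCII delimiter; the first character defines it.
    """
    d = arg[0]
    parts = arg.split(d)  # "|2|addr|port|" -> ['', '2', 'addr', 'port', '']
    if len(parts) != 5 or parts[0] != "" or parts[4] != "":
        raise ValueError(f"malformed EPRT argument: {arg!r}")
    proto, addr, port = parts[1], parts[2], int(parts[3])
    ip = ipaddress.ip_address(addr)
    expected = {"1": 4, "2": 6}.get(proto)
    if ip.version != expected:
        raise ValueError(f"net-prt {proto} does not match address {addr}")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ip.version, ip.compressed, port


def diagnose(transcript):
    """Walk a control-channel transcript and explain why a directory listing failed."""
    result = {"logged_in": False, "data_cmd": None, "data_cmd_rejected": False,
              "data_conn_failed": False, "verdict": ""}
    last_cmd = None
    for who, line in transcript:
        if who == "C":
            last_cmd = line.split(" ", 1)[0].upper()
            if last_cmd in DATA_CMDS:
                result["data_cmd"] = last_cmd
            continue
        code, _ = parse_reply(line)
        if last_cmd == "PASS" and code == 230:
            result["logged_in"] = True
        elif last_cmd in DATA_CMDS and code // 100 == 5:
            result["data_cmd_rejected"] = True
        elif code == 425:
            result["data_conn_failed"] = True

    if result["logged_in"] and result["data_cmd"] == "EPRT" and result["data_cmd_rejected"]:
        result["verdict"] = ("Control channel is IPv6, so the client had to use EPRT; "
                             "the server rejected EPRT (no RFC 2428 support), so LIST/RETR/STOR "
                             "cannot open a data connection even though login succeeded.")
    elif result["data_conn_failed"]:
        result["verdict"] = "Data connection failed after " + str(result["data_cmd"]) + "; check firewalling of the data port."
    else:
        result["verdict"] = "No data-channel failure seen in transcript."
    return result


if __name__ == "__main__":
    print(data_channel_command("192.0.2.10", 51234))   # IPv4 client path
    print(data_channel_command("2001:db8::10", 51234))  # IPv6 (DirectAccess) client path
    print(diagnose(SAMPLE_TRANSCRIPT)["verdict"])
```

To confirm the same thing on a real client rather than on a constructed transcript, capture on the DA client while running the FTP command and look at the control conversation: if it runs over IPv6 and the command the client sends before LIST is EPRT (in Wireshark the FTP dissector exposes commands as `ftp.request.command` and reply codes as `ftp.response.code`; filter on `ftp` if those field names differ in your version), then the 502 reply is the server refusing RFC 2428, not a firewall problem on the data port.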
I understand the IPv4 limitation here, but I don't believe the statement "FTP uses direct IPv4 communication when talking to its server" is true.
I have other FTPs which are working, just not to this Unix server.
Jordan, is there a way, e.g. with Wireshark, that I can confirm this?
Thanks in advance.
Try these:
- Be sure that you can access your FTP server by the name registered in your DNS.
- Check whether your DA Gateway can access your FTP server: if the FTP ports are blocked between the DA Gateway and your FTP server, it will not work for your DA clients.
- Edited by Lionel LEPERLIER MVP Tuesday, July 16, 2013 8:08 AM (Typo)
I am able to access the FTP server by DNS name.
I logged into FTP on the DA server; when I run ls, it says command successful, but doesn't show any dir.
I have done cd /dirname; it said 250 CWD command successful.
There is no firewall between DA and this Unix server (the Windows firewall on DA is running).
There is a firewall for any connection coming from outside to our domain.
If DirectAccess is working to other resources, then your DA IPsec tunnels are flowing through to the DirectAccess server properly and any external firewall is not stopping your traffic.
If you can hit the FTP service from the DirectAccess server, then there is not a firewall in between on the internal network (as you said) stopping the traffic, and a successful connection here shows that you have the correct route in your DirectAccess server's table for the packets to arrive. If packets can arrive from the DA server, they can arrive from the DA clients.
If there was a firewall on the Unix server, that could potentially disrupt this, but typically not because in most DA installs the packets from the DA clients show up as coming from the internal IP address of the DA server, so the Unix server (if it had a firewall) would generally allow it anyway.
I have always heard that FTP is a bugger with DirectAccess, because of the way it transmits packets. I'm actually a little surprised to hear you have it working to other FTP servers, because I didn't think that would work. Can you confirm that you are able to FTP over DirectAccess, ensuring that it is communicating over an IPv6 DA tunnel, and that it isn't somehow using an internet IPv4 connection directly? I could certainly be wrong about this, it's just what I've heard. I do DirectAccess all the time but honestly I don't see many folks using FTP in the wild anymore so I don't really run into it regularly.