cannot reach site on port 50021

Discussion in 'Internet, Connectivity and Communications' started by Boycie, Mar 6, 2011.

  1. Boycie
    Looking at a problem where the customer needs to connect to an FTP site on port 50021 (FTPS), although unable to do so.

    I can't check from any other site because the remote site locks the access down to the IP of authorised clients.

    Nothing in the firewall rules blocking anything outbound. Does anyone know if it's a port that may be blocked by the ISP?

    ta
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  2. Sparky
    Anything in the firewall logs?

    It's been a while but the last time I tried to make FTP listen on a different port I had major problems...
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  3. zebulebu

    Why FTPS? It's a major PITA to configure through firewalls in the best of circumstances - and it's infinitely better to use SFTP (FTP via SSH). If you have no option, then I would guess it's because of a firewall misconfiguration somewhere - though good luck figuring out how to fix it!

    The problem is that FTP opens a second channel for actual data transfer (the main port connection made initially is only for control of the session). In FTP it's trivial to configure a firewall to allow this second channel directly, but with FTPS, since that initial channel is encrypted, the firewall can't then be configured to detect the port that the secondary (data transfer) channel is running over - and will block the connection.

    I'd imagine the firewall the connection is travelling through will have something documented somewhere about restricting port ranges for the second connection to a particular range of ephemeral high ports - check your firewall documentation for the specifics.
     
    Certifications: A few
    WIP: None - f*** 'em
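
The data-channel point from post 3, as an added example that is not part of any post in this thread: the client sees the decrypted 227/229 passive-mode reply even though the firewall cannot, so the advertised data port can be checked against what the firewall allows outbound. The addresses, the 50000-50100 range and the function names are assumptions made up for illustration.

```python
import ipaddress
import re

# Constructed sample replies, as the client sees them after TLS decryption.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,195,149)",
    "229 Entering Extended Passive Mode (|||50100|)",
    "227 Entering Passive Mode (192,168,1,20,234,96)",
]

def data_endpoint(reply, control_host):
    """Return the (host, port) the client must connect to for the data channel."""
    if reply.startswith("227"):  # PASV: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
        m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", reply)
        if not m or any(int(x) > 255 for x in m.groups()):
            raise ValueError("malformed 227 reply: %r" % reply)
        n = [int(x) for x in m.groups()]
        return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]
    if reply.startswith("229"):  # EPSV: port only, host is the control peer
        m = re.search(r"\((.)\1\1(\d+)\1\)", reply)
        if not m or not 0 < int(m.group(2)) < 65536:
            raise ValueError("malformed 229 reply: %r" % reply)
        return control_host, int(m.group(2))
    raise ValueError("not a passive-mode reply: %r" % reply)

def assess(reply, control_host, allowed_ports):
    """List reasons the data connection would fail at the client-side firewall."""
    host, port = data_endpoint(reply, control_host)
    problems = []
    if port not in allowed_ports:
        problems.append("data port %d is outside the allowed outbound range" % port)
    if host != control_host:
        # With plain FTP a NAT helper can rewrite this address; under TLS it cannot.
        kind = "private" if ipaddress.ip_address(host).is_private else "different"
        problems.append("server advertised a %s address %s" % (kind, host))
    return host, port, problems

if __name__ == "__main__":
    allowed = range(50000, 50101)  # assumed passive range agreed with the remote site
    for line in SAMPLE_REPLIES:
        print(line, "->", assess(line, "203.0.113.10", allowed))
```
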
  4. Boycie
    Hey Sparks,

    Nothing in the logs mate. It's a really old WatchGuard and I can't see any outbound rules. The weird thing is, it does work from one server, but nothing else. They add the client's IP to their authenticated list, and I can hit it from all PCs on ports 21 and 80, but not on 50021 (well from only one server anyway).

    cheers!
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  5. Boycie
    Hey Zeb,

    Just noticed this after replying to Sparks.
    No idea why mate - I just received the guide and have been asked to get it working. Thanks for the explanation on the second connection mate. I've been looking everywhere on the firewall for something, although baffled as to why it works on one server and nothing else!

    ta
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
