IIS 7.5 FTPS external access - 534 Policy requires SSL
Solution 1
You're correct that FileZilla or WinSCP are needed. Basically those FTP settings say that anyone trying to use the normal method over port 21 should be denied, and it doesn't attempt to reestablish a different type of connection. Thus IE and the command line options won't work.
A good test is to install FileZilla locally on the FTP server, or on another server that doesn't have a firewall in between. Get it working there to prove that it works, and then start looking at your firewall policy to allow it through. Most likely you're running against a firewall rule that blocks the dynamic ports necessary for FTPS.
In FileZilla, use "explicit FTP over TLS" and test using active and passive mode. Active and passive require different firewall ports.
Solution 2
To confirm: You need a client that supports FTPS. WinInet in Internet Explorer, and Windows' command-line FTP.EXE do not.
Solution 3
I suspect that you have a similar problem that I experienced in the past in that our border security device was being a little too helpful with FTP connections. In short, if you have a modern enterprise UTM device, try binding TCP/990 to your FTP site and allowing it through the firewall if you're using FTPS. The "FTP helper" service on the UTM may be getting in the way because it expects to see unencrypted traffic traversing TCP/21.
I wrote a blog entry describing the issue and solutions: http://www.lewisroberts.com/2010/08/06/scripting-ftpes-explicit-tlsssl-with-curl/
You should also configure your passive FTP port range within IIS and open those ports in your firewall. In IIS, click the top-level node (server name), then click FTP Firewall Support. In there, define a range of ports that you must then open in your firewall and forward to the FTP server.
You can likely ignore the parts about cURL but hey, you might find it useful in the future!
HTH
-Lewis
Updated on September 18, 2022
Comments
Admin (over 1 year ago):
I have set up an FTP site that requires SSL, but when I try to connect to it externally I get the error:
220 Microsoft FTP Service
534 Policy requires SSL.
I know - I set it so! Why doesn't it fetch the SSL cert from the site and allow me to log on?!
(Incidentally, beware of all the tutorials that Allow but do not Require SSL: while that will solve the problem, it will be because SSL is not being used!)
I suspect it may be that I need a client that supports FTPS (FTP over SSL), and Windows Explorer just uses IE, which does not. But trying FileZilla and WinSCP I get a little further, but then it hangs on TLS/SSL negotiation expecting a response from the server...
UPDATE: I have tried (from: http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/):
- Configure the Passive Port Range for the FTP Service.
- Configure the external IPv4 Address for a Specific FTP Site.
- Configure the firewall to allow the FTP service to listen on all ports that it opens.
- Disabling stateful FTP filtering so that Windows Firewall will not block FTP traffic.
And still I get (in FileZilla trying both Active and Passive):
Status: Connecting to 203.x.x.x:21...
Status: Connection established, waiting for welcome message...
Response: 220 Microsoft FTP Service
Command: AUTH TLS
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS...
Error: Connection timed out
Error: Could not connect to server
The Windows firewall logs unhelpfully have nothing to say.
UPDATE2: Turning the firewall off does not resolve the problem.
I cannot believe how difficult it is to get something so simple to work and even once following the documentation it does not work.
UPDATE3: Running FileZilla locally, connecting through the loopback works in Active mode; in Passive mode I get as far as:
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: GnuTLS error -53: Error in the push function.
With the firewall turned off at both ends I still cannot connect the client, and I get the same error as above.
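The four firewall-related steps listed in the question, plus the passive port range advice from Solution 3, as one added PowerShell example that is not part of the original thread. The appcmd sections are those documented on the IIS FTP firewall page the question links; the site name, the 5000-5100 port range and the 203.0.113.10 public address are placeholders to substitute.

```powershell
# Added example (not from the original thread). Applies the IIS FTP firewall
# settings with appcmd and the Windows Firewall settings with netsh.
# Placeholders: site name, passive range 5000-5100, public IP 203.0.113.10.
# Run from an elevated PowerShell prompt on the IIS 7.5 FTP server.
$AppCmd   = "$env:windir\System32\inetsrv\appcmd.exe"
$SiteName = 'My FTP Site'      # placeholder: your FTP site's name in IIS
$LowPort  = 5000               # placeholder: start of passive data range
$HighPort = 5100               # placeholder: end of passive data range
$PublicIp = '203.0.113.10'     # placeholder: address clients connect to

# 1. Server-wide passive (PASV) data-channel port range. IIS advertises ports
#    from this range in its 227 reply, so keep the range narrow: it is exactly
#    the set of inbound ports the perimeter firewall has to open.
& $AppCmd set config -section:system.ftpServer/firewallSupport `
    "/lowDataChannelPort:$LowPort" "/highDataChannelPort:$HighPort" /commit:apphost

# 2. External IPv4 address for the site. With FTPS the control channel is
#    encrypted, so a NAT device cannot rewrite the private address inside the
#    227 reply; IIS itself must advertise the public one.
& $AppCmd set config -section:system.applicationHost/sites `
    "/[name='$SiteName'].ftpServer.firewallSupport.externalIp4Address:$PublicIp" /commit:apphost

# 3. Windows Firewall: allow only the control port and the passive data range,
#    TCP inbound, nothing broader.
netsh advfirewall firewall add rule name="FTPS control (TCP 21)" `
    dir=in action=allow protocol=TCP localport=21
netsh advfirewall firewall add rule name="FTPS passive data ($LowPort-$HighPort)" `
    dir=in action=allow protocol=TCP localport="$LowPort-$HighPort"

# 4. Disable stateful FTP inspection. The inspector opens data ports by reading
#    PORT/PASV on TCP/21; on an encrypted control channel it sees nothing and
#    the data connection stays blocked (the "helper" problem Solution 3 describes).
netsh advfirewall set global StatefulFtp disable

# Verify what IIS will now advertise, then restart the FTP service to apply.
& $AppCmd list config -section:system.ftpServer/firewallSupport
& $AppCmd list config -section:system.applicationHost/sites |
    Select-String -Pattern 'firewallSupport'
Restart-Service ftpsvc
```

The same range and public address must then be allowed and forwarded on the perimeter firewall in front of the server; the netsh rules above only cover Windows Firewall on the host.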
Admin (almost 13 years ago): Do you have a firewall? technet.microsoft.com/en-us/library/dd421710(WS.10).aspx may be related...
Admin (almost 13 years ago): Yes, but configured as it should be; see update.
Admin (almost 13 years ago): WinSCP and FileZilla do, though, and they get halfway to establishing a connection but then hang waiting for a response from the server.
Admin (almost 13 years ago): Still no luck; I do not have a UTM device.
Scott Forsyth (almost 13 years ago): It does sound like a firewall issue, based on the status message. Other misconfigurations would likely show up as access denied. Have you tried installing FileZilla locally on the server to completely rule out firewall issues? Active mode (and some of passive mode) depends on firewall rules on the client side. See this for a good overview: slacksite.com/other/ftp.html. If you can get it working locally, then you'll know for sure that it's a firewall issue and you can keep spending time there. If it doesn't work locally, then there's no use spending time on the firewall aspect.
Ken (almost 13 years ago): See UPDATE3 above...
Scott Forsyth (almost 13 years ago): Hi Mrk. I'll reply with a new post with some ideas of things to try.