Over the past few years, I have written many applications that are stand-alone executables (Win Forms) that manage all of the business’ information locally and then sync up with a web server (real time or periodically). These applications (inventory, eBay-related, apartment finders, photography studios, etc.) will sync information through secure web services but often need to FTP files (PDFs, images, etc.). To do so, I have a C# FTP class I wrote a while ago and have modified over the years.
Recently, I changed hosting providers. I had a dedicated server with Verio (San Jose Data Center) for about 5 years and just moved over to Interland (Georgia Data Center) about 6 months ago. My old servers had Windows 2000 Server and I was running ISS Black Ice firewall. It worked great and I had planned to use it on my new servers…unfortunately, Black Ice doesn’t support Windows 2003 Server (at least not officially). Well that’s not something I can hope works.
So what firewall do I go with? I spoke with some colleagues who run data centers and of course, they wanted me to go with a hardware solution (i.e. Cisco PIX). Interland wants $200 setup + $200 per month…a little pricey. As for software solutions, Microsoft’s ISA (Internet Security and Accelerator) Server 2004 led the reviews, but also costs $1,500. According to my colleagues, ISA should run on its own box…running with SQL Server, IIS 6.0, Email, etc. might be a bit too much for the servers. Another option is the firewall built into Windows Server 2003. It’s a very basic firewall that either opens a port or does not open a port. In that sense, it’s great if you have very basic rules…but it’s meant for single servers only.
Since this was my case, I decided to go with the Windows Server 2003 built-in firewall. Almost immediately, I found out my applications could not FTP images to the server…they could log in, change directories and create directories, but could not “put” files on the server. So quickly I learned about Active vs Passive FTP.
Basically, Active FTP connects to the FTP server’s command port (21) and transfers data to the FTP server’s data port (20). Well that’s what I thought I was doing, but with both ports open it still didn’t work. Then I reviewed my code and realized I was issuing the “PASV” command, which puts the code into Passive mode. Passive FTP also connects to the FTP server’s command port (21), but transfers data to a randomly negotiated port (> 1024) on the FTP server. The problem here is that all of these ports are closed by the firewall, so it can’t work.
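The sketch below is an added example, not code from the original post or from the author's C# FTP class. It parses the server's reply to PASV (per RFC 959 the data port is p1*256 + p2) and runs the two inbound connections through a simplified model of the firewall's port and program exceptions; the sample reply, the address 192.0.2.10 and all function names are constructed for illustration.

```python
import re

# RFC 959 passive reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
_PASV_FIELDS = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed sample reply: documentation address, port 19*256 + 137 = 5001.
SAMPLE_REPLY = "227 Entering Passive Mode (192,0,2,10,19,137)"

FTP_SERVICE = "inetinfo.exe"  # process that owns both listeners on the page


def parse_pasv_reply(line):
    """Return (host, port) the client must connect to for the data transfer."""
    line = line.strip()
    match = _PASV_FIELDS.search(line)
    if not line.startswith("227") or match is None:
        raise ValueError("not a 227 passive-mode reply: %r" % line)
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % line)
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def inbound_allowed(port, listener, open_ports, allowed_programs):
    """Simplified model (an assumption of this example): a port exception
    admits one fixed port number, a program exception admits any port
    the named program is listening on."""
    return port in open_ports or listener in allowed_programs


def trace_session(pasv_reply, open_ports, allowed_programs=frozenset()):
    """Report which of the two inbound connections the rule set admits."""
    _, data_port = parse_pasv_reply(pasv_reply)
    return {
        "control": inbound_allowed(21, FTP_SERVICE, open_ports, allowed_programs),
        "data_port": data_port,
        "data": inbound_allowed(data_port, FTP_SERVICE, open_ports, allowed_programs),
    }


if __name__ == "__main__":
    # Ports 20 and 21 open: login and directory commands work, the upload does not.
    print(trace_session(SAMPLE_REPLY, open_ports={20, 21}))
    # Program exception only: both connections are admitted.
    print(trace_session(SAMPLE_REPLY, open_ports=set(), allowed_programs={FTP_SERVICE}))
```

With only ports 20 and 21 open the control connection is admitted and the data connection to port 5001 is not, which matches the symptom of being able to log in and create directories but not “put” a file.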
So how do I solve this problem? a) I could add code to use Active FTP, but I don’t have the time…plus it appears to be very difficult as very few people have done it. b) Purchase a third-party component (Rebex seems to be best) for about $250…eh. c) Figure out a way to get the data through the firewall with the current software.
Obviously, choice “c” is preferable, so I started to look around. After searching all over, I finally found a post where someone figured it out…here’s what you do:
1. Open the Control Panel and activate the Windows Firewall control.
2. Click on the Advanced tab, select the network interface that the FTP is bound to and make sure that this option is checked to enable the firewall for this interface.
3. Click on the “Settings…” button.
4. Click on the Services tab and CLEAR the check box for the “FTP Server” option. I know this makes no sense, but neither does the conflict between server and firewall!
5. Click on the “OK” button to close the Advanced Settings dialog.
6. Click on the Exceptions tab, then click on the “Add Program” button.
7. Browse to “C:\WINDOWS\SYSTEM32\INETSRV\inetinfo.exe” and double click on this file to select it.
8. You may want to use the “Change Scope…” button to narrow the range of IP addresses that can contact the FTP server.
9. Click on the “OK” button to close the Add a Program dialog.
10. Click on the “OK” button to close the Windows Firewall control.
11. You may need to reboot for the changes to take effect since “inetinfo.exe” runs as a service. I just restarted IIS.
I recently could not figure out why I was having these problems on a Windows 2003 Server that I manage. This post came in very useful and helped solve the problem I had on this server running Windows 2003.