FTP server on IIS 10 in implicit mode on port 990 only works when the Domain firewall is turned off

I configured an FTP server on Windows Server 2019 and everything runs fine, but it stops working when the Windows Defender Firewall "Domain network" firewall is enabled. The "Private network" and "Guest or public network" firewalls are enabled, and everything works as long as the "Domain network" firewall is disabled.

Note that this problem only occurs when using port 990. When using port 21 in standard or AUTH SSL-Explicit mode, the "Domain network" firewall can be enabled. Since we don't want to leave port 21 open, for now we are disabling the Windows Defender Firewall "Domain network" firewall on the server as a temporary workaround.

So the question is: why does enabling the "Domain network" firewall cause the FTP service to stop working only when port 990 is used? A valid certificate is installed, and everything works until only the "Domain network" firewall is enabled. Below is the list of FTP messages from the server when logging in through a CuteFTP client session. The first listing is with the "Domain network" firewall enabled. The second listing is with the "Domain network" firewall disabled.

Firewall ENABLED:

STATUS:>    [2/1/2021 3:24:06 PM] Getting listing ""...
STATUS:>    [2/1/2021 3:24:06 PM] Resolving host name ftp.xxxx.com...
STATUS:>    [2/1/2021 3:24:08 PM] Host name ftp.edenusa.com resolved: ip = 12.xx.xx.88.
STATUS:>    [2/1/2021 3:24:08 PM] Connecting to FTP server... ftp.xxxx.com:990 (ip = 12.xx.xx.88)...
ERROR:>     [2/1/2021 3:24:30 PM] The connection failed due to an error or timeout.

1) Verify that the destination IP address is correct.
2) Increase the connection timeout threshold under Global Settings | Connection.
3) Switch to the opposite data connection type (PASV or PORT) under Site Settings | Type tab.
4) Verify that the problem is not local by trying to connect to an alternate server.
5) If a server name was used, verify it resolves to the correct address.
6) If using a local server table for server name resolution, check to see that it doesn't resolve to an obsolete address.
7) Try pinging the address.
8) If you are using a router, verify the router is up and running (check by pinging it and then ping an address outside of the router).
9) Do a traceroute to the destination to verify all routers along the connection path are operational.
10) Verify that your subnet mask is setup properly.
11) Verify that your local software or hardware firewall is not blocking outbound connections originating from CuteFTP.
12) Verify that your anti-virus software is not at fault (try disabling it).
STATUS:> [2/1/2021 3:24:30 PM] Waiting 30 seconds...
(Continues retry and loop over and over, with same errors)


FIREWALL DISABLED:

STATUS:> [1/31/2021 4:37:25 PM] Getting listing ""...
STATUS:> [1/31/2021 4:37:25 PM] Resolving host name ftp.xxxx.com...
STATUS:> [1/31/2021 4:37:25 PM] Host name ftp.xxxx.com resolved: ip = 12.xx.x.88.
STATUS:> [1/31/2021 4:37:25 PM] Connecting to FTP server... ftp.xxxx.com:990 (ip = 12.xx.x.88)...
STATUS:> [1/31/2021 4:37:25 PM] Socket connected. Waiting for welcome message...
STATUS:> [1/31/2021 4:37:25 PM] Connected. Exchanging encryption keys...
STATUS:> [1/31/2021 4:37:25 PM] Applying certificate chain verification using MS Trusted Root Certification Authority store.
STATUS:> [1/31/2021 4:37:25 PM] This certificate is OK. Session Cipher: 0 bit 
STATUS:> [1/31/2021 4:37:25 PM] SSL Connect time: 97 ms.
STATUS:> [1/31/2021 4:37:25 PM] SSL encrypted session established.
        [1/31/2021 4:37:25 PM] 220 Microsoft FTP Service
STATUS:> [1/31/2021 4:37:25 PM] Connected. Authenticating...
COMMAND:> [1/31/2021 4:37:25 PM] USER xxxxx
        [1/31/2021 4:37:25 PM] 331 Password required
COMMAND:> [1/31/2021 4:37:25 PM] PASS *****
        [1/31/2021 4:37:25 PM] 230 User logged in.
STATUS:> [1/31/2021 4:37:25 PM] Login successful.
COMMAND:> [1/31/2021 4:37:25 PM] SYST
        [1/31/2021 4:37:25 PM] 215 Windows_NT
STATUS:> [1/31/2021 4:37:25 PM] Host type detected: Windows NT.
COMMAND:> [1/31/2021 4:37:25 PM] PWD
        [1/31/2021 4:37:25 PM] 257 "/" is current directory.
STATUS:>  [1/31/2021 4:37:25 PM] Home directory: /
COMMAND:> [1/31/2021 4:37:25 PM] FEAT
        [1/31/2021 4:37:25 PM] Informational Message Only:
        211-Extended features supported:
         LANG EN*
         UTF8
         AUTH TLS;TLS-C;SSL;TLS-P;
         PBSZ
         PROT C;P;
         CCC
         HOST
         SIZE
         MDTM
         REST STREAM
        211 END
STATUS:> [1/31/2021 4:37:25 PM] This site supports features.
STATUS:> [1/31/2021 4:37:25 PM] This site supports SIZE.
STATUS:> [1/31/2021 4:37:25 PM] This site supports UTF-8.
STATUS:> [1/31/2021 4:37:25 PM] This site supports LANG.
STATUS:> [1/31/2021 4:37:25 PM] Setting up character encoding.
COMMAND:> [1/31/2021 4:37:25 PM] LANG
        [1/31/2021 4:37:25 PM] 200 Language is now English, UTF-8 encoding.
COMMAND:> [1/31/2021 4:37:25 PM] OPTS UTF8 on
        [1/31/2021 4:37:25 PM] 200 OPTS UTF8 command successful - UTF8 encoding now ON.
STATUS:> [1/31/2021 4:37:25 PM] Using UTF-8.
STATUS:> [1/31/2021 4:37:25 PM] This site can resume broken downloads.
COMMAND:> [1/31/2021 4:37:25 PM] REST 0
        [1/31/2021 4:37:25 PM] 350 Restarting at 0.
COMMAND:> [1/31/2021 4:37:25 PM] PBSZ 0
        [1/31/2021 4:37:25 PM] 200 PBSZ command successful.
COMMAND:> [1/31/2021 4:37:25 PM] PROT P
        [1/31/2021 4:37:25 PM] 200 PROT command successful.
COMMAND:> [1/31/2021 4:37:25 PM] PASV
        [1/31/2021 4:37:25 PM] 227 Entering Passive Mode (10,1,252,250,156,68).
STATUS:> [1/31/2021 4:37:25 PM] Substituting received PASV address 10.1.252.250 to server address 12.xx.x.88.
COMMAND:> [1/31/2021 4:37:25 PM] LIST
STATUS:> [1/31/2021 4:37:25 PM] Connecting FTP data socket... 12.xx.x.88:40004...
        [1/31/2021 4:37:25 PM] 150 Opening ASCII mode data connection.
STATUS:> [1/31/2021 4:37:25 PM] Connected. Exchanging encryption keys...
STATUS:> [1/31/2021 4:37:25 PM] Applying certificate chain verification using MS Trusted Root Certification Authority store.
STATUS:> [1/31/2021 4:37:25 PM] This certificate is OK.
        Session Cipher: 0 bit 
STATUS:> [1/31/2021 4:37:25 PM] SSL Connect time: 108 ms.
STATUS:> [1/31/2021 4:37:25 PM] SSL encrypted session established.
        [1/31/2021 4:37:25 PM] 226 Transfer complete.
STATUS:> [1/31/2021 4:37:26 PM] Directory listing completed.

Answer 1

I found that the problem was with the "Action" option under the "General" tab, which has the following three radio-button options:

( ) Allow the connection ( ) Allow the connection if it is secure ( ) Block the connection

By trial and error, and by looking at another Windows Server 2019 server, I found that the Microsoft DEFAULT value is the first radio button. On this server the second radio button had been selected, for unknown reasons. This option has further options under the "Customize" button, defaulting to "Allow the connection if it is authenticated and integrity-protected", with the following message: "Allow only connections that are both authenticated and integrity-protected by using IPsec. Compatible with Windows Vista and later."

Further research is needed into why IPsec doesn't work, but for now the Domain network firewall can be enabled, and we are able to connect to the FTP server via port 990 and SSL.
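The condition the answer describes ("Allow the connection if it is secure", i.e. the rule requires IPsec) can be checked from the command line instead of clicking through every rule. The following PowerShell script is an added example and is not part of the original question or answer; it assumes the NetSecurity module that ships with Windows Server 2012 and later, an elevated session, and that the FTPS control channel is the default port 990 (the `$Port` parameter is an assumption and can be pointed at the passive data-port range as well, which the log above shows in use at port 40004). In the NetSecurity cmdlets the GUI choice "Allow the connection if it is secure" shows up as `Authentication` being `Required` or `NoEncap` on the rule's security filter, while the default "Allow the connection" is `NotRequired`.

```powershell
# Added example (not from the original question or answer): list enabled inbound
# Windows Firewall rules that apply to the Domain profile and open the given TCP
# port, and report whether each one requires IPsec authentication, which is what
# "Allow the connection if it is secure" sets. A TLS-only client such as CuteFTP
# cannot satisfy an IPsec requirement, so its connection simply times out.
param(
    [int]$Port = 990   # assumption: FTPS implicit-mode control channel
)

$rules = Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.Profile -match 'Domain|Any' }

$findings = foreach ($rule in $rules) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -ne 'TCP') { continue }

    # LocalPort may be a single port, a range such as "40000-40100", "Any",
    # or a keyword such as "RPC"; only numeric values are compared.
    $matchesPort = foreach ($p in @($portFilter.LocalPort)) {
        if ($p -eq 'Any') { $true }
        elseif ($p -match '^(\d+)-(\d+)$') {
            ([int]$Matches[1] -le $Port) -and ($Port -le [int]$Matches[2])
        }
        elseif ($p -as [int]) { [int]$p -eq $Port }
        else { $false }
    }
    if (-not ($matchesPort -contains $true)) { continue }

    $sec = $rule | Get-NetFirewallSecurityFilter
    [pscustomobject]@{
        Name           = $rule.Name
        DisplayName    = $rule.DisplayName
        Profile        = $rule.Profile
        Action         = $rule.Action
        Authentication = $sec.Authentication   # NotRequired = "Allow the connection"
        Encryption     = $sec.Encryption       # Required/NoEncap = "...if it is secure"
        OverrideBlock  = $sec.OverrideBlockRules
    }
}

$findings | Format-Table -AutoSize

# Flag rules that require IPsec and print the one-line fix that matches the
# answer's GUI change (switching the rule back to plain "Allow the connection").
# Review each rule before applying it; the command is printed, not executed.
$findings | Where-Object { $_.Authentication -ne 'NotRequired' } | ForEach-Object {
    Write-Warning "'$($_.DisplayName)' requires IPsec (Authentication=$($_.Authentication))"
    Write-Host "  Set-NetFirewallRule -Name '$($_.Name)' -Authentication NotRequired -Encryption NotRequired"
}
```

Run it as `.\Check-FtpsRule.ps1` (or with `-Port 40004` for the passive data port) on the affected server; an empty table means no enabled Domain-profile rule opens the port at all, which is a different problem from the one in the answer. Keeping the remediation as printed text rather than applying it automatically is deliberate: a rule that requires IPsec may have been set that way on purpose for other traffic, and the answer itself notes that the reason for the setting on this server was never established.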
