We have recently moved our server onto Azure. It runs our point-of-sale system and uploads a few files via FTP to our webserver which then gets parsed and products are created.
The point of sale software developers have a bunch of batch files that run FTP.exe which unfortunately doesn't support passive file transfers(regardless of what you read - quote pasv & literal pasv don't work). So we are stuck using active transfers, unfortunately this doesn't suit Azure very well.
The server is using ports 10090 - 10100 for active connections (I have created a rule in the NSG to allow 10090-10100 in) but unfortunately this isn't working at all.
I'm in the process of trying to convince the developers to rewrite using WinSCP so that we can just use passive transfers, but otherwise I've been searching for another solution, and so far nothing has worked.
I know it's not an issue in the OS as I've turned off Windows Firewall & still no luck.
Any help or suggestions with this problem is greatly appreciated.!
The server is using ports 10090 - 10100 for active connections (I have
created a rule in the NSG to allow 10090-10100 in) but unfortunately
this isn't working at all.
This is a by design behavior, because the VM's NSG inbount rules have no entries about the random unprivileged ports.
In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.
Here is the connection appears as follows:
For test, I had create 2 VMs (turn off windows firewall) in the same Vnet, and setup FTP on VM1, then use VM2 (disable use passive FTP) to access FTP, it works. Because VM1 and VM2 can connect with each other, and in the same Vnet the NSG does't work for internal network traffic.
So, in this case, active FTP isn't working because the server can't initiate a connection to the client. Maybe the most secure method is passive mode FTP.
Related
I am trying to connect to a FTP server hosted on azure VM using IIS I can connect but I keep getting the following error:
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Could you disable the firewall and try FTP to a different server?
Do you have an NSG (Network Security Group) associated with your VM ?, If yes then you'll need to open port 21/990 to access your FTP Server
Use Azure Powershell to setup the ports and check for the status.
Azure now have an FTP VM in the marketplace that fully setups FileZilla FTP Server https://azuremarketplace.microsoft.com/en-gb/marketplace/apps/cloud-infrastructure-services.filezilla-ftp-server
Setup instructions: https://cloudinfrastructureservices.co.uk/install-filezilla-secure-ftp-server-on-azure-server-2016/
You need to add an additional port range, which the ftp server will choose from for each ftp connection.
While the Windows firewall is automatically configured with rules for the ports 21, 990 and 1024-65535, when IIS FTP server is installed, the rules are not enabled initially.
To enable or change the rules, go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules and locate three "FTP server" rules. If the rules are not enabled, click on Actions > Enable Rule.
https://winscp.net/eng/docs/guide_windows_ftps_server
Refer to the suggestion mentioned here: Cannot list directory on IIS FTP server on Azure, even after configuring Azure inbound rules and Windows firewall
Additional information: https://serverfault.com/questions/279286/how-to-resolve-ftp-error-failed-to-retrieve-directory-listing-for-administrato
If you are using passive mode the server opens a random unprivileged port above 1023. Therefore in order to work you would need to open up a range of ports in Azure. If you need this to work in passive mode your best bet is to use an FTP server where you can configure the passive mode port range, and then create the corresponding inbound port range rule in Azure (and in the OS). If you have any alternatives I wouldn't do it, since the fewer ports you expose the better.
I have a build server with Jenkins running as a Windows Service.
It runs at the local 8080 port.
I want to be able to view the jobs dashboard at any machine by typing the correspondent address in a web browser.
Something like {DNS}:8080/myView.
What I need to define in the Jenkins/Azure to make this happen?
4 moving parts here, you don't really have to do anything on Jenkins part, apart from running it:
VM should have public IP, or you should have some kind of routing to the VM on the port you are interested in.
Network Security Group should permit traffic on the port of interest (8080) (both on the Subnet and on the Network interface) Link
Firewall on the VM should allow traffic on the port of interest.
Application on the VM (Jenkins in your case) should listen to the traffic on the port of interest.
It looks like one have to add an endpoint at the Azure VM. In any case, that's what's worked for me.
I have a VM-1 on Azure with windows server 2012. I have installed FTP server in this. (FileZilla)
Another VM-2 in different cloud, where a windows service will access a FTP server in VM-1.
Both VMs are in different cloud. In FTP , while listing directories I am getting '425 Cant open data connection for dir listing'
I am using active mode in FTP.
But If I install the windows service in local machine, it is running correctly without any issue in FTP.
I'll answer though this isn't a programming question, because I can help. :)
When a virtual machine is created, a default ACL is put in place to block all incoming traffic other than for RDP and Remote PowerShell connections.
http://azure.microsoft.com/blog/2014/03/28/network-isolation-options-for-machines-in-windows-azure-virtual-networks/
You need inbound ports other than 21 for active connections, typically high ports above 1024, if you have port 21 open inbound already then you should use passive (pasv) mode to let the server open a random outbound port first to solve the issue of needing an ACL for other inbound ports.
More info on Active vs Passive and ports: http://slacksite.com/other/ftp.html
I've setup Azure point to site and I'm able to connect from my computer to an Azure VM (file share). I'm also able to ping my computer IP address from the Azure VM. However, I'm not able to connect to any resource on my local computer. When trying to access a file share on my computer from the Azure VM I get the following error:
file and print sharing resource (169.254.108.240) is online but isn't responding to connection attempts.
The remote computer isn’t responding to connections on port 445, possibly due to firewall or security policy settings, or because it might be temporarily unavailable. Windows couldn’t find any problems with the firewall on your computer.
Port 445 is enabled on my local computer:
netsh firewall set portopening TCP 445 ENABLE
As an additional test If I issue a \169.254.108.240 from my local computer point to itself it works fine. The same try from the Azure VM gives me the error above.
Thanks,
Your IP address (169.254.*) is a non-routable address. You'll need to get a valid IP (say with DHCP, or set manually) and allow connections to your machine. If you have a firewall, this means adding a NAT rule to it.
If possible, try making the connection from another computer on your LAN to isolate any other firewall/Azure issues.
I think you have to consider several concepts while implementing azure network, first try to put point to site network on a different range of IPs (like 10.4.0.0) then try to disable firewall on your computer and try again, if you have proper routing device it should go through and get the feedback form the local machine.
I can able to login the dedicated server(has Windows server 2012) from local system by Remote Desktop connection. I used IP address and admin password to login dedicated server. I ran tomcat server in dedicated server and deployed my application then I can access my application from dedicated server's browser like
localhost:8080/myapp
or
xx.xx.xx.xx:8080/myapp
It was working fine there, but when I tried to access the same app from my local system as
xx.xx.xx.xx:8080/myapp
It's not working. I ran netstat -a to see whether the tcp is running or not in dedicated server , I can see 0.0.0.0:8080 is in Listening state in dedicated server. Any idea?
Also if it's a firewall issue then rather turning the firewall you can write inbound and outbound rule for specific port. Turning your firewall on server is a dangerous compromise with security.