Remember that FTP data mode -- what's used when a server delivers a file to
a client -- runs in reverse. This makes FTP connections more difficult. The
sequence:
1. Client connects from client-ip:random-port-1 to server on
   server-ip:21/tcp
2. Client authenticates if necessary
3. Client requests a file
   a. Client establishes a listener on itself -- on client-ip:random-port-2
   b. Client informs server of this listening port
4. Server sends file to client
   a. Server connects from server-ip:20/tcp to client-ip:random-port-2
   b. Server downloads content
   c. Server and client close connection
Your IPsec policies must account for the data mode connection that comes
from the server on the server's port 20/tcp to the client on the client's
random-port-2.
Steve Riley
(e-mail address removed)
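The following is an added example, not part of the post above. It models the active-mode sequence the post describes as two flows (client -> server:21, then server:20 -> client's random port) and runs them against a simplified first-match filter policy to show why a policy written only for the control channel drops the data connection. The filter model, the addresses (192.0.2.10 / 198.51.100.5) and the port numbers are constructed for illustration and are not real IPsec policy syntax; the PORT-command parsing follows the h1,h2,h3,h4,p1,p2 format from RFC 959, which is the mechanism by which the client tells the server its listening port in step 3b.

```python
"""Model of the FTP active-mode connection sequence and a check that a
first-match filter policy admits the server-initiated data connection.
Constructed example: addresses, ports and the policy model are made up."""

from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_ip: str          # exact address or "any"
    src_ports: range     # permitted source ports
    dst_ip: str          # exact address or "any"
    dst_ports: range     # permitted destination ports
    action: str          # "permit" or "block"

    def matches(self, f: Flow) -> bool:
        return ((self.src_ip == "any" or self.src_ip == f.src_ip)
                and f.src_port in self.src_ports
                and (self.dst_ip == "any" or self.dst_ip == f.dst_ip)
                and f.dst_port in self.dst_ports)


def evaluate(policy, flow, default="block"):
    """First matching rule wins; flows matching no rule take the default."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return default


def parse_port_command(arg: str):
    """Parse the argument of an FTP PORT command (RFC 959): h1,h2,h3,h4,p1,p2.
    The client sends this in step 3b to name the listener of step 3a."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument")
    host = ".".join(str(p) for p in parts[:4])
    ip_address(host)  # raises ValueError if not a valid address
    port = parts[4] * 256 + parts[5]
    return host, port


def active_mode_flows(client_ip, control_port, server_ip, port_arg):
    """The two connections of one active-mode transfer:
    step 1 (client -> server:21) and step 4a (server:20 -> client listener)."""
    listener_ip, listener_port = parse_port_command(port_arg)
    control = Flow(client_ip, control_port, server_ip, 21)
    data = Flow(server_ip, 20, listener_ip, listener_port)
    return control, data


EPHEMERAL = range(1024, 65536)
CLIENT = "192.0.2.10"      # constructed documentation address
SERVER = "198.51.100.5"    # constructed documentation address

# Policy that only considers the control channel (step 1).
control_only = [
    Rule(CLIENT, EPHEMERAL, SERVER, range(21, 22), "permit"),
]

# Corrected policy: also permit server:20 back to the client's ephemeral range (step 4a).
with_data_mode = control_only + [
    Rule(SERVER, range(20, 21), CLIENT, EPHEMERAL, "permit"),
]


def check_policy(policy):
    """Return (control_action, data_action) for one active-mode transfer.
    The PORT argument below encodes 192.0.2.10 port 196*256+201 = 50377."""
    control, data = active_mode_flows(CLIENT, 50123, SERVER, "192,0,2,10,196,201")
    return evaluate(policy, control), evaluate(policy, data)


if __name__ == "__main__":
    for name, pol in (("control-only", control_only), ("with data mode", with_data_mode)):
        print(f"{name}: control={check_policy(pol)[0]}, data={check_policy(pol)[1]}")
```

Running the script shows the control-only policy permitting the control channel but blocking the server-to-client data connection, and the corrected policy permitting both. The design point is that the data flow's source is the server and its destination port is whatever the client chose at runtime, so a static rule has to cover the client's whole ephemeral range (or the policy has to be built from the PORT command as a stateful inspector would do).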