Troubleshooting FTP with Dome9 Agent

In this topic:

    Linux

    Stateful Passive FTP is enabled by default with Dome9 Agent for Linux. This means that manual configuration of port ranges are usually not needed.

    In case passive FTP connections do not work please follow the below steps and make sure you had done all:

    1) Verify "agent.conf"

    /etc/dome9/agent.conf should have the following line:

    enable_ftp = 1

    If it does not exist add it or change the value from 0 to 1, restart dome9 agent with:

    dome9d stop; dome9d start

    2) Verify "conntrack_ftp" stateful kernel module is loaded. As root run:

    lsmod | grep ftp

    and make sure you have the following entry:

    nf_conntrack_ftp

     or

    ip_conntrack_ftp

    If you do not, run:

    modprobe nf_conntrack_ftp

    or

    modprobe ip_conntrack_ftp

    and verify that lsmod | grep ftp returns the proper name module name

    To make sure this module is loaded on boot edit /etc/rc.local and add the proper modprobe statement

    3) Configure your Dome9 central policy to allow FTP and enable it

    set the FTP service (TCP port 21) in Dome9 Central to Always Open or acquire a lease.

    *** If you use a FTP on a port other than 21, please follow the instructions here:  http://ubuntuforums.org/showthread.php?t=1878252

    Windows

    FTP and firewalls can be sometimes tricky. 

    If just defining FTP service doesn't work for you, please try these suggestions.

    Option 1. Try to get the Windows Firewall to work with 'Stateful FTP':
    Stateful FTP means the the Windows firewall will open data ports dynamically by examining the incoming traffic on the main control port (21).
    The problem is that it does not always work, but still, worth a try (Windows 2008 only):

    1. Define FTP service (tcp 21) on your Dome9 security group
    2. On a command line type the following: netsh advfirewall set global StatefulFtp enable
    3. Test your connection now

    Option 2. Manually configure the  passive port range:

    1. Define FTP service (tcp 21) on your Dome9 security group
    2. Locate the passive port range definition of your FTP server program.
      IIS FTP: http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings-in-iis-7/
      Filezilla FTP Server:
      http://wiki.filezilla-project.org/Network_Configuration
    3. Define a port range (range of 10 ports should usually be enough)
    4. Add a new service to your Dome9 security group - 'FTP Passive Port Range'. Use the same ports as defined on your FTP server program!
      Configure the service as 'Always Open'. Since Dome9 protects the FTP control port - non authorized people will not be able to connect.
    5. Test your connection

    If you encounter any issues, please contact Support.