routing question
Ok, I'll keep this short and to the point. I have an FTP server set up that needs to be accessed internally from within the domain and externally for clients to connect to. DNS appears to be functioning, as nslookup and ping both resolve correctly (internal hostname has internal IP, external hostname has external IP). I can connect to the FTP server if I specify the internal hostname or IP, but when I try to connect via the external name or IP I get a connection refused. I can telnet to the internal IP/port but not the external. Our "network person" says the traffic inbound for the external server IP is properly routed to the internal address. If that's the case, what can possibly be dropping the connection? Let me know if more clarification is needed. Server is 2008, the client I've been testing connection with is Windows 7 x64. FTP server is WS_FTP, FTP client used during testing is FileZilla. Thanks! Tim
Tim Magnuson | Microsoft Community Contributor Award 2011 | Ok, so I changed my name...you can still call me Tom if you like. It's a...jump...to conclusions...mat. My Blog Site: http://tmagnuson.wordpress.com
April 12th, 2011 4:12pm

Could it be a firewall issue? Enabling an FTP service will usually automatically create a firewall exception allowing connections from the local network/subnet but not remote or external networks.
Rob Williams
April 12th, 2011 6:42pm

Hi Rob, I've been trying to make sure that's not the problem. I've created firewall exceptions for all profiles for the FTP ports in use, but the behavior doesn't change. This one has me stumped.
Tim Magnuson
April 12th, 2011 7:59pm

Ok, so are there one or two NICs in the FTP box? You make it sound like one, but I want to be sure. If there are two NICs, are you creating these firewall rules for the correct network profile? If you look in Control Panel\Network and Internet\Network and Sharing Center you'll see the connections. It should also show you the network location for each (home, work, or public). AFAIK, the firewall profiles (domain, private, and public) correspond to these network locations. So, are you setting the rules for the correct profile? In wf.msc on inbound rules you should see a Profile column. Either make sure you have the correct profile set for your rules, or set it to all profiles (I'd probably set it to "all" until you figure out the problem). Also, make sure you don't have any deny rules on the firewall...heck, for troubleshooting purposes can you just disable the firewall for all profiles so we know whether that's even the problem?
April 12th, 2011 10:26pm

There are 2 NICs, actually 3 now that I think about it, however only 1 is being used. The router is NATing traffic destined for the external IP to the internal IP of the FTP server (sounds messed up, I know). I've set the exceptions to all profiles just to make sure I'm getting the right one; I've even tried disabling the firewall and it doesn't seem to change anything. I suggested we enable a second NIC and assign the IP of the external address, but other people seemed to think that wouldn't work, since they are on the same subnet??? Networking is not one of my strongest points, but in my opinion setting one NIC to an external address and one NIC to an internal IP shouldn't have any effect on whether or not they're on the same subnet...someone feel free to explain this to me. GPO dictates the majority of the firewall settings; since this is my area, I can guarantee there have been no deny rules set. I'll verify I'm working with the correct profile when I get in tomorrow and let you know of any changes. Meanwhile, can someone verify that setting the 2 NICs to 2 different IPs (internal/external) will have no negative impact? Just an example of the 2 IPs in question:
internal: 10.110.80.xxx
external: 65.116.44.xxx
Thanks for all your help! Tim
Tim Magnuson
April 13th, 2011 12:00am

You would only enable a second IP if it were to have a public IP and be exposed directly to the Internet, which in itself is risky and complicates matters. There is nothing wrong with the configuration of Modem => NAT Router => private IP on FTP server; that should work, assuming:
- the router has port 21 forwarded to the private IP of the FTP server
- all outgoing router traffic is allowed. Generally it is by default, but if not there are FTP ports to open to allow replies to external clients
- you do not have a modem that is also a combined modem and router. If so, port forwarding on it has to be enabled to forward port 21 to the router
- software firewalls, such as the Windows firewall, are configured or disabled on the FTP server
- your ISP allows hosting an FTP server. Some ISPs block ports 21, 25, and 80 to prevent hosting FTP, mail, and web servers
Is RRAS enabled by any chance on the server? If so, that may not be a problem, but why? And if so, is NAT enabled within RRAS?
Rob Williams
April 13th, 2011 12:12am

Hi Rob, I can't get in to the router to 110% verify that port 21 is open through the router; however, with a dozen calls to our network guy he swears up and down it's open, so I'll believe him for now. As far as I know, there is no policy restricting outbound communication. The modem/router thing I'll have to ask about; we've made a LOT of network hardware changes here in the past 2 weeks. I'll continue to tweak the firewall to eliminate that as a possibility. We had an FTP server up and running but unfortunately it died, which brings us to this point, but our ISP (Qwest) has never mentioned anything about an FTP; this is a business connection, no residential setup or anything like that. The RRAS role is not installed on the server.
Tim Magnuson
April 13th, 2011 9:22am

I doubt it's worth messing with the firewall much if you've disabled it and port 21 still isn't getting through. When you say you disabled it, did you disable the service or did you turn off each profile using wf.msc (or the group policy)? I ask because it's not supported to disable the service in 2008+. It will cause problems if you do. The correct way to disable the firewall is to do it locally with wf.msc or with the group policy editor. Go through each profile and set it to Firewall State: Off. If traffic still isn't getting through, then it isn't the Windows firewall. Any endpoint protection software installed? What AV program are you running? I'm focusing on the Windows aspect here, but I think Rob Williams covered everything from a network perspective. Thanks!
April 13th, 2011 10:43am
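The checks Sean and the earlier reply describe (is the rule on the right profile, is the profile really Off rather than the service stopped, does port 21 answer on one address but not the other) can be scripted so they are run the same way each time. The following PowerShell is an added example written for this thread, not code from any poster or from Microsoft; it uses `netsh advfirewall` and `System.Net.Sockets.TcpClient` so that it runs on Server 2008, and the two addresses at the top are placeholders to replace with your own. The netsh parsing assumes English output.

```powershell
# Added example, not code from the thread. Verifies the points raised above:
# the Windows Firewall service (MpsSvc) is still running, the per-profile state
# as set in wf.msc / Group Policy, which inbound rules cover the FTP port and on
# which profiles, and whether TCP/21 actually answers on each address.
# Addresses are placeholders.

$FtpPort      = 21
$InternalAddr = '10.110.80.10'   # placeholder: private IP of the FTP server
$ExternalAddr = '65.116.44.10'   # placeholder: public IP the router forwards

function Get-FirewallProfileState {
    # Parses 'netsh advfirewall show allprofiles state' (Server 2008 compatible;
    # on 2012+ Get-NetFirewallProfile returns the same data as objects).
    $current = $null
    netsh advfirewall show allprofiles state | ForEach-Object {
        if ($_ -match '^(\w+) Profile Settings:') { $current = $Matches[1] }
        elseif ($current -and $_ -match '^State\s+(\S+)') {
            [pscustomobject]@{ Profile = $current; State = $Matches[1] }
        }
    }
}

function Get-InboundRulesForPort {
    param([int] $Port)
    # netsh prints one blank-line-separated block per rule; keep the blocks whose
    # LocalPort field names the port (alone or in a comma-separated list).
    $text   = (netsh advfirewall firewall show rule name=all dir=in) -join "`n"
    $blocks = $text -split "`n\s*`n"
    foreach ($b in $blocks) {
        if ($b -match 'LocalPort:\s+(\S+)' -and (($Matches[1] -split ',') -contains "$Port")) {
            [pscustomobject]@{
                Rule     = [regex]::Match($b, 'Rule Name:\s+(.+)').Groups[1].Value.Trim()
                Enabled  = [regex]::Match($b, 'Enabled:\s+(\S+)').Groups[1].Value
                Profiles = [regex]::Match($b, 'Profiles:\s+(.+)').Groups[1].Value.Trim()
                Action   = [regex]::Match($b, 'Action:\s+(\S+)').Groups[1].Value
            }
        }
    }
}

function Test-TcpPort {
    # Distinguishes "open", "refused" (peer answered with RST) and "timeout"
    # (nothing came back: dropped upstream, or the router does not hair-pin).
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result = 'timeout (no reply: dropped upstream or hair-pin unsupported)'
        } else {
            $client.EndConnect($ar)          # throws on RST -> connection refused
            $result = 'open'
        }
    } catch {
        $result = 'refused: ' + $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    [pscustomobject]@{ Target = "${ComputerName}:$Port"; Result = $result }
}

# --- run the checks ---
"MpsSvc service status: $((Get-Service -Name MpsSvc).Status)"   # expected: Running
Get-FirewallProfileState         | Format-Table -AutoSize
Get-InboundRulesForPort $FtpPort | Format-Table -AutoSize
Test-TcpPort -ComputerName $InternalAddr -Port $FtpPort
Test-TcpPort -ComputerName $ExternalAddr -Port $FtpPort
```

Reading the output: if every profile reports OFF (or an enabled Allow rule for the port exists on all profiles) and the internal probe is `open` while the external one is `timeout` or `refused`, the host is not what drops the connection and the router/NAT path is the next place to look.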

Let me throw a curveball at you: today, external clients are able to connect to the server using the external hostname or IP. Our DNS records seem to be appropriately configured:
domain.local ftp server 10.110.80.xxx
domain.com ftp server 65.116.44.xxx
Here's the odd part: again, external clients can connect no problem, internal employees can connect to the internal address, but if we (internal people) try to connect to the external name or IP of the FTP server, we see a bunch of connections in CLOSE_WAIT status and eventually they'll pile up to the point where the server stops responding to everything and we have to reboot it. Now I'm completely at a loss as to what's causing this. It might be worth adding that we have a Riverbed device in place and personally, I think that's doing something to the IP stack, like an ACK isn't being sent or something. Ideas? Thanks!
Tim Magnuson
April 13th, 2011 10:44am
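The CLOSE_WAIT pile-up in the post above is worth watching with numbers rather than a reboot: CLOSE_WAIT is the state a socket sits in after the peer has sent its FIN and the local application has not yet closed its end, so the count grows on the host holding the sockets. The following PowerShell is an added example written for this thread, not code from any poster; it summarises `netstat -ano` (present on Server 2008) by owning process, local port and remote host, and the alert threshold is an arbitrary placeholder.

```powershell
# Added example, not code from the thread. Counts TCP sockets stuck in
# CLOSE_WAIT per owning process and local port so the build-up can be seen
# before the server stops responding. netstat -ano works on Server 2008; on
# 2012+ Get-NetTCPConnection -State CloseWait returns the same data as objects.

function Get-CloseWaitSummary {
    param([int] $WarnThreshold = 100)   # placeholder threshold, tune to your server
    $rows = netstat -ano -p tcp | Select-String 'CLOSE_WAIT' | ForEach-Object {
        # netstat columns: Proto  LocalAddress  ForeignAddress  State  PID
        $f = $_.Line.Trim() -split '\s+'
        [pscustomobject]@{
            LocalPort  = ($f[1] -split ':')[-1]
            RemoteHost = ($f[2] -split ':')[0]
            OwnerPid   = [int] $f[4]
        }
    }
    $rows | Group-Object OwnerPid, LocalPort | ForEach-Object {
        $owner = $_.Group[0].OwnerPid
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process     = if ($proc) { $proc.ProcessName } else { "pid $owner" }
            LocalPort   = $_.Group[0].LocalPort
            CloseWait   = $_.Count
            RemoteHosts = ($_.Group | ForEach-Object { $_.RemoteHost } | Sort-Object -Unique) -join ', '
            Alert       = ($_.Count -ge $WarnThreshold)
        }
    } | Sort-Object CloseWait -Descending
}

Get-CloseWaitSummary | Format-Table -AutoSize
```

If the remote hosts listed against the FTP process are all internal clients that used the public name, that matches the pattern described in the post; the immediate relief is to stop those clients using the public address, and split DNS removes the cause.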

Hey Sean, looks like we posted at the same time... I turned off the profiles, I did not disable the service. I've read about problems this can cause as well. Even as a test measure, I made a new rule for all profiles to allow all ports and all programs; still no dice. So the firewall is practically eliminated from the equation. What about the Riverbed thing? I know this isn't a Riverbed forum, so I'll keep those questions to a minimum. Thanks again!
Tim Magnuson
April 13th, 2011 10:48am

>> "but if we (internal people) try to connect to the external name or IP"
Many routers, I might even dare to say most routers, will not support this. It is called "hair-pinning". The router cannot route internal packets to the external interface.
Rob Williams
April 13th, 2011 2:09pm

Yeah, I think that's what we're up against, since essentially we have split DNS set up, and I think the router is refusing to let internal clients route to the external (back to internal) addresses. I'm going to test this by setting external domain DNS records to internal IP addresses and see if that resolves it. Thanks Rob and Sean for all your help! Tim
Tim Magnuson
April 13th, 2011 2:18pm

Just to provide some supporting evidence to this: the previous equipment we had was an Adtran modem/router. Now we've disabled the routing part for it so it's strictly acting as a modem, which then goes into a Cisco Catalyst 2800 Series router. I'm quite certain now this is what's causing the issue.
Tim Magnuson
April 13th, 2011 2:25pm

The hair-pinning issue is a routing limitation, not DNS, so I am doubtful it can be resolved. If split DNS is properly set up on your DNS server, an internal request for the public DNS record should return the internal FTP server's IP and thus not involve the router at all.
Rob Williams
April 13th, 2011 2:25pm

On our DNS server we had an A record for our webmail interface which was using a .com (external) IP address; after changing the IP of the record to the internal IP of the mail server, we were able to pull up the webmail interface again. The common behavior here is that all the services that were assigned an external DNS record are no longer available; however, switching the record to the internal address seems to restore connectivity. I think we're on to something, I just have to do a little more testing. With the example for the mail server, pinging the mail server responds with the internal address, and nslookup is getting an authoritative answer from our internal DNS server.
Tim Magnuson
April 13th, 2011 2:32pm

Yes, if you have split DNS set up (a zone with the public domain name on your internal DNS server) and you add a host record ftp.YourDomain.com pointing to 10.110.80, it should resolve the name internally for the LAN clients and eliminate any external routing or DNS. It becomes seamless to internal and external users.
Rob Williams
April 13th, 2011 2:47pm

Yep, we have 1 zone for domain.local and 1 zone for domain.com; adding the record in domain.com for the 10.110.80 address does resolve correctly. I'm assuming this is a good thing?
Tim Magnuson
April 13th, 2011 2:56pm

Yes, that is ideal.
Rob Williams
April 13th, 2011 3:14pm

Awesome. I have one more question, not trying to stray too far off the subject. We have one more external site, again one that we cannot resolve internally; however, it has a different domain name than any of our others, and therefore has no DNS zone since there would only be 1 entry. How can I get internal clients to resolve to the internal IP of the server it's hosted on? Thanks again for all your help!
Tim Magnuson
April 13th, 2011 3:17pm

You can create a new zone and host record. To do so, in the DNS management console of the server right-click on "Forward Lookup Zone" and select "New Zone", accept all defaults and, when asked for the zone name, enter NewZoneName.abc and complete the wizard. Then within that zone, in the right-hand window, choose New Host (A) record, enter the prefix such as servername and complete that wizard. It is a good idea, when prompted, to allow creating the matching PTR record.
Rob Williams
April 13th, 2011 3:36pm
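The same result as the console steps above, plus a check that covers the earlier split-DNS point (an internal query for a public name should return the LAN address, otherwise internal clients hit the router's hair-pin limitation), can be scripted. The following PowerShell is an added example written for this thread, not code from any poster or from Microsoft. It uses the `DnsServer` and `DnsClient` modules, which ship with Windows Server 2012+ / RSAT rather than with Server 2008 (on 2008 the console steps above or dnscmd.exe do the same job); every zone name, hostname and address in it is a placeholder.

```powershell
# Added example, not code from the thread. Creates a zone and A record for a
# public name that must resolve to a LAN address from inside, then audits a list
# of public names against the internal and an external resolver and flags any
# that still hand out a public IP to LAN clients (the hair-pin case).
# Needs the DnsServer and DnsClient modules (Server 2012+ / RSAT). Placeholders throughout.

$ZoneName    = 'othersite.example'   # placeholder: domain of the externally hosted site
$HostLabel   = 'www'                 # placeholder: record prefix
$InternalIP  = '10.110.80.25'        # placeholder: LAN address of the hosting server
$InternalDns = '10.110.80.5'         # placeholder: internal DNS server
$ExternalDns = '8.8.8.8'             # public resolver, used only for comparison

# 1. Zone (file-backed primary; use -ReplicationScope Domain for AD-integrated)
#    and host record with matching PTR (the reverse zone must already exist).
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns"
}
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $HostLabel `
    -IPv4Address $InternalIP -CreatePtr

# 2. Audit: which public names still resolve to a public IP from inside?
function Test-HairpinRisk {
    param([string[]] $Names, [string] $InternalResolver, [string] $ExternalResolver)
    $rfc1918 = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
    foreach ($n in $Names) {
        $inside  = @(Resolve-DnsName -Name $n -Type A -Server $InternalResolver -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        $outside = @(Resolve-DnsName -Name $n -Type A -Server $ExternalResolver -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        $verdict = if ($inside.Count -eq 0) {
                       'no internal answer'
                   } elseif (@($inside | Where-Object { $_ -notmatch $rfc1918 }).Count -gt 0) {
                       'HAIRPIN RISK: internal resolver returns a public IP'
                   } else {
                       'ok: LAN clients reach the server directly'
                   }
        [pscustomobject]@{
            Name = $n; Internal = ($inside -join ','); External = ($outside -join ','); Verdict = $verdict
        }
    }
}

# Placeholder names: the FTP and webmail records from the thread plus the new one.
Test-HairpinRisk -Names 'ftp.domain.com', 'webmail.domain.com', "$HostLabel.$ZoneName" `
    -InternalResolver $InternalDns -ExternalResolver $ExternalDns | Format-Table -AutoSize
```

The External column is there only to confirm the public record still points at the router for outside clients; the Internal column is what LAN clients use, and every row should show a private address once split DNS is complete.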

Ok, I added the new zone and the single record for the site in question, assigned it the internal IP of the hosting server and it's working quite well. I can't thank you enough! Tim
Tim Magnuson
April 13th, 2011 3:42pm

Glad to hear. Thanks Tim. Cheers!
Rob Williams
April 13th, 2011 3:48pm
