I ran into a problem today where a Windows Server 2008 R2 FTP server was working fine internally, but when you tried to access it from the internet the connection failed. I checked the firewall rules, in this case a SonicWall NSA, and the NAT and firewall rules were created properly and were passing traffic, but the connection was still failing.
The problem appears to be in the Windows Firewall: for some reason the FTP traffic is not making it through the host firewall even though the edge device is forwarding it. Here is how we resolved the problem:
- Create a new inbound rule in Windows Firewall (Windows Firewall with Advanced Security).
- Choose "Program" as the rule type and point it at c:\windows\system32\svchost.exe, the service host process that runs the FTP service.
- Apply the rule to all three profiles: Domain, Private, and Public.
- Give the rule a name and click Finish.
- Now test again from an external host and you should be able to access the FTP site.
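The same steps as a script, added here as an example and not taken from the original post. It uses netsh advfirewall because Server 2008 R2 ships PowerShell 2.0 without the New-NetFirewallRule cmdlets; run it from an elevated PowerShell prompt. The rule names and the passive data-port range (50000-51000) are assumptions chosen for this example, and the second half shows a narrower rule scoped to the FTP ports, which the original post does not describe.

```powershell
# Added example (not from the original post): scripted equivalent of the GUI steps
# above on Windows Server 2008 R2. netsh advfirewall is used because the
# New-NetFirewallRule cmdlets only exist on Server 2012 and later.
# Rule names and the 50000-51000 passive range are assumptions for this example.

$svchost   = "$env:SystemRoot\System32\svchost.exe"
$broadName = "FTP via svchost (broad)"

# 1. The rule the post describes: any inbound traffic to svchost.exe, all profiles.
#    svchost.exe hosts many services besides FTP (RPC, DNS client, Windows Update,
#    and so on), so this permits far more than the FTP service.
netsh advfirewall firewall add rule name="$broadName" dir=in action=allow `
    program="$svchost" enable=yes profile=any

# 2. Check what was actually created before trusting it.
netsh advfirewall firewall show rule name="$broadName" verbose

# 3. Narrower alternative (added here, not part of the original post): keep the
#    program binding but restrict it to TCP 21 plus the passive-mode data range.
#    The range must match the Data Channel Port Range set under "FTP Firewall
#    Support" in IIS Manager and the port forward on the edge device.
$narrowName = "FTP via svchost (TCP 21 and passive data range)"
netsh advfirewall firewall add rule name="$narrowName" dir=in action=allow `
    program="$svchost" protocol=TCP localport=21,50000-51000 enable=yes profile=any

# 4. Once the narrow rule is confirmed working, remove the broad one so the
#    host firewall, not only the edge router, limits exposure.
netsh advfirewall firewall delete rule name="$broadName"
netsh advfirewall firewall show rule name="$narrowName" verbose

# 5. Test from an external client in passive mode (active mode requires the
#    server to connect back to the client, which NAT on the client side blocks).
#    Example with curl, which defaults to passive FTP:
#      curl -v ftp://<public-ip>/ --user <user>:<password>
```

The netsh rule syntax above (program=, protocol=, localport= with a comma-separated list and range, profile=any) is standard on 2008 R2; only the names and port range are assumed. If the narrow rule works, the symptom the post describes was the host firewall lacking any inbound allow for the FTP service, not a need to open every svchost-hosted port.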
Your rule opens up everything that uses SVCHOST and is a HUGE SECURITY EXPOSURE.
Thank you for the reply.
I do understand the risks associated with this firewall rule, and you are correct, this does open up all ports that may be associated with svchost, which is very insecure. However, I'm under the assumption that your edge router is only allowing the ports for FTP, which should reduce your risk, at least from the external internet. As for the firewall rule, at this point we've not discovered another way to get the server to work without this rule; if you come across a solution that works which is more secure, please do share it with me.