I'm trying to configure an FTP site with IIS on Windows 10. Active connections made to the server's internal (behind the firewall) address work properly (e.g. 10.0.1.4), but any type of connection (active or passive) to the external IP for the server fails. Passive connections (using these is my goal) fail giving a "Failed to retrieve directory listing" error as follows:

Status: Connecting to XX.XXX.XX.XX:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is current directory.
Command:    TYPE I
Response:   200 Type set to I.
Command:    PASV
Response:   227 Entering Passive Mode (XX,XXX,XX,XX,4,2).
Command:    LIST
Response:   150 Opening BINARY mode data connection.
Error:  The data connection could not be established: ECONNREFUSED - Connection refused by server

What I've tried:

  1. Tried both passive and active connections
  2. Checked the firewall (hardware SonicWall) to ensure that ports 20, 21, and 1025-1048 are all open
  3. Disabled the Windows firewall on the source and target machines; no other software firewalls are in place. The cable modem's firewall is similarly disabled.

IIS's FTP Firewall Support is set to 1025-1048 for the Data Channel Port Range, and the External Address of the Firewall is set to the network address of the SonicWall.

  4. Have tried opening up all ports to the affected server as a test to eliminate port issues
  5. Have checked the IIS FTP log. The log shows the PASV command being processed successfully (code 227), followed by the LIST command failing with a 550 and the control channel closing. No other information of note.

Really stuck here. Any ideas?

Thanks,

-Pete

UPDATE:

Fixed a problem with a virtual directory (a drive letter had changed) in the main tree of the FTP site, and suddenly active connections began to work from both inside and outside the firewall.

Unfortunately, passive connections still fail as follows:

Status: Resolving address of mysite.com
Status: Connecting to xx.xxx.xx.xx:21...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is current directory.
Command:    TYPE I
Response:   200 Type set to I.
Command:    PASV
Error:  Disconnected from server: ECONNABORTED - Connection aborted
Error:  Failed to retrieve directory listing
Status: Disconnected from server

2 Answers

Your FTP passive connection is well established, and the problem is only on the LIST command.

I would think that the problem is one of permissions on the / directory, whichever it is.

Check if the account IIS_IUSRS has the permission "List folder contents" on that folder.

If this doesn't solve the problem, please post a screenshot of Properties > Security for the folder, after clicking on IIS_IUSRS.

  • User "Everyone" has [temporarily] Modify access to the entire FTP tree for testing's sake (same for IUSR and Network Services--yes it's redundant, but we're testing here). I did make some progress; turns out that there was a virtual directory in the home directory which had an invalid path (due to a drive letter swap). Fixing that allowed all active connections to work--both in and out of the firewall. Passive connections still give errors as follows:
    – pbickford
    Commented Jan 20, 2020 at 0:55
  • Status: Resolving address of mysite.com
    Status: Connecting to xx.xxx.xx.xx:21...
    Status: Connection established, waiting for welcome message...
    Status: Insecure server, it does not support FTP over TLS.
    Status: Logged in
    Status: Retrieving directory listing...
    Command:    PWD
    Response:   257 "/" is current directory.
    Command:    TYPE I
    Response:   200 Type set to I.
    Command:    PASV
    Error:  Disconnected from server: ECONNABORTED - Connection aborted
    Error:  Failed to retrieve directory listing
    Status: Disconnected from server
    – pbickford
    Commented Jan 20, 2020 at 0:55
  • User "Everyone" may not be sufficient. Try adding IIS_IUSRS.
    – harrymc
    Commented Jan 20, 2020 at 7:08
Man, this was a tough one, but with some clues from the folks here, a ton of googling, and spending quality time with the SonicWall Packet Monitor, I found the solution to my--as it turns out--problemS:

(Trying to be as complete as possible in the instructions to fix a similar issue for anyone discovering this article while facing a similar problem.)

  1. The initial LIST was failing (giving a deceptive "Connection Refused" error) due not to a permissions issue, but because it contained a virtual directory reference (the site definition was from a server being moved) to a hard drive letter that was different on the new server. Going to IIS, selecting the virtual directory in the site tree listing, then clicking "Basic Settings" on the directory and changing the Physical Path to its proper path on the new server fixed that problem.
  2. The really tricky part was solving why the LIST command would then work on Active connections, but not Passive ones. In the end, the packet monitor showed that the SonicWall was dropping the packet confirming the switch to passive mode--from the internal IP address of the server--despite all traffic from internal to external specifically being allowed in the firewall rules.

In the end, the problem was traced back to a conflict between IIS's FTP Firewall Support settings and the SonicWall's own attempts to automatically open and remap its own TCP ports for passive firewalls (found in SonicWall's Firewall Settings > Advanced > Dynamic Ports > "Enable FTP Transformations for TCP port(s) in Service Object [FTP v]" setting). Basically, IIS was allocating a port (in my case 50100-51100 range), SonicWall was remapping it to another range (a random number which fell in a different port range--14389, for instance). And then the SonicWall was treating this packet as invalid and dropping it. (It's related to, but not identical to, another hidden feature in the SonicWall to prevent FTP bounce attacks.)

There appears to be no way to switch off the firewall treatments in either IIS or SonicWall [setting the data channel port range to 0-0 in IIS's FTP Firewall Support setting was ineffective], but by choosing an unused service object for the SonicWall's "Enable TCP Transformations for TCP port(s) in Service Object: [I chose the Tivo UDP beacon--basically anything but FTP works]" -- suddenly everything fell into place and the passive connections worked.

One final note: In IIS's FTP Firewall Support, the correct "External IP Address of Firewall" isn't necessarily the external address of the SonicWall's WAN port--it's the external address of the server hosting the FTP site (if those are different).
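The failure described in this answer is visible to an administrator on the client side: the port advertised in the 227 reply no longer falls inside the Data Channel Port Range that IIS was configured with, because something in the path (here the SonicWall's FTP transformation) rewrote it. The following check, added here as an illustration and not code from the question or the answer, parses a 227 reply and compares it against the configured external IP and port range; the IP addresses and ports in the sample replies are constructed (203.0.113.10 is a documentation address), and the 14389 port is the one the answer mentions.

```python
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) -- host octets and a 16-bit port split into two bytes
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if the line is not a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply, expected_ip, port_range):
    """Compare what the client actually received with what the server was configured to advertise.

    expected_ip: the 'External IP Address of Firewall' configured in IIS FTP Firewall Support.
    port_range:  the (low, high) Data Channel Port Range configured in IIS.
    Returns a list of findings; an empty list means the reply is consistent with the configuration.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["reply is not a 227 passive-mode response"]
    ip, port = parsed
    low, high = port_range
    findings = []
    if ip != expected_ip:
        # Typical when NAT is not configured in IIS and the server leaks its internal address.
        findings.append(f"advertised IP {ip} differs from configured external IP {expected_ip}")
    if not low <= port <= high:
        # Typical when a firewall ALG rewrites the PASV port, as the SonicWall did in this thread.
        findings.append(f"advertised port {port} is outside configured range {low}-{high}; "
                        "an FTP ALG/NAT device may be rewriting the 227 reply")
    return findings


if __name__ == "__main__":
    # Constructed sample replies: a consistent one, an ALG-rewritten one, and a leaked internal address.
    for reply in ("227 Entering Passive Mode (203,0,113,10,4,2).",
                  "227 Entering Passive Mode (203,0,113,10,56,53).",
                  "227 Entering Passive Mode (10,0,1,4,4,2)."):
        print(reply, "->", check_pasv(reply, "203.0.113.10", (1025, 1048)) or ["ok"])
```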
