Allowing External Access to your Server

NOTE: The following applies to the FTP protocol only. SSH SFTP and HTTP/S are very different protocols and work differently.

Depending upon your connection to the Internet, you may need to configure your router or firewall before users outside of your local network can see your FTP server. Communication with an FTP server is done through two connections, a control connection, and a data connection. Ensuring these connections can be established are the two areas where special attention is usually needed.

The control connection

The control connection is always the first connection established with an FTP server. The control connection’s purpose is to allow clients to connect and to send commands to the server (and receive server responses). Port 21 is considered the default control connection port, and this is the default port that Cerberus FTP Server will configure your IP interfaces to listen on for new connections. Using the default port is not mandatory – the administrator is free to change the listener to use any free port on the system as the listening port. However, if the administrator is running a software-based firewall, the administrator must be certain that [incoming] connections are not blocked on the port chosen for the control connection. If the port that Cerberus is listening on is blocked, no one will be able to see or connect to the FTP server.

The data connection

The second type of connection is called the data connection. This is the connection that an FTP server uses to exchange file listings and transfer files on. When an FTP client uses the control connection to instruct Cerberus FTP Server to send a file listing or transfer a file, the actual data exchange takes place on the data connection. The data connection is usually where most of the confusion and problems arise for FTP server administrators.

There are two different ways a data connection can be established between an FTP client and an FTP server. The first is commonly called active mode FTP. In this mode, an FTP client sends the IP address and port that the client is currently listening for data connections on to the FTP server. The client accomplishes this by sending the server a PORT command over the control connection. Using the address and port from the PORT command, the FTP Server then connects to the client and sends the file or file listing. When using active FTP mode, the administrator has to make sure that port 20 on the machine that Cerberus FTP Server is running on is open for outgoing connections. The reason for this is because when using active FTP, the server always establishes connections from port 20. Most firewalls allow outgoing connections automatically, so manually opening up port 20 for outgoing connections is usually not necessary.

The other way to establish a data connection between client and server is to use passive FTP mode. Passive mode was introduced to get around common problems with client firewalls. Instead of the FTP server connecting to the FTP client, the client connects to the FTP server using a port previously communicated using the PASV command. When a client issues the PASV command, the FTP server responds with a port that the server is currently listening on for data communication. Problems occur with passive FTP when a firewall between the server Cerberus FTP Server is running on and the client is blocking the selected ports. To get around this problem, the administrator is required to open up the range of ports that Cerberus has reserved for passive FTP connections. You can configure what range of ports Cerberus FTP Sever uses for passive FTP mode by looking under the Advanced page of the Server Manager.

Failures during LIST, NLST, MLST, RETR, or STOR operations can usually be attributed to problems with the data connection.

Common Network Configurations

A PC running Cerberus FTP Server with access to the Internet often fits into one of two configurations:

Configuration 1: Your computer is connected directly to the Internet

This is the simplest network configuration you can have and usually requires little or no configuration to Cerberus FTP Server to allow full access. This configuration is most common with dial-up, DSL, cable modem, and other broadband users. However, machines connected to the Internet directly often employ a software firewall to provide some protection against unwanted intrusion attempts. While some firewall software can automatically detect an FTP server and properly configure itself, the administrator usually has to manually configure the firewall. See the explanation above about the control and data connection for common ports that have to be allowed through a firewall.

Configuration 2: Your computer is connected to a router, and the router is connected to the Internet

Routers usually act as firewalls, so the same problems that can occur in Configuration 1 can occur here. Follow the advice in Configuration 1 to resolve firewall problems.

In addition to the firewall problems that can occur in this network configuration, there is now the problem that the IP address you are using on your machine is not the IP address that the Internet sees for your machine. Other users on the Internet usually see your router’s IP address instead of your PC’s private address. Routers are devices on your network, just like your PC, and they have their own IP address, and that is the IP address the router tells other computers is your address when you go out on the Internet. When a user attempts to connect to the FTP server, they need to use the Internet-facing IP address of the router (the router is where the connection is really happening), not the private address of the computer Cerberus FTP Server is running on. When the router receives the connection attempt it is then able to forwarded the connection to your computer.

The first thing to check in this configuration is that your router is sending all of the FTP traffic to the computer Cerberus FTP Server is running on. Most routers have a web-based configuration utility that you can use to configure Port Forwarding. Specifically, you will want to make sure you forward the control and possible data connection ports to the computer running Cerberus FTP Server.

There is one more problem that crops up in this network configuration. To properly allow passive transfer mode, the administrator will have to make sure Cerberus is giving out the router address in response to PASV requests. You can automatically enable this by making sure “WAN IP Autodetection” is enabled in the ‘General’ tab of the Server Manager. Alternately, you can enter the IP address of the router manually for each interface in the “Use different IP for PASV mode” IP box under the Server manager’s ‘Interfaces’ tab.
While more complicated network configurations are possible, most users will fall into one of the above configurations.