in Java FTP by (51.1k points)
An edtFTPj/PRO user reported a problem transferring files with implicit FTPS. Inspection of the logs showed that passive-mode data-channel connection attempts were failing.

I'm posting my response here in case it's useful for other people:
This looks like a typical firewall problem. It's hard to solve this kind of problem without understanding the way FTP uses sockets. Forgive me if you already know all this stuff, but I'd like to make sure of the foundations before tackling the problem.

FTP uses a single socket for the control channel. The control channel is used purely for sending commands and receiving replies to those commands; no data is sent on the command channel. Directory listings and file transfers are done on data channels. A new data channel is used for each directory listing and for each file transfer.

Control channels are always initiated by the client, i.e. the client connects to the server. In your case the server has opened port 990 for incoming connections, so it's a simple matter of specifying the IP and port number and then connecting.

Data channels may be initiated in either of two ways. The client may connect to the server, which is called passive mode, or the server may connect to the client, which is called active mode. Since you are using passive mode, I will focus on that. Passive mode connections are not made to a single fixed port.

Instead the server listens on a new port for every listing or transfer. The way it works is this: the client says "I want to upload a file", the server replies "OK, I've opened port XYZ and am waiting for you to connect." The client then connects to port XYZ and starts uploading the file. This procedure is also used for directory listings and downloads.

A problem arises when the server is behind a firewall. In that case the server has opened port XYZ, but the client cannot connect to it because the firewall is not forwarding the connection request. In other words, while the firewall knows that it should forward port 990 connection requests to the given server, it does not know what to do when the connection to port XYZ arrives.

Many firewall routers know how to solve this problem for plain FTP (i.e. unencrypted) because they actually spy on the traffic on the command channel and therefore know which port the server has asked the client to connect to. This is not possible in FTPS because the traffic on the control channel is encrypted and therefore cannot be spied on.

It looks to me like this is your problem.

The solution is to configure the server-side firewall router to always forward a given set of ports to the FTP server. The server should then be configured to always only listen on ports in that range when the client wants to make a connection.


- Hans (EnterpriseDT)
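The check the diagnosis above turns on, as an added example that is not part of the post and not edtFTPj/PRO code: decode the data port the server announces in its PASV (227) reply and test whether it falls inside the port range the server-side firewall forwards. The forwarded range 50000-50100 and the sample replies are constructed for illustration.

```python
import re

# Constructed assumption: the server-side router forwards TCP 50000-50100 to the
# FTP server, and the server is configured to open passive data ports only there.
FORWARDED_PORT_RANGE = (50000, 50100)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" - the six comma-separated bytes
# carry the server's address and the data port it has just opened.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Return (host, port) from a 227 reply, or None if the line is not one.

    The port XYZ the server opened is encoded as two bytes: port = p1*256 + p2.
    With FTPS this reply travels encrypted, so a firewall cannot read it; the
    client (or an operator reading the client log) is the only party that can.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(b > 255 for b in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("PASV reply contains an out-of-range byte: " + reply)
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def data_port_is_forwarded(port, port_range=FORWARDED_PORT_RANGE):
    """True if the announced data port lies in the range the firewall forwards."""
    lo, hi = port_range
    return lo <= port <= hi


def diagnose(reply, port_range=FORWARDED_PORT_RANGE):
    """Explain, for one logged 227 reply, whether the data connection can succeed."""
    parsed = parse_pasv_reply(reply)
    if parsed is None:
        return "not a PASV reply"
    host, port = parsed
    if data_port_is_forwarded(port, port_range):
        return f"ok: data port {port} on {host} is inside the forwarded range"
    return (f"data port {port} on {host} is outside the forwarded range "
            f"{port_range[0]}-{port_range[1]}; the firewall will drop the data connection")


# Constructed sample replies (not taken from the original post's logs).
SAMPLE_OK = "227 Entering Passive Mode (203,0,113,10,195,88)"   # 195*256+88 = 50008
SAMPLE_BAD = "227 Entering Passive Mode (203,0,113,10,234,17)"  # 234*256+17 = 59921

if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_BAD):
        print(diagnose(line))
```

Run it against the 227 lines from the client log: any reply whose computed port is outside the configured range points at the server's passive-port setting or the firewall forwarding rule, not at the client.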
