SolarWinds | Serv-U
Using FTP Voyager with a NAT Enabled Router  -  KB Article #1447

Related Articles -- 1138, 1289, 1025

When connecting with FTP over SSL through a NAT router, there are three options that can be used: PASV mode, the CCC command, and a fixed active (PORT) port range. Below are descriptions of how to connect with each one.

NAT - Network Address Translation

NAT (Network Address Translation) is a popular feature supported by virtually every router sold on the market today. In essence, NAT is the method by which your router allows the computers on your network that possess only a private IP address to transparently access the Internet as if they had their own public IP address. This includes forwarding requests to the WAN, waiting for any responses to the request (if necessary), and forwarding the responses from the WAN to the original requesting machine on the LAN.

In the case of FTP, NAT can be an extremely useful operation for your router to support. Most NAT routers are capable of "following along" with an FTP transaction on the traditional port of 21. When the router sees a LAN computer issue a PORT command to start a data transfer, it substitutes its public IP address into the PORT command in place of the private IP address that your FTP client would otherwise send. It can then wait for the server to connect to it on the port specified in the PORT command and forward the connection on to your FTP client within the LAN. This is all done transparently to the client machine and makes FTP operations on your LAN much easier.

Not all NAT-enabled routers will perform the above operations if the FTP transaction is taking place on a non-standard port (a port other than 21). Even worse, when the FTP transaction is secured using SSL, the command channel is encrypted: the router is unable to read any of the command traffic and cannot perform any NAT functionality on it. The following discussion assumes that you're attempting to connect to an FTP server that requires an SSL-secured connection.

PASV Data Transfers

In most cases, you can easily avoid relying on NAT for your FTP connections by configuring FTP Voyager to use PASV mode data transfers. To configure this option, open FTP Voyager, click the "View" menu, and select "Options". Select the "Connection" window and check the box labeled "Use PASV for all sites". This tells FTP Voyager to always use PASV mode data transfers. You can also configure this on a per-site basis by clicking the "Advanced" button for a profile in the Site Profile Manager.

PASV mode places the burden of listening for a data connection on the server, whereas in active mode (PORT) data transfers the client is responsible for listening for the data connection. An excellent description of the differences between active and passive mode data transfers can be found in KB Article #1138.

Unfortunately, not all FTP servers are properly configured to handle passive mode data transfers. They may also be behind a firewall and unable to open the additional ports required for data transfers. If your data transfers (including directory listings) still hang while in PASV mode, you'll need to change back to active mode by undoing the above steps. To make data transfers work in cases like this, we need to find ways to allow NAT to work with the encrypted FTP connection.

Using the CCC Command

One way to allow the NAT operations of your router to continue to function over an SSL-secured FTP connection is the CCC command. CCC stands for Clear Command Channel. It is a command issued by the FTP client to the FTP server indicating that the command channel should be unencrypted from that point on. Data transfers remain encrypted after issuing this command, so all file transfers and directory listings remain secure. With an unencrypted command channel, however, your router can again follow the FTP transaction and perform its NAT operations to assist with data transfers.

In order for CCC to work, the FTP server you're connecting to must support this command. Both FTP Voyager and Serv-U support this command. To tell FTP Voyager to issue this command to the server, from the Site Profile Manager, select the site that requires the CCC command, then click the "Advanced" button. Select the "Security" window. Check the box labeled "After login use Clear Command Channel". FTP Voyager will issue the CCC command *after logging in* to the server. Your login information remains SSL encrypted.

Specifying Active Port Ranges

If passive mode data transfers aren't supported by the FTP server and the server also doesn't support the CCC command, there is one final way that FTP Voyager can get data transfers working over an SSL encrypted FTP connection on your LAN. The problem with using a PORT command on a computer without a public IP address is twofold.

The first problem is that the LAN machine does not know what the public IP address of its network is. Without a public IP address, the FTP server cannot connect back to FTP Voyager to start a data transfer. To get around this, you can explicitly specify an IP address for FTP Voyager to use in its PORT commands. To do this, open the "View" menu and select "Options". Under the "Connection" options menu, select the "Port Range / Public IP" window.

In the box labeled "Public IP address or name for PORT command", you can specify your public IP address (if it's known). You can also use a domain name that FTP Voyager will resolve to get the IP address it should use. On a network with a dynamic IP address, this allows you to use a dynamic DNS service, such as DNS4Me, so that you always know the IP address FTP Voyager is using is correct.

The second problem is that by default, your router will have all ports closed and will not allow an FTP server to connect to the port specified in FTP Voyager's PORT command. This can easily be remedied by opening the ports and forwarding them to the machine running FTP Voyager. However, the port is usually randomly provided by the operating system. FTP Voyager can be restricted to use a set range of ports when issuing a PORT command. This allows you to open a range of ports in your router so that FTP data transfers work.

From the same window as above, check the box labeled "When issuing the PORT command, use the following ports". In the boxes labeled "Starting Port" through "Ending Port", enter a range of ports for FTP Voyager to use. Due to operating system restrictions, a minimum range of 100 ports is required. Once you've selected a range (such as 50,000 to 50,100), you will also need to forward these ports in your router. An example of how this is done with a LinkSys router can be found in Knowledge Base article #1289.
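The following added example (not part of the original article or of FTP Voyager) models the two mechanics the article relies on: the RFC 959 PORT encoding a NAT router rewrites when the command channel is readable on port 21, why that rewrite fails once the channel is SSL-encrypted, and the 100-port minimum for a fixed active port range. The LAN and WAN addresses are constructed sample values.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample addresses: the FTP Voyager machine on the LAN and the
# router's WAN side (RFC 1918 and documentation ranges, not real hosts).
PRIVATE_IP = "192.168.1.20"
PUBLIC_IP = "203.0.113.5"

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$")


def encode_port(ip, port):
    """Build the argument of an FTP PORT command: h1,h2,h3,h4,p1,p2 (RFC 959)."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def decode_port(line):
    """Parse a cleartext PORT line into (ip, port); raise if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a readable PORT command")
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    return ".".join(map(str, nums[:4])), (nums[4] << 8) | nums[5]


def nat_rewrite(line, public_ip):
    """Emulate the router 'following along' on port 21: swap a private LAN
    address in a PORT command for the public address and note the port it
    must accept the server's connection on. Once the command channel is
    SSL-encrypted the router only sees opaque bytes, so the line is passed
    through untouched and no port is learned (returned as None)."""
    try:
        ip, port = decode_port(line)
    except ValueError:
        return line, None
    if not any(ip_address(ip) in net for net in RFC1918):
        return line, port
    return "PORT %s\r\n" % encode_port(public_ip, port), port


def check_port_range(start, end):
    """FTP Voyager requires at least 100 ports (inclusive) in a fixed range."""
    return 0 < start <= end <= 65535 and (end - start + 1) >= 100
```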