Configuring Serv-U Behind a Router or Firewall
The intent of this newsletter is to give you some pointers on our products. This newsletter discusses common router and firewall issues when using Serv-U.
The most common Serv-U issue we come across in technical support is router configuration issues when Serv-U is running on a computer behind a router or firewall. In this type of environment, Serv-U needs to have a PASV port range configured in it. This PASV port range will also need to be forwarded from your router to Serv-U. In addition, if a firewall is running on the computer, Serv-U needs to be configured as an approved application in order to allow it to access your network. If any of these steps are not taken, it's possible that some of your clients may not be able to reach your FTP server and transfer data.
The biggest tell-tale sign of this issue is the client software hanging while trying to log on to the server. When the client log shows that the last command issued was a PASV command or directory listing command (i.e. MLST, MLSD, or LIST) it usually means the PASV port range is incorrectly configured somewhere on the network. Most commonly, either the router or firewall on the network is not forwarding the PASV port range or the PASV port range is not configured in Serv-U. A "Host unreachable" error may indicate that the main FTP port specified in your Serv-U domain is also not being forwarded.
One of the simplest ways to correct this problem is to enable UPnP (Universal Plug-and-Play) on your router and in Serv-U. UPnP allows Serv-U to tell the router which ports are in use by the software so that they are always open and correctly forwarded whenever Serv-U is running. Enabling UPnP in Serv-U is very easy to do. If UPnP is already enabled on your network device, the Serv-U installer will detect it and ask if you want to enable UPnP support in Serv-U. Refer to your hardware documentation to ensure your device supports UPnP as well as for instructions on how to enable it.
Manually Enabling UPnP in Serv-U
Configuring The Passive Port Range
If UPnP is not available on your network device, you will have to manually configure Serv-U and your device to work with a known passive port range. When configuring a router on the network, the correct port ranges must be forwarded through the router to the computer that Serv-U is installed on. By default, Serv-U uses the standard FTP port number of 21, but any port can be specified as long as the port is not in use by another application on the computer. Additionally, the PASV port range (typically 50000-50004) must be forwarded to the server. With these ports being forwarded in your router, and any firewalls configured to allow FTP traffic through, clients will be able to connect to the server and transfer data.
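The check below is an added example, not code from RhinoSoft or Serv-U: it reads the 227 reply that a client log shows after the PASV command and reports whether the advertised address and port match what the router is forwarding. The 50000-50004 range comes from the paragraph above; the problem labels, the log lines and the 203.0.113.10 address are constructed for illustration, and the LAN-address check goes slightly beyond the port range discussed here.

```python
import ipaddress
import re

# Passive range taken from the article's example (50000-50004); use your own.
PASV_RANGE = range(50000, 50005)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# 227 reply carries h1,h2,h3,h4,p1,p2: four address octets and two port bytes.
PASV_RE = re.compile(r"^227 .*?(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 PASV reply line."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def diagnose(reply, server_addr, pasv_range=PASV_RANGE):
    """Return (ip, port, problems) for one PASV reply seen by a client.

    server_addr is the address the client dialled to reach the server.
    """
    ip, port = parse_pasv(reply)
    dialled = ipaddress.IPv4Address(server_addr)
    on_lan = lambda a: any(a in net for net in RFC1918)
    problems = []
    if on_lan(ip) and not on_lan(dialled):
        problems.append("lan-address-advertised")   # unreachable from outside
    elif ip != dialled:
        problems.append("address-mismatch")
    if port not in pasv_range:
        problems.append("port-outside-range")       # not a forwarded port
    return ip, port, problems


if __name__ == "__main__":
    # Constructed client-log lines; 203.0.113.10 is a documentation address.
    for line in ("227 Entering Passive Mode (192,168,1,10,195,80)",
                 "227 Entering Passive Mode (203,0,113,10,4,1)",
                 "227 Entering Passive Mode (203,0,113,10,195,84)"):
        print(line, "->", diagnose(line, "203.0.113.10"))
```

An empty problem list means the reply points at the dialled address and a port inside the forwarded range, so a hang at that point is more likely a firewall on the server computer than the router.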
Our Online Knowledge Base contains many articles targeted at ensuring Serv-U is properly configured in this environment. Below are links to some popular articles that assist in configuring typical home routers. The principles used in these articles can be applied to assist in configuring some of the more complex corporate level routers. Additional articles explain how to configure the PASV port range in Serv-U and how to add Serv-U as an approved application in the Windows Firewall.
Configuring a PASV port range with Serv-U:
Configuring the Windows Firewall:
SSL And NAT Related Issues
When using SSL encryption, issues can arise with NAT (Network Address Translation) enabled devices. NAT enabled devices try to interpret FTP commands and responses so that they can anticipate expected incoming connections and forward them to the appropriate computer on your LAN. When Serv-U is set to use SSL, the NAT enabled device cannot decrypt the SSL command connection, which causes the FTP connection to "hang" on data transfers. You can get around this by instructing your FTP client, such as FTP Voyager Secure, to use the CCC (Clear Command Channel) command. CCC returns the command connection to clear text once the login has completed, so the NAT enabled device can read the FTP commands and responses again; commands sent after that point are no longer encrypted.
CCC (Clear Command Channel) Information:
FTP Voyager and Routers, SSL, PASV, and PORT:
Happy Holidays and thanks for reading!
JoRey Stephens - Technical Support Engineer
Voice: +1(262) 560-9627
FAX: +1(262) 560-9628