This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 81%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERT%3C/text%3E%3C/svg%3E)
I've set up a Windows 10 file server on a desktop wired to my local network and it's accessible over my local network, but I can only connect to it over internet with one computer, a laptop over wireless, and only when connected to my LAN at home. If I take it across town to my office, I get error message:
An error occurred opening that folder on the FTP server. Make sure you have permsission to access that folder.
Details:
200 type set to A.
227 Entering Passive Mode (10,0,0,xx,xxx,xxx)
I've turned off the firewalls and deactivated anti-virus protection on all 5 of my machines (all Win 10) for testing purposes. I've tried using CuteFTP, Filezilla, WinSCP and Windows explorer over wired and wireless devices.
The FTP clients generate a generic error message that basically says a connection could not be established and/or time out.
I'm stuck on this one laptop connecting easily at home. What does it have that the others don't? What does my home network have that my office doesn't?
Any help is appreciated.
Rip
Yes, the bindings show port 21, and the ftp service is running. I just meant the listening port is different from what your image shows. Yours says LISTENING 2728, mine shows LISTENING 2580. Forgive my elementary understanding of this, but shouldn't it be listening on port 21?
Rip
That is the Process ID number. ":21" is the port.
If you want our help, you are going to have to be specific about what you are doing. We don't know how you set up your network, or what IP addresses you have assigned or what commands you are typing in or if you have a VPN implemented somewhere. Those details are important.
So don't just say "The server itself won't connect", say "I have a PC whose IP address is xxx.xxx.xxx.xxx. I am trying to access a server whose IP is nnn.nnn.nnn.nnn. I can ping the target machine but I cannot connect to FTP port 21". Stuff like that.
Network troubleshooting is many times a process of elimination. That's why I shared canyouseeme.org. But if you don't tell me that you are trying to access the external xxx.59.xxx.xxx address, then I don't know what you are doing!!!
I appreciate your help in this. I provided as much detail as I was able to in my first post, given my very basic knowledge of networking, and I've answered all your questions.
<<you are going to have to be specific about what you are doing>>
Specifically, I am trying to connect to a ftp server that I want to be accessible from anywhere on the internet using a username and a password.
<<We don't know how you set up your network>>
I rent a modem/router from xFinity/Comcast and log in to the gateway at 10.0.0.1. I have desktops, phones, TV's etc. connected to my network LAN as is common in most households. I did set up port 21 forwarding to 10.0.0.44 thru Comcast, which is the address of the server (I believe it's called an 'internal' address), which I configured according to the site to which you referred me:
https://www.windowscentral.com/how-set-and-manage-ftp-server-windows-10
<<or what IP addresses you have assigned>>
I have assigned no IP addresses.
<<or if you have a VPN implemented somewhere>>
I have no VPN.
<<or what commands you are typing in>>
I am typing no commands except the ones you suggested, because I thought you thought they were helpful.
<<say "I have a PC whose IP address is xxx.xxx.xxx.xxx.>>
I have a PC whose IP address is 10.0.0.183. I am trying to access the ftp server whose IP is (according to whatismyipaddress.com) "xx.59.xxx.xxx". canyouseeme.org reports it can see my service on "xx.59.xxx.xxx" on port 21.
Please let me know anything else you need to know and I will happily provide it. Again, forgive my elementary understanding of this and I do appreciate any help.
Rip
Rip, I will try to help you.
If your PC has an IP of 10.0.0.183, then you should be on the same subnet as your server. Don't use the xxx.59.xxx.xxx address, use the 10.0.0.44 address. Or use the server name if that resolves.
Use the xxx.59.xxx.xxx address when the client PC is out on the internet somewhere.
If you want an explanation, I can provide that.
-Dave
I think I understand, but an explanation would be great, thank you.
On my home network, I am using the 10.0.0.44 address and the server name and they both work fine.
I've also been trying to connect over the internet while on my home network because I thought it was a good way to 'mimic' connecting from out on the internet without actually leaving home. If that's a bad way to test, please let me know.
To attempt a connection from out on the internet, I go to our office across town where all my machines are on our office LAN. Tonight I tried from 2 laptops and a desktop. On each one, I try using ftp clients (Filezilla, cuteFTP and WinSCP) with xxx.59.xxx.xxx, the username and password, and they all time out (cuteFTP offers some generic things to check, but they've not helped). Then I try using Windows file explorer address bar with ftp://xxx.59.xxx.xxx and get error messages:
On one of the laptops, I can get as far as viewing the file tree, but then there are further permission issues, which I will detail if you think it's necessary.
I hope there are some conclusions to be drawn from these error messages. Please let me know if you need anything else. Thanks again!
Rip
Let's do a few things with your FTP setup. First configure a banner message so that you know that you are connecting.
Next verify that logging is enabled and that we will have log files to look at.
Check the permissions on your root folder and see who has access. For initial testing at least give Users read access.
If you are sharing pictures of your cat, then anonymous access is ok. For anything else I would turn that off and use basic authentication.
At this point, stop and restart the FTP service to insure that any setting changes got picked up. (Or run iisreset from an admin command prompt.)
Launch FileZilla and in it's site manager define 2 sites. One for the local 10.0.0.44 address and one for the internet xxx.59.xxx.xxx address. Set them both up to log in with a user account and to also use passive mode.
Right click in the log windows and select "Show detailed log". Then try to connect. You should see the banner messages and the home folder files.
If you are at home, connect using the local site. When you are at your office, use the internet site. If you can't connect and don't see what's wrong, copy the FZ log and paste it back here. You might also want to check the FTP server logs too.
As I mentioned in my prior post, FTP is not secure. Your userid and password and all of your data is passing over the internet in clear text. Again, if it's pictures of your cat, that's not a big deal. For anything else you are putting your business at risk.
Don't do that!
IIS supports FTPS. That encrypts the connection. Open an admin Powershell prompt on the server and generate a certificate for your site. Use whatever names you wish.
New-SelfSignedCertificate -FriendlyName Test10-FTP -DnsName Test10-FTP -CertStoreLocation cert:\LocalMachine\My -NotAfter (get-date).AddYears(10)
Back on the server open the FTP SSL settings and set it to require SSL and select the certificate that you just generated.
When you connect with Filezilla, it is going to warn you about the certificate. You can select the "Always trust the server certificate" and that message won't be displayed any more.
The command line ftp.exe and the Windows Explorer will not work with FTPS. You will have to use Filezilla or one of the other client apps.
For machines attached to your home network, use file shares instead of FTP. \servername\sharename.
Hello Rip & Dave,
This is an impressively patient and respectful discussion and I feel a bit like an intruder, particularly since I want to throw things into question. Would it not be better to just allow SMB traffic from the Internet to the file server?
That only involves one port (TCP port 445), would use NTLM authentication (rather than plaintext password), would only need to be set-up once (persistent connection), could even be easily encrypted (Set-SmbShare "whatever" -EncryptData $True) and is easy to use.
The implications of very weak security (plain text password across the Internet) could be bad, even if you just want to share pictures of your cat - bad actors (if they discover the username/password) could use your server as a drop-off/exchange point for illegal material, for example.
Gary
My concern with SMB is that somehow "-EncryptData $False" gets set and no one notices.
If he didn't already have FTP set up and FZ/WinSCP installed, then I would recommend public/private key authentication over SFTP using the OpenSSH feature of Windows. He would only have to forward port 22.
A VPN would be needed if he wants to share more than one machine. (Exchange, Small Business Server, etc.)
Hello Dave,
If it was "my" small business, I would probably use a VPN. Even assuming that the "server" is a Windows 10 client, it is easy to set-up a PPTP VPN server on that client (and possible to set up the other VPN protocols); it is even possible that the home router itself supports a VPN.
The Windows 10 VPN server only supports 1 "concurrent" user, so use of the VPN connection might need to be coordinated with Rip's wife (close VPN when not needed).
Advantages include no need for third party products/tools and flexibility (e.g. perhaps sending documents to the printer in the office).
Gary
<<then I would recommend public/private key authentication over SFTP using the OpenSSH feature of Windows. He would only have to forward port 22.>>
<<If it was "my" small business, I would probably use a VPN. Even assuming that the "server" is a Windows 10 client, it is easy to set-up a PPTP VPN server on that client (and possible to set up the other VPN protocols); it is even possible that the home router itself supports a VPN.>>
I am interested in either/both of these if they will accomplish my objective. If either of you can provide some links so I can learn more about it myself, I'd be grateful.
Thanks to you both for the help!
I will defer to Gary's expertise on setting up a VPN.
For SFTP, forward port 22 just you did with 21 on your router. Install the OpenSSH feature on the server.
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
Edit the config file "C:\ProgramData\ssh\sshd_config" and enable password authentication, and define your user account and it's root folder.
# Authentication:
Allowusers testuser
PasswordAuthentication yes
Match user testuser
ChrootDirectory c:/temp
There are 2 OpenSSH services. Set them to auto start, and start them.
That should get you going using password authentication to start testing. To switch to keys, just Google for instructions.
https://phoenixnap.com/kb/generate-ssh-key-windows-10
You have to generate the pub+priv keys for a user and put the public key in a file on the server in the users ssh directory like I did for my admin user.
Hello Rip,
The first thing to do is to check whether the device(s) that connect your office to the Internet include VPN functionality (mine does: https://www.swisscom.ch/en/residential/help/internet/vpn-server.html). If the functionality is provided then it would be easiest to use it.
If not, one could start the "Network Connections" Control Panel applet (ncpa.cpl) and click on the "New Incoming Connection..." menu entry in the "File" menu. This will start a simple dialogue where you can choose who will be allowed to connect via this method. You will also be offered the opportunity to enable IPv6 support (probably not interesting for your set-up).
For the simplest use of a VPN connection (only access the VPN server), then the other setting defaults are probably OK. Windows will ensure that Windows Firewall rules are correctly enabled to allow VPN connections.
One will have to set up port forwarding for TCP port 1723.
For more functionality (e.g. access to more than one computer in the office, in case you have them) then some of the default settings will need to be modified.
This should allow you to access file share and remote desktop on the server, once you have configured a matching VPN client profile on the potential clients.
Gary