Secure FTP Server/SFTP Server


FTPS is not working through my router but works fine locally

The FTP protocol was invented before IP addresses started running out and internal machines started using local addresses. When the FTP protocol was designed everyone had a real IP address on all their machines.

Certain commands in the FTP protocol send your IP address (whether this is the client or the server) to the other end of the connection. For example, the response to the PASV command, which is sent when the client requests a passive connection, carries the IP address of the server. If you are running behind a router with a NAT (local) IP address, then the response from the server will look something like this:

227 Entering Passive Mode (192,168,1,2,15,160)

This is telling the client to connect to it at 192.168.1.2 on port 4000 (15 x 256 + 160). Now if the client is elsewhere on the internet this obviously isn't going to be possible. Modern routers however are quite clever. When they see this data flow from the server to the client on port 21 they modify it before it goes out. So it will become

227 Entering Passive Mode (209,213,66,58,15,160)

Some routers are even clever enough to set up a temporary port forward from their port 4000 to the internal IP address port 4000.

Now here comes the problem. When you use SSL that response from the server to the client is encrypted. Your router can't see it any more, so it can't modify it. So the client receives notification to connect to 192.168.1.2, which of course it fails to do.

Active FTP has similar problems, but here they come from the client end, because in active FTP the server makes an outbound connection to the client. If the client is behind a router, it will give the server its internal IP address in the active command and a similar block will occur.

Is there anything that can be done about this? You can set your external IP address in FileCOPA on its servers page, in the field marked Force IP/Name for Passive Transfers. When this is set, FileCOPA will always send this value when it sends out a response to the PASV command. This will allow passive FTPS to work through your router, but now you will not be able to connect from inside your network. There is no way to fix active FTPS as this is down to the client.
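To check which of these situations a failing connection is in, the 227 reply can be decoded and compared with the address the client used for the control connection. The following is an added example, not FileCOPA code; the function names are hypothetical, and the sample reply and addresses are the ones used in this article.

```python
import ipaddress
import re

# Sample values taken from the article text above.
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,1,2,15,160)"
EXTERNAL_IP = "209.213.66.58"

# A 227 reply carries six numbers: h1,h2,h3,h4 (address) and p1,p2 (port).
_PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),"
                      r"(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 passive-mode reply."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]   # port = p1 x 256 + p2


def diagnose(reply, control_peer):
    """Compare the advertised data address with the address the client
    connected to on port 21 (control_peer)."""
    ip, _port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    if ip == peer:
        return "ok"
    if ip.is_private and not peer.is_private:
        # Reply left the server unmodified: the FTPS-through-NAT case.
        return "unreachable-private-address"
    return "address-mismatch"


def rewrite_pasv(reply, external_ip):
    """Mimic what the router does to a cleartext reply (or what a forced
    passive address achieves): same port, external address."""
    _ip, port = parse_pasv(reply)
    host = ",".join(str(ipaddress.IPv4Address(external_ip)).split("."))
    return "227 Entering Passive Mode (%s,%d,%d)" % (host, port // 256, port % 256)
```

With the forced address in place, a client inside the network that connected to 192.168.1.2 gets `address-mismatch`, which is the internal-connection limitation described above.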