Fileset-ftp to the Cloud


  • Creator
    Topic
  • #120673
    Brian Sweetland
    Participant

    First question: Should I be doing FTP using the fileset-ftp protocol, or using TCL? Looking for a solution to my next question I see some posts that suggest using TCL.

     

    Second: I have two systems configured identically.

    System 1 is a local network in our lab with CL v20.1 on one server and FTP configured on a separate Windows 2020 server.

    System 2 is my own laptop running CL 20.1 and trying to FTP to a Windows 2020 server in the Cloud.

    I have configured my threads and the FTP in IIS manager the exact same way on both systems (IIS FTP site is set up for basic authentication).

     

    System 1 works fine. I can send text, docs, PDF, etc.

    System 2 does not send. I get the error below. On this system (my laptop), I can open the command prompt and FTP a file to the cloud server, so I know the connection works. Because I can use the command prompt, I have to believe my FTP server is fine and it's not network related and the issue is on the CL side. But because this configuration is working on the local network, I'm confused about what I am missing, or need to add.

     

    On my threads for Fileset Options (outbound), I keep it simple, only updated these.

    File: test.txt

    Style: single

    CRNL Convert: None.

     

    For FTP Options tab;

    Login: Admin

    Password: <the PW>

    Response Timeout: 10

    Close connection after write: checked

    Retries: 0

    Dir List Command: nlst

    Delay connection until needed: checked

    Data Type: image/Binary

    Active Mode: NOT checked

    Secure Option: <blank>

    Host: Cloud IP

    Port: ftp

     

    This is the error.

    Thanks.

     

    [pd  :pdtd:INFO/0:    ftp_cloud:07/13/2023 12:12:17] [0.0.212] Writing message to Protocol Driver fileset-ftp

    [fset:init:DBUG/0:    ftp_cloud:07/13/2023 12:12:17] fcDoNetworkStuff:  mode=5

    [pd  :pdtd:INFO/1:    ftp_cloud:07/13/2023 12:12:17] Set driver status to PD_STATUS_UP

    * Uses proxy env variable no_proxy == ‘login.microsoftonline.com’

    *   Trying 111.99.150.95:21…

    * Connected to 111.99.150.95 (111.99.150.95) port 21 (#0)

    < 220 Microsoft FTP Service

    > USER Admin

    < 331 Password required

    > PASS **********

    < 230 User logged in.

    > PWD

    < 257 “/” is current directory.

    * Entry path is ‘/’

    * Request has same path as previous transfer

    > EPSV

    * Connect data stream passively

    * ftp_perform ends with SECONDARY: 0

    < 229 Entering Extended Passive Mode (|||50424|)

    *   Trying 3.15.150.9[fset:wrte:ERR /0:    ftp_cloud:07/13/2023 12:13:00] Error while trying to write test.txt.

    [fset:wrte:ERR /0:    ftp_cloud:--/--/---- --:--:--]                                   Detailed error:Failed to connect to 111.99.150.95 port 21: Timed out

    [fset:wrte:ERR /0:    ftp_cloud:--/--/---- --:--:--]                                   Curl errCode:28 Curl error: Timeout was reached

    [pd  :pdtd:INFO/1:    ftp_cloud:07/13/2023 12:13:00] Set driver status to PD_STATUS_OPENING

    [pd  :pdtd:INFO/1:    ftp_cloud:07/13/2023 12:13:02] Set driver status to PD_STATUS_ERROR

    [pd  :pdtd:INFO/1:    ftp_cloud:07/13/2023 12:13:02] [0.0.212] Writing message failed

     

  • Author
    Replies
    • #120674
      David Barr
      Participant

      Question #1 is why are you using FTP without TLS? It’s insecure.

      It looks like an issue with passive mode ftp. You're probably not seeing this in your command line test because you're not setting the connection to passive mode.

      You would need to figure out which ports your FTP server uses for passive mode and open those ports on your Cloud server firewall. This article may help:

      https://learn.microsoft.com/en-us/iis/publish/using-the-ftp-service/configuring-ftp-firewall-settings-in-iis-7

      You could also try active mode by setting that in your Cloverleaf config. I’m not sure if active or passive would be better, but I would suspect neither are good.
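
Added example (not part of the reply above, and not Cloverleaf or curl code): a small Python check that reads a curl-style FTP trace, works out which data-channel endpoint the server's passive-mode reply tells the client to dial, and compares it with the inbound ranges a firewall allows. The trace lines, addresses and firewall ranges are constructed for illustration.

```python
import re

# Constructed sample in the style of the curl trace posted above (not the original log).
SAMPLE_TRACE = """\
< 230 User logged in.
> EPSV
< 229 Entering Extended Passive Mode (|||50424|)
"""
# Constructed PASV reply: four address octets, then port = p1 * 256 + p2.
SAMPLE_PASV = "< 227 Entering Passive Mode (10,0,0,4,197,8)"

EPSV_RE = re.compile(r"^<\s*229 .*\((.)\1\1(\d{1,5})\1\)")
PASV_RE = re.compile(r"^<\s*227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def data_endpoints(trace, control_host):
    """Return the (host, port) each passive-mode reply tells the client to dial."""
    found = []
    for line in trace.splitlines():
        line = line.strip()
        m = EPSV_RE.match(line)
        if m:
            # EPSV (RFC 2428) carries only a port; the client reuses the control host.
            found.append((control_host, int(m.group(2))))
            continue
        m = PASV_RE.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            found.append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    return found


def diagnose(trace, control_host, allowed_ranges):
    """List reasons the data connection would fail for the given inbound firewall rules."""
    problems = []
    for host, port in data_endpoints(trace, control_host):
        if not any(lo <= port <= hi for lo, hi in allowed_ranges):
            problems.append(f"data port {port} is outside the allowed inbound ranges")
        if host != control_host:
            # PASV behind NAT often advertises the server's internal address.
            problems.append(f"server advertised {host}, not {control_host}")
    return problems
```

A firewall rule that admits only port 21 lets the login succeed and still fails the transfer; the check passes once the server's passive port range and the firewall's allowed range agree.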

    • #120675
      Peter Heggie
      Participant

      I am curious if you have specified a binding address and if it is your laptop address. Is your laptop using DHCP or do you have a fixed IP address?

      Peter Heggie

    • #120735
      Brian Sweetland
      Participant

      Sorry for the late follow up on this. I posted this and then got pulled into a different project. Now back on this one.

      The issue was that the Cloud Firewall was blocking the “Data Channel Port Range”. We added ports 1024-65k? and then it worked.

      So apparently, CL can make the connection on port 21 and the log shows as established, but the “handshake” was being blocked when using the port 50424.

      < 229 Entering Extended Passive Mode (|||50424|)

       

      What I need to figure out now is how is this handshake port determined, and can it be limited to a smaller range.

      The Cloud person says he doesn’t want to open such a wide port range.

       

      This test was not using any security just to test connectivity.

      I’m also working on using SSL for the FTP connection. I have created my own Certificates but this is not working.

      I’ve created the certificates using OpenSSL on the CL server in the PEM format, and then imported them to my FTP server using Windows Cert manager.

      Everything looks to be correct, but it’s not liking the “subject name”.

      CCG is the certificate name/friendly name on the remote server in the personal certificates.

       

      *  subject: C=US; ST=MA; O=GEHC; OU=HL7; CN=CCG; myemail@myemail.com

      *  start date: Aug  10 [fset:wrte:ERR /0:       ftp_ob:08/10/2023 13:45:32] Error while trying to write TestSSL.txt.

      [fset:wrte:ERR /0:       ftp_ob:--/--/---- --:--:--]                                     Detailed error:SSL: certificate subject name ‘CCG’ does not match target host name ‘192.32.43.165’

      [fset:wrte:ERR /0:       ftp_ob:--/--/---- --:--:--]                                     Curl errCode:60 Curl error: SSL peer certificate or SSH remote key was not OK
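
Added example (not part of the post above): a simplified Python model of TLS hostname verification, showing why a certificate whose only name is CN=CCG is rejected when the client connects to an IP address, and which subjectAltName entries would satisfy the check. It is not curl's or Cloverleaf's implementation; the certificate dictionaries use the layout of Python's `ssl` `getpeercert()`, and the addresses and host names are constructed placeholders.

```python
import ipaddress


def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def names_match(cert, target):
    """True if the certificate's names cover the host or IP the client dialled."""
    sans = cert.get("subjectAltName", ())
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if _is_ip(target):
        ips = [v for k, v in sans if k == "IP Address"]
        if ips:
            want = ipaddress.ip_address(target)
            return any(ipaddress.ip_address(v) == want for v in ips)
        return any(cn == target for cn in cns)  # legacy CN fallback, exact match only
    dns = [v for k, v in sans if k == "DNS"]
    if dns:
        return any(_dns_match(v, target) for v in dns)
    return any(_dns_match(cn, target) for cn in cns)  # legacy CN fallback


# Constructed certificates: the first mirrors the subject in the post (CN=CCG, no SAN).
CN_ONLY = {"subject": ((("countryName", "US"),), (("commonName", "CCG"),))}
WITH_IP_SAN = dict(CN_ONLY, subjectAltName=(("IP Address", "192.0.2.10"),))
WITH_DNS_SAN = dict(CN_ONLY, subjectAltName=(("DNS", "ftp.example.test"),))
```

The friendly name shown in the Windows certificate store plays no part in this comparison; only the names inside the certificate do.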

       
