This post is authored by Lalitesh Kumar, Pradeep M G and reviewed by Avinash Venkat Reddy. Also special thanks to Adam Conkle and Craig Landis for providing the "points to consider from Azure SLB perspective".

FTP may run in active or passive mode. Passive mode is extensively used to solve the issue of the client firewall blocking the FTP server data connection. Detailed information on FTP server modes here.

Setting up a Passive FTP server in Windows Azure VM involves the following steps:

  1. Deploying a Windows Azure VM
  2. Installing FTP service on Windows Azure VM
  3. Adding the FTP site to IIS Manager on Windows Azure VM
  4. Specify the data channel port for passive FTP connection on Windows Azure VM
  5. Adding ports specified in the previous step as endpoint to the VM
  6. Adding Firewall rules to allow traffic on the added endpoint
  7. Verifying that FTP server is using the port previously specified under data channel port
  8. Points to consider from Azure SLB perspective

Deploying a Windows Azure VM

  1. Log in to the Windows Azure management portal.
  2. Create a Windows Azure VM with Windows Server 2012 or Windows Server 2008 image.
  3. Fill in the appropriate details under the Create a Virtual Machine dialog tabs.
  4. Once the VM is provisioned, RDP into the VM.

Note: If you are new to using Windows Azure then here are the detailed steps to provision a Windows Server VM and RDP to it.

 

Installing FTP service on a Windows Azure VM

  1. Open Server Manager and click Add roles and features.
  2. From the Installation Type tab, select Role-based or feature-based installation and click Next.
  3. From the Server Selection tab, select the server on which you want to enable FTP and click Next.
  4. From the Server Roles tab, select Web Server (IIS); you will be presented with the Add Roles and Features Wizard. Click Web Server (IIS) and then click Add Features.
  5. Click Next on the Features and Web Server Role (IIS) tabs.
  6. From the Role Services tab, select FTP Server and FTP Service and click Next.
  7. From the Confirmation tab, click Install and wait for the installation to complete.

Adding the FTP site to IIS Manager

  1. From Control Panel > Administrative Tools, open the IIS Manager.
  2. From IIS Manager, in the Connections pane, expand the Sites node in the tree, then right click the Default Web Site.
  3. Now click Add FTP Publishing.
  4. Fill the Add FTP Site dialog box as shown in the below figures and click Finish.

Specify the data channel port for passive FTP connection on Windows Azure VM

  1. From the Control Panel open the IIS Manager.
  2. In IIS Manager, in the Connections pane, click local host.
  3. In the Home pane, double-click the FTP Firewall Support feature.
  4. In the Data Channel Port Range box specify a Port Range. In this case we have used 1035-1040. The External IP Address of Firewall is the VIP of your VM.

  5. Click Apply. You will be prompted to configure the firewall to allow FTP access.
  6. To make sure that the FTP server has picked up all the settings we added, stop and start the FTP service.

    Note: iisreset does not restart the FTP service as it is outside the IIS.  

Adding ports specified in the previous step as endpoint to the VM

Ports 1035 to 1040 should also be added as endpoints to the Azure VM. You can add multiple ports as endpoints to the VM using Windows Azure PowerShell. Detailed procedure here.

You can also add endpoints using the management portal. Detailed procedure here.

To confirm that the said ports are added to the VM, please check the endpoint list on portal for the said VM.

Note: You also need to add port 21, the command port for the FTP connection, to the endpoint list.

Adding Firewall rules to allow traffic on the added endpoint

For ports added as endpoints in the above procedure, no configuration is done automatically to the firewall in the guest operating system. When you create an endpoint, you'll need to configure the appropriate ports in the firewall to allow the traffic you intend to route through the endpoint.

In this case I have disabled the Windows firewall for simplicity. You can refer here to modify the firewall rules to allow traffic on the ports added as endpoints.
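As an alternative to turning the firewall off, the guest firewall can stay enabled with inbound rules limited to the command port and the passive range used in this post. This is an added example, not part of the original post; it assumes Windows Server 2012 (the NetSecurity cmdlets) and the rule names are made up for illustration.

```powershell
# Added example: allow only TCP 21 and the passive data range 1035-1040
# from this post, and keep the Windows firewall enabled.
# Run in an elevated PowerShell session inside the VM.
$commandPort = 21
$dataRange   = '1035-1040'   # must match the Data Channel Port Range set in IIS

# Re-enable the firewall on all profiles in case it was switched off earlier.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# Hypothetical rule names; pick names that fit your own conventions.
$rules = @(
    @{ Name = 'FTP-Command-In';      Port = "$commandPort" },
    @{ Name = 'FTP-Passive-Data-In'; Port = $dataRange }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (-not (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $r.Name -DisplayName $r.Name `
            -Direction Inbound -Protocol TCP -LocalPort $r.Port `
            -Action Allow -Profile Any | Out-Null
    }
}

# List the ports now allowed, to compare with the endpoint list in the portal.
$rules | ForEach-Object { Get-NetFirewallRule -Name $_.Name } |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort
```

The ports shown in the last step should be exactly the ones added as endpoints: 21 plus 1035-1040.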

We are now done setting up the passive FTP Server on a Windows Azure VM.

Verifying that FTP server is using the port previously specified under data channel port

  1. Client connects on the command port, which is usually TCP port 21.  
  2. When the connection on command port is successful, the server sends a port to the client to connect to.
    If you are using FileZilla, you will see something like this:
    Command:  PASV
    Response: 227 Entering Passive Mode (168,63,240,169,4,14).
    Where 168,63,240,169 is the IP address of the VM and 4,14 is the port on which the data traffic is routed (256*4+14=1038).
    This is how you determine that a port added in the previous steps is actually being used to establish a passive FTP connection.
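The same check can be scripted against reply lines copied from the client log. This is an added example, not part of the original post: the function name Test-PasvReply is made up, the first sample line is the reply shown above, and the other two are constructed to show a server advertising an internal address or a port outside the configured range.

```powershell
# Added example: parse a "227 Entering Passive Mode" reply and compare it
# with the values configured under FTP Firewall Support.
function Test-PasvReply {
    param(
        [Parameter(Mandatory = $true)][string]$Reply,
        [Parameter(Mandatory = $true)][string]$ExpectedIp,  # VIP of the VM
        [int]$MinPort = 1035,                               # range used in this post
        [int]$MaxPort = 1040
    )
    $pattern = '227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)'
    if ($Reply -notmatch $pattern) {
        throw "Not a 227 passive-mode reply: $Reply"
    }
    $fields = 1..6 | ForEach-Object { [int]$Matches[$_] }
    if ($fields | Where-Object { $_ -gt 255 }) {
        throw "Field larger than 255 in reply: $Reply"
    }
    $ip   = $fields[0..3] -join '.'
    $port = $fields[4] * 256 + $fields[5]     # port = p1*256 + p2
    [pscustomobject]@{
        Ip           = $ip
        Port         = $port
        IpMatchesVip = ($ip -eq $ExpectedIp)
        PortInRange  = ($port -ge $MinPort -and $port -le $MaxPort)
    }
}

# Line 1 is the reply from this post; lines 2 and 3 are constructed samples.
$replies = @(
    '227 Entering Passive Mode (168,63,240,169,4,14).',
    '227 Entering Passive Mode (10,0,0,4,4,14).',
    '227 Entering Passive Mode (168,63,240,169,195,80).'
)
$replies | ForEach-Object { Test-PasvReply -Reply $_ -ExpectedIp '168.63.240.169' } |
    Format-Table -AutoSize
```

A reply with IpMatchesVip or PortInRange set to False means the server is handing out an address or port that has no matching endpoint, so the client's data connection will not reach the VM.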

Points to consider from Azure SLB perspective

When FTP is transferring large files, the elapsed time for transfer may exceed 4 minutes, especially if the VM size is A0. Any time the file transfer exceeds 4 minutes, the Azure SLB will time out the idle TCP/21 connection, which causes issues with cleanly finishing up the FTP transfer once all the data has been transferred.

Basically, FTP uses TCP/21 to set everything up and begin the transfer of data. The transfer of data happens on another port. The TCP/21 connection goes idle for the duration of the transfer on the other port. When the transfer is complete, FTP tries to send data on the TCP/21 connection to finish up the transfer, but the SLB sends a TCP reset instead.

The way around this is to make the client keep the TCP/21 connection from going idle. If using a third-party FTP client, there may be configuration settings the user can change to make the FTP client send a keepAlive. For example, in FileZilla, go to Edit > Settings > Connection > FTP and check Send FTP keep-alive commands.

If the FTP client is being written in .NET, customers will need to account for this client-side keepAlive in their code. Here is a sample (the keepAlive line is marked with a comment):

    private void button1_Click(object sender, EventArgs e)
    {
        // Client-side keepAlive: enable TCP keep-alive, first probe after 30000 ms of idle time,
        // then every 20000 ms, so the TCP/21 connection does not go idle during the transfer.
        System.Net.ServicePointManager.SetTcpKeepAlive(true, 30000, 20000);

        try
        {
            System.Net.WebClient oFTPDownloadWebClient = new System.Net.WebClient();
            oFTPDownloadWebClient.Proxy = null;
            oFTPDownloadWebClient.Credentials = new System.Net.NetworkCredential("username", "password");
            oFTPDownloadWebClient.DownloadFile(new System.Uri("ftp://contosoFTP.cloudapp.net/LargeFile.Dat"), "C:\\Temp\\Big.dat");
            return;
        }
        catch (System.Exception ex)
        {
            MessageBox.Show(ex.Message);
        }
    }

Load balanced endpoints are not supported in Azure Passive FTP server

You will be unable to load balance your endpoints when using a Passive FTP server in Azure, since there is no session stickiness between the server's Command Port (21) and the random data ports that get selected when data is being transferred between the client and the FTP server.

The client will contact the FTP server (Azure VM) through Port 21 (Server's Command port), and establish an FTP session. Then as soon as the client tries to download or upload data, the FTP server (Azure) will send an encoded port number to the client (from the list of data ports you selected when setting up your FTP service).

It will look like: 

ReplyCode: 227, Entering Passive Mode <h1,h2,h3,h4,p1,p2>

Entering Passive Mode (<ftp_svr_ip>, a, b)

The port can be calculated as:

Random Ephemeral Port = (a*256) + b

The server will select a random ephemeral port for every data session that is opened (within the port range specified when setting up the FTP service).

Let’s say you have Azure FTP Servers FTP1 and FTP2 behind the load balancer.

You place FTP1 and FTP2 in the same cloud service;

You load balance Port 21 and all the data ports across these two VM’s;

The client tries to establish an FTP session (through Port 21), and the LB first selects FTP1.

The client then chooses to download a file from FTP1.

FTP1 will respond back to the client and provide a random data port that the client will need to use to access its data channel;

The client then has to set up a new TCP session with that target data port on FTP1, and this request goes through the Load Balancer;

The LB, which is not configured with sticky sessions, and is just a Layer 3 round robin LB, will not keep track of the session previously established with FTP1 and may pick FTP2 instead.

This can, however, work with Active FTP, since no endpoint is required for outbound traffic and active FTP just uses source port 20 to initiate the data channel with the client.

[Figures: ACTIVE FTP and PASSIVE FTP]

Running concurrent traces on the client and the 2 Azure FTP servers will show this.

Conclusion

The first four steps and the fifth step are general steps which you should complete to set up passive FTP on a Windows server; however, the 4th step is specific to Windows Azure. Another point to note is that Windows Azure currently supports only 150 endpoints. Keep this in mind when adding endpoints. The last step is just a verification step where we confirm that the FTP server is actually using the ports that we specified.

Hope this post was helpful!

Excerpted from: http://blogs.msdn.com/b/mast/archive/2013/12/13/setting-up-a-passive-ftp-server-in-windows-azure-vm.aspx
