Setting up FTPS server for VCSA backup

I followed the steps in Backing up vCSA 6.5 natively using FTPS but wasn’t able to create a backup succesfully.

It seemed that I could login to the ftps server with FileZilla client, but it wasn’t able to list the directories on the FTPS server. Didn’t really noticed the warnings in FileZilla, since the directories were empty 🙂

However FileZilla complained:

Status: Connecting to 1.2.3.4:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (1,2,3,4,208,227).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out
Error: Failed to retrieve directory listing
Status: Disconnected from server

Grant Curell blogged about this error (look for Fixing Problem #2 on the blog) the issue was with the internal Windows firewall in Windows 2012 R2.

Also Using the buildin (Predefined) FTP Server rules didn’t work:

Not working Build-In Predefined FTP Server rule

I’ve created two firewall rules, allowing ports 20,21,990, 55000-56000 in both UDP and TCP.

Two of these Port rules, One for TCP one for UDP.

I set the Data Channel Port Range from 55000 to 56000. This setting is done on the IIS node, not on the FTP site.

Data Channel Port Range setting (entire IIS server, not just the FTP site)

After a restart of the FTP server service, I could now connect. And the backup now finishes succesfully.

Status: Connecting to 1.2.3.4:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Status: Directory listing of "/" successful