Firewall or Proxy Server Issues when using Internet Download by FTP within Hurrevac2000

Symptom of Problem -

You have a direct Internet connection (not a dial-up connection). When you access the File | Internet Download... option within HURREVAC2000, and attempt the Log On option to connect with the hurrevac.com FTP server site, no response occurs for a minute or more. You may be behind a 'firewall' or FTP Proxy Server.

Some Possible Solutions -

1. First try getting in to the hurrevac.com FTP site with the 'I am behind a firewall' option in File | Setup.. General Setup | Internet turned OFF (not checked, the default setting), just to make sure that you have a problem getting in the normal way.

2. Then, check to make sure you are indeed hooked up to the Internet by bringing up your Internet Browser and assuring yourself that it is working and getting fresh data from the Internet.

3. If you are indeed hooked up to the Internet, and the Internet Download feature in Hurrevac2000 does not access the hurrevac.com FTP site with the normal configuration ('I am behind a firewall' NOT checked), you are likely behind some kind of firewall or FTP Proxy Server at your office (or perhaps even elsewhere if on a county network).

4. There is a setup feature in Hurrevac2000 that allows for a firewall or proxy server. It is located under the File | Program Setup... General Setup | Internet | Firewall... menu items in the program. The procedure is to enter the firewall or FTP Proxy Server setting into the box provided, click on the 'I am behind a firewall' button and save the setup. If you don't know the IP or other address of your FTP Proxy Server, take the following steps to find it.

5. Bring up your Internet Browser and check the setup or options settings for FTP Proxy Server. Depending on the version of your browser, these settings may be located in various places, but here is where they are in Netscape 3.0 and Internet Explorer 4.0, two of the most popular browsers:

    a. Internet Explorer 4.0 and up- Try the following menu path... Edit | Options... | Connection | Proxy Server | Settings and look for the IP address of the FTP Proxy Server. If there are no numbers in the FTP Proxy Server box, but there are some in the HTTP Proxy box, then use those. Usually the numbers in the Port boxes are not needed.

    b. Netscape 3.0 and up- Try the following menu path... Options | Network Preferences | Proxies | Manual Proxy Config | and look for the IP address of the FTP Proxy Server. If there are no numbers in the FTP Proxy Server box, but there are some in the HTTP Proxy box, then use those. Usually the numbers in the Port boxes are not needed.

6. If you cannot find the number (your browser may be different than described above) contact your Network Administrator and ask for the IP or name address of your FTP Proxy Server.

7. Write the number (or name) down and enter in Hurrevac2000 Program Setup as described in step 3 above. Click on the 'I am behind a firewall' option and save the setup.

8. Try the Internet Download option again. If this still does not work, ask your Network Administrator for advice in this matter. Your machine may not have permission to access FTP through the proxy server, there could be some mixup about the correct IP address for the FTP Proxy Server, or there may be other reasons (see below). Print out this page and give this information to your Network Administrator.

Network Administrator Issues -

Open your Internet browser and put the following in the URL address box

ftp://72.3.133.97/hurrevac.com/ (hit your browser's refresh button if you don't initially see a list of folders)

If you cannot reach our hurrevac.com FTP site with your browser, then it indicates that your system is not allowing FTP even to our Anonymous FTP site. Your firewall or proxy server must be set up to allow FTP before the download in Hurrevac can work.

If you are able to reach the above site in your browser, then continue with the FTP setup in Hurrevac described below.

Always first try the 'I am behind a firewall' option NOT checked (default) in File|Setup General Setup | Internet. It is possible that even though you have a proxy server or firewall, the system is friendly enough to ftp through as is...

Try the General Setup | Internet Firewall settings in Hurrevac2000…using your firewall IP address and selecting the 'Behind a firewall' option.

If your particular firewall or proxy server requires a unique logon (the standard 'anonymous@hurrevac.com' won't do) then you may have to fill in the special logon id in the block provided and try again (try first without this option).

Problems with Anti-Virus programs (McAfee, etc) hindering FTP

Check out this technical note about McAfee Anti-Virus

Using Novell Border Manager (which is notoriously finicky with FTP)?

Check out our special web page on this subject

If none of the above is a problem then the following may help...

EDIT (carefully, using Notepad or another ASCII text editor) the file called FTPCFG2.dat located in your \Hurrevac2000 directory. Change one line, the line which reads

Host: hurrevac.com

to

Host: 72.3.133.97

Note that there MUST be a space between Host: and hurrevac.com or 72.3.133.97.

Doing this may let your system reach the server when the name hurrevac.com does not resolve.

What the Hurrevac2000 FTP module does to connect...

When 'NOT behind a firewall' is set in General Setup | Internet, the Hurrevac2000 FTP module simply logs on to the hurrevac.com FTP server as anonymous, with the user's email address as the password. (If no email address is specified in General Setup | Internet, a substitute, user@hurrevac.com, is supplied by the software when logging on to hurrevac.com.)

When 'Behind a firewall' is set in General Setup | Internet, and the IP or name address of same is specified in the box provided, then the FTP software uses the RFC1579 specification and attempts the recommended passive connection using the following standard method ...

    a. Instead of logging on to the hurrevac.com ftp server, it logs on to the firewall or proxy server at its specified IP address.

    b. The logon name used in this case is anonymous@hurrevac.com for the main site at hurrevac.com, and anonymous@hurrevac2.com for the alternate site at hurrevac2.com. If the special Logon User ID box is filled out, then that logon to the firewall or proxy server is used instead of anonymous@hurrevac.com.

    c. The logon name (anonymous@hurrevac.com) is understood to specify that the client wants to initiate an anonymous ftp session with hurrevac.com (IP address 72.3.133.97); anonymous@hurrevac2.com is used to do the same thing for the alternate site at hurrevac2.com (IP address 70.166.75.144).

    d. The password used is your email address if specified in Hurrevac2000 General Setup or if none specified then user@hurrevac.com

    e. The connection is passive, indicating that the remote server, not the client, specifies the port for data transfers. All connections are established on standard port 21, but the data transfers are on a port selected by the hurrevac.com server, which must handle upwards of 1000 data transfers at roughly the same time, the time of issuance of advisories, which occurs within a few minutes of 5am, 11am, 5pm and 11pm EDT. Some FTP servers allow the client to pick the port but then allow only a few FTP clients on at a time. We cannot do that because of the narrow time frame in which all the users must retrieve information.

    f. If your FTP proxy server will not allow the hurrevac.com server to pick the port…or limits the port numbers for data transfers, the program will hang up after the first CWD (Change Working Directory) command transmitted to hurrevac.com by the FTP client. After this command comes a request for a directory listing to be sent to the user. This directory listing is sent on a separate data port picked by the hurrevac.com server.

    g. One solution is for a permissions file for the FTP Proxy Server to be set in such a way as to allow passive (remote server picks data port) FTP connections between the user's computer and two specific sites: hurrevac.com (IP 72.3.133.97) and hurrevac2.com (IP 70.166.75.144), which are the main and alternate sites to get hurrevac data.


Some additional info on FTP -

An FTP transfer always requires two sockets, the control socket and the data socket. Basically, the server listens for incoming clients on port 21. When a client connects, the server transfers info back on port 20 and a control socket is established to allow the client and server to send commands back and forth.

Further, when the commands issued indicate that data is to be transferred (such as a directory listing, a file transfer, etc.) a separate data socket is established by the remote server and used to transfer the data (this allows for optimum throughput because commands can be issued in parallel to the data transfer). Because the hurrevac.com server is high capacity and is often asked to transmit FTP data for over 1000 clients at a time (the advisories are issued each 6 hours and everyone wants the data at the same time) the remote server must be allowed to pick the data port.

The data socket always occurs on some port greater than port 1023 but less than 64K. The client and server must negotiate this socket prior to each transfer and there are two types of data socket transfers -- passive and active.

The Hurrevac2000 FTP module uses 'PASSIVE' connections which lets the server pick the port (because over 1000 connections can be going on at the same time, the time of issuance of hurricane advisories). Some proxy servers or firewalls may be set up for only 'ACTIVE' transfers which means the client defines the data socket. If your proxy server or firewall is set up for only active transfers (client picks the port), then see if your firewall or proxy setup can allow for passive connections. In some cases, it can be set up for either active or passive connections.

Regardless of which side defines the data port to use, your access control filter for the firewall or proxy server needs to allow incoming connections on port 21, outgoing connections on port 20, and then, since here we are using passive connections for the data socket, the server side needs to be able to establish connections on ports 1024 through 64K (the possible range for data ports).

Security concerns could possibly be eliminated by allowing this FTP passive connection only between the client and hurrevac.com (72.3.133.97) and hurrevac2.com (IP 70.166.75.144), if the particular FTP Proxy server allows such stipulations in a permissions file.

This will be necessary for any FTP client to connect (using passive connection). When investigating this problem, you might try WS_FTP (a shareware FTP Client program available on the Internet) and use its firewall settings to attempt to get through. Use its Log Window to make note of the actions and responses that result. Keep in mind that some FTP programs use 'active' connections and can get through easily that way when the traffic is not high on the remote server, while we must use 'passive' to allow the server to serve all the users at roughly the same time (time of issuance of advisories).
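
The following Python helper is an added example, not part of the original page or of the Hurrevac2000 software. It reads a control-channel log of the kind an FTP client's log window shows, decodes the 227 passive-mode reply into the data address and port the firewall has to permit, and reports the command after which the session stalled. The `>`/`<` log format, the sample log, the directory name `example-dir` and the proxy address 192.0.2.10 are constructed for illustration.

```python
import re

PASV_RE = re.compile(r"^227\b.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_pasv(reply):
    """Decode '227 ... (h1,h2,h3,h4,p1,p2)' into (ip, port); None if malformed."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def diagnose(log_lines, control_peer):
    """Summarise a control log ('>' command, '<' reply); control_peer is the
    address dialled on port 21 (the server, or the proxy in firewall mode)."""
    result = {"endpoint": None, "peer_mismatch": False, "stalled_after": None}
    pending = None  # last command that has not yet received a final reply
    for line in log_lines:
        marker, _, text = line.partition(" ")
        text = text.strip()
        if marker == ">" and text:
            pending = text.split()[0].upper()
        elif marker == "<":
            if text.startswith("227"):
                result["endpoint"] = parse_pasv(text)
                if result["endpoint"]:
                    # Data address normally equals the control peer; flag if not.
                    result["peer_mismatch"] = result["endpoint"][0] != control_peer
            if not text.startswith("1"):  # 1xx = preliminary, still in progress
                pending = None
    result["stalled_after"] = pending
    return result

# Constructed log: logon via a proxy at 192.0.2.10, CWD succeeds, listing never arrives.
SAMPLE_LOG = [
    "> USER anonymous@hurrevac.com",
    "< 331 Password required",
    "> PASS user@hurrevac.com",
    "< 230 User logged in",
    "> CWD example-dir",
    "< 250 CWD command successful",
    "> PASV",
    "< 227 Entering Passive Mode (192,0,2,10,195,80)",
    "> LIST",
]
if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "192.0.2.10"))
```

For the sample log, the data connection the filter must permit is to 192.0.2.10 port 50000 (195 × 256 + 80), and the session is reported as stalled after LIST.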