
I have set up FTP in IIS 8.0 on an Azure Windows Server 2012 virtual machine.

After following the instructions in this post (http://itq.nl/walkthrough-hosting-ftp-on-iis-7-5-a-windows-azure-vm-2/) I've been able to make FTP work fine in passive mode, but it fails when trying to connect in active mode from FileZilla. The FTP client can connect to the server in active mode but fails with a timeout error message when trying to execute the LIST command.

I carefully reviewed that the 20 and 21 endpoints are set in the Azure VM without pointing to a probe port, and that the Windows firewall allows external connections to VM ports 20 and 21.

I can't figure out why active mode doesn't work while passive mode works fine.

I know there are other users with the same issue.

Please, is there someone who has succeeded in setting up active FTP in an Azure VM?


2 Answers


This previous response is incorrect. https://stackoverflow.com/a/20132312/5347085

I know this because I worked with Azure support extensively. The issue has nothing to do with the server not being able to connect to the client, and my testing method eliminated client side issues as a possibility.

After working with Azure support for 2 weeks, their assessment of the problem was essentially that "Active Mode FTP uses a series of random ports from a large range for the data channel from the client to the server. You can only add 150 endpoints to an Azure VM, so you couldn't possibly add all those ports and get Active FTP working 100%. In order to do this you would need to use 'Instance level public IP' and essentially bypass the endpoint mechanism altogether, put your VM directly on the internet, and rely entirely on the native OS firewall for protection."

If you HAVE to use Active Mode FTP on Azure and are ok with putting your VM on a public IP, he provided this link:

https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-instance-level-public-ip/

UPDATE: Official response from Azure Support:

Josh,

First of all, thanks for your patience on this. As I mentioned in my last email, I was working with our Technical Advisors, who are Support Escalation Engineers, on reproducing this environment in Azure. Our tests were configured using the WS_FTP 7.7 (your version 7.1) and WS_FTP 12 clients as well as the Windows FTP client. The results of our testing were the same as you are experiencing. We were able to log in to the server, but we get the same Command Port/List failures.

As we discussed previously Active FTP uses a random port for the data plane on the client side. The server connects via 21 and 20, but the incoming port is a random ephemeral port. In Passive FTP, this can be defined and therefore endpoints can be created for each port you use for part of the data plane.

Based on our extensive testing yesterday I would not expect any other Active FTP solution to work. The escalation Engineer that assisted yesterday also discussed this with other members of his team and they have not seen any successful Active FTP deployments in Azure.

In conclusion, my initial thoughts have been confirmed with our testing and Active FTP will not work in the Azure environment at this time. We are always striving to improve Azure’s offering so this may be something that will work in the future as we continue to grow.

You will need to move to a passive FTP setup if you are going to host this FTP server in Azure.


When using active FTP, the client initiates the connection to port 21 on the FTP server. This is the command or control channel, and this connection usually succeeds. However, the FTP server then attempts to open port 20 on the client. This is the data channel. This channel is used for all data transfers, including directory listings.

So, in your case, active FTP isn't working because the server can't initiate a connection to the client. This is either a problem on the server (outbound firewall rule) or on the client itself. This is usually a good thing because you don't want internet-based servers to be able to open connections on client machines.

In passive mode there is a clear client/server distinction where the client initiates connections to the server. Passive mode is recommended so if you got that working I'd stick with that.
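To make the difference between the two answers concrete (the control channel succeeding while the data channel times out, and why a fixed list of published inbound ports can cover passive mode but not active mode), here is an added example that is not code from the question or from either answer. It parses the RFC 959 host-port form used by the client's PORT command and the server's 227 PASV reply, records which side opens the data connection and where, and checks that connection against a table of inbound allow-lists standing in for Azure endpoints and a client-side firewall. All addresses, ports and allow-lists are constructed sample values, not the asker's real configuration.

```python
"""Added example (not code from the question or either answer): models which
side opens the FTP data connection in active (PORT) and passive (PASV) mode and
checks that connection against a table of inbound allow-lists, to show why a
fixed list of published inbound ports (like Azure VM endpoints) can cover a
passive data channel but not an active one.  All hosts, ports and rules below
are constructed sample values, not the asker's real configuration."""
import re
from dataclasses import dataclass

# RFC 959 host-port format: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_CMD = re.compile(r"^PORT " + HOSTPORT + r"\s*$")
PASV_REPLY = re.compile(r"^227 .*\(" + HOSTPORT + r"\)")


@dataclass(frozen=True)
class DataChannel:
    """Who opens the data connection, and the address it targets."""
    opened_by: str  # "server" in active mode, "client" in passive mode
    target_host: str
    target_port: int


def _decode(groups):
    """Turn the six decimal fields into a dotted host and a port number."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("host-port field out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return f"{h1}.{h2}.{h3}.{h4}", port


def parse_port_command(line):
    """Active mode: the client's PORT command tells the server where to
    connect (the server dials from its port 20 to the client's chosen port)."""
    m = PORT_CMD.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    host, port = _decode(m.groups())
    return DataChannel("server", host, port)


def parse_pasv_reply(line):
    """Passive mode: the server's 227 reply tells the client where to connect
    (a port the server administrator chose, typically from a fixed range)."""
    m = PASV_REPLY.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    host, port = _decode(m.groups())
    return DataChannel("client", host, port)


def data_channel_reachable(channel, inbound_allowed):
    """inbound_allowed maps a host to the set of ports it accepts inbound
    connections on (published endpoints / firewall allow rules).  The data
    channel works only if the *target* of the connection accepts that port."""
    return channel.target_port in inbound_allowed.get(channel.target_host, set())


# Constructed scenario: an FTP server on a VM that publishes only the ports
# the administrator chose, and a client behind a firewall that accepts nothing.
SERVER = "203.0.113.10"
CLIENT = "198.51.100.7"
INBOUND_ALLOWED = {
    SERVER: {21, 20} | set(range(5000, 5011)),  # control port + passive range
    CLIENT: set(),                               # typical client-side firewall
}


def demo():
    """Returns (active_ok, passive_ok) for the constructed scenario."""
    # Client behind the firewall picks an ephemeral port (195*256+80 = 50000)
    active = parse_port_command("PORT 198,51,100,7,195,80")
    # Server answers PASV with a port from its published range (19*256+136 = 5000)
    passive = parse_pasv_reply("227 Entering Passive Mode (203,0,113,10,19,136).")
    return (data_channel_reachable(active, INBOUND_ALLOWED),
            data_channel_reachable(passive, INBOUND_ALLOWED))


if __name__ == "__main__":
    active_ok, passive_ok = demo()
    print("active mode data channel (server -> client ephemeral port):",
          "ok" if active_ok else "blocked, so LIST times out")
    print("passive mode data channel (client -> server published port):",
          "ok" if passive_ok else "blocked")
```

The model captures only the protocol semantics both answers describe: in active mode the target of the data connection is an ephemeral port on the client, which no fixed server-side endpoint list can influence, while in passive mode the target is a server port the administrator chose and can publish in advance. Running the script with the constructed allow-lists reports the active data channel as blocked and the passive one as reachable, which is the symptom in the question (login succeeds, LIST times out).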