
How to Passive FTP in Server 2003, Windows Firewall


FTP has two modes, Active and Passive. Most people know this, but what does it actually mean? When you connect to an FTP server you use port 21, which is the control port, but at least one other port needs to be open to transfer data. With Active FTP this port is port 20; with Passive FTP, if it hasn't been configured, it uses random ports between 1024 and 5000. These ports need to be open for the data to be transferred. With Active FTP that's fine, as it is only one port, but with Passive FTP opening up that many ports is insecure and not an option. So we have to force the FTP server to use a smaller number of ports and allow these through Windows Firewall.

With IIS FTP we can do this using the admin scripts that come with IIS. The script we will be using is adsutil.vbs, which on a default installation of IIS can be found in C:\Inetpub\AdminScripts\.

Open a command prompt and navigate to the AdminScripts folder:

cd \

cd Inetpub\AdminScripts

Now make the FTP service use a specific range of ports. The advice Microsoft gives is to open double the number of concurrent connections; for example, if 2 people will be downloading at the same time, open up 4 ports. I usually open about 25 ports. For IIS 6.0 you must use ports over 5000, so the first one is 5001. If you get this bit wrong the FTP service will not start.

cscript adsutil.vbs SET /MSFTPSVC/PassivePortRange "5001-5025"

Now we need to open the ports in Windows Firewall by looping through the range and adding each port. To do this we again use the command prompt and the FOR command:

FOR /L %G IN (5001,1,5025) DO NETSH FIREWALL ADD PORTOPENING TCP %G FTPPort%G

This loops through 5001 to 5025 and, using the NETSH command, adds an open port to Windows Firewall for each one. Typed at the command prompt the loop variable is written %G; inside a batch file it must be doubled to %%G, as in the batch file below.

You now need to reset IIS for the changes to take effect. If the FTP service doesn't start properly, make sure you have specified the ports properly. You can check that by replacing SET with GET in the adsutil command.

You can also put all of this into a batch file so it is all done automatically; just copy and paste the below:


CD \

CD Inetpub\AdminScripts

cscript adsutil.vbs SET /MSFTPSVC/PassivePortRange "5001-5025"

FOR /L %%G IN (5001,1,5025) DO NETSH FIREWALL ADD PORTOPENING TCP %%G FTPPort%%G

iisreset
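
To confirm that the server really hands out data ports inside the range configured above, the following added example (not part of the original post) parses the server's 227 passive-mode replies and flags any port outside 5001-5025. The function names and the sample replies are assumptions constructed for illustration; 192.0.2.10 is a documentation address.

```python
import re

# Range set on this page with: adsutil.vbs SET /MSFTPSVC/PassivePortRange "5001-5025"
CONFIGURED_RANGE = (5001, 5025)

# RFC 959 passive reply: 227 <text> (h1,h2,h3,h4,p1,p2), data port = p1*256 + p2
_PASV_RE = re.compile(r"^227[ -].*?\((\d{1,3}(?:,\d{1,3}){5})\)")

def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or raise ValueError."""
    match = _PASV_RE.match(reply.strip())
    if not match:
        raise ValueError("not a 227 passive reply: %r" % reply)
    nums = [int(n) for n in match.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field above 255 in reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]

def audit(replies, port_range=CONFIGURED_RANGE):
    """Return (reply, reason) for every reply that is malformed or out of range."""
    low, high = port_range
    findings = []
    for reply in replies:
        try:
            _, port = parse_pasv(reply)
        except ValueError as exc:
            findings.append((reply, str(exc)))
            continue
        if not low <= port <= high:
            findings.append((reply, "port %d outside %d-%d" % (port, low, high)))
    return findings

# Constructed sample replies, as they would appear in an FTP client log.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,19,137)",  # 19*256+137 = 5001
    "227 Entering Passive Mode (192,0,2,10,19,161)",  # 19*256+161 = 5025
    "227 Entering Passive Mode (192,0,2,10,4,87)",    # 1111: range not applied
    "500 'PASV': command not understood",             # not a passive reply
]

if __name__ == "__main__":
    for reply, reason in audit(SAMPLE_REPLIES):
        print("FAIL: %s  <- %s" % (reason, reply))
```

Real replies can be taken from a client log or collected with `ftplib.FTP.sendcmd("PASV")`, which returns the raw reply string.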

The post How to Passive FTP in Server 2003, Windows Firewall appeared first on Tom's Blog.

