Configuring FTP Firewall Settings

  • Author: Robert McMurray
  • Published on January 15, 2008 by iisteam
  • Updated on March 18, 2009 by iisteam
  • Tags: FTP

Introduction

Microsoft has created a new FTP service that has been completely rewritten for Windows Server® 2008. This FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options.

This document walks you through configuring the firewall settings for the new FTP server. It contains:

Prerequisites

The following items are required to be installed to complete the procedures in this article:

  1. IIS 7 must be installed on your Windows 2008 Server, and the Internet Information Services Manager must be installed.
  2. The new FTP service. You can download and install the FTP service from the http://www.iis.net/ web site using one of the following links:
  3. You must create a root folder for FTP publishing:
    • Create a folder at "%SystemDrive%\inetpub\ftproot"
    • Set the permissions to allow anonymous access:
      • Open a command prompt.
      • Type the following command:
        CACLS "%SystemDrive%\inetpub\ftproot" /G IUSR:R /T /E
      • Close the command prompt.

Important Notes:

  • The settings listed in this walkthrough specify "%SystemDrive%\inetpub\ftproot" as the path to your FTP site. You are not required to use this path; however, if you change the location for your site you will have to change the site-related paths that are used throughout this walkthrough.
  • Once you have configured your firewall settings for the FTP service, you must configure your firewall software or hardware to allow connections through the firewall to your FTP server.
    • If you are using the built-in Windows Firewall, see the (Optional) Step 3: Configure Windows Firewall Settings section of this walkthrough.
    • If you are using a different firewall, please consult the documentation that was provided with your firewall software or hardware.

Use the FTP Site Wizard to Create an FTP Site With Anonymous Authentication

In this section, you create a new FTP site that can be opened for Read-only access by anonymous users. To do so, use the following steps:

  1. Go to the IIS 7.0 Manager. In the Connections pane, click the Sites node in the tree.
  2. Right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.

  3. When the Add FTP Site wizard appears:
    • Enter "My New FTP Site" in the FTP site name box, then navigate to the "%SystemDrive%\inetpub\ftproot" folder that you created in the Prerequisites section. Note: If you choose to type in the path to your content folder, you can use environment variables in your paths.
    • Click Next.
  4. On the next page of the wizard:
    • Choose an IP address for your FTP site from the IP Address drop-down, or choose to accept the default selection of "All Unassigned." Because you will be accessing this FTP site remotely, make sure that you do not restrict access to the local server by entering the local loopback IP address for your computer ("127.0.0.1") in the IP Address box.
    • You would normally enter the TCP/IP port for the FTP site in the Port box. For this walkthrough, accept the default port of 21.
    • For this walkthrough, you do not use a host name, so make sure that the Virtual Host box is blank.
    • Make sure that the Certificates drop-down is set to "Not Selected" and that the Allow SSL option is selected.
    • Click Next.
  5. On the next page of the wizard:
    • Select Anonymous for the Authentication settings.
    • For the Authorization settings, choose "Anonymous users" from the Allow access to drop-down. Select Read for the Permissions option.
    • Click Finish.
  6. Go to the IIS 7.0 Manager. Click the node for the FTP site that you created. The icons for all of the FTP features display.

Summary

To recap the items that you completed in this step:

  1. You created a new FTP site named "My New FTP Site", with the site's content root at "%SystemDrive%\inetpub\ftproot".
  2. You bound the FTP site to the local loopback address for your computer on port 21, choosing not to use Secure Sockets Layer (SSL) for the FTP site.
  3. You created a default rule for the FTP site to allow anonymous users "Read" access to the files.

Step 1: Configure the Passive Port Range for the FTP Service

In this section, you configure the server-level port range for passive connections to the FTP service. Use the following steps:

  1. Go to IIS 7.0 Manager. In the Connections pane, click the server-level node in the tree.

  2. Double-click the FTP Firewall Support icon in the list of features.

  3. Enter a range of values for the Data Channel Port Range.

  4. Once you have entered the port range for your FTP service, click Apply in the Actions pane to save your configuration settings.

Notes:

  1. The valid range for ports is 1024 through 65535. (Ports from 1 through 1023 are reserved for use by system services.)
  2. You can enter a special port range of "0-0" to configure the FTP server to use the Windows TCP/IP dynamic port range.
  3. For additional information, please see the following Microsoft Knowledge Base articles:
  4. This port range will need to be added to the allowed settings for your firewall server.

Step 2: Configure the external IPv4 Address for a Specific FTP Site

In this section, you configure the external IPv4 address for the specific FTP site that you created earlier. Use the following steps:

  1. Go to IIS 7.0 Manager. In the Connections pane, click the FTP site that you created earlier in the tree, then double-click the FTP Firewall Support icon in the list of features.

  2. Enter the IPv4 address of the external-facing address of your firewall server for the External IP Address of Firewall setting.

  3. Once you have entered the external IPv4 address for your firewall server, click Apply in the Actions pane to save your configuration settings.

Summary

To recap the items that you completed in this step:

  1. You configured the passive port range for your FTP service.
  2. You configured the external IPv4 address for a specific FTP site.

(Optional) Step 3: Configure Windows Firewall Settings

Windows Server 2008 contains a built-in firewall service to help secure your server from network threats. If you choose to use the built-in Windows Firewall, you will need to configure your settings so that FTP traffic can pass through the firewall.

There are a few different configurations to consider when using the FTP service with the Windows Firewall: whether you will use active or passive FTP connections, and whether you will use unencrypted FTP or FTP over SSL (FTPS). Each of these configurations is described below.

Note: You will need to make sure that you follow the steps in this section of the walkthrough while logged in as an administrator. This can be accomplished by one of the following methods:

  • Logging in to your server using the actual account named "Administrator".
  • Logging on using an account with administrator privileges and opening a command-prompt by right-clicking the Command Prompt menu item that is located in the Accessories menu for Windows programs and selecting "Run as administrator".

One of the above steps is required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating systems prevents administrator access to your firewall settings. For more information about UAC, please see the following documentation:

Note: While Windows Firewall can be configured using the Windows Firewall applet in the Windows Control Panel, that utility does not have the required features to enable all of the features for FTP. The Windows Firewall with Advanced Security utility that is located under Administrative Tools in the Windows Control Panel has all of the required features to enable the FTP features, but in the interests of simplicity this walkthrough will describe how to use the command-line Netsh.exe utility to configure the Windows Firewall.

Using Windows Firewall with non-secure FTP traffic

To configure Windows Firewall to allow non-secure FTP traffic, use the following steps:

  1. Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.
  2. To open port 21 on the firewall, type the following syntax then hit enter:
    netsh advfirewall firewall add rule name="FTP (non-SSL)" action=allow protocol=TCP dir=in localport=21
  3. To enable stateful FTP filtering that will dynamically open ports for data connections, type the following syntax then hit enter:
    netsh advfirewall set global StatefulFtp enable

Important Notes:

  • Active FTP connections are not necessarily covered by the above rules; an outbound connection from port 20 would also need to be enabled on the server. In addition, the FTP client machine would need to have its own firewall exceptions set up for inbound traffic.
  • FTP over SSL (FTPS) will not be covered by these rules; the SSL negotiation will most likely fail because the Windows Firewall filter for stateful FTP inspection will not be able to parse encrypted data. (Some 3rd-party firewall filters recognize the beginning of SSL negotiation, e.g. AUTH SSL or AUTH TLS commands, and return an error to prevent SSL negotiation from starting.)

Using Windows Firewall with secure FTP over SSL (FTPS) traffic

The stateful FTP packet inspection in Windows Firewall will most likely prevent SSL from working because the Windows Firewall filter for stateful FTP inspection will not be able to parse the encrypted traffic that would establish the data connection. Because of this behavior, you will need to configure your Windows Firewall settings for FTP differently if you intend to use FTP over SSL (FTPS). The easiest way to configure Windows Firewall to allow FTPS traffic is to list the FTP service on the inbound exception list. The full service name is the "Microsoft FTP Service", and the short service name is "ftpsvc". (The FTP service is hosted in a generic service process host (Svchost.exe), so it is not possible to put it on the exception list through a program exception.)

To configure Windows Firewall to allow secure FTP over SSL (FTPS) traffic, use the following steps:

  1. Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.
  2. To configure the firewall to allow the FTP service to listen on all ports that it opens, type the following syntax then hit enter:
    netsh advfirewall firewall add rule name="FTP for IIS7" service=ftpsvc action=allow protocol=TCP dir=in
  3. To disable stateful FTP filtering so that Windows Firewall will not block FTP traffic, type the following syntax then hit enter:
    netsh advfirewall set global StatefulFtp disable

More Information about Working with Firewalls

It is often challenging to create firewall rules that let an FTP server work correctly, and the root cause of this challenge lies in the FTP protocol architecture. Each FTP client requires two connections to be maintained between client and server:

  • FTP commands are transferred over a primary connection called the Control Channel, which is typically the well-known FTP port 21.
  • FTP data transfers, such as directory listings or file upload/download, require a secondary connection called Data Channel.

Opening port 21 in a firewall is an easy task, but this means that an FTP client will only be able to send commands, not transfer data. The client will be able to use the Control Channel to successfully authenticate and create or delete directories, but it will not be able to see directory listings or upload/download files. This is because data connections for an FTP server are not allowed to pass through the firewall until the Data Channel has been allowed through the firewall.

Note: This may appear confusing to an FTP client, because the client will seem to be able to successfully log in to the server, but the connection may appear to timeout or stop responding when attempting to retrieve a directory listing from the server.

The challenges of working with FTP and firewalls don't end with the requirement for a secondary data connection; to complicate things even more, there are actually two different ways to establish the data connection:

  • Active Data Connections: In an active data connection, an FTP client sets up a port for data channel listening and the server initiates a connection to that port; this is typically from the server's port 20. Active data connections used to be the default way of connecting to an FTP server; however, active data connections are no longer recommended because they do not work well in Internet scenarios.
  • Passive Data Connections: In a passive data connection, an FTP server sets up a port for data channel listening and the client initiates a connection to that port. Passive connections work much better in Internet scenarios and are recommended by RFC 1579 (Firewall-Friendly FTP).

Note: Some FTP clients require explicit action to enable passive connections, and some clients don't even support passive connections. (One such example is the command-line Ftp.exe utility that ships with Windows.) To add to the confusion, some clients attempt to intelligently alternate between the two modes when network errors happen, but unfortunately this does not always work.

Some firewalls try to remedy problems with data connections with built-in filters that scan FTP traffic and dynamically allow data connections through the firewall. These firewall filters are able to detect which ports are going to be used for data transfers and temporarily open them on the firewall so that clients can open data connections. (Some firewalls may enable filtering of FTP traffic by default, but this is not always the case.) This type of filtering is known as a type of Stateful Packet Inspection (SPI) or Stateful Inspection, meaning that the firewall is capable of intelligently determining the type of traffic and dynamically choosing how to respond. Many firewalls now employ these features, including the built-in Windows Firewall.
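The passive-mode exchange described above, and the two symptoms that recur when an FTP server sits behind NAT (the advertised data port is not in the configured range, or the advertised address is a private one), as an added Python check that is not part of the original article: it parses a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, derives the data port as p1*256+p2 (RFC 959), and compares the result with the Data Channel Port Range from Step 1 and the External IP Address of Firewall from Step 2. The sample replies are constructed and use the documentation address 203.0.113.10; the "0-0" mapping assumes the Windows Vista/Server 2008 dynamic port range of 49152-65535.

```python
import ipaddress
import re

# Dynamic (ephemeral) TCP port range on Windows Vista / Server 2008; the FTP
# service draws passive ports from it when the Data Channel Port Range is "0-0".
DYNAMIC_PORT_RANGE = (49152, 65535)

# Addresses that an Internet client cannot reach: RFC 1918 ranges and loopback.
UNROUTABLE_NETWORKS = [ipaddress.ip_network(n) for n in
                       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a '227 Entering Passive Mode' reply.

    The six numbers are the four IPv4 octets followed by the high and low
    bytes of the data port, so port = p1 * 256 + p2.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("value out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_port_range(setting):
    """Parse the IIS 'Data Channel Port Range' text, e.g. "50000-51000" or "0-0"."""
    lo, hi = (int(x) for x in setting.split("-"))
    if (lo, hi) == (0, 0):
        return DYNAMIC_PORT_RANGE
    if not (1024 <= lo <= hi <= 65535):
        raise ValueError("valid data channel ports are 1024-65535: %r" % setting)
    return lo, hi


def is_unroutable(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTABLE_NETWORKS)


def check_pasv(reply, port_range_setting, external_ip=None):
    """Compare a server's PASV reply with the settings the administrator expects.

    Returns a list of findings; an empty list means the reply is consistent
    with the configured port range and (if given) the external firewall address.
    """
    ip, port = parse_pasv(reply)
    lo, hi = parse_port_range(port_range_setting)
    findings = []
    if not lo <= port <= hi:
        findings.append("port %d is outside the configured range %d-%d" % (port, lo, hi))
    if is_unroutable(ip):
        findings.append("advertised address %s is not routable from the Internet" % ip)
    if external_ip and ip != external_ip:
        findings.append("advertised address %s differs from external IP %s" % (ip, external_ip))
    return findings


if __name__ == "__main__":
    # Constructed reply: port 212*256+50 = 54322, which a range of 50153-50199 does not cover.
    for finding in check_pasv("227 Entering Passive Mode (203,0,113,10,212,50).",
                              "50153-50199", "203.0.113.10"):
        print(finding)
```

An empty result from check_pasv means the remaining forwarding work is on the firewall side: port 21 plus the returned range must be forwarded to the server.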

For information regarding Microsoft's Windows Firewall software, please see the following topics on Microsoft's web sites:

Comments

Hi, I have followed your guide but I still can't get it to work. If I try the FTP site from the server that it is on it works; however, the FTP site doesn't work from anywhere else on my network, nor does it from the internet. I have the router set up to forward port 21 to the server on port 21. But I think there is some other firewall issue. I have set up the FTP firewall as described in your article but can't connect to it from anywhere on the network. Please help. thx

Apr 01 2008 by bpajer

@bpajer
Have you tried turning off the firewall on the server? Is it working everywhere then? If it does, you can add port 21 as an Exception in Windows Firewall (go to the Exception tab and click "Add Port..."), and then start the firewall.

However I too have a problem with this. I've followed it and the FTP server works from my local network, but not from the internet. I tried specifying 4000-4001 as the passive port range, and my router NATs the public port 21 to the local port 21 and the public 4000-4001 range to the local 4000-4001 range, and it still doesn't work (with or without a Firewall on). Once the FTP enters passive mode I see a response in my FTP client (FileZilla) saying "150 Opening BINARY mode data connection." after which it hangs until it gets timed out. Any ideas?

Jul 31 2008 by boen_robot

I used the ISA 2006 Std. Ed. to publish Win 2003/FTP Server v6, no problem.

Same FTP Publishing rule, except now it is Win2008/FTP Server v7. I can authenticate FTP from the Internet, but it seems that ISA 2006 gets stuck with Data Connection part afterward (when I issue the dir or get commands). Internal FTP is working on both authentication and data connections.

After successful authentication, an error occurred opening a folder on the FTP Server:

200 Type set to A.
425 Cannot open data connection
200 Type set to A.
550 No connection could be made because the target machine actively refused it.

Can the FTP Stateful Inspection Filter included with ISA 2006 FTP publishing handle FTP v7?

Oct 30 2008 by leeh4_99

I'm having a similar problem as the two guys above. While playing around with it, I've managed to set up an FTP server that connects both on the ethernet and the internet. However, when I log in from an internet location on my laptop to the server, whether or not the files are listed depends on the program I use.

In Firefox, it opens fine.

In WinSCP, it gets stuck on:
"Could not retrieve directory listing, server cannot accept argument."

In the Vista "Add a network location" wizard, the message is:
200 Type set to A.
227 Entering Passive Mode (###,###,#,###,###,##)
150 Opening ASCII mode data connection
425 Cannot open data connection.

Just conceptually, why can't a WINDOWS client handle a connection to a WINDOWS server while a third-party Firefox program does it just fine?

The Vista wizard is the main reason I'm not doing Lunix/SSH because Vista will be able to stream things once it connects to a network location, so I would appreciate any pointers regarding the Vista connection (the others are there for comparison). Also, if this isn't the right place for this, I would appreciate if anyone pointed me in the direction of where I should ask my question.

Thanks!

Nov 06 2008 by ComradeVVA

Hi leeh4_99, we have ISA 2006 Ent. Ed clustered with dual arm configuration publishing secure ftp / Explicit SSL on port 21. We configured the external firewall to allow data channel port range of 50000-51000 and port 21.
Our ISA server acts as a default gateway for the FTP server (Windows 2008 - IIS). (This required some planning - downtime - and rule rewriting and a persistent route - beyond scope of article.) We then set up a listener on the external interface and configured a simple ISA rule creating a new protocol definition (FTPeS) to allow primary inbound connections on ports 50000-51000 and 20-21. (I added in secondary connections on ports 50000-51000 - but suspect you don't need to) - you really only need 50 IPs. Obviously - don't use the FTP application filter in ISA as per normal FTP as the SSL traffic is encrypted so won't work. I then bound the IIS 7 FTP service to port 21 (not 990 - for implicit) & configured data channel ports 50000-51000. - (this has to be done at server level, not FTP site level, which is greyed out). This does correspond to the PASV ports ??? - Microsoft should have made this clearer.

For the External IP address of firewall - I put the IP of the external DNS entry of the FTP site which corresponds to the firewall (not ISA listener IP).

Looking at ISA - I was seeing lots of
0x80074e21 ABORTIVE SHUTDOWN
0x0040017 TCP NOT SYN PACKET DROPPED or
0xc0040014 SPOOFING PACKET DROPPED.

From my desktop on corporate network - I could connect to the public secure ftp site - but was getting a time out doing directory listings as you described.

Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,195,96).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Connection timed out
Error: Failed to retrieve directory listing

HOWEVER - using a laptop with a broadband connection ISA correctly forwarded the traffic and I got the directory listings. We have since set up an internal DNS entry on the domain controller (split DNS) to point the public FTP server straight to the machine, bypassing ISA. I still see the occasional errors for TCP NOT SYN and ABORTIVE SHUTDOWNS but everything still works. So - all is good with INBOUND secure ftp / explicit SSL with ISA 2006 / and IIS 7 / windows 2008.


P.S. There is a KB about the ephemeral (transitory) port for the data channel.
http://support.microsoft.com/kb/283679
You then are supposed to add the 5th and 6th octets to get the port - after some troubleshooting - I worked out that the ports the FileZilla client was connecting on - did not correspond to the ones specified in IIS, e.g. the port was 65000 - but I had specified 50000-51000 (as per Step 1: Configure the Passive Port Range for the FTP Service - step 3). I was troubleshooting all settings in FileZilla and issuing IISRESET commands on Windows 2008. I probably needed to restart the FTP service specifically for settings to kick in. A reboot solved this problem.

ComradeVVA - there's PASSIVE mode FTP setting in IE advanced options - try ticking this and see what happens.


Nov 10 2008 by redash

Excellent discussion. Very thorough.

Jan 28 2009 by hnaparst

I have a home setup. I use a Linksys WRT310N. To be able to access my FTP server from my LAN and from the Internet using passive mode I had to set:

In my FTP configuration
a) Data channel port range = 0-0 (I guess you could use a smaller range)
b) External IP address of Firewall = private IP (192.168.1.nn)

In my Windows Firewall:
a) Ran the "netsh advfirewall firewall add rule name="FTP for IIS7" service=ftpsvc action=allow protocol=TCP dir=in" command (from an elevated command window).

In my Router:
a) Forwarded port 21 to my FTP server
b) Forwarded port range 49152 - 65535 to my FTP server.

From inside my LAN the access is transparent.
From the internet, my FileZilla FTP client reports the server provided an unroutable IP address and that it will use the server address instead. Data is transferred without problems.

I hope this helps.

Jul 04 2009 by SergioTorresC

was unable to get PASV to work
so i got most of FTP 7.5 to work by opening all
outgoing ports.

still unable to use PASV command so i
finally ended up opening all incoming ports.

i am sure i need a much smaller number of ports
but NOWHERE can i find the port numbers that are needed
for the PASV command.

just to make it more complicated, you cannot enter a range
into the firewall, only individual ports, comma separated.

so just to make FTP 7.5 working i had to compromise my entire
firewall. Seems like a high price to pay in order to
get a "more secure" SSH transfer.

hopefully someone can hand me a basket of clues.

Jul 13 2009 by disco-legend-zeke

I have a similar problem of 3 and 4. If I specify an external IP address, data connections fail for the internal network. If I don't specify an external IP address, data connections fail for the external network.

Sep 24 2009 by sdsmith

my data channel port range is set as 50153-50199; my ftp client (coreftp) when connecting in passive mode gives me port 54322 to connect to - the result of the PASV call is 227 Entering Passive Mode (xx,yy,zz,10,212,50).

this indeed calculates to IP xx.yy.zz, port 54322

What am i missing - why is the port not in the specified port range ?

Config: IIS 7.0, FTP 7.5 - Windows 2008 SP1

Nov 04 2009 by wgeurden
