What is FTP?
Short for File Transfer Protocol, the protocol for exchanging files over the Internet. FTP works in the same way as HTTP for transferring Web pages from a server to a user's browser and SMTP for transferring electronic mail across the Internet in that, like these technologies, FTP uses the Internet's TCP/IP protocols to enable data transfer.
FTP is most commonly used to download a file from a server using the Internet or to upload a file to a server (e.g., uploading a Web page file to a server).
FTP is a TCP based service exclusively. There is no UDP component to FTP.
There are two modes of FTP communication: active and passive.
FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins however, when we find that depending on the mode, the data port is not always on port 20.
How does Active FTP work?
In active mode FTP the client connects from a random unprivileged port (port number N > 1023) to the FTP server's command port, port 21.
Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server.
The server will then connect back to the client's specified data port from its local data port, which is port 20.
Firewall on Active FTP - what ports should be opened on server and client side?
On the server, port 20 and port 21 must be opened. On the client (home user), ports higher than 1023 must be opened for a successful FTP connection and transfer of files.
How does Passive FTP work?
In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server.
When opening an FTP connection, the client opens two random unprivileged ports locally (port number > 1023 and port number+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command.
The result of this is that the server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client. The client then initiates the connection from port (port number+1) to port P on the server to transfer data.
The passive FTP protocol is very good because a lot of connections on the Internet are over ADSL, cable... and clients use routers to connect to the Internet. Routers usually filter data, so the active FTP protocol cannot be used. This problem is solved with the passive file transfer protocol.
Firewall on Passive FTP - what ports should be opened on server and client side?
On the server, port 21 and ports above 1023 (port number > 1023) must be opened. On the client side no change is needed.
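The port negotiation described in the active and passive sections above can be read directly off the control channel. The following added example (not part of the original tutorial) decodes the client's PORT command and the server's passive reply, which on the wire is a 227 response carrying the address as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2, and reports which side has to accept the inbound data connection; the function names and the sample addresses are constructed for illustration.

```python
import re

def decode_hostport(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port); port = p1*256 + p2."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise ValueError("expected six decimal fields: %r" % arg)
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("field outside 0-255: %r" % arg)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_channel(line):
    """Return who listens for the data connection, or None for other lines."""
    line = line.strip()
    m = re.match(r"PORT\s+([\d,\s]+)$", line, re.IGNORECASE)
    if m:
        # Active mode: the client listens and the server connects from port 20.
        ip, port = decode_hostport(m.group(1))
        return {"mode": "active", "listener": "client", "ip": ip, "port": port,
                "inbound": "client must accept TCP %d from server port 20" % port}
    m = re.match(r"227\b.*?(\d+(?:\s*,\s*\d+){5})", line)
    if m:
        # Passive mode: the server listens and the client connects to it.
        ip, port = decode_hostport(m.group(1))
        return {"mode": "passive", "listener": "server", "ip": ip, "port": port,
                "inbound": "server must accept TCP %d from the client" % port}
    return None

# Constructed control-channel lines (private/documentation addresses, not a capture).
SAMPLE = [
    "USER anonymous",
    "PORT 192,168,1,10,4,3",                            # client listens on 1027
    "227 Entering Passive Mode (203,0,113,5,21,134).",  # server listens on 5510
]

if __name__ == "__main__":
    for entry in SAMPLE:
        info = data_channel(entry)
        if info:
            print("%-7s %s:%d -> %s" % (info["mode"], info["ip"], info["port"], info["inbound"]))
```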
Setting active FTP on windows IIS with windows firewall configuration
OK. Now we know what passive and active FTP stand for and how they work. In the next steps I will show you how to configure the IIS FTP server to use both active and passive FTP connections.
First we install IIS and the FTP service. For that we go to: Control Panel - Add or Remove Programs - Add/Remove Windows Components
Installation of Internet Information Services
Under "Details" we must also install "File Transfer Protocol (FTP) Service"
Now we are halfway there. For FTP to work we also need to configure Windows Firewall. We find it under: Control Panel - Network Connections - select "Properties" on Local Area Connection
Example of Local Area Connection properties
We select "Advanced" and add port 20 and port 21
Example of adding (opening) port 21 in Windows Firewall
And that is it - we can now use active FTP to transfer files to our machine.
Setting passive FTP on windows IIS6 and IIS7 with windows firewall
Passive FTP is a little bit more complicated, because we have to open port 21 and ports higher than 1023 (port number > 1023). Here we can tweak our Windows FTP service a little bit.
We can tell IIS which ports to use for passive FTP connections.
So we can set the FTP port range to use, for example, only 20 ports for passive connections. We start cmd (the Windows command prompt), go to the folder c:\Inetpub\AdminScripts, and there we have the adsutil.vbs script to help us set the port range.
The command-line we use is: adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5520"
Example of setting the passive FTP port range for 20 ports (5500-5520)
WScript window - not working
So we let the script be registered for VBScript
Successfully registered CScript
If CScript is not registered with VBScript then we let it register
Now all that is left is to restart the FTP service under the IIS Control Panel and open ports 5500, 5501, 5502 ... 5520.
The list of ports enabled in Windows should look something like this
This tutorial can be used with Windows Server 2003, Windows Server 2000, Windows XP and Windows XP Professional. If you find this tutorial useful, please add a link to it http://www.velikan.net/iis-pasive-ftp so other people will also find this tutorial page.
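To check that the firewall openings really match the configured passive range, the comparison can be scripted. This is an added example, not part of the original tutorial: it parses the PassivePortRange value used above (the range is inclusive, so "5500-5520" covers 21 ports) and compares it with a list of opened TCP ports. The function names and the sample firewall list are constructed, and the lower bound of 1024 is taken from the tutorial's "port number > 1023".

```python
def parse_passive_range(value):
    """Parse a PassivePortRange string such as "5500-5520" (inclusive)."""
    low_s, sep, high_s = value.strip().strip('"').partition("-")
    low_s, high_s = low_s.strip(), high_s.strip()
    if not sep or not low_s.isdigit() or not high_s.isdigit():
        raise ValueError("expected LOW-HIGH, got %r" % value)
    low, high = int(low_s), int(high_s)
    if not (1023 < low <= high <= 65535):
        raise ValueError("range must lie in 1024-65535 with LOW <= HIGH: %r" % value)
    return range(low, high + 1)

def audit_firewall(passive_range, opened_tcp_ports, control_port=21):
    """Compare opened TCP ports with what passive FTP needs on the server."""
    required = set(parse_passive_range(passive_range)) | {control_port}
    opened = set(opened_tcp_ports)
    return {
        "required": len(required),
        # Passive ports the server may hand out but the firewall still blocks.
        "missing": sorted(required - opened),
        # High ports left open that the passive range does not need.
        "stray_high_ports": sorted(p for p in opened - required if p > 1023),
    }

# Constructed firewall state: 5520 was forgotten and 6000 was left open.
OPENED = [20, 21] + list(range(5500, 5520)) + [6000]

if __name__ == "__main__":
    report = audit_firewall("5500-5520", OPENED)
    print("ports required:", report["required"])
    print("missing:", report["missing"])
    print("stray high ports:", report["stray_high_ports"])
```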
Updates and upgrades FTP
27.10.2009 - Thanks to Mike and his remark (we updated post):
Hi -- I found a very useful post on your site but it looks like the directions omitted using the word 'set' in line: "The command-line we use is: adsutil.vbs /MSFTPSVC/PassivePortRange "5500-5520" it needs to be: The command-line we use is: adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5520" this page is located: http://www.velikan.net/iis-passive-ftp/ other than that great post. Mike