Kevin Mocha - Enable Passive Mode in IIS6 FTP Service.
Bookmarks collected from the web.
 
 Friday, April 04, 2008

Windows 2003 Server SP1 Firewall Modification for Passive or PASV FTP Connections

(Portions of this document are paraphrased from or directly copied from Microsoft KB article 555022 by Bernard Cheah, MVP.)

Passive (PASV) mode FTP is normally required by clients that sit behind a NAT firewall or router, because those devices cannot accept the inbound data connection that active mode would have the server open toward the client. In passive mode the client connects to the control port (TCP 21) and issues a PASV command; the server replies with an address and a port in the 1024-65535 range, and the client then opens the data connection to that port on the server. (In active mode the roles are reversed: the client names a port with the PORT command and the server connects out to it, which is exactly what fails through NAT.) The Windows Firewall that shipped with Windows Server 2003 SP1 blocks those inbound data connections unless exceptions exist for the ports the server announces.

The metabase property PassivePortRange controls which ports the FTP service hands out in its PASV replies. Restricting it to a small range limits the firewall exposure to those ports instead of the whole 1024-65535 range, and it is what keeps the number of firewall exceptions manageable. The property exists only in IIS 6.0. On Windows 2000 with IIS 5.0 the same behaviour can be added by installing Service Pack 4 and creating the PassivePortRange value in the registry. Allow at least two ports in the range for each concurrent FTP connection you expect.

On Windows 2003 Server with IIS6

  • To Enable Direct Metabase Edit
    1. Open the IIS Microsoft Management Console (MMC).
    2. Right-click on the Local Computer node.
    3. Select Properties.
    4. Make sure the Enable Direct Metabase Edit checkbox is checked.
  • Configure PassivePortRange via the ADSUTIL script
    1. Click Start, click Run, type cmd, and then click OK.
    2. Type cd \Inetpub\AdminScripts and then press ENTER.
    3. Type the following command, where the range is given in quotes:
       cscript.exe adsutil.vbs set /MSFTPSVC/PassivePortRange "5001-5201"
    4. Restart the FTP Publishing Service.
    When you configure via the ADSUTIL script you'll see the following output:
    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
    PassivePortRange : (STRING) "5001-5201"

Adding 201 exception rules by hand through the Exceptions tab is crazy, but disabling the Windows Firewall, even temporarily, is not the answer: it removes protection from every other service on the host, not just FTP. Choose a range no larger than the concurrency you actually need, and add the exceptions from a script (netsh firewall add portopening can be called in a for /L loop) rather than clicking through each one.

  • Add each port to the Windows Firewall
    1. Click Start, click Control Panel, open Windows Firewall, and select the Exceptions tab.
    2. Click the Add Port button.
    3. Enter a Name for the Exception and the first number in the port range.
    4. Click TCP if not already selected and click OK.
    5. Repeat for each port in the range. For large ranges this is tedious by hand; the netsh firewall add portopening command adds the same exception from a script.
    6. Enable the Windows Firewall on the General Tab.
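The whole procedure above, scripted so the firewall never has to be switched off. This is an added example, not code from the original post or from KB 555022; the range 5001-5020, the exception names and the decision to also open the control port 21 are assumptions chosen for illustration, and the script is meant to run in a cmd prompt on the IIS host under an account with local administrator rights.

```batch
@echo off
REM Added example: configure PassivePortRange and open exactly that range
REM in the Windows Firewall on Windows Server 2003 SP1 / IIS 6.0.
REM Assumptions: the range 5001-5020 and the exception names are arbitrary;
REM port 21 is opened because PASV still needs the control connection.
setlocal
set PASV_LOW=5001
set PASV_HIGH=5020
set ADSUTIL=%systemdrive%\Inetpub\AdminScripts\adsutil.vbs

REM 1. Tell the FTP service which data ports it may hand out in 227 replies.
cscript.exe //nologo %ADSUTIL% set /MSFTPSVC/PassivePortRange "%PASV_LOW%-%PASV_HIGH%"
if errorlevel 1 goto :fail

REM 2. Restart the FTP Publishing Service so the new range takes effect.
net stop msftpsvc
net start msftpsvc

REM 3. Open the control port and only the announced data range; the firewall
REM    stays enabled the whole time.
netsh firewall add portopening protocol=TCP port=21 name="FTP control" mode=ENABLE scope=ALL
for /L %%p in (%PASV_LOW%,1,%PASV_HIGH%) do (
  netsh firewall add portopening protocol=TCP port=%%p name="FTP PASV %%p" mode=ENABLE scope=ALL
)

REM 4. Read the setting back and list the exceptions so the result can be checked.
cscript.exe //nologo %ADSUTIL% get /MSFTPSVC/PassivePortRange
netsh firewall show portopening
endlocal
goto :eof

:fail
echo adsutil.vbs failed; check that IIS 6.0 is installed and the path above is correct.
endlocal
exit /b 1
```

If the range is later narrowed, the old exceptions do not disappear with it; remove each one with netsh firewall delete portopening protocol=TCP port=N, otherwise ports the FTP service no longer uses stay open to the network.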
Copyright © 2008 Kevin Mocha. All rights reserved.