Thursday, 29 January 2009

Enabling Passive FTP on Windows 2003 with Windows Firewall

After much searching I have finally (!) located the best way of enabling passive FTP through Windows Firewall.

On Windows 2003 Server with IIS6
To Enable Direct Metabase Edit

  • Open the IIS Microsoft Management Console (MMC).

  • Right-click on the Local Computer node.

  • Select Properties.

  • Make sure the Enable Direct Metabase Edit checkbox is checked.

Configure PassivePortRange via ADSUTIL script

  • Click Start, click Run, type cmd, and then click OK.

  • Type cd Inetpub\AdminScripts and then press ENTER.

  • Type the following command, with the port range given inside the quotation marks:
    cscript.exe adsutil.vbs set /MSFTPSVC/PassivePortRange "5001-5201"

  • Restart the FTP Publishing Service.
    You'll see the following output, when you configure via ADSUTIL script:
    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
    PassivePortRange : (STRING) "5001-5201"

Add each port to the Windows Firewall

  • Click Start, click Control Panel, open Windows Firewall, and select the Exceptions tab.

  • Click the Add Port button.

  • Enter a Name for the Exception and the first number in the port range.

  • Click TCP if not already selected and click OK.

  • Repeat for each port in the range - for large ranges see the end of the document.

  • Enable the Windows Firewall on the General Tab.
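
For large ranges, the IIS6 steps above (setting PassivePortRange, adding one firewall exception per port, restarting the service) can be run as a batch script. This is an added example, not part of the original post; the script name, the exception names and the Inetpub\AdminScripts location on the system drive are assumptions.

```batch
@echo off
rem Added example, not from the original post. Script name and the
rem exception names ("FTP passive NNNN") are assumptions.
rem Usage (administrator command prompt): pasvports.cmd 5001 5201
setlocal
if "%~2"=="" goto usage

rem set /a turns non-numeric text into 0, which the range check rejects.
set /a FIRST=%~1+0
set /a LAST=%~2+0

rem The FTP service only validates ranges from 5001 to 65535.
if %FIRST% LSS 5001 goto badrange
if %LAST% GTR 65535 goto badrange
if %FIRST% GTR %LAST% goto badrange

rem Set the range in the IIS6 metabase, then read it back to confirm.
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
cscript.exe //nologo "%ADSUTIL%" set /MSFTPSVC/PassivePortRange "%FIRST%-%LAST%"
cscript.exe //nologo "%ADSUTIL%" get /MSFTPSVC/PassivePortRange

rem netsh firewall takes one port per exception, so loop over the range.
rem Where all clients are on the local subnet, append scope=SUBNET.
for /L %%P in (%FIRST%,1,%LAST%) do (
    netsh firewall add portopening protocol=TCP port=%%P name="FTP passive %%P" mode=ENABLE >nul
    if errorlevel 1 echo Failed to open TCP port %%P
)

rem Restart the FTP Publishing Service so the new range takes effect.
net stop msftpsvc
net start msftpsvc

rem List the exceptions now in place for review.
netsh firewall show portopening
goto :eof

:usage
echo Usage: %~nx0 first-port last-port
goto :eof

:badrange
echo Range must satisfy 5001 ^<= first ^<= last ^<= 65535.
goto :eof
```

Every port in the range becomes a standing inbound exception, so keep the range only as wide as the expected number of simultaneous passive transfers requires.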

On Windows 2000 Server with IIS5
Configure PassivePortRange via Registry Editor

  • Start Registry Editor (Regedt32.exe).

  • Locate the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters\

  • Add a value named "PassivePortRange" (without the quotation marks) of type REG_SZ.

  • Close Registry Editor.

  • Restart the FTP Publishing Service.
    Note: The range that FTP will validate is from 5001 to 65535.

Thank you to for the heads up.
