Two key items need to be completed for this:
- Configure FTP to use a specific range of passive ports so only a short range need be allowed through Windows Firewall.
- Setup the passive FTP port range to work through Windows Firewall.
Configure FTP to use a restricted range of passive FTP ports
By default passive FTP under IIS 6 will use a port in the range 1024 – 65535.
When setting your own range of ports the range must be within 5001 – 65535.
Enable Direct Metabase Edit in IIS
1. Open the IIS Microsoft Management Console (MMC).
2. Right-click on the Local Computer node.
3. Select Properties.
4. Make sure the Enable Direct Metabase Edit checkbox is checked.
Configure PassivePortRange via ADSUTIL script
1. Click Start, click Run, type cmd, and then click OK.
2. Set the directory to Inetpub\AdminScripts. Depending on your system configuration this can either be achieved by entering cd Inetpub\AdminScripts and then pressing ENTER or cd C:\Inetpub\AdminScripts and pressing ENTER or locate the path for your system.
3. Type the following command and press ENTER (replace the range 5500-5700 with the port range you wish to use): adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700"
4. Restart the FTP service.
BEWARE the port range must be separated by a – and not a comma, must be enclosed by double quotes and must not overlap with a range in use by any other application. Failing to comply with any of these restrictions will mean the FTP service will not start, if you attempt to restart IIS none of the IIS services will start until you have resolved the issue. Should this happen go back to the command prompt mentioned above, browse to the AdminScripts folder, enter adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700" and press ENTER, the FTP service will now start while you work out what went wrong.
Configure Windows Firewall
You will need to add your range of ports as exceptions in Windows Firewall.
1. Click Start, click Run, type cmd and then click OK.
2. Type in the following and hit ENTER (replace the port numbers with the range you are using): FOR /L %I IN (5500,1,5700) DO netsh firewall add portopening TCP %I "Passive FTP"%I
3. Each port will be added with an OK confirmation.
Final steps for firewall configuration:
1. Manually add an exception for TCP port 21.
2. Make sure that the FTP server option IS NOT ticked under Network Connection Settings in Windows Firewall, if it is then your passive FTP port range will be ignored – strange but true! The network connection settings can be found by opening Windows Firewall in Control Panel, select the Advanced tab, select each connection in turn, click Settings, ensure the box next to “FTP Server” is not ticked.
Thanks to John.Geek.NZ for the heads up on the last Windows Firewall gotcha.