Hybrid Cloud Hosting Blog

Configure your IIS Firewall for passive FTP connections

Posted October 15, 2014 by Chris Lewis


There are two types of data transfer commands. PORT (active) is used to have the server connect to the client, and PASV (passive) is used to have the client connect to the server – common when the client is behind a firewall that cannot be configured to forward ports to it.

When an FTP server is also placed behind a firewall, passive FTP connections can be severely disrupted unless you configure your firewall and FTP server appropriately. Otherwise, when a data connection is needed, the FTP server will choose a port at random and tell the client to connect to it. The firewall then blocks that connection and the client ‘times out’.

The firewall needs to be configured to allow access to the FTP server through a defined set of ports, and the server must be configured so that it knows the passive port range available to it.

Eventually, all devices conducting network address translation will have built-in capability for handling FTP sessions so PORT (Active) can be used, and all firewalls will have built-in capability for handling FTP sessions so PASV can be used as well. Meanwhile, you have to do a bit of DIY.


How do you go about this?

After setting the passive ports by following the steps given by Microsoft for Configuring FTP Firewall Settings in IIS 7, you will still need to enable passive connections.

Follow this procedure to make sure that when PASV requests a port, it gets one from the right range:

First, check the current ports using this command in the command prompt:

netsh int ipv4 show dynamicport tcp

Ports 49152:65534 are the most common; however, any are acceptable if configured correctly.

To set a range of, say, 5000-6000 the command would be:

netsh int ipv4 set dynamicport tcp start=5000 num=1000

Finally, run the first command again to show the configured ports and make sure the change has been applied. Because num is a count of ports, start=5000 num=1000 covers ports 5000 through 5999.
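To confirm the result from the client side as well, the following added example (not code from the original post) reads the range from the netsh output and checks the data ports a server advertises in its 227 PASV replies against it. It assumes, as the post describes, that PASV ports are drawn from this range; the sample netsh output, the sample replies and the function names are constructed for illustration.

```python
import re

# Constructed sample of `netsh int ipv4 show dynamicport tcp` output.
SAMPLE_NETSH = """\
Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 5000
Number of Ports : 1000
"""

# Constructed 227 replies, as an FTP client logs them after sending PASV.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,19,136)",  # 19*256+136 = 5000
    "227 Entering Passive Mode (203,0,113,10,23,111)",  # 5999
    "227 Entering Passive Mode (203,0,113,10,23,112)",  # 6000
    "227 Entering Passive Mode (203,0,113,10,192,5)",   # 49157
]


def dynamic_port_range(netsh_output):
    """Return (first, last) inclusive from netsh's start port and port count."""
    start = re.search(r"Start Port\s*:\s*(\d+)", netsh_output)
    count = re.search(r"Number of Ports\s*:\s*(\d+)", netsh_output)
    if not (start and count):
        raise ValueError("unrecognised netsh output")
    first = int(start.group(1))
    return first, first + int(count.group(1)) - 1


def pasv_endpoint(reply):
    """Return (host, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    m = re.match(r"227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range: %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def ports_outside_range(replies, netsh_output):
    """List the advertised data ports that fall outside the configured range."""
    first, last = dynamic_port_range(netsh_output)
    return [p for _, p in map(pasv_endpoint, replies) if not first <= p <= last]


if __name__ == "__main__":
    print(dynamic_port_range(SAMPLE_NETSH), ports_outside_range(SAMPLE_REPLIES, SAMPLE_NETSH))
```

Any port this reports is one the server offered for a data connection that a firewall rule matching the netsh range would not admit.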


IIS = Internet Information Services, an extensible web server created by Microsoft for use with the Windows NT family. IIS supports HTTP, HTTPS, FTP, FTPS, SMTP and NNTP.

FTP = File Transfer Protocol. The protocol was first standardized in the early 1970s, long before networks were protected by strict firewalls.

PASV (Passive) FTP connection = a connection where the client connects to the server rather than the other way around. It is required to transfer a file or data via FTP where the client is protected by a firewall and is unable to forward the correct ports to their machine.


Topics: Data Security