Ken Robertson's Blog

Ramblings of a .NET developer

FTP server and Windows 2003 firewall

Does anyone know how to set up the firewall on Windows Server 2003 (Administrative Tool | Routing and Remote Access) to allow an FTP server to be run on a port other than 21 and to still support passive FTP?

I can't use active FTP, since at home I am behind a cable router.  Using passive FTP only works as long as I have the FTP server running on port 21.  If I change the server to run on another port and allow that port through on the firewall, I can connect, but no passive transfers work.  The default "FTP Server" entry in the firewall services list is fixed to port 21.  So it seems it knows when to open ports for an FTP server, but I cannot find a way to get it to do that if the FTP server is on another port.

Anyone know how to change this?

Posted: Feb 17 2005, 02:57 PM by qgyen | with 15 comment(s)
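
Added example, not part of the original post: a small Python model of the symptom described above. In passive mode the server announces the data port in its 227 (or 229) reply on the control connection, so a firewall helper that only inspects port 21 never learns that port once the control port is moved. The sample replies, the port 2121 and the passive range 50000-50100 are constructed assumptions, and `data_channel_allowed` is a hypothetical toy model, not the behaviour of any specific Windows component.

```python
import re

# Constructed sample replies in the RFC 959 (PASV) and RFC 2428 (EPSV) formats.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)"

_PASV = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))
_EPSV = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def passive_endpoint(reply):
    """Return (host, port) for the data connection; host is None for EPSV,
    where the client reuses the control connection's address."""
    m = _PASV.match(reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if max(nums) > 255:
            raise ValueError("field out of range in 227 reply")
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = _EPSV.match(reply)
    if m and 0 < int(m.group(2)) < 65536:
        return None, int(m.group(2))
    raise ValueError("not a valid passive-mode reply")


def data_channel_allowed(control_port, reply, open_ranges, helper_ports=(21,)):
    """Toy model of the firewall in front of the server.

    open_ranges  -- statically allowed inbound TCP ranges, as (low, high)
    helper_ports -- control ports the FTP helper inspects; for those it reads
                    the reply and opens the announced data port on the fly
    """
    _, data_port = passive_endpoint(reply)
    if control_port in helper_ports:
        return True
    return any(low <= data_port <= high for low, high in open_ranges)


def demo():
    # Assumption: in the last case the server's passive range is pinned to 50000-50100.
    return {
        "port 21, helper active": data_channel_allowed(21, PASV_REPLY, [(21, 21)]),
        "port 2121, control port only": data_channel_allowed(2121, PASV_REPLY, [(2121, 2121)]),
        "port 2121, passive range opened": data_channel_allowed(
            2121, PASV_REPLY, [(2121, 2121), (50000, 50100)]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'data connection passes' if ok else 'data connection blocked'}")
```

The middle case is the situation in the post: the control connection on the moved port is accepted, but the announced data port matches no rule, so listings and transfers hang.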

Comments

denny said:

what do you mean by "I am behind a cable router" ??

a NAT box? a Linksys/Dlink/ firewall box??

also are you saying that you need for a remote user to transfer files to/from your server??

and who is your ISP/cable co. ??

are they blocking ports at the headend??

what about a VPN?

are you on a dynamic IP ??

depending on some of the answers there are several ways to get what you need.

if you want to take this off your blog then email me denny at my domain name
PS: my web server is down right now but I am figuerres.com
# February 17, 2005 7:43 PM

Paul D. Murphy said:


FTP uses port 21 for connections and port 20 for negotiation. Depending on the configuration it will also often negotiate a high port for transfers. You really need a 'real' firewall to properly expose FTP.
# February 18, 2005 12:32 AM

Ken Robertson said:

> what do you mean by "I am behind a cable router" ??
> a NAT box? a Linksys/Dlink/ firewall box??

Yes, just a basic "cable/DSL router". Mine is Linksys.

> also are you saying that you need for a remote user to transfer files to/from your server??

I'm the remote user and I want to be able to FTP files up to my server.

> and who is your ISP/cable co. ??
> are they blocking ports at the headend??

That doesn't matter. Active FTP simply won't work because the little router wouldn't know who the connection is supposed to go to, since there are multiple computers behind it.

> what about a VPN?

Don't want to have to open a VPN connection. Then all my net traffic starts to route through the server and some open connections (like IM) close out/reconnect and then alert me because multiple users are logged in (since the old one wouldn't timeout by then). Always a hassle for simple stuff.

> are you on a dynamic IP ??

No.


The question is pretty simple... how can you tell the Windows firewall/routing stuff that FTP is going to be on a port other than 21 so it'll know how to handle passive connections? This is primarily so I can connect to my colocated server without having the standard FTP port open for people to probe. Not worth buying another firewall app. I have ISA server (since the server is running SBS2003), but it is way overkill for my needs. Exchange for just me is already overkill.
# February 18, 2005 1:21 AM

Richard Tallent said:

Why not just configure the router for static port forwarding and then run active FTP? This is what I do for FTP, HTTP, and RDP on my machine, and all I have is a cheap Linksys router.
# February 20, 2005 4:44 PM

Ahmed Mahdy said:

Try Windows Server 2003 Service Pack 1 RC2. It has a built-in firewall (like the one in the Windows XP Service Pack 2) which doesn't conflict with other applications.
# February 25, 2005 7:56 AM

Kay Ess said:

If you're having that trouble with VPN it's because you haven't turned off the 'Use default gateway' on the VPN connection's TCP/IP properties (you need to go to the Advanced tab).

With that turned off then only traffic for the subnet on the end of the VPN connection will be routed there and you will use the gateway specified on your main TCP/IP connection for other traffic.
# March 10, 2005 10:13 AM

TrackBack said:

^_^,Pretty Good!
# April 10, 2005 8:11 AM

peter said:

How to configure a firewall for ftp server, see www.raidenftpd.com/.../howto-configure-firewall.html

# November 1, 2007 12:57 PM

miagale said:

well written, It helped me a lot.

# July 19, 2010 7:07 AM

WFiskum said:

In order to allow the Windows Server to act as an FTP server, there are actually two things that need to occur on the firewall settings:

1) With the Firewall on, click on the Exceptions tab and then click "Add Port", name the port FTP and put 20 in the port number.  Then click "Ok".  Click "Add Port" again and name the second exception FTP2 and put 21 in the port number, then click "Ok".

2) Windows Firewall will still not allow FTP connections until you do this: On the Advanced tab of Windows Firewall, in the "Network Settings" box, click on "Local Area Connection" then the Settings button.  On the Services tab, check the box next to "FTP Server" and click "Ok", then "Ok" again to exit Windows Firewall and voilà, the Windows server will allow FTP connections.

# February 22, 2012 4:00 PM

virus removal said:

Thanks, I have the same doubt and your post solved the issue. Thanks for the useful answers.

# June 18, 2012 6:20 AM

Mike Vincent said:

It’s actually a cool and helpful piece of info. I’m glad that you shared this useful info with us.

Please keep us up to date like this.

Thanks for sharing.

# February 7, 2013 2:32 PM

Scott Byer said:

I understand

Thanks for proving information about Saving Money & Investing Money. Good to read this article :)

Thank you

# February 28, 2013 2:06 PM