Earlier this week, I set up a new server with Windows 2008 x64 Enterprise to use with Windows SharePoint Services (WSS 3.0). In order to upload our custom solutions I had to enable FTP through IIS v6. Everything seemed straightforward. I could connect to FTP with appropriate credentials but could not list contents or upload new items.
The problem was that random ports used by FTP could not get through Windows Firewall. An article at http://support.microsoft.com/kb/832017 explains how FTP uses the default dynamic port range 49152 to 65535.
One solution would be to manually open each and every port in the Windows Firewall exceptions. The tedium of this solution would surely lead to madness.
The solution I implemented was to limit the number of passive connections available, specify which ports are to be used, and allow those ports through the firewall.
In IIS v6 Manager, I brought up the properties for my FTP server.
I ensured that “Enable Direct Metabase Edit” was checked and clicked OK.
Next I ran a short script that designated which ports FTP Passive will use. The script also automatically added the ports to the Windows Firewall exceptions.
I pasted something like this script into a .bat file and ran it (I changed the port ranges to protect the innocent). It’s an adaptation of a script found at http://www.tino.nl/index.php/2008/12/19/passive-ftp-on-windows-server-2003-with-windows-firewall/
REM Set the passive port range in the IIS metabase (adsutil.vbs is run under cscript so it works from a batch file instead of prompting under wscript)
ECHO Updating FTP Registry Values
cscript C:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "42000-42199"
REM Open each port in the range as its own Windows Firewall exception (legacy "netsh firewall" syntax)
ECHO OPENING FIREWALL PORTS
FOR /L %%I IN (42000,1,42199) DO NETSH FIREWALL ADD PORTOPENING TCP %%I FTPPort%%I
Upon inspecting Windows Firewall, I confirmed that the ports had been correctly added and I was able to connect with an FTP client.
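As an added example (not the script from the post or from tino.nl), the same configuration with a tighter 20-port range, opened as a single firewall rule using the "netsh advfirewall" syntax that Windows Server 2008 provides, followed by a check that the metabase value and the rule agree. It assumes the IIS 6 FTP service (MSFTPSVC) and the default AdminScripts path; the port range and rule name are constructed values.

```batch
@ECHO OFF
REM Added example, not the original post's script. Assumes IIS 6 FTP (MSFTPSVC)
REM and adsutil.vbs in the default C:\Inetpub\AdminScripts path.
SET PASV_LOW=42000
SET PASV_HIGH=42019
SET RULE_NAME=FTP Passive %PASV_LOW%-%PASV_HIGH%

ECHO Setting MSFTPSVC PassivePortRange to %PASV_LOW%-%PASV_HIGH%
cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "%PASV_LOW%-%PASV_HIGH%"
IF ERRORLEVEL 1 (ECHO adsutil.vbs failed & EXIT /B 1)

ECHO Restarting the FTP service so it reads the new range
NET STOP MSFTPSVC
NET START MSFTPSVC

ECHO Opening inbound TCP %PASV_LOW%-%PASV_HIGH% as one rule instead of one exception per port
NETSH ADVFIREWALL FIREWALL ADD RULE name="%RULE_NAME%" dir=in action=allow protocol=TCP localport=%PASV_LOW%-%PASV_HIGH%
IF ERRORLEVEL 1 (ECHO firewall rule creation failed & EXIT /B 1)

ECHO Verification: the metabase range and the firewall rule should show the same ports
cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs get /MSFTPSVC/PassivePortRange
NETSH ADVFIREWALL FIREWALL SHOW RULE name="%RULE_NAME%"
```

Keeping the range to the number of simultaneous passive data connections you actually expect is what limits the firewall exposure; a single named rule is also easier to audit and remove later than hundreds of per-port exceptions.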
This process has some security benefits:
1. It allows you to designate a non-standard port for FTP if you wish.
2. You can control exactly which FTP Passive ports to use, requiring fewer ports to be open through the firewall.