IIS and ASP.NET Information and Tips from Microsoft Developer Support

Limiting Passive FTP Port Range on IIS 7.0 / IIS 6.0 / IIS 5.0

Limiting Passive FTP Port Range on IIS 7.0 / IIS 6.0 / IIS 5.0

  • Comments 6
Passive FTP uses a range of ports to transfer data. This can be a problem because the port range that IIS uses has to be opened up at the Firewall. Many administrators would like to limit the port range between specific values so that they can have a better control on the ports that need to be opened on the Firewall. IIS can be configured to limit the port range but with multiple versions of IIS the configuration has changed a bit. So here is how you configure the port range (say 5500-5525) on IIS 5.0 / IIS 6.0 / IIS 7.0 

IIS 5.0

- On IIS 5.0 the Passive FTP Port range is controlled via a registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\ParametersPassivePortRange        REG_SZ          5500-5525

IIS 6.0

- On IIS 6.0 the Passive FTP port range is controlled via a metabase key


adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5525"

IIS 7.0
- IIS 7.0 has two FTP services available

1. Classic FTP Service
- The classic FTP service is similar to IIS 6.0 and requires IIS 6.0 Metabase compatibility to be installed
- Here the Passive FTP port range is controlled via the  metabase key


- Similar to IIS 6.0

2. FTP7 Module
- This is an OutOfBand Module that is shipped as an addon
- FTP7 module is used when SSL over FTP is required
- Here the Passive FTP port range is controlled via an entry in applicationHost.config
- You can also set this using the IIS Manager UI

Global Level (Server name) > FTP Firewall Support > Data Channel Port Range

Cross posted from Vijay's Blog

Leave a Comment
  • Please add 1 and 6 and type the answer here:
  • Post
  • Great stuff, but my understanding is that passive port range is valid from 5000 to 65535.

  • Years ago, I wrote the KB on passive port range at MSKB site - How To Configure PassivePortRange In IIS

  • For so many years you guys have kept this miserable FTP service, and you cannot even provide a correct passive port range...

  • Thanks for pointing this out, Bernard.  I spoke with the author (Vijay) and he's going to update the article.  

  • I've been experimenting, and it seems like the latest version of the FTP7 module under Server 2008 is not honoring any of the port range settings above, and is instead using any windows-allocated dynamic port (a la http://support.microsoft.com/kb/929851/). I looked it up in the applicationHost.config file (this is the first I've heard of it) and it looks correct. The IIS UI lets me configure the PASV ports on the site defaults, but is greyed out on the site details. (I've checked that the IP address setting DOES work correctly.)

  • Following up on Eric's post, I found the following worked on my IIS7 farm which updates the applicationHost.config file programmatically from a batch script.

    %windir%\system32\inetsrv\appcmd.exe set config -section:system.ftpServer/firewallSupport /lowDataChannelPort:"5001" /commit:apphost

    %windir%\system32\inetsrv\appcmd.exe set config -section:system.ftpServer/firewallSupport /highDataChannelPort:"5200" /commit:apphost

Page 1 of 1 (6 items)