IIS 5.0 ======= - On IIS 5.0 the Passive FTP Port range is controlled via a registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\ParametersPassivePortRange REG_SZ 5500-5525
IIS 6.0 ======= - On IIS 6.0 the Passive FTP port range is controlled via a metabase key
adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5525"
IIS 7.0 ======= - IIS 7.0 has two FTP services available
1. Classic FTP Service ------------------------------------- - The classic FTP service is similar to IIS 6.0 and requires IIS 6.0 Metabase compatibility to be installed - Here the Passive FTP port range is controlled via the metabase key
- Similar to IIS 6.0
2. FTP7 Module -------------------------- - This is an OutOfBand Module that is shipped as an addon - FTP7 module is used when SSL over FTP is required - Here the Passive FTP port range is controlled via an entry in applicationHost.config - You can also set this using the IIS Manager UI
Global Level (Server name) > FTP Firewall Support > Data Channel Port Range
Cross posted from Vijay's Blog
Great stuff, but my understanding is that passive port range is valid from 5000 to 65535.
Years ago, I wrote the KB on passive port range at MSKB site - How To Configure PassivePortRange In IIS
For so many years you guys have kept this miserable FTP service, and you cannot even provide a correct passive port range...
Thanks for pointing this out, Bernard. I spoke with the author (Vijay) and he's going to update the article.
I've been experimenting, and it seems like the latest version of the FTP7 module under Server 2008 is not honoring any of the port range settings above, and is instead using any windows-allocated dynamic port (a la http://support.microsoft.com/kb/929851/). I looked it up in the applicationHost.config file (this is the first I've heard of it) and it looks correct. The IIS UI lets me configure the PASV ports on the site defaults, but is greyed out on the site details. (I've checked that the IP address setting DOES work correctly.)
Following up on Eric's post, I found the following worked on my IIS7 farm which updates the applicationHost.config file programmatically from a batch script.
%windir%\system32\inetsrv\appcmd.exe set config -section:system.ftpServer/firewallSupport /lowDataChannelPort:"5001" /commit:apphost
%windir%\system32\inetsrv\appcmd.exe set config -section:system.ftpServer/firewallSupport /highDataChannelPort:"5200" /commit:apphost