14 May 2008

Limiting Passive FTP Port Range on IIS 7.0 / IIS 6.0 / IIS 5.0

Passive FTP uses a range of ports to transfer data. This can be a problem because the port range that IIS uses has to be opened at the firewall. Many administrators would like to limit the port range to specific values so that they have better control over which ports need to be opened on the firewall. IIS can be configured to limit the port range, but the configuration differs between versions of IIS. Here is how to configure the port range (say 4000-4025) on IIS 5.0 / IIS 6.0 / IIS 7.0.

IIS 5.0
=======

- On IIS 5.0 the Passive FTP Port range is controlled via a registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters\
PassivePortRange        REG_SZ          4000-4025

IIS 6.0
=======

- On IIS 6.0 the Passive FTP port range is controlled via a metabase key

/MSFTPSVC/PassivePortRange

adsutil.vbs set /MSFTPSVC/PassivePortRange "4000-4025"

IIS 7.0
=======
- IIS 7.0 has two FTP services available

1. Classic FTP Service
-------------------------------------
- The classic FTP service is similar to IIS 6.0 and requires IIS 6.0 Metabase compatibility to be installed
- Here the Passive FTP port range is controlled via the metabase key

/MSFTPSVC/PassivePortRange

- Similar to IIS 6.0

2. FTP7 Module
--------------------------
- This is an out-of-band module that ships as an add-on
- The FTP7 module is used when SSL over FTP is required
- Here the Passive FTP port range is controlled via an entry in applicationHost.config
- You can also set this using the IIS Manager UI

Global Level (Server name) > FTP Firewall Support > Data Channel Port Range
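
The FTP7 setting applied from the command line, as an added example that is not part of the original post. It writes the 4000-4025 range into the firewallSupport entry of applicationHost.config with appcmd, opens only that range on the Windows firewall, and restarts the FTP7 service; the firewall rule name is a constructed label.

```powershell
# Added example: limit the FTP7 passive data channel to 4000-4025 and open
# only that range on the Windows firewall. Run from an elevated prompt.
$low      = 4000
$high     = 4025
$ruleName = 'FTP7-Passive-Data'      # constructed name, pick your own
$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# Data channel ports must lie in 1025-65535 (0-0 means "use the Windows
# dynamic port range", which is the setting this procedure replaces).
if ($low -lt 1025 -or $high -gt 65535 -or $low -gt $high) {
    throw "Invalid passive port range: $low-$high"
}

# Writes <firewallSupport lowDataChannelPort="4000" highDataChannelPort="4025" />
# under <system.ftpServer> in applicationHost.config.
# Arguments are quoted so PowerShell passes them to appcmd unchanged.
& $appcmd set config '/section:system.ftpServer/firewallSupport' `
    "/lowDataChannelPort:$low" "/highDataChannelPort:$high" '/commit:apphost'
if ($LASTEXITCODE -ne 0) { throw "appcmd failed with exit code $LASTEXITCODE" }

# Print the section back so the stored range can be checked by eye.
& $appcmd list config '/section:system.ftpServer/firewallSupport'

# Allow inbound TCP on the passive range only; nothing else is opened here.
& netsh advfirewall firewall add rule "name=$ruleName" dir=in action=allow `
    protocol=TCP "localport=$low-$high"
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# Restart the FTP7 service (service name ftpsvc) so it picks up the new range.
Restart-Service ftpsvc
```

The same range still has to be allowed on any firewall in front of the server, which is the reason for limiting it in the first place.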

Comments

# Ingemars said:

I was searching for a way to limit the port range on IIS 5.0 to run a server behind a Cisco firewall for like a year and was told that there is no such thing.

Thanks!

13 June 08 at 11:10 AM
