
WebTopics

IIS and ASP.NET Information and Tips from Microsoft Developer Support

Limiting Passive FTP Port Range on IIS 7.0 / IIS 6.0 / IIS 5.0
Passive FTP uses a range of ports to transfer data. This can be a problem because the port range that IIS uses has to be opened at the firewall. Many administrators would like to limit the range to specific values so that they have better control over the ports that need to be opened on the firewall. IIS can be configured to limit the port range, but the configuration has changed across IIS versions. Here is how to configure the port range (say 5500-5525) on IIS 5.0 / IIS 6.0 / IIS 7.0.

IIS 5.0
=======

- On IIS 5.0 the Passive FTP Port range is controlled via a registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters\
PassivePortRange        REG_SZ          5500-5525

IIS 6.0
=======

- On IIS 6.0 the Passive FTP port range is controlled via a metabase key

/MSFTPSVC/PassivePortRange

adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5525"

IIS 7.0
=======
- IIS 7.0 has two FTP services available

1. Classic FTP Service
-------------------------------------
- The classic FTP service is similar to the one in IIS 6.0 and requires IIS 6.0 Metabase compatibility to be installed
- Here the Passive FTP port range is controlled via the metabase key

/MSFTPSVC/PassivePortRange

- Similar to IIS 6.0

2. FTP7 Module
--------------------------
- This is an out-of-band module that ships as an add-on
- The FTP7 module is used when FTP over SSL is required
- Here the Passive FTP port range is controlled via an entry in applicationHost.config
- You can also set this using the IIS Manager UI:

Global Level (Server name) > FTP Firewall Support > Data Channel Port Range
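
Whichever IIS version is in use, it is worth confirming from a client that the server really hands out data ports inside the range opened on the firewall. The following is an added example, not part of the original post: it parses the `227` replies to `PASV` and reports any advertised port outside 5500-5525. The function names, the sample replies and the host and credentials in the comments are assumptions made for the illustration.

```python
import re
from ftplib import FTP

LOW, HIGH = 5500, 5525  # range used in this post; match your firewall rule

# Constructed sample replies (192.0.2.10 is a documentation address).
CONSTRUCTED_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,21,124).",  # 21*256+124 = 5500
    "227 Entering Passive Mode (192,0,2,10,21,149).",  # 21*256+149 = 5525
    "227 Entering Passive Mode (192,0,2,10,192,10).",  # 192*256+10 = 49162
]

# A PASV reply carries h1,h2,h3,h4,p1,p2: four address bytes, two port bytes.
_TUPLE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1*256 + p2."""
    match = _TUPLE.search(reply)
    if not reply.startswith("227") or not match:
        raise ValueError("not a usable PASV reply: %r" % reply)
    nums = [int(n) for n in match.groups()]
    if max(nums) > 255:
        raise ValueError("byte value out of range in: %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def out_of_range(replies, low=LOW, high=HIGH):
    """Return the advertised data ports that fall outside low..high."""
    ports = [parse_pasv(r)[1] for r in replies]
    return [p for p in ports if not low <= p <= high]


def sample_server(host, user, password, attempts=10):
    """Log in to a server you administer and collect raw PASV replies."""
    with FTP(host, timeout=10) as ftp:
        ftp.login(user, password)
        return [ftp.sendcmd("PASV") for _ in range(attempts)]


if __name__ == "__main__":
    # Offline run on the constructed replies; for a live check use
    # out_of_range(sample_server("ftp.example.test", "user", "password")).
    print("ports outside %d-%d: %s"
          % (LOW, HIGH, out_of_range(CONSTRUCTED_REPLIES)))
```

An empty result means every sampled reply advertised a port inside the configured range; any port listed is one the firewall rule would not cover.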

Cross posted from Vijay's Blog

Posted: Wednesday, May 14, 2008 1:16 AM by vijaysk

Comments

Bernard Cheah said:

Great stuff, but my understanding is that passive port range is valid from 5000 to 65535.

# May 14, 2008 4:33 AM

Server: Microsoft-IIS/7.0\r\n said:

Years ago, I wrote the KB on passive port range at MSKB site - How To Configure PassivePortRange In IIS

# May 14, 2008 4:39 AM

NameIsNotRequired said:

For so many years you guys have kept this miserable FTP service, and you cannot even provide a correct passive port range...

# October 22, 2008 2:34 PM

Mike Laing said:

Thanks for pointing this out, Bernard. I spoke with the author (Vijay) and he's going to update the article.

# October 22, 2008 3:20 PM

Eric said:

I've been experimenting, and it seems like the latest version of the FTP7 module under Server 2008 is not honoring any of the port range settings above, and is instead using any Windows-allocated dynamic port (a la http://support.microsoft.com/kb/929851/). I looked it up in the applicationHost.config file (this is the first I've heard of it) and it looks correct. The IIS UI lets me configure the PASV ports on the site defaults, but is greyed out on the site details. (I've checked that the IP address setting DOES work correctly.)

# April 23, 2009 2:32 AM