Configure the Data Channel Port Range

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

When you use a firewall in your network, you can limit the range of dynamic ports (also known as ephemeral ports) that can be used for passive connections in FTP. When a client issues a PASV command, the FTP server responds with a dynamic port to be used as the server-side port of the data connection. The default port range is configured in Windows TCP/IP settings.

Note

The dynamic port range in earlier versions of Windows was 1025-5000. This was changed in Windows Vista® and Windows Server® 2008 to comply with Internet Assigned Numbers Authority (IANA) recommendations about using ports. If you deploy Windows Vista or Windows Server 2008 in your network, and you use firewalls to restrict traffic on your internal network, you must update those firewalls with the new port range. For more information, see "The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008" on the Microsoft Help and Support site.

You should configure your firewall to accept traffic over a smaller range of ports. Then configure the Data Channel Port Range for the FTP server so only that range of ports is used for passive connections.

To configure the data channel port range

  1. Open IIS Manager.

  2. In the Connections pane, select the server node.

  3. In Features View, double-click FTP Firewall Support.

  4. In the Data Channel Port Range box, type a range of port numbers (separated by a hyphen). For example, type 5000-6000. Or type 0-0 to use the default port range specified in Windows TCP/IP settings.

Note

Do not use ports 0-1024 because these are reserved ports.

  5. In the Actions pane, click Apply.
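
The same server-level setting can be applied from a script, which makes it easier to keep the FTP range identical to the range your firewall allows. The following PowerShell is an added example, not part of the original procedure: it validates the range against the rules above before writing it with appcmd, then reads the setting back. It assumes appcmd.exe is in its default inetsrv folder and that the FTP service is named ftpsvc.

```powershell
# Added example. Run from an elevated prompt on the FTP server.
$PortRange = '5000-6000'   # same "low-high" text you would type in the Data Channel Port Range box

if ($PortRange -notmatch '^(\d{1,5})-(\d{1,5})$') {
    throw "Expected a range such as 5000-6000, got '$PortRange'."
}
$low  = [int]$Matches[1]
$high = [int]$Matches[2]

# 0-0 is the documented way to fall back to the Windows TCP/IP dynamic range.
$useDefault = ($low -eq 0 -and $high -eq 0)
if (-not $useDefault) {
    if ($low -le 1024)   { throw "Ports 0-1024 are reserved; start the range above 1024." }
    if ($high -gt 65535) { throw "Port numbers cannot exceed 65535." }
    if ($low -gt $high)  { throw "Low port $low is greater than high port $high." }
}

$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# Server-level setting, so commit to applicationHost.config.
& $appcmd set config '-section:system.ftpServer/firewallSupport' `
    "/lowDataChannelPort:$low" "/highDataChannelPort:$high" '/commit:apphost'
if ($LASTEXITCODE -ne 0) { throw "appcmd failed with exit code $LASTEXITCODE." }

# Assumption: restart the FTP service (ftpsvc) so it picks up the new range.
Restart-Service -Name ftpsvc

# Read the section back to confirm what the server will actually hand out.
& $appcmd list config '-section:system.ftpServer/firewallSupport'
```

Compare the low and high values in the read-back output with the inbound range permitted on the firewall; a passive data connection to a port outside the permitted range will be blocked.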

See Also

Concepts

Configuring FTP Firewall Support