Configuring FTP Firewall Support
Updated: October 5, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Use the FTP Firewall Support feature to configure the following settings that enable the FTP server to accept passive data connections from a firewall:
Data Channel Port Range: Specify a range of ports for passive data connections. You must also open that same range of ports on your firewall.
External IP Address of Firewall: Specify the external IPv4 address of your firewall so that clients know which IP address to use when they communicate with the FTP server through the firewall.
FTP requires two connections (also named channels) per session: a control channel and a data channel. The control channel is a persistent connection over which commands are sent and short responses are received. The data channel is a connection that is typically reestablished for each data transfer, such as a directory listing, or a file upload or download.
By default, TCP port 21 is used on the server for the control connection, but the port for data connection is determined by the method that the client uses to connect to the server. These methods are active and passive:
Active is sometimes referred to as "client-managed" because the client sends a PORT command to the server over the control connection. This command requests that the server establish a data connection from TCP port 20 on the server to the client, by using the TCP port that is specified in the PORT command.
Passive is sometimes referred to as "server-managed" because after the client issues a PASV command, the server responds with one of its dynamic ports that is used as the server-side port of the data connection. After a data connection command is issued by the client, the server connects to the client that is using the port number immediately above the client-side port number of the control connection.
This task includes the following procedures: