Configure passive mode in Win 2003
Passive mode FTP is sometimes described as "server-managed" because the server end chooses the port used for the data connection: in response to the client's PASV command it picks one of its transient (ephemeral) ports and announces it, and the client then opens the data connection to that port.
By default the IIS FTP service picks this passive data port at random from the range 1024-65535. To narrow that very large range, the system administrator can configure the PassivePortRange metabase property. This property exists only in IIS 6.0; on IIS 5.0 (Windows 2000) it requires Service Pack 4 and is set in the system registry instead.
The procedure for changing PassivePortRange in IIS is described in the following sections.
For Windows Server 2003
A) Enable direct metabase editing
1. Open Internet Information Services (IIS) Manager (MMC).
2. Right-click the local computer node.
3. Select Properties.
4. Make sure the Enable Direct Metabase Edit check box is selected.
B) Configure PassivePortRange using the adsutil script
1. Click Start, Run, type cmd, and click OK.
2. Type cd \Inetpub\AdminScripts and press Enter.
3. Type the following command at the command prompt:
cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5515"
4. Restart the FTP service.
When configuring through the adsutil script you will see output like the following:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
PassivePortRange                : (STRING) "5500-5515"
Note: if the built-in Windows Firewall is enabled, you must also add the ports above to its exceptions list, otherwise the client's data connections will be blocked.
What is active mode, what is passive mode, and why is passive preferred?
FTP has two connection modes:
Active FTP (PORT mode), which is ordinary FTP, and Passive FTP (PASV mode).
Active FTP
Active FTP works like this: the client connects from an arbitrary non-privileged port N (N > 1024) to the command port of the FTP server, port 21. The client then starts listening on port N+1 and sends the FTP command "PORT N+1" to the server. The server then connects from its own data port (20) to the data port (N+1) specified by the client.
A firewall in front of the FTP server must allow the following traffic to support active FTP:
1. From any port to port 21 of the FTP server (client-initiated control connection, S <- C)
2. From port 21 of the FTP server to ports greater than 1024 (the server responds to the client's control port, S -> C)
3. From port 20 of the FTP server to ports greater than 1024 (the server's data port initiates the data connection to the client, S -> C)
4. From ports greater than 1024 to port 20 of the FTP server (the client sends ACKs to the server's data port, S <- C)
The main problem with active FTP is on the client side. The FTP client does not actually establish a connection to the server's data port. It simply tells the server which port it is listening on, and the server connects back to that port on the client. To the client's firewall this is a connection initiated from an external system to an internal client, which is usually blocked.
Firewall setting example
Build an FTP server behind the firewall and use active FTP (PORT mode): the default FTP control port is 21 and the FTP data port is 20.
Run the following two commands; only ports 21 and 20 are allowed in, and all other inbound TCP connections are rejected.
iptables -A INPUT -p tcp -m multiport --dports 21,20 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
FTP software settings
Take vsftpd as an example. Edit /etc/vsftpd.conf and add the following two lines:
listen_port=21
ftp_data_port=20
If the client is set incorrectly
With this configuration the FTP client (such as CuteFTP) must not be set to passive mode, otherwise the data connection cannot be established: the user can log in to the FTP server, but commands such as LS and GET fail to complete.
Passive FTP
To solve the problem of the server initiating a connection to the client, a different FTP connection method was developed. This is the so-called passive mode, or PASV, which is used when the client tells the server that it wants passive mode.
In passive FTP both the command connection and the data connection are initiated by the client, so the firewall can filter out inbound connections from the server to the client's data port. When an FTP session is opened, the client opens two arbitrary non-privileged local ports (N > 1024 and N+1). The first port connects to port 21 of the server, but unlike active FTP the client does not send the PORT command and let the server connect back to its data port. Instead it sends the PASV command. As a result the server opens an arbitrary non-privileged port (P > 1024) and sends the port P to the client in its reply. The client then initiates a connection from local port N+1 to port P on the server to transfer data.
The server-side firewall must allow the following traffic to support passive FTP:
1. From any port to port 21 on the server (client-initiated control connection, S <- C)
2. From port 21 of the server to any port greater than 1024 (the server responds to the client's control port, S -> C)
3. From any port to ports greater than 1024 on the server (inbound; the client initiates the data connection to the port specified by the server, S <- C)
4. From ports greater than 1024 on the server to remote ports greater than 1024 (outbound; the server sends ACKs and data to the client's data port, S -> C)
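The PORT and PASV exchanges described in the two sections above, as an added example that is not part of the original article: it decodes the h1,h2,h3,h4,p1,p2 form both commands use and checks a PASV reply against the PassivePortRange configured earlier. The sample messages, host addresses and the check_pasv helper are constructed for illustration.

```python
import re

# Constructed sample messages for this page's scenario (not captured traffic).
# Active mode: the client listens on N+1 and announces it with PORT (4*256+1 = 1025).
PORT_CMD = "PORT 192,168,1,10,4,1"
# Passive mode: the server answers PASV with the port it opened; 21*256+124 = 5500,
# the low end of the PassivePortRange "5500-5515" set with adsutil above.
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,21,124)."

_SIX = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"

def _decode(groups):
    """Turn h1,h2,h3,h4,p1,p2 into ("h1.h2.h3.h4", p1*256+p2)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_port_cmd(line):
    """Active mode: decode the address/port a client announces in PORT."""
    m = re.fullmatch(r"PORT\s+" + _SIX + r"\s*", line)
    if not m:
        raise ValueError("not a PORT command")
    return _decode(m.groups())

def parse_pasv_reply(line):
    """Passive mode: decode the address/port a server announces in a 227 reply."""
    m = re.search(r"\(\s*" + _SIX + r"\s*\)", line)
    if not line.startswith("227") or not m:
        raise ValueError("not a 227 PASV reply")
    return _decode(m.groups())

def encode_hostport(host, port):
    """Inverse of the decoders: build the h1,h2,h3,h4,p1,p2 form."""
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])

def in_port_range(port, port_range):
    """port_range uses the "low-high" string adsutil takes, e.g. "5500-5515"."""
    lo, hi = (int(x) for x in port_range.split("-"))
    return lo <= port <= hi

def check_pasv(reply, control_peer, port_range):
    """Client-side sanity check (hypothetical helper): the data port must be on
    the same host as the control connection and inside the permitted passive range."""
    host, port = parse_pasv_reply(reply)
    return host == control_peer and in_port_range(port, port_range)

if __name__ == "__main__":
    print(parse_port_cmd(PORT_CMD))                         # ('192.168.1.10', 1025)
    print(parse_pasv_reply(PASV_REPLY))                     # ('10.0.0.5', 5500)
    print(check_pasv(PASV_REPLY, "10.0.0.5", "5500-5515"))  # True
```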
Firewall setting example
Build an FTP server behind the firewall and use passive FTP (PASV mode): the FTP control port is 21 and the FTP data ports are 9981 to 9986.
Run the following two commands; only port 21 and ports 9981-9990 are allowed in, and all other inbound TCP connections are rejected.
iptables -A INPUT -p tcp -m multiport --dports 21,9981:9990 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
FTP software settings
Take vsftpd as an example. Edit /etc/vsftpd.conf and add the following four lines:
listen_port=21
pasv_enable=YES
pasv_min_port=9981
pasv_max_port=9986
If the client is set incorrectly
With this configuration the FTP client (such as CuteFTP) must be set to passive mode, otherwise the data connection cannot be established: the user can log in to the FTP server, but commands such as LS and GET fail to complete.