The Sky is not the limit

Entries tagged as ‘firewall’

How To Configure PassivePortRange In IIS?

August 20, 2009

How to add a PassivePortRange in IIS and a firewall exception for the Microsoft FTP service (MSFTPSVC) on Windows Server?

Applicable to:
Windows 2000 Server with IIS5
Windows 2003 Server with IIS6
Windows 2008 Server with IIS7

We have to do two things:

A) Add Passive port range in IIS
B) Add firewall exception in windows firewall

For Windows 2000 Server

A) Add Passive port range in IIS

Configure PassivePortRange via Registry Editor
1. Start Registry Editor (Regedt32.exe).
2. Locate the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters\
3. Add a value named "PassivePortRange" (without the quotation marks) of type REG_SZ, and set its data to the desired range (for example 5500-5700, the range used for Windows 2003 below).
4. Close Registry Editor.
5. Restart the FTP service.

Note: The range that the FTP service will accept is 5001 to 65535.

For Windows 2003 Server

A) Add Passive port range in IIS

a) To Enable Direct Metabase Edit
1. Open the IIS Microsoft Management Console (MMC).
2. Right-click on the Local Computer node.
3. Select Properties.
4. Make sure the Enable Direct Metabase Edit checkbox is checked.

b) Configure PassivePortRange via ADSUTIL script
1. Click Start, click Run, type cmd, and then click OK.
2. Type cd Inetpub\AdminScripts and then press ENTER.
3. Type the following command at the command prompt:
adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700"
4. Restart the FTP service.

You'll see the following output when you configure the range via the ADSUTIL script:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

PassivePortRange : (STRING) "5500-5700"


For Windows 2008 Server

A) Add Passive port range in IIS

1. Go to IIS 7.0 Manager. In the Connections pane, click the server-level node in the tree.
2. Double-click the FTP Firewall Support icon in the list of features.
3. Enter a range of values for the Data Channel Port Range.
4. Once you have entered the port range for your FTP service, click Apply in the Actions pane to save your configuration settings.

Notes:

1. The valid range for ports is 1024 through 65535. (Ports from 1 through 1023 are reserved for use by system services.)
2. You can enter a special port range of "0-0" to configure the FTP server to use the Windows TCP/IP dynamic port range.
3. For additional information, please see the following Microsoft Knowledge Base articles:

* 929851 – http://support.microsoft.com/kb/929851/

4. This port range will also need to be allowed through your firewall (see section B below).

To configure the external IPv4 address for a specific FTP site

1. Go to IIS 7.0 Manager. In the Connections pane, click the FTP site that you created earlier in the tree, then double-click the FTP Firewall Support icon in the list of features.
2. Enter the IPv4 address of the external-facing address of your firewall server for the External IP Address of Firewall setting.
3. Once you have entered the external IPv4 address for your firewall server, click Apply in the Actions pane to save your configuration settings.

B) Add firewall exception in windows firewall

To add a range of ports to Windows Firewall from the Command Line

1. Click Start, click Run, type cmd, and then click OK.
2. Type in the following, where the range is specified in ( ) and the name of the firewall entry is in " ". Note that FOR /L counts up to and including the last value, so the end value must equal the top of the configured range (5700 here), otherwise an extra port is opened.
FOR /L %I IN (5500,1,5700) DO netsh firewall add portopening TCP %I "Passive FTP"%I
3. Each port in the range will be added with an “OK” confirmation.

Or you can manually add the port exception as follows.

1. Click Start >> Run >> firewall.cpl (hit Enter), and select the Exceptions tab.
2. Click the Add Port button.
3. Enter a Name for the Exception and the first number in the port range.
4. Click TCP if not already selected and click OK.
5. Repeat for each port in the range; for large ranges use the command-line loop above.
6. Enable the Windows Firewall on the General tab.

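As an added example (not part of the original post), the following PowerShell validates a passive data-channel range against the IIS 7 rules stated above (1024-65535, or "0-0" for the dynamic range) and then opens it in Windows Firewall, either one legacy portopening per port as the FOR /L loop does, or as a single Windows Firewall with Advanced Security rule on Server 2008. It assumes an elevated PowerShell prompt; the function names are my own.

```powershell
# Added example, not from the original post. Assumes an elevated prompt on Windows Server 2008.
function Test-PassivePortRange {
    param([Parameter(Mandatory)][string]$Range)
    if ($Range -eq '0-0') { return $true }                 # "use the Windows dynamic port range"
    if ($Range -notmatch '^(\d{1,5})-(\d{1,5})$') { return $false }
    $low, $high = [int]$Matches[1], [int]$Matches[2]
    # 1-1023 are reserved for system services; the range must not be reversed
    return ($low -ge 1024) -and ($high -le 65535) -and ($low -le $high)
}

function Add-PassiveFtpFirewallRule {
    param(
        [Parameter(Mandatory)][string]$Range,
        [string]$RuleName = 'Passive FTP',
        [switch]$PerPort,   # one legacy 'portopening' per port, like the FOR /L loop above
        [switch]$Preview    # print the netsh commands instead of running them
    )
    if (-not (Test-PassivePortRange $Range)) {
        throw "Invalid passive port range '$Range' (expected 1024-65535 or 0-0)"
    }
    if ($Range -eq '0-0') {
        throw "0-0 means the OS dynamic range; open that range instead of a fixed one"
    }
    $low, $high = ($Range -split '-') | ForEach-Object { [int]$_ }
    $argSets = @()
    if ($PerPort) {
        foreach ($p in $low..$high) {
            # the same entries the loop above creates; $low..$high is inclusive at both ends
            $argSets += ,@('firewall','add','portopening','protocol=TCP',"port=$p","name=$RuleName $p")
        }
    } else {
        # Windows Firewall with Advanced Security (Server 2008+) takes the whole range in one rule
        $argSets += ,@('advfirewall','firewall','add','rule',"name=$RuleName",'dir=in',
                       'action=allow','protocol=TCP',"localport=$low-$high")
    }
    foreach ($a in $argSets) {
        if ($Preview) { Write-Output ("netsh " + ($a -join ' ')) }
        else { & netsh @a; if ($LASTEXITCODE -ne 0) { throw "netsh failed: $($a -join ' ')" } }
    }
}

# Preview the single-rule form for the range used earlier on this page
Add-PassiveFtpFirewallRule -Range '5500-5700' -Preview
```

Run with -PerPort -Preview to see the 201 individual portopening commands the loop above would issue; drop -Preview to apply them.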
Reference: http://support.microsoft.com/kb/555022

http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/

Categories: Windows

How to use IPSEC to filter packets ?

January 5, 2009

Internet Protocol security (IPSec) can be used to filter packets coming to or going from the server. This can be done easily with the netsh ipsec tools.

First we need to add a 'filterlist', which contains a group of 'filter's. Each 'filter' is associated with a 'filteraction', such as permit or block.

A 'policy' is the IPSec policy under which the rule is applied, and a 'rule' is what links a policy to a filterlist and a filteraction. As a result, the rule makes the action specified in the filteraction apply to the filters present in the filterlist.

Suppose I want to block all connections from IP 192.168.192.100. I would go like this.

1. Launch the command prompt (Start >> run >> cmd)

2. Add the filterlist.

C:\Documents and Settings\Administrator> netsh ipsec static add filterlist name=myfilterlist

3. Add filteraction

C:\Documents and Settings\Administrator> netsh ipsec static add filteraction name=myaction action=block

4. Add filter (filters are mirrored by default, so this one matches traffic in both directions between 192.168.192.100 and the server)

C:\Documents and Settings\Administrator> netsh ipsec static add filter filterlist=myfilterlist srcaddr=192.168.192.100 dstaddr=Me

5. Add policy

C:\Documents and Settings\Administrator> netsh ipsec static add policy name=mypolicy assign=yes

6. Add rule

C:\Documents and Settings\Administrator> netsh ipsec static add rule name=myrule policy=mypolicy filterlist=myfilterlist filteraction=myaction

Now all connections from/to IP 192.168.192.100 are blocked.

Alternatively, we can configure all of this using the graphical interface. For that, log in to the server and open the Local Security Policy console (Start >> Run >> secpol.msc).
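As an added example (not from the original post), this PowerShell builds the same filterlist / filteraction / policy / rule chain for one or more addresses, checks each address before it reaches netsh, and creates the policy unassigned until the rule exists so that enforcement starts only once the chain is complete. It assumes an elevated prompt on Windows Server 2003/2008 where the netsh ipsec static context exists; the function names and the "blocklist" object names are my own.

```powershell
# Added example, not from the original post. Assumes an elevated prompt on Server 2003/2008.
function New-IpsecBlockCommands {
    param(
        [Parameter(Mandatory)][string[]]$Address,   # hosts to block, e.g. 192.168.192.100
        [string]$Name = 'blocklist'                 # prefix for the IPsec objects created
    )
    foreach ($ip in $Address) {
        # accept only a well-formed dotted-quad IPv4 address (the [ipaddress] cast rejects octets > 255)
        if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Not an IPv4 address: $ip" }
        [void][ipaddress]$ip
    }
    $cmds = @(
        ,@('ipsec','static','add','filterlist',"name=$Name-filterlist")
        ,@('ipsec','static','add','filteraction',"name=$Name-action",'action=block')
    )
    foreach ($ip in $Address) {
        # dstaddr=Me with mirrored=yes (the default) blocks both directions, as the post describes
        $cmds += ,@('ipsec','static','add','filter',"filterlist=$Name-filterlist",
                    "srcaddr=$ip",'dstaddr=Me','mirrored=yes')
    }
    # create the policy unassigned, attach the rule, and only then assign it
    $cmds += ,@('ipsec','static','add','policy',"name=$Name-policy",'assign=no')
    $cmds += ,@('ipsec','static','add','rule',"name=$Name-rule","policy=$Name-policy",
                "filterlist=$Name-filterlist","filteraction=$Name-action")
    $cmds += ,@('ipsec','static','set','policy',"name=$Name-policy",'assign=yes')
    return $cmds
}

function Invoke-Netsh {
    param([Parameter(Mandatory)][object[]]$ArgSets, [switch]$Preview)
    foreach ($a in $ArgSets) {
        if ($Preview) { "netsh " + ($a -join ' ') }
        else { & netsh @a; if ($LASTEXITCODE -ne 0) { throw "netsh failed: $($a -join ' ')" } }
    }
}

# Preview the chain for the address used in the post; drop -Preview to apply it.
# Roll back with: netsh ipsec static set policy name=blocklist-policy assign=no
Invoke-Netsh -ArgSets (New-IpsecBlockCommands -Address '192.168.192.100') -Preview
```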

Categories: Windows