How To Configure PassivePortRange In IIS ?


How to add PassivePortRange in IIS and firewall exception fot Microsoft FTP service (MSFTPSVC) in windows server ?

Applicable to : Windows 2000 Server with IIS5
Windows 2003 Server with IIS6
Windows 2008 Server with IIS7

To work FTP passive connection properly we have to do two things

A) Add Passive port range in IIS
B) Add firewall exception in windows firewall

For Windows 2000 Server

A) Add Passive port range in IIS

Configure PassivePortRange via Registry Editor
1. Start Registry Editor (Regedt32.exe).
2. Locate the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters\
3. Add a value named “PassivePortRange” (without the quotation marks) of type REG_SZ.
4. Close Registry Editor.
5. Restart the FTP service.

Note: The range that FTP will validate is from 5001 to 65535.

B) Add firewall exception in windows firewall

To add a range of ports to Windows Firewall from the Command Line

1. Click Start, click Run, type cmd, and then click OK.
2. Type in the following where the range is specified in ( ) and the name of the firewall entry is in ” “.
FOR /L %I IN (5500,1,5701) DO netsh firewall add portopening TCP %I “Passive FTP”%I
3. Each port in the range will be added with an “OK” confirmation.

Or you can manually add the port exception as follows.

1. Click Start >> Run >> firewall.cpl ( Hit enter) , and select the Exceptions tab.
2. Click the Add Port button.
3. Enter a Name for the Exception and the first number in the port range.
4. Click TCP if not already selected and click OK.
5. Repeat for each port in the range – for large ranges see the end of the document.
6. Enable the Windows Firewall on the General Tab.

For Windows 2003 Server

A) Add Passive port range in IIS

a) To Enable Direct Metabase Edit
1. Open the IIS Microsoft Management Console (MMC).
2. Right-click on the Local Computer node.
3. Select Properties.
4. Make sure the Enable Direct Metabase Edit checkbox is checked.

b) Configure PassivePortRange via ADSUTIL script
1. Click Start, click Run, type cmd, and then click OK.
2. Type cd Inetpub\AdminScripts and then press ENTER.
3. Type the following command from a command prompt.
adsutil.vbs set /MSFTPSVC/PassivePortRange “5500-5700”
4. Restart the FTP service.

You’ll see the following output, when you configure via ADSUTIL script:

Microsoft (R) Windows Script Host Version 5.6

Copyright (C) Microsoft Corporation 1996-2001.

All rights reserved.PassivePortRange : (STRING) “5500-5700”

B) Add firewall exception in windows firewall

To add a range of ports to Windows Firewall from the Command Line

1. Click Start, click Run, type cmd, and then click OK.
2. Type in the following where the range is specified in ( ) and the name of the firewall entry is in ” “.
FOR /L %I IN (5500,1,5701) DO netsh firewall add portopening TCP %I “Passive FTP”%I
3. Each port in the range will be added with an “OK” confirmation.

Or you can manually add the port exception as follows.

1. Click Start >> Run >> firewall.cpl ( Hit enter) , and select the Exceptions tab.
2. Click the Add Port button.
3. Enter a Name for the Exception and the first number in the port range.
4. Click TCP if not already selected and click OK.
5. Repeat for each port in the range – for large ranges see the end of the document.
6. Enable the Windows Firewall on the General Tab.

For Windows 2008 Server


A) Add Passive port range  in IIS

1. Go to IIS 7.0 Manager. In the Connections pane, click the server-level node in the tree.
2.  Double-click the FTP Firewall Support icon in the list of features.
3. Enter a range of values for the Data Channel Port Range.
4. Once you have entered the port range for your FTP service, click Apply in the Actions pane to save your configuration settings.

Notes:

1. The valid range for ports is 1024 through 65535. (Ports from 1 through 1023 are reserved for use by system services.)
2. You can enter a special port range of “0-0” to configure the FTP server to use the Windows TCP/IP dynamic port range. The default dynamic port range in windows 2008 server is from 49152 to 65535.

You can view this details by issuing the folowing command in the server.

C:\Users\Administrator>netsh int ipv4 show dynamicport tcp

3. For additional information, please see the following Microsoft Knowledge Base articles:

* 929851 – http://support.microsoft.com/kb/929851/

4. This port range will need to be added to the allowed settings for your firewall server.

To configure the external IPv4 Address for a Specific FTP Site


1. Go to IIS 7.0 Manager. In the Connections pane, click the FTP site that you created earlier in the tree, Double-click the FTP Firewall Support icon in the list of features.
2. Enter the IPv4 address of the external-facing address of your firewall server for the External IP Address of Firewall setting.
3. Once you have entered the external IPv4 address for your firewall server, click Apply in the Actions pane to save your configuration settings.

B. Add firewall exception in windows firewall

To add a range of ports to Windows Firewall from the Command Line

1. Click Start, click Run, type cmd, and then click OK.
2. Type in the following where the range is specified in ( ) and the name of the firewall entry is in ” “.

3.  FOR /L %I IN (49152,1,65535) DO netsh advfirewall firewall add rule name=”Passiveport”%I dir=out action=allow protocol=TCP localport=%I

4. Each port in the range will be added with an “OK” confirmation.

The command to add individual port in exception is pasting below.

C:\Users\Administrator>netsh advfirewall firewall add rule name=”OpenPort65535″ dir=out action=allow protocol=TCP localport=65535

Reference : http://support.microsoft.com/kb/555022

http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/

Advertisements

3 responses to “How To Configure PassivePortRange In IIS ?

  1. Pingback: Windows ftp passive mode connection problem | Sys Admin Guides, How To's, etc by Marios Maravelias

  2. Pingback: Configure IIS FTP Firewall

  3. Hello, I think your site might be having browser compatibility issues.
    When I look at your website in Chrome, it looks fine but when opening in Internet Explorer, it has some overlapping.
    I just wanted to give you a quick heads up! Other then that, amazing blog!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s