Passive FTP on IIS6

Lately I find myself wading through a lot of IIS-related issues and the IIS6 FTP server has been driving me crazy.

I’ve never really worked with IIS before. Given Microsoft’s bent to make things as simple as possible, I’m surprised at the amount of time I have to spend figuring out basic configuration issues. The various Microsoft GUIs contain no way to set a passive FTP port range, or even a range of ports in Windows Firewall for that matter.

I’d originally assumed that I could just add the FTP server .exe to the list of exceptions in the firewall Exceptions tab: This way any ports that the server opened would be automagically accepted by Windows. From the running services it appears that Inetinfo.exe is the FTP server, or at least encapsulates an FTP service along with other services. An article here tells me that adding Inetinfo.exe to the list of exceptions would be rather naughty, so I have resorted to the tedious, manual means of configuring and opening passive FTP ports. I wonder if there’s a real FTP server binary somewhere in there that I could make an exception.

Anyway, the manual process in a nutshell…

  1. Set some passive ports in the IIS Metabase:
    C:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "5000-5010"
    (Note that you cannot explicitly tell IIS to use active or passive; it works that out for itself based on the available ports and what the FTP client is requesting.)
  2. Open the same ports in Windows Firewall:
    FOR /L %%I IN (5000,1,5010) DO NETSH FIREWALL ADD PORTOPENING TCP %%I FTPPort%%I
  3. Restart IIS:
    iisreset
  4. Go back to doing more productive things.

Unless you have a lot of people FTPing in and out of your server, ten or so open ports should work.

Thanks to New Age Digital for their straightforward article on this. Some may also want to read the Slacksite article, the definitive explanation of Active/Passive FTP.
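
The steps above as one batch file, with a range check added because the Microsoft KB quoted in the comments below requires PassivePortRange values from 5001 to 65535. This is an added example, not part of the original post; the script name and argument order are assumptions.

```batch
@echo off
rem Added example (not from the original post). Usage: set-pasv-range.cmd 5001 5010
rem The script name and argument order are assumptions made for this example.
setlocal

set "FIRST=%~1"
set "LAST=%~2"
if "%LAST%"=="" goto usage

rem Reject anything that is not purely digits: FOR /F only yields a token
rem when characters other than 0-9 are present.
for /f "delims=0123456789" %%A in ("%FIRST%%LAST%") do goto usage

rem PassivePortRange must lie within 5001-65535 (5000 is rejected).
if %FIRST% LSS 5001 goto badrange
if %LAST% GTR 65535 goto badrange
if %FIRST% GTR %LAST% goto badrange

rem Step 1: write the range to the metabase, then read it back.
cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "%FIRST%-%LAST%"
cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs get /MSFTPSVC/PassivePortRange

rem Step 2: open exactly those ports, nothing wider.
for /L %%I in (%FIRST%,1,%LAST%) do netsh firewall add portopening TCP %%I FTPPort%%I

rem List the port openings so stray entries from earlier attempts are visible.
netsh firewall show portopening

rem Step 3: restart IIS so the FTP service picks up the new range.
iisreset
exit /b 0

:usage
echo Usage: %~nx0 FIRST_PORT LAST_PORT   (numbers only)
exit /b 1

:badrange
echo Range must satisfy 5001 ^<= FIRST ^<= LAST ^<= 65535.
exit /b 1
```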

6 thoughts on “Passive FTP on IIS6”

  1. From MS KB, and verified on IIS 6.0/Win2k3 SP2:

    “When you manually specify a value for PassivePortRange, you must specify a value from 5001 to 65535. The value that you specify may be a range or a single number.”

    The range 5000-5010 will throw an error.

  2. 2. Open same ports in Windows Firewall:
    FOR /L %%I IN (5000,1,5010) DO NETSH FIREWALL ADD PORTOPENING TCP %%I FTPPort%%I

    On some Windows 2003 servers that command results in a “%%I was unexpected at this time” error.

    If that happens, just remove the extra %. So the command would be:

    FOR /L %I IN (5000,1,5010) DO NETSH FIREWALL ADD PORTOPENING TCP %I FTPPort%I

  3. The range 5000-5010 will give you an error when you try to restart your FTP; using 5001-5010 works fine. Use the following commands:

    C:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "5001-5010"

    FOR /L %I IN (5001,1,5010) DO NETSH FIREWALL ADD PORTOPENING TCP %I FTPPort%I

  4. Hello

    Nice article, thanks.
    And 5000-5010 did not work; 5001-5010 worked successfully. Thanks to those who commented on this too.
