With FTP Active, the client makes a connection to the server on port 21,
which is the default (or whatever port you configured); this is the control
channel (no data or directory information). When the client issues a Port
command (something like LIST), the server makes the second connection back to
the client on a high port number that the client is listening on. If the
client is behind a firewall (DSL router or something), the server cannot make
the connection because it is blocked. (This is where passive mode comes in.)
In passive mode the client makes both connections to the server, so a
DSL router isn't a problem because both connections are outbound for the
client. The first connection is just like Active mode, but when the client
issues a request, it issues a passive request. The server then tells the
client to make the second connection and gives it the port number that it
(the server) is listening on, which could be anything from 1024 to 65,535.
(IIS is supposed to stay between 1024 and 5000, but I see it connecting at
around 15,000 all the time.) These ports would need to be opened on the
server side. You can tighten this up by making an edit in the Metabase on
IIS6, or a registry edit on IIS5. But depending on how many clients are
connecting, you still might need a couple hundred (the same client will move
to a different high port number as the session goes on).
And if you are using IE for FTP and configure it for PASV mode by going
into properties, clicking the Advanced tab and putting a check next to USE
PASV MODE FOR FTP (good for DSL), you are still in ACTIVE MODE. You also have
to UNCHECK the box next to USE FOLDER VIEW FOR FTP.
"Perry Diels" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello,
>
> I have set up IIS on W2K3 standard which is running ok. The only problem is
> for users that are logging into the FTP server via an internet connection
> who are themselves behind a firewall, NAT, router or whatever cannot
> communicate with our FTP server, unless I disable the basic firewall on our
> server in the RRAS console (on the Internet NIC). Users that are directly
> connected to the Internet have no problem at all even though the firewall is
> turned on. I suppose some ports need to be opened in our firewall in order
> to leave it running, which I'd prefer in order to have more security. Is
> this correct? If yes I need to know what port numbers need to be opened, I
> have tried some but without success. Our FTP server is running at port 1994
> (which I have opened in the firewall for sure), but I know that FTP needs
> more than one port in order to communicate correctly. Just in case you
> should ask, yes I have tried both passive (PASV) and Active from the client
> side.
>
> Thanks for your help.
> Perry
>
>
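To make the port arithmetic in the reply concrete, here is an added example (not code from either poster) that parses the two places the data-channel endpoint appears on the FTP control channel: the client's PORT command in active mode and the server's 227 reply in passive mode. It then checks each passive-mode port against the 1024-5000 range the reply says IIS is supposed to use, so a firewall admin can see from a control-channel transcript which data connections a range-based rule would block. The sample transcript and addresses are constructed.

```python
import re
from typing import Optional, Tuple

# Both forms carry the endpoint as six decimal octets: four for the IPv4
# address and two for the port, where port = p1 * 256 + p2.
_SIX_OCTETS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*?\(" + _SIX_OCTETS + r"\)")
PORT_RE = re.compile(r"^PORT\s+" + _SIX_OCTETS)


def _endpoint(m: "re.Match") -> Tuple[str, int]:
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in FTP endpoint")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Server 227 reply: the port the *server* listens on for the data channel."""
    m = PASV_RE.match(line.strip())
    return _endpoint(m) if m else None


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Client PORT command: the port the *client* listens on (active mode)."""
    m = PORT_RE.match(line.strip())
    return _endpoint(m) if m else None


def audit_control_log(lines, server_range=(1024, 5000)):
    """Report every data channel announced in a control-channel transcript:
    which side listens, on which port, and (passive mode only) whether that
    port falls inside the range opened on the server-side firewall."""
    lo, hi = server_range
    findings = []
    for line in lines:
        ep = parse_pasv_reply(line)
        if ep:
            findings.append({"mode": "passive", "listener": "server",
                             "ip": ep[0], "port": ep[1], "allowed": lo <= ep[1] <= hi})
            continue
        ep = parse_port_command(line)
        if ep:  # active mode: the server connects out, so no server-side rule applies
            findings.append({"mode": "active", "listener": "client",
                             "ip": ep[0], "port": ep[1], "allowed": None})
    return findings


# Constructed sample transcript (documentation addresses, not a real capture).
SAMPLE_LOG = [
    "PORT 192,0,2,10,4,1",                              # client listens on 1025
    "227 Entering Passive Mode (198,51,100,5,19,136)",  # server listens on 5000
    "227 Entering Passive Mode (198,51,100,5,58,152)",  # server listens on 15000
]

if __name__ == "__main__":
    for finding in audit_control_log(SAMPLE_LOG):
        print(finding)
```

The third line reproduces the situation described in the reply: a passive data port around 15,000 that a rule opened only for 1024-5000 would drop.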