This has always been a pain for me to find online whenever I’m using the built-in Win 2k3 firewall and the built-in FTP server for IIS6. Almost every FTP client needs to run behind a firewall and use PASV FTP to connect to a server. So I thought I would post something so I can find it later.
Here is a batch file (pasv.bat.txt) to do the work:
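@ECHO OFF
ECHO ADDING PORT RANGE TO IIS
cscript C:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5550"
REM One firewall exception per passive data port; %%I is the batch-file form of the loop variable
ECHO OPENING FIREWALL PORTS
FOR /L %%I IN (5500,1,5550) DO NETSH FIREWALL ADD PORTOPENING TCP %%I FTPPort%%I
REM Restart IIS so the FTP service picks up the new PassivePortRange
iisreset
ECHO FINISHED
PAUSE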
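To confirm that the server is handing out data ports inside the range the batch file sets, the following added example (not part of the original post) parses the server's `227` passive-mode replies and flags any that fall outside 5500-5550 or that advertise a private address. The function names are hypothetical and the sample replies are constructed.

```python
import ipaddress
import re

# RFC 959 passive reply: "227 ... (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or None if it is not a valid one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def audit_pasv(replies, low=5500, high=5550):
    """List (reply, problem) pairs: data port outside the configured range, or
    an advertised RFC 1918 address that clients beyond a NAT router cannot reach."""
    findings = []
    for reply in replies:
        parsed = parse_pasv(reply)
        if parsed is None:
            findings.append((reply, "not a 227 reply"))
            continue
        host, port = parsed
        if not low <= port <= high:
            findings.append((reply, "port %d outside %d-%d" % (port, low, high)))
        if any(ipaddress.ip_address(host) in net for net in RFC1918):
            findings.append((reply, "advertises private address %s" % host))
    return findings

# Constructed sample replies (not captured from a real server).
SAMPLE = [
    "227 Entering Passive Mode (203,0,113,10,21,124)",  # 21*256+124 = 5500
    "227 Entering Passive Mode (203,0,113,10,4,37)",    # 4*256+37 = 1061
    "227 Entering Passive Mode (192,168,1,20,21,174)",  # 5550, private host
]

if __name__ == "__main__":
    for reply, problem in audit_pasv(SAMPLE):
        print(problem, "<-", reply)
```

Feed it the `227` lines from an FTP client's message log after running the script; an empty result means every advertised data port was in range.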
January 6, 2007 at 7:42 am
Clint — I have been having problems with this for a very long time, and then I happened to find your batch file here this morning. It worked like a charm! Thanks very much!
January 6, 2007 at 3:52 pm
Glad I was able to help, Tim.
February 9, 2007 at 5:31 pm
I have recently set up the IIS ftp server. I can connect to this on the local LAN. I set the port range for 5500-5700 and forwarded these ports through on my router.
However, I can only connect via Active mode FTP and not PASV. Is something being blocked at my client’s router?
It accepts my password but will not do a directory listing. I have tried connecting through IE, Filezilla, and FireFTP.
February 19, 2007 at 1:01 am
I have been worried about whether or not my manual settings for PASV were working correctly. I’m always worried with FTP and security and wanted only active mode but found I needed some PASV ports too. This bat file is really helpful. Thank you.
March 22, 2007 at 9:36 am
good stuff, thanks man!
March 25, 2007 at 4:43 pm
This worked great to resolve my IIS passive issues!
thanks!
May 1, 2007 at 7:31 pm
So I ran the batch file, and I even restarted the services manually, but IIS continues to use whatever ports it wants. I even restarted the server. Here is my log file from Windows Firewall:
2007-05-01 19:27:31 OPEN UDP 209.xxx.xxx.xxx 192.197.212.69 1485 53 - - - - - - - - -
2007-05-01 19:27:31 DROP UDP 64.46.36.222 255.255.255.255 1034 24124 116 - - - - - - - RECEIVE
2007-05-01 19:27:31 DROP UDP 64.46.36.222 255.255.255.255 1039 32000 82 - - - - - - - RECEIVE
2007-05-01 19:27:31 DROP UDP 64.46.36.222 255.255.255.255 1039 32001 82 - - - - - - - RECEIVE
2007-05-01 19:27:31 DROP UDP 64.46.36.222 255.255.255.255 1039 32002 82 - - - - - - - RECEIVE
2007-05-01 19:27:31 DROP UDP 64.46.36.222 255.255.255.255 1039 32003 82 - - - - - - - RECEIVE
2007-05-01 19:27:31 DROP UDP 64.46.36.222 255.255.255.255 1039 32004 82 - - - - - - - RECEIVE
2007-05-01 19:27:31 DROP UDP 64.46.36.222 255.255.255.255 1039 32005 82 - - - - - - - RECEIVE
2007-05-01 19:27:31 DROP UDP 64.46.36.222 255.255.255.255 1039 32006 82 - - - - - - - RECEIVE
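To read a Windows Firewall log in the layout quoted above for FTP-related drops, the following added example (not part of the original post or comment) parses the same 17-field lines and sorts dropped inbound TCP packets by destination port. The function names are hypothetical, the 5500-5550 range is the one from the post's script, and the sample log lines are constructed.

```python
# Field order taken from the log lines quoted above (17 space-separated fields).
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

def parse_line(line):
    """Return one log entry as a dict, or None for header, blank or short lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or line.lstrip().startswith("#"):
        return None
    return dict(zip(FIELDS, parts))

def ftp_drops(lines, low=5500, high=5550, control_port=21):
    """Sort dropped inbound TCP packets by destination port."""
    result = {"control": [], "in_range": [], "other_high": []}
    for line in lines:
        e = parse_line(line)
        if not e or e["action"] != "DROP" or e["protocol"] != "TCP":
            continue
        if e["path"] != "RECEIVE" or not e["dst_port"].isdigit():
            continue
        port = int(e["dst_port"])
        if port == control_port:
            result["control"].append((e["src_ip"], port))
        elif low <= port <= high:
            # Port is in the passive range but no firewall exception let it in.
            result["in_range"].append((e["src_ip"], port))
        elif port >= 1024:
            # Consistent with a data port handed out outside the configured range.
            result["other_high"].append((e["src_ip"], port))
    return result

# Constructed sample log (documentation addresses, not taken from the page).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-05-01 19:30:01 OPEN TCP 198.51.100.7 192.0.2.10 3051 21 - - - - - - - - -
2007-05-01 19:30:04 DROP TCP 198.51.100.7 192.0.2.10 3052 1061 48 S 1234567 0 65535 - - - RECEIVE
2007-05-01 19:30:09 DROP TCP 198.51.100.7 192.0.2.10 3053 5510 48 S 2345678 0 65535 - - - RECEIVE
2007-05-01 19:30:11 DROP UDP 198.51.100.9 255.255.255.255 1039 32000 82 - - - - - - - RECEIVE
""".splitlines()

if __name__ == "__main__":
    for bucket, hits in ftp_drops(SAMPLE_LOG).items():
        print(bucket, hits)
```

UDP broadcast drops are ignored because FTP control and data connections are TCP only.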
May 10, 2007 at 12:44 am
Folks,
I have been reading about this problem a lot and I tend to agree that Microsoft has not been very clear about documenting the features that have been provided with Windows Firewall.
Instead of jumping through all the loops of guessing the ports (which in a case of TCP client/server connection could be very random for the client) it’s always better to configure the Firewall and attend to its behavior.
Check the following steps and I am sure it should help:
Within Windows Firewall->Advanced->(Network Connection Settings) Settings->FTP Server
This is to allow FTP Server to be bypassed by the firewall.
Hope this helps.
Manoj Mathew
Sigma Info Solutions
http://www.sigmainfo.net
May 11, 2007 at 4:25 pm
Folks,
I have the same problem as Ken has. I have set up IIS 6.0 on Win2k3 Srv and I am able to access FTP only through the LAN. But from outside I am not able to access it. In fact, it only authenticates me, and then it does not do the directory listing. I have opened ports 21 and 20 in my firewall, but on monitoring its events I notice that there are many ports over 5000 the FTP client is trying to access. So what are the port numbers the FTP service is using?
Thanks in advance
Oliver
May 11, 2007 at 5:26 pm
restart the ftp service
July 16, 2007 at 4:01 pm
Worked well however it required CScript to either be set as default vbs handler (not desired), or change in batch file to be…
cscript C:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5550"
…not to mention the rewritten fancy quotes that need to be changed. This may be why it doesn’t work for some, as the IIS adsutil may not be successfully run, either due to cscript (which raises an alert) or because of the bad quotes.
July 26, 2007 at 2:02 pm
changing from
C:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5550"
to
cscript C:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5550"
will be better
August 13, 2007 at 2:56 am
Problem solved:
1. Uncheck “FTP Server” in Windows Firewall Extended tab for every location
2. Add 21 port to exceptions
August 28, 2007 at 3:08 pm
I solved this issue by unchecking the passive FTP use on the clients.
Look at Internet Options/Extended.
System is WS-2003 with newest patches and IE7. I got that problem after patching the server and upgrading to IE7. FTP connection with authentication was working, but no listing came up.
September 12, 2007 at 12:16 pm
Thanks. A concise, elegant solution after 2 hours of googling. Kudos.
September 18, 2007 at 10:59 pm
The best answer on the net to this problem!
Thanks a lot
September 20, 2007 at 5:42 am
Great work thanks Clint. Been wanting a quick way of doing this!
I don’t suppose you know of a way of the bat file adding a “Custom list” IP scope to each of the firewall entries as it creates them? I’m still having to go through all 50 firewall entries and pasting in the IP scope as I want to limit these ports to specific IPs to make it even more secure.
n.b. I also suggest a change to the bat file as Pter above says - you need to run Cscript.exe before the adsutil.vbs so that people with Wscript as their default handler don’t get the pop up.
Therefore line 3 should be:
Cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5550"
September 26, 2007 at 3:22 pm
FOR /L %%I IN (5500,1,5550) DO NETSH FIREWALL ADD PORTOPENING TCP %%I FTPPort%%I SCOPE=CUSTOM ADDRESSES=10.0.0.0/255.0.0.0,192.168.1.0/255.255.255.0
October 9, 2007 at 4:33 am
In doing some testing of various settings in Windows Firewall along with the bat file I negligently ran the bat file twice. Now the FTP site will not start. Any suggestions? Is there another script I can run to fix the problem I caused?
Thanks for your help. The bat file along with Jeff Lau’s suggestion had me up and running for a few minutes before my “testing”.
October 9, 2007 at 7:55 am
Never mind, I copied the version of the script in the post and it had funky characters for quotes. Once I fixed that and re-ran it, it was fine.
October 14, 2007 at 12:03 pm
Brilliant!!
October 29, 2007 at 3:16 pm
great!!
I will sleep well.
thank you
and you
and you
January 10, 2008 at 12:18 am
[...] day of messages going backwards and forwards between myself and our firewall admins, here’s a gem of a post with a script to restrict the port range used by passive FTP on Windows 2003 server (as well as [...]
March 14, 2008 at 9:55 am
This script worked like a charm. I was looking for this script for a long time. For opening ports, using %%I didn’t work. I just used %I. Thank you for the script.
March 29, 2008 at 3:18 pm
The double % is only needed if you are running the script from within a batch file.
April 1, 2008 at 5:03 am
Works fine. Thanks a lot!
May 27, 2008 at 12:43 am
Ahh, the sheer power of BAT programming!
Good job, Clint!
May 28, 2008 at 6:45 am
Note that after running the script you might need to restart Windows Firewall as well.
My IIS6 kept returning ports out of the specified range despite the numerous requests and that was only fixed after I turned off Windows Firewall from Control Panel to see if it will change something.
It did and after activating it again it continued to return the proper ports.
May 28, 2008 at 3:56 pm
thanks man. saved my behind
July 22, 2008 at 9:25 am
This did the trick! Thank you very much.
I agree with the suggestion to add “CScript.exe” in front of the VBScript call on line 3, as suggested above by Pter, Itamar, and James Ward.
September 9, 2008 at 8:10 pm
I saved the bat script, made the change on line 3 as per the suggestions above, and fired it up. Problem solved. Thank you, thank you.
September 22, 2008 at 7:03 am
You find the answer for IIS 7/FTP here:
http://blog.studiocoast.com.au/post/2008/07/07/FTP-7-Passive-Firewall-Setup.aspx
October 6, 2008 at 10:09 am
You need to set TCP port 21 in the Windows Firewall exceptions and remove it from the advanced settings.
October 8, 2008 at 7:55 am
[...] from 1900-2000. But try this, it seems to change the range (I don’t use IIS, only FileZilla on Windows) Configuring Windows 2003 Firewall and IIS 6 for pasv ftp port range. Clint Modien - Esria Inc. In my case I use IIS 6, so I went to the link below, which doesn’t open __________________ A [...]
November 8, 2008 at 4:13 am
Hey, I am having problems with setting up my IIS server because I want to run a system there for trials, but after installing the whole IIS, I could see in the left corner column my computer name listed as a local host server, but whenever I try to click on it, the system tells me there was an error when trying to connect and that I should enter my credentials. The details of the error are below.
“Could not load file or assembly 'Microsoft.Web.Administration, Version=7.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified”
November 19, 2008 at 9:15 am
Make sure you set the ports above 5000 (5001+) or the FTP service will not start. (error 1411 dll)