I would like to set up an FTP service on a non-standard port (i.e. not 21) using the FTP service in IIS 6 on a Windows 2008 Server.
I have set it up and tested it locally - it all works.
However I am having issues when accessing it remotely. I can Telnet to the new port and see an FTP response, but I cannot create a true FTP connection.
So I think the firewall port for the connection from my remote PC to the server is open, but the response from the server to my PC occurs on a random port.
In order to limit the return (Outbound) ports used in the IIS 6 FTP service, I have followed the steps detailed here: Event ID 16 — IIS FTP Service Configuration (although adsutil.vbs was not on the server so I downloaded it from another source and used that).
Then I used the command cscript.exe adsutil.vbs set /MSFTPSVC/PassivePortRange "6000-7000" which ran okay.
Then I ran net stop msftpsvc, net start msftpsvc and sc query msftpsvc.
Everything ran okay, but when I test using Wireshark, I can see that the ports 6000-7000 are not being used.
Any idea what might be wrong?
See MS KB article 555022
This article describes the ports used by FTP. The connection is made over the control port but the data transfer occurs over a different port. Try configuring a limited set of data transfer ports in IIS and configure your firewall to allow those ports for your FTP server IP.
I use network sniffers to troubleshoot these kinds of problems. The firewall is a likely culprit, so analyzing the network traffic on the outside and inside of the firewall can reveal what specifically is going wrong with the FTP connection.
One thing to check on the firewall policy is that the non-standard port is actually configured to handle FTP traffic. It seems that the policy has been configured to enable a TCP connection to the non-standard port. Has the policy been configured to allow specifically FTP traffic?
If you are using a very low-end firewall that can only perform NAT and basic packet inspection (i.e., not a TCP state aware firewall), then you will need to configure the FTP server to only allow passive mode, configure the FTP server to only allow DATA connections on some small range of ports (10 or 20?), and then configure the firewall to allow inbound connections to the FTP server for those 10-20 ports.
I found the full details here: http://scottonwriting.net/sowblog/posts/13857.aspx
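A quick way to confirm whether the PassivePortRange setting has actually taken effect is to look at the ports the server advertises in its 227 "Entering Passive Mode" replies on the control channel, which is what Wireshark would show. The following is an added example (not from the original posts or from IIS) that parses those replies and flags any data port outside the 6000-7000 range; the sample transcript is constructed and the IP 192.0.2.10 is a placeholder.

```python
import re
from typing import Optional, Tuple, List

# Data port range the question configured via
# adsutil.vbs set /MSFTPSVC/PassivePortRange "6000-7000"
PASSIVE_PORT_RANGE = (6000, 7000)

# 227 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) advertised in a 227 PASV reply, or None otherwise."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    port = p1 * 256 + p2  # FTP encodes the data port as two 8-bit values
    return f"{h1}.{h2}.{h3}.{h4}", port


def in_range(port: int, rng: Tuple[int, int] = PASSIVE_PORT_RANGE) -> bool:
    lo, hi = rng
    return lo <= port <= hi


def audit(control_log: str, rng: Tuple[int, int] = PASSIVE_PORT_RANGE) -> List[Tuple[str, int, bool]]:
    """Walk server replies in a control-channel transcript and report each
    advertised data port together with whether it lies in the configured range."""
    findings = []
    for line in control_log.splitlines():
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        ip, port = parsed
        findings.append((ip, port, in_range(port, rng)))
    return findings


# Constructed sample transcript (not a real capture): the second PASV reply
# advertises port 1089, which means the range setting is not being applied.
SAMPLE_LOG = """\
220 Microsoft FTP Service
227 Entering Passive Mode (192,0,2,10,23,112).
150 Opening ASCII mode data connection.
226 Transfer complete.
227 Entering Passive Mode (192,0,2,10,4,65).
"""

if __name__ == "__main__":
    for ip, port, ok in audit(SAMPLE_LOG):
        print(f"{ip}:{port} {'OK' if ok else 'OUTSIDE configured range'}")
```

If every advertised port is outside the range, the setting has not been picked up by the service; if the ports are in range but the transfer still fails, the firewall rule for those ports toward the server IP is the next thing to check.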