Scott on Writing

Musings on technical writing...

Installing the FTP Service for IIS 6.0 On An Alternate Port Number and Configuring Windows Firewall

The Scenario
You need to set up the Windows FTP service that is part of IIS 6.0 on a port number other than the standard port 21 and are using Windows Firewall on the server.

The Challenge
Getting an FTP server and the firewall to play nicely can be a bit of an adventure because FTP uses two ports for communicating - one for establishing the connection (typically port 21) and another one for transferring the data. I believe that the FTP service for IIS 6.0 uses port 20 as the data port when using port 21 as the connection port, but I am not 100% certain. What I am certain of is that the data port may be randomly selected from a wide range of ports, and that is certainly the case when you select an alternate port number for the FTP service. The challenge lies in configuring the firewall to accept incoming requests to both the alternate port and the randomly selected data port.

If neither port is opened in the firewall, then when you attempt to connect to the FTP server the client will hang and eventually report that it cannot connect. If only the connection port is open, the FTP client will connect successfully but will report the error: Failed to retrieve directory listing. The reason is that the connection can be established over the connection port, but the request made to the data port to get the directory listing was blocked by the firewall. Long story short, you need to make sure that the firewall will allow traffic for the randomly selected data port.
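The two symptoms described above can be told apart from the client side. The following Python probe is an added example, not code from the original post. It assumes the client uses passive mode, where the server announces the data port in its 227 reply; the host, port and credentials passed to probe() are values you supply, and the sample reply is constructed.

```python
import re
import socket
from ftplib import FTP

# Constructed sample of a passive-mode reply: (h1,h2,h3,h4,p1,p2), port = p1*256 + p2
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,1,5,195,149)."
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (host, port) announced by the server for the data connection."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def diagnose(control_ok, data_ok):
    """Map what the probe observed to the firewall states described in the post."""
    if not control_ok:
        return "control port blocked: client hangs, then reports it cannot connect"
    if not data_ok:
        return "data port blocked: login works, 'Failed to retrieve directory listing'"
    return "both channels reachable"

def probe(host, port, user="anonymous", password="probe@example.invalid", timeout=10):
    """Live check: connect and log in, ask for a data port, then try to open it."""
    ftp = FTP(timeout=timeout)
    try:
        try:
            ftp.connect(host, port)
            ftp.login(user, password)  # wrong credentials raise ftplib.error_perm
        except (OSError, EOFError):
            return diagnose(False, False)
        try:
            _, data_port = parse_pasv(ftp.sendcmd("PASV"))
            # Use the control host: the announced address may be private behind NAT
            socket.create_connection((host, data_port), timeout=timeout).close()
        except (OSError, ValueError):
            return diagnose(True, False)
        return diagnose(True, True)
    finally:
        ftp.close()
```

Running probe() against the server before and after changing the firewall rules shows which of the two channels is still being blocked.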

The Solution

  1. Create an FTP site on the port number of choice, such as 12345. Typically you'll want to use a high port number to minimize the likelihood of a conflict. See Creating Multiple FTP Site (IIS 6.0) for more information on how to create multiple FTP sites using multiple ports.
  2. If you are using Windows Vista or Windows 2008 as the server, run the following command from the command line:
      sc sidtype MSFTPSVC unrestricted
  3. Stop and restart the FTP service.
    • Note: I got an error when restarting the service that complained that an unrestricted service could not be started in the same host as restricted services. I'm sure there is a more elegant workaround, but what worked for me was to reboot the server.
  4. Configure Windows Firewall to allow all TCP traffic in for the MSFTPSVC service. This will allow traffic on the randomly selected data port to penetrate the firewall. You can do this from the Windows Firewall configuration GUI or from the command line via:
      netsh advfirewall firewall add rule name="FTP" service=MSFTPSVC action=allow protocol=TCP dir=in
  5. Ensure that the FTP filter for Windows Firewall is disabled. You can do this via the command line, as well:
      netsh advfirewall set global Statefulftp disable

For more on Steps 2-5 see Windows Firewall Setup for Microsoft FTP Publishing Service for IIS 7.0. Some of the command line arguments are different in the article than what I have posted above because my commands are for the FTP Service that's part of IIS 6.0 whereas the article linked to looks at using the FTP Publishing Service for IIS 7.0.

I spent the better part of an afternoon figuring out these five steps. I hope this blog entry saves someone else a few precious hours.

posted on Wednesday, June 17, 2009 4:01 PM

Feedback

# re: Installing the FTP Service for IIS 6.0 On An Alternate Port Number and Configuring Windows Firewall 6/18/2009 12:15 AM Paul

I was looking for information on how to do this, so it is just what I need!

Thanks :-)

# re: Installing the FTP Service for IIS 6.0 On An Alternate Port Number and Configuring Windows Firewall 6/18/2009 5:47 AM Dave Hanna

Your step 2: "If you are using Vista or Win 2008..."

Is there an alternate for other servers (e.g., Win 2003 R2), or do you simply omit that step on other servers?

# re: Installing the FTP Service for IIS 6.0 On An Alternate Port Number and Configuring Windows Firewall 6/18/2009 7:09 AM Scott Mitchell

Dave, I assume you can just omit that step for Win2k3, although that is just my guess. I know that for the server I just needed to set this up on (Win2k8, IIS7) I had to perform Step #2 to get it to work.

Thanks
