Troubleshooting Windows Server 2008 R2 FTP Firewall Blocking Issues with PASV Mode Configuration


When your FTP server works locally but fails remotely with timeout errors during directory listing, you're likely facing a firewall configuration issue. The key evidence lies in these symptoms:

  • Successful authentication but directory listing timeout
  • Firewall logs showing DROP entries for high port connections
  • Working connection when firewall is disabled

Sample firewall log entry showing blocked traffic (Windows Firewall pfirewall.log format):
2012-04-23 14:44:54 DROP TCP 192.168.15.90 192.168.15.12 55743 49342 52 S 650301735 0 65535 - - - RECEIVE

The critical issue occurs during passive mode (PASV) operation when the server responds with a random high port (49342 in this case). The firewall blocks this dynamic port because:

  1. Windows Firewall doesn't auto-open FTP data channel ports
  2. The default FTP Windows Service doesn't properly register its ports
  3. Enterprise firewalls often block high ports by default

Here's the complete technical solution for IIS FTP on Windows Server 2008 R2:

1. Configure Firewall Port Rules

Open PowerShell as Administrator and run:

# Allow FTP control channel (21/tcp).
# New-NetFirewallRule ships with Windows Server 2012 and later; Server 2008 R2 uses netsh advfirewall.
netsh advfirewall firewall add rule name="FTP Control" dir=in action=allow protocol=TCP localport=21

# Allow FTP data channel range (recommended 50000-51000)
netsh advfirewall firewall add rule name="FTP Data" dir=in action=allow protocol=TCP localport=50000-51000

2. Configure IIS FTP Firewall Support

In IIS Manager:

  1. Select your FTP site → FTP Firewall Support
  2. Set "Data Channel Port Range" to 50000-51000
  3. Enter your external IP in "External IP Address of Firewall"

3. Verify with Network Tracing

Run this command before testing your connection:

netsh trace start scenario=NetConnection capture=yes tracefile=C:\temp\ftp_trace.etl
# reproduce the failing directory listing from the remote client, then stop the trace:
netsh trace stop

For complex networks, you might need additional steps:

# Registry tweak for large passive port ranges
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "MaxUserPort" -Value 65534 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "TcpTimedWaitDelay" -Value 30 -Type DWord

# Configure FTP service to use specific ports (the same setting as FTP Firewall Support in IIS Manager).
# Commit to applicationHost.config, then restart ftpsvc: the range is read only when the service starts.
& "$env:windir\system32\inetsrv\appcmd.exe" set config /section:system.ftpServer/firewallSupport /lowDataChannelPort:50000 /highDataChannelPort:51000 /commit:apphost
Restart-Service ftpsvc

Modify FileZilla settings for better diagnostics:

  1. Edit → Settings → Connection → FTP → Transfer Mode: Passive
  2. Check "Limit number of simultaneous connections"
  3. Set "Maximum number of connections" to 2

After configuration, test with:

telnet your.server.ip 21
telnet your.server.ip 50000

Both should connect successfully. If port 50000 fails, recheck your firewall rules and IIS configuration.
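As an added worked example (mine, not part of either answer), the procedure above as one script for Windows Server 2008 R2. It targets PowerShell 2.0, the version that ships with 2008 R2, which is why it drives the firewall with netsh advfirewall and IIS with appcmd instead of New-NetFirewallRule and Test-NetConnection (both arrived with later Windows releases). The site name "Default FTP Site", the public address 203.0.113.10 and the 50000-51000 range are assumptions. It also shows why the telnet to port 50000 suggested above is refused on an idle server even when everything is configured correctly: ftpsvc binds a passive data port only while a transfer is pending, so the check has to run during a client listing.

```powershell
# Added example, not taken from the page. Written for PowerShell 2.0 on Windows Server 2008 R2.
# Assumed values (not from the original answers):
$SiteName   = "Default FTP Site"   # name of the IIS FTP site
$ExternalIp = "203.0.113.10"       # public address of the NAT device in front of the server
$LowPort    = 50000                # passive range recommended by the answer
$HighPort   = 51000
$AppCmd     = Join-Path $env:windir "system32\inetsrv\appcmd.exe"

# A 227 reply encodes the data port in its last two octets: port = p1*256 + p2.
# For the reply in the question, (192,168,15,12,192,160) -> 192*256 + 160 = 49312, inside the
# default Windows ephemeral range 49152-65535, which is exactly what no inbound rule covers.
function Get-PasvPort {
    param([string]$Reply227)
    if ($Reply227 -match '\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)') {
        New-Object PSObject -Property @{
            Address = "$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
            Port    = [int]$Matches[5] * 256 + [int]$Matches[6]
        }
    } else {
        throw "Not a 227 reply: $Reply227"
    }
}

function Set-FtpPassiveRange {
    # Server-wide data channel range (IIS Manager: server node > FTP Firewall Support).
    & $AppCmd set config /section:system.ftpServer/firewallSupport "/lowDataChannelPort:$LowPort" "/highDataChannelPort:$HighPort" /commit:apphost
    # Per-site address the server advertises in 227 replies (site node > FTP Firewall Support).
    & $AppCmd set config /section:system.applicationHost/sites "/[name='$SiteName'].ftpServer.firewallSupport.externalIp4Address:$ExternalIp" /commit:apphost
    # ftpsvc reads the range at startup, so restart it for the change to take effect.
    Restart-Service ftpsvc
}

function Set-FtpFirewallRules {
    param([switch]$Ftps)
    # New-NetFirewallRule does not exist on 2008 R2; netsh advfirewall does the same job.
    netsh advfirewall firewall add rule name="FTP Control" dir=in action=allow protocol=TCP localport=21
    netsh advfirewall firewall add rule name="FTP Passive Data" dir=in action=allow protocol=TCP localport="$LowPort-$HighPort"
    if ($Ftps) {
        # Stateful FTP inspection opens data ports by reading PASV replies on the control channel.
        # It cannot do that once the control channel is TLS-encrypted, so for FTPS switch it off and
        # rely on the explicit range rule above.
        netsh advfirewall set global StatefulFtp disable
    }
}

# Raw TCP connect with a timeout; replaces Test-NetConnection, which needs PowerShell 4.0.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Ports ftpsvc is listening on right now. Run this while a client is mid-listing: a correct setup
# shows 0.0.0.0:21 plus one data port inside $LowPort-$HighPort. (Other services hosted in the same
# svchost process show up as well.)
function Get-FtpListeners {
    $ftpPid = (Get-WmiObject Win32_Service -Filter "Name='ftpsvc'").ProcessId
    netstat -ano -p TCP |
        Where-Object { $_ -match ('LISTENING\s+' + $ftpPid + '\s*$') } |
        ForEach-Object { ($_.Trim() -split '\s+')[1] }   # local address:port column
}

# Usage, in this order, from an elevated PowerShell prompt:
#   Set-FtpPassiveRange
#   Set-FtpFirewallRules            # add -Ftps when the site requires SSL
#   Get-PasvPort "227 Entering Passive Mode (192,168,15,12,192,160)."   # the pre-fix port, 49312
#   Test-TcpPort -ComputerName $ExternalIp -Port 21                      # from outside the NAT
#   Get-FtpListeners                                                     # while a client lists a directory
```

The verification function is deliberately a listener check rather than a connect to 50000: an FTP data port that is not mid-transfer is closed by design, so a refused connection there proves nothing about the firewall.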


When your FTP server works locally but fails remotely with timeout errors during directory listing, you're likely facing passive mode firewall issues. The Windows Firewall is notoriously strict about FTP data channel connections.

From the FileZilla log snippet, we can see:

Response:   227 Entering Passive Mode (192,168,15,12,192,160).
Error:  Connection timed out

The firewall logs confirm blocked connections:

2012-04-23 14:44:54 DROP TCP 192.168.15.90 192.168.15.12 55743 49342 52 S

First, configure these settings in IIS Manager:

  1. Open FTP Firewall Support settings
  2. Set the external IP address of your server
  3. Specify the passive port range (e.g., 5000-5100)

Create these inbound rules via PowerShell:

# Allow FTP server (control channel, 21/tcp).
# New-NetFirewallRule is not available on Server 2008 R2; use netsh advfirewall.
netsh advfirewall firewall add rule name="FTP Server" dir=in action=allow protocol=TCP localport=21

# Allow passive mode range
netsh advfirewall firewall add rule name="FTP Passive Ports" dir=in action=allow protocol=TCP localport=5000-5100

If behind NAT, configure these values (IIS 7.5 FTP keeps them in applicationHost.config, not in the registry, so set them with appcmd):

# Passive data channel range (server-wide)
& "$env:windir\system32\inetsrv\appcmd.exe" set config /section:system.ftpServer/firewallSupport /lowDataChannelPort:5000 /highDataChannelPort:5100 /commit:apphost
# External IP address advertised in 227 replies (per site; site name assumed to be "Default FTP Site")
& "$env:windir\system32\inetsrv\appcmd.exe" set config /section:system.applicationHost/sites "/[name='Default FTP Site'].ftpServer.firewallSupport.externalIp4Address:your.public.ip" /commit:apphost
Restart-Service ftpsvc

Verify with this PowerShell test:

# Test-NetConnection needs PowerShell 4.0 (Server 2012 R2+); on 2008 R2 use a raw TCP connect.
# Port 21 accepts immediately; a passive port only accepts while a transfer is pending, so run the
# second line during a client directory listing or it is refused even on a correct setup.
(New-Object System.Net.Sockets.TcpClient("localhost", 21)).Connected
(New-Object System.Net.Sockets.TcpClient("localhost", 5000)).Connected

For encrypted connections, add these rules:

# Allow FTP over SSL (implicit FTPS control channel, 990/tcp)
netsh advfirewall firewall add rule name="FTP SSL Control" dir=in action=allow protocol=TCP localport=990
# With TLS on the control channel the firewall cannot read PASV replies to open data ports itself,
# so turn off stateful FTP inspection and rely on the explicit passive range rule above
netsh advfirewall set global StatefulFtp disable

  • Verify firewall rules appear in "Inbound Rules" list
  • Check Windows Firewall logging is enabled
  • Confirm no conflicting third-party firewalls
  • Restart FTP service after configuration changes
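The checklist says to make sure firewall logging is enabled but not what to look for once it is. As an added example that is not part of this answer, here is a PowerShell 2.0 script that parses the Windows Firewall log (pfirewall.log, W3C format with a #Fields header) and classifies each dropped inbound SYN aimed at the FTP server: control channel, inside the configured passive range (rule missing), in the Windows ephemeral range 49152-65535 (the IIS range was never applied or ftpsvc was not restarted), or unrelated. The sample log is constructed around the single DROP line quoted above; the server address 192.168.15.12 and the 5000-5100 range come from this answer, while the other client 10.9.8.7, the timestamps and the remaining ports are made up.

```powershell
# Added example, not taken from the page. PowerShell 2.0 compatible (Windows Server 2008 R2).
$LogPath     = "$env:systemroot\system32\LogFiles\Firewall\pfirewall.log"   # default Windows Firewall log
$ServerIp    = "192.168.15.12"   # FTP server address from the log line in the answer
$PassiveLow  = 5000              # passive range configured in this answer
$PassiveHigh = 5100

# Constructed sample: header lines as Windows Firewall writes them, the DROP line from the answer,
# plus made-up lines for the control channel, the pre-fix ephemeral port, the fixed range and noise.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-04-23 14:44:50 ALLOW TCP 192.168.15.90 192.168.15.12 55742 21 52 S 650301700 0 65535 - - - RECEIVE
2012-04-23 14:44:54 DROP TCP 192.168.15.90 192.168.15.12 55743 49342 52 S 650301735 0 65535 - - - RECEIVE
2012-04-23 14:44:57 DROP TCP 192.168.15.90 192.168.15.12 55744 49312 52 S 650301801 0 65535 - - - RECEIVE
2012-04-23 14:45:10 DROP TCP 192.168.15.90 192.168.15.12 55745 5003 52 S 650301900 0 65535 - - - RECEIVE
2012-04-23 14:45:12 DROP TCP 10.9.8.7 192.168.15.12 40001 3389 52 S 11111111 0 65535 - - - RECEIVE
'@

# Turn log lines into objects named after the #Fields header (dst-ip, dst-port, ...).
function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }
        if (-not $fields) { throw "Data line before #Fields header: $line" }
        $cols = $line.Trim() -split ' '
        $rec = New-Object PSObject
        for ($i = 0; $i -lt $fields.Length -and $i -lt $cols.Length; $i++) {
            $rec | Add-Member NoteProperty $fields[$i] $cols[$i]
        }
        $rec
    }
}

# Keep only inbound TCP SYNs to the FTP server that were dropped, and say what each drop means.
function Get-FtpDropSummary {
    param($Records)
    $Records |
        Where-Object {
            $_.action -eq 'DROP' -and $_.protocol -eq 'TCP' -and $_.path -eq 'RECEIVE' -and
            $_.'dst-ip' -eq $ServerIp -and $_.tcpflags -eq 'S'
        } |
        ForEach-Object {
            $port = [int]$_.'dst-port'
            $verdict = if ($port -eq 21) {
                'control channel blocked: inbound rule for 21/tcp missing'
            } elseif ($port -ge $PassiveLow -and $port -le $PassiveHigh) {
                'inside configured passive range: inbound rule for the range missing'
            } elseif ($port -ge 49152) {
                'Windows ephemeral range: IIS passive range not applied (not set, or ftpsvc not restarted)'
            } else {
                'not FTP: unrelated service'
            }
            New-Object PSObject -Property @{
                Time    = "$($_.date) $($_.time)"
                Client  = $_.'src-ip'
                Port    = $port
                Verdict = $verdict
            }
        }
}

# Run against the constructed sample:
$records = ConvertFrom-FirewallLog ($SampleLog -split "`r?`n")
Get-FtpDropSummary $records | Format-Table Time, Client, Port, Verdict -AutoSize

# On the live server, once dropped-packet logging is on:
#   netsh advfirewall set allprofiles logging droppedconnections enable
#   Get-FtpDropSummary (ConvertFrom-FirewallLog (Get-Content $LogPath))
```

The ephemeral-range verdict is the one that matches the symptoms in the question: drops on 49342 and 49312 mean the server is still handing out ports from 49152-65535, so either the FTP Firewall Support range was never saved or ftpsvc has not been restarted since.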