IIS 7.5 FTP Passive Mode Port Range Not Working for Plain FTP: Configuration and Workarounds


During a recent server configuration, I encountered an interesting behavior with IIS 7.5's FTP service. The passive port range configuration is honored for explicit FTPS (FTPES, AUTH TLS on port 21) and implicit FTPS (port 990), but plain, unencrypted FTP connections ignore the same settings.

FTP operates in two modes:
1. Active mode (PORT command)
2. Passive mode (PASV command)

The issue specifically manifests when:
- Using plain FTP (not encrypted)
- Client sends PASV command
- Server responds with random high ports outside configured range

Here's how you can test this behavior yourself:

telnet your.ftp.server 21
USER username
PASS password
PASV

The 227 reply carries six comma-separated numbers (h1,h2,h3,h4,p1,p2): the first four are the server's address and the data port is p1 * 256 + p2. Work that out for a few PASV replies and you will see ports that are not in your configured range.

Even with the following registry values configured at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSFTPSVC\Parameters

"PassivePortRange" = "60000-60050"
"PassivePortControl" = "60000"

the plain FTP connections still use random ports. One check before going further: MSFTPSVC is the legacy IIS 6 FTP service, and the IIS 7.5 FTP service (ftpsvc) does not read these registry values at all. In IIS 7.5 the data channel range is a server-level setting in applicationHost.config, section system.ftpServer/firewallSupport (attributes lowDataChannelPort and highDataChannelPort, shown in IIS Manager as FTP Firewall Support > Data Channel Port Range at the server node), and the FTP service must be restarted after it changes. Confirm the range is set there and the service has been restarted before attributing the random ports to plain-versus-encrypted behavior.

After examining Microsoft's documentation and testing various scenarios, this appears to be by design: the passive port range restriction only takes effect for the secure FTP variants in IIS 7.5. The documentation does not say why; plausible explanations, none of them confirmed, are:

  • Different code paths for plain vs secure FTP
  • Security model differences between protocols
  • Historical implementation decisions

For those needing to enforce passive port ranges for plain FTP, consider these approaches:

Option 1: Windows Firewall Configuration
Create an inbound rule that allows only your specified passive ports. Windows Firewall blocks unsolicited inbound connections by default, so no explicit block rule is needed; do not add one covering 1024-65535, because an explicit block rule overrides an allow rule on the same port and it would block 60000-60050 as well. Also note that a firewall rule cannot change the port the service announces in its 227 reply: if the service picks a port outside the range, the client's data connection simply fails instead of being redirected.

netsh advfirewall firewall add rule name="FTP Passive Ports In" dir=in action=allow protocol=TCP localport=60000-60050

Option 2: Third-party FTP Server
Consider using alternative FTP servers like FileZilla Server or Cerberus FTP which properly respect passive port ranges for all protocol variants.

Option 3: Upgrade Path
Newer versions of IIS (8.0+) may handle this differently. If upgrading is possible, test the passive port behavior on the new version with the PASV check above before relying on it.

This behavior actually presents security concerns:

  • Firewalls need to open wide port ranges
  • Makes network security policies harder to enforce
  • Increases attack surface unnecessarily

This is likely why Microsoft restricted the passive port range feature to secure FTP variants where security is already a higher priority.

While frustrating, this behavior makes some sense from a security perspective. Plain FTP is inherently insecure, and enforcing port ranges only on secure variants pushes administrators toward better security practices. The workarounds above should help manage the situation until you can transition to more secure FTP implementations.


After spending hours troubleshooting IIS 7.5's FTP service, I discovered a frustrating behavior: the configured passive port range only applies to FTP over SSL (FTPES) or FTP over TLS (FTPS). When using plain FTP, the server completely ignores your specified port range and assigns random ephemeral ports.

In passive mode FTP:

Client: PASV
Server: 227 Entering Passive Mode (192,168,1,100,X,X)

The server should announce ports from your configured range (e.g., 50000-50100) for the data connection; the port is p1 * 256 + p2, computed from the last two numbers of the 227 reply. In IIS 7.5, this only works when encryption is enabled.

Try this simple test (the 227 replies below are illustrative; work the port out as p1 * 256 + p2). Windows' built-in ftp.exe has no passive mode, so use a client that does, or the telnet session shown earlier:

# Without SSL:
ftp> open myserver
Connected to myserver.
220 Microsoft FTP Service
User (myserver:(none)): anonymous
331 Anonymous access allowed.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (192,168,1,100,230,17) # 230*256+17 = port 58897, outside 50000-50100

# With SSL:
227 Entering Passive Mode (192,168,1,100,195,120) # 195*256+120 = port 50040, within the configured 50000-50100 range
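The manual telnet and ftp-client checks above only sample one PASV reply each. The following script is an added example, not code from the original page: it parses 227 replies with the p1 * 256 + p2 arithmetic, samples PASV repeatedly over plain FTP and over explicit FTPS (AUTH TLS plus PROT P) in the same run, and reports how many announced ports fell outside the configured range. The host name, credentials, the 50000-50100 range and the sample 227 lines are all assumptions constructed for the example; the only thing it needs from a real server is an account that can log in.

```python
import re
import ssl
from ftplib import FTP, FTP_TLS

# Data channel range the server is expected to announce (assumed value, matching the text).
PASSIVE_RANGE = (50000, 50100)

# A 227 reply looks like: "227 Entering Passive Mode (192,168,1,100,195,120)"
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply. The port is p1 * 256 + p2."""
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got: %r" % reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def in_range(port, rng=PASSIVE_RANGE):
    low, high = rng
    return low <= port <= high


def summarize(ports, rng=PASSIVE_RANGE):
    """Report how many sampled data ports fell outside the configured range."""
    outside = [p for p in ports if not in_range(p, rng)]
    return {"sampled": len(ports), "outside": len(outside), "ports_outside": outside}


def sample_pasv(host, user, password, samples=10, use_tls=False, insecure=False, timeout=10):
    """Log in, issue PASV `samples` times and return the announced data ports.

    Each PASV makes the server open a fresh listener and drop the previous one,
    so the probe never has to open a data connection. With use_tls=True the
    session is explicit FTPS: AUTH TLS on port 21, then PROT P for data.
    insecure=True skips certificate validation for a lab server with a
    self-signed certificate (assumption; do not use it against production).
    """
    if use_tls:
        ctx = ssl.create_default_context()
        if insecure:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        ftp = FTP_TLS(context=ctx, timeout=timeout)
    else:
        ftp = FTP(timeout=timeout)
    ftp.connect(host, 21)
    ftp.login(user, password)   # FTP_TLS.login sends AUTH TLS before USER/PASS
    if use_tls:
        ftp.prot_p()            # encrypt the data channel as well
    ports = []
    try:
        for _ in range(samples):
            ports.append(parse_pasv(ftp.sendcmd("PASV"))[1])
    finally:
        ftp.quit()
    return ports


def compare(host, user, password, samples=10, insecure=False):
    """Sample PASV over plain FTP and over explicit FTPS and return both summaries."""
    plain = summarize(sample_pasv(host, user, password, samples, use_tls=False))
    tls = summarize(sample_pasv(host, user, password, samples, use_tls=True, insecure=insecure))
    return {"plain": plain, "ftps": tls}


# Constructed replies (not captured from a real server) for an offline check of the parser.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,100,195,120)",  # 195*256+120 = 50040, in range
    "227 Entering Passive Mode (192,168,1,100,230,17)",   # 230*256+17 = 58897, outside
    "227 Entering Passive Mode (192,168,1,100,195,80)",   # 195*256+80 = 50000, lower bound
]


def offline_check():
    return summarize([parse_pasv(r)[1] for r in SAMPLE_REPLIES])


if __name__ == "__main__":
    print(offline_check())
    # Against a real server (host and credentials are assumptions):
    # print(compare("ftp.example.internal", "probe", "secret", samples=20, insecure=True))
```

If the "plain" summary shows ports outside the range while "ftps" shows none, you have reproduced the behavior described on this page; if both show ports outside the range, the range is most likely not set at the server level or the FTP service has not been restarted since it was changed.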

The behavior stems from how Microsoft implemented the FTP service:

  • Plain FTP connections use Windows' default dynamic port range (49152-65535 on Windows Server 2008 and later)
  • The configured port range is applied to the data channel only when the session is protected by SSL/TLS; the control channel is always port 21 (990 for implicit FTPS) and is never affected by the range
  • This is documented in KB article 929131 but not obvious in the UI

Create Windows Firewall rules that allow the passive range. The inbound rule is the one that matters for passive mode, since the client connects in to the data port; outbound traffic is allowed by default, so the second rule is needed only if your outbound policy is set to block. A firewall rule does not change which port the service announces: if it picks one outside the range, the transfer fails rather than being corrected.

netsh advfirewall firewall add rule name="FTP Passive Ports In" dir=in action=allow protocol=TCP localport=50000-50100
netsh advfirewall firewall add rule name="FTP Passive Ports Out" dir=out action=allow protocol=TCP localport=50000-50100

For plain FTP, the remaining lever is the port range Windows hands out system-wide. Be precise about what the registry value below does: ReservedPorts (a REG_MULTI_SZ under Tcpip\Parameters) excludes the listed ranges from dynamic assignment, so that no other process grabs a port from the passive range; it does not confine the FTP service to that range. To move the dynamic range itself on Windows Server 2008 R2, use netsh (int ipv4 set dynamicport tcp start=50000 num=101, and the ipv6 equivalent separately), which then applies to every application. TcpTimedWaitDelay of 0x1e (30 seconds) only shortens TIME_WAIT so ports become reusable sooner; it has no effect on which port is chosen. A REG_MULTI_SZ must be written as hex(7) in a .reg file, so the corrected fragment for the page's values is:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"ReservedPorts"=hex(7):35,00,30,00,30,00,30,00,30,00,2d,00,35,00,30,00,31,00,\
  30,00,30,00,00,00,00,00
"TcpTimedWaitDelay"=dword:0000001e

Note: both settings affect all applications, not just FTP, and ReservedPorts takes effect only after a reboot.

The most reliable solution is to use FTP over SSL/TLS, where the port range works as expected. Configure it in IIS Manager:

1. Select the FTP site and open FTP SSL Settings
2. Choose "Allow SSL Connections" (or "Require SSL Connections" to refuse plain FTP altogether)
3. Select your certificate
4. At the server node, open FTP Firewall Support and set Data Channel Port Range to the desired values (this setting is server-wide, not per site), then restart the Microsoft FTP Service so it picks up the new range

Automate the FTPS configuration (the data channel range is a server-level setting, so it is written to applicationHost.config rather than to the site, and the service is restarted afterwards):

Import-Module WebAdministration
# Server-wide data channel (passive) port range: system.ftpServer/firewallSupport
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.ftpServer/firewallSupport' -Name 'lowDataChannelPort'  -Value 50000
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.ftpServer/firewallSupport' -Name 'highDataChannelPort' -Value 50100
# Per-site settings: SSL policy and the address announced in 227 replies
Set-ItemProperty 'IIS:\Sites\Default FTP Site' -Name ftpServer.security.ssl.controlChannelPolicy -Value "SslAllow"
Set-ItemProperty 'IIS:\Sites\Default FTP Site' -Name ftpServer.security.ssl.dataChannelPolicy -Value "SslAllow"
Set-ItemProperty 'IIS:\Sites\Default FTP Site' -Name ftpServer.firewallSupport.externalIp4Address -Value "192.168.1.100"
# The FTP service reads the range at start-up, so restart it to apply the change
Restart-Service ftpsvc