How to configure Windows firewall for passive FTP server?
A standard-mode FTP client starts a session by opening a "command channel" connection to TCP port number 21 on the server. The client requests a file transfer by sending a PORT command to the server. The server then attempts to start a "data channel" connection back to the client on TCP port number 20. A typical firewall running on the client treats this data channel connection request from the server as unsolicited and discards the packet, so the file transfer fails.

Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 supports stateful FTP, which allows inbound connection requests on port 20 that match a previous outbound PORT command from the client. However, if you use FTP over SSL to encrypt and protect FTP communication, the firewall can no longer check the inbound connection requests from the server, and these requests are blocked.

To avoid this problem, FTP also supports a "passive" operation mode, in which the client initiates the data channel connection. Instead of using the PORT command, the client sends the PASV command on the command channel. The server responds with a TCP port number to which the client should connect to establish the data channel. By default, the server uses a small range of available ports (1025 to 5000). To better protect the server, you can limit the port range used by the FTP service and then create a firewall rule so that FTP communication is carried out only on those allowed port numbers.

This topic discusses how to do the following:

1. Configure the FTP service so that passive mode FTP only uses a limited number of ports.
2. Configure inbound firewall rules to establish inbound FTP connections only on allowed ports.

The following procedure shows the steps to configure the FTP service on Internet Information Services (IIS) version 7.0. If you use another FTP service, consult the product documentation to find the corresponding steps.
Configuring SSL support is beyond the scope of this topic. For more information, see the IIS documentation.

Configure the FTP service so that passive mode FTP only uses a limited number of ports

1. In the Connections pane of IIS 7.0 Manager, click the top node of the server.
2. In the details pane, double-click FTP firewall support.
3. Enter the port number range you want the FTP service to use. For example, 41000-41099 allows the server to support 100 passive mode data connections at the same time.
4. Enter the external IPv4 address of the firewall where the data connection arrives.
5. In the Actions pane, click Apply to save your settings.

You must also create firewall rules on the FTP server to allow inbound connections on the ports configured in the previous procedure. Although you can create rules that specify ports by number, it is easier to create a rule that opens any port that the FTP service listens on. By following the steps in the previous procedure, you limit the ports that FTP listens on.

Configure inbound firewall rules to allow inbound FTP connections only to the ports FTP listens on

1. Open an administrator command prompt. Click Start, click All Programs, click Accessories, right-click the command prompt, and then click Run as Administrator.
2. Run the following command:

    netsh advfirewall firewall add rule name="ftpservice" action=allow service=ftpsvc protocol=tcp dir=in

3. Finally, disable stateful FTP filtering so that the firewall does not block any FTP traffic:

    netsh advfirewall set global StatefulFtp disable

Windows firewall and non-secure FTP traffic

Windows Firewall can be configured from the command line with the netsh command. It takes 2 simple steps to set up Windows Firewall to allow non-secure FTP traffic:

1) Open port 21 on the firewall:

    netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=tcp dir=in localport=21

2) Activate the firewall application filter for FTP (also called stateful FTP):

    netsh advfirewall set global StatefulFtp enable