Passive FTP Port Range Server 2008 Firewall

Posted by stooley, 04-21-2009, 09:13 AM
Do you still have to add each port individually to Server 2008's Firewall like we did on Server 2003? If so, will the guides that were put out for 2003 work on 2008's? I want to be sure before putting all these ports in....if I can just specify a range instead, it would be much easier!

Posted by Collabora, 04-21-2009, 03:25 PM
Since the new firewall includes stateful inspection the procedure is a little easier. The following procedure shows the steps for configuring the FTP service on Internet Information Services (IIS) version 7.0. For SSL see the IIS documentation.

Configure the FTP service to only use a limited number of ports for passive mode FTP

1. In the IIS 7.0 Manager, in the Connections pane, click the top node for your server.
2. In the details pane, double-click FTP Firewall Support.
3. Enter the range of port numbers that you want the FTP service to use. For example, 5001-5101 allows the server to support 100 passive mode data connections simultaneously.
4. Enter the external IPv4 address of the firewall through which the data connections arrive (if necessary).
5. In the Actions pane, click Apply to save your settings.

You must also create a firewall rule on the FTP server to allow inbound connections on the ports you configured in the previous procedure. Although you could create a rule that specifies the ports by number, it is easier to create a rule that opens any port on which the FTP service is listening. You limit the ports on which FTP is listening by following the steps in the previous procedure.

While Windows Firewall can be configured using the Windows Firewall applet in the Windows Control Panel, that utility does not have the required features to enable all of the features for FTP. The Windows Firewall with Advanced Security utility that is located under Administrative Tools in the Windows Control Panel has all of the required features to enable the FTP features, but in the interests of simplicity this walkthrough will describe how to use the command-line Netsh.exe utility to configure the Windows Firewall.

Using Windows Firewall with non-secure FTP traffic

To configure Windows Firewall to allow non-secure FTP traffic, use the following steps:

1. Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.
2. To open port 21 on the firewall, type the following syntax then hit enter:
3. To enable stateful FTP filtering that will dynamically open ports for data connections, type the following syntax then hit enter:

Important Notes:

- Active FTP connections would not necessarily be covered by the above rules; an outbound connection from port 20 would also need to be enabled on the server. In addition, the FTP client machine would need to have its own firewall exceptions set up for inbound traffic.
- FTP over SSL (FTPS) will not be covered by these rules; the SSL negotiation will most likely fail because the Windows Firewall filter for stateful FTP inspection will not be able to parse encrypted data. (Some 3rd-party firewall filters recognize the beginning of SSL negotiation, e.g. AUTH SSL or AUTH TLS commands, and return an error to prevent SSL negotiation from starting.)

See your IIS docs for SSL, or post a request here.
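
The firewall side of the procedure above written out as netsh commands, including a single rule for the whole passive range asked about in the first post. This is an added example, not the commands from the original post: the rule names are made up, 5001-5101 is the post's example range, and the service name ftpsvc is an assumption about the FTP 7.x service.

```bat
@echo off
rem Added example, not from the original post. Run from an elevated command prompt.
rem Assumed values: rule names (made up), passive range 5001-5101 (the post's
rem example), service name ftpsvc (assumption; confirm with: sc query ftpsvc).

rem --- Control channel: allow inbound TCP 21 ---
netsh advfirewall firewall add rule name="FTP control (TCP 21)" ^
    dir=in action=allow protocol=TCP localport=21

rem --- Passive data ports: pick ONE of the three options below ---

rem Option A: one rule covering the range entered under FTP Firewall Support.
rem localport accepts a range, so the ports need not be added one by one.
rem This rule does not depend on the firewall reading the control channel.
netsh advfirewall firewall add rule name="FTP passive data (5001-5101)" ^
    dir=in action=allow protocol=TCP localport=5001-5101

rem Option B: the rule the post describes, allowing any TCP port the FTP
rem service listens on. Exposure is then bounded only by the range set in IIS.
rem netsh advfirewall firewall add rule name="FTP service (any port)" ^
rem     dir=in action=allow protocol=TCP service=ftpsvc

rem Option C: stateful FTP filtering, which opens data ports dynamically by
rem inspecting the control channel (non-secure FTP only, per the notes above).
rem netsh advfirewall set global StatefulFtp enable

rem --- Verify what is actually in effect ---
netsh advfirewall firewall show rule name="FTP control (TCP 21)"
netsh advfirewall firewall show rule name="FTP passive data (5001-5101)"
netsh advfirewall show global

rem --- Roll back ---
rem netsh advfirewall firewall delete rule name="FTP passive data (5001-5101)"
rem netsh advfirewall firewall delete rule name="FTP control (TCP 21)"
```

Keep the range in the firewall rule identical to the range configured in IIS, so that no port is open without the FTP service behind it.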

Posted by stooley, 04-21-2009, 05:32 PM
Thank you very much.

Posted by jNive, 04-21-2009, 07:59 PM
just remember to set the corresponding port ranges in the FTP client
