Configure Windows Firewall for active FTP
I have an application that runs as a service and contains an FTP client. When I attempt to get a list of files or download a file, Windows Firewall is dropping the incoming connection from the FTP server. Active FTP is the protocol that requires the server to open a connection to the client on a port that the client specified.
Is there some setting that needs to be made in order to have Windows Firewall automatically detect Active FTP and open up the necessary ports as needed? Can I change that setting programmatically? Here's the thing: Whether in Active or Passive mode, the server always uses port 20 on its side for the data connection and connects to the client on whatever port the client specified when it issued the FTP PORT command.
After looking at the Windows 7 firewall, it looks like you can create a custom inbound rule that allows connections to any local port from a specific remote port (20) for a given protocol type (TCP). You can also specify the local and remote IP addresses that this rule applies to. I have to admit that I've never monkeyed around with the Windows firewall, but it looks to me like it might work for you.
Instead of adding ports to the Windows Firewall exception list, add the application you need to have access. Windows Firewall will then allow that application to bind and use whatever ports it wishes. You need to ensure that this service is started for Active FTP to work. I had the problem with an FTP client on our Intranet, and didn't want to make a firewall exception for that particular program.
I tried to enable the "Application Layer Gateway Service" (sc start ALG), and made sure that I had "statefulftp" enabled (netsh advfirewall set global statefulftp enable). I suppose these are needed in some cases, but they didn't make a difference for me. I resolved this issue looking more accurately at the top of inbound rules. Disabled both and everything worked like a charm!
Just my 2 cents ;-) The application must be white listed before you access the connection from your sub-net or the internet. Then add exception for "inetinfo. I would recommend tunneling instead. It has UPnP and will auto open the port 22 for you. It has an accompanying client program called Tunnelier if you are coming from the client side. The point here is that when you have a tunnel on port 22, then both active or passive FTP will work fine from that point forward via the tunnel.
The challenges of working with FTP and firewalls don't end with the requirement of a secondary data connection; to complicate things even more, there are actually two different ways to establish a data connection.
Some FTP clients require explicit action to enable passive connections, and some clients don't even support passive connections. One such example is command-line Ftp. To add to the confusion, some clients attempt to intelligently alternate between the two modes when network errors happen, but unfortunately this does not always work.
Some firewalls try to remedy problems with data connections with built-in filters that scan FTP traffic and dynamically allow data connections through the firewall. These firewall filters are able to detect what ports are going to be used for data transfers and temporarily open them on firewall so that clients can open data connections.
Some firewalls may enable filtering of FTP traffic by default, but this is not always the case. This type of filtering is known as a type of Stateful Packet Inspection (SPI) or Stateful Inspection, meaning that the firewall is capable of intelligently determining the type of traffic and dynamically choosing how to respond.
Many firewalls now employ these features, including the built-in Windows Firewall.
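What such a filter does with the control channel, as an added example that is not part of the original article: it reads the client's PORT command, computes the announced port, and allows one inbound connection from the server to that port. The addresses, the sample session and the function names are constructed for illustration, and the address-match and low-port checks are an assumed policy, not Windows Firewall's documented behaviour.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 : the client announces the endpoint it listens on.
PORT_RE = re.compile(r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", re.I)

def parse_port_command(line):
    """Return (ip, port) announced by an FTP PORT command, or None if malformed."""
    m = PORT_RE.fullmatch(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # every field is a single octet
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2

def pinhole_for(line, client_ip, server_ip):
    """Describe the temporary inbound allowance for one control-channel line."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != client_ip:
        return None  # assumed policy: announced address must be the client itself
    if port < 1024:
        return None  # assumed policy: never open well-known service ports
    return {"protocol": "TCP", "remote_ip": server_ip,
            "local_ip": ip, "local_port": port}

def open_pinholes(control_lines, client_ip, server_ip):
    """Collect the allowances a filter would create for a whole control session."""
    holes = (pinhole_for(l, client_ip, server_ip) for l in control_lines)
    return [h for h in holes if h is not None]

# Constructed client-to-server control traffic (documentation addresses).
SAMPLE_SESSION = [
    "USER svc\r\n",
    "PORT 192,0,2,10,195,80\r\n",   # 195*256 + 80 = 50000: allowed
    "LIST\r\n",
    "PORT 192,0,2,99,195,81\r\n",   # address is not the client: ignored
    "PORT 192,0,2,10,0,22\r\n",     # port 22: ignored
    "PORT 192,0,2,10,999,1\r\n",    # field out of range: ignored
]

if __name__ == "__main__":
    for hole in open_pinholes(SAMPLE_SESSION, "192.0.2.10", "198.51.100.5"):
        print(hole)
```

A static rule cannot make this per-session decision, which is why the alternatives discussed above are a broad inbound rule or an application exception.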
Note: If you choose to type in the path to your content folder, you can use environment variables in your paths.
Note: You will need to make sure that you follow the steps in this section walkthrough while logged in as an administrator.
Note: This may appear confusing to an FTP client, because the client will seem to be able to successfully log in to the server, but the connection may appear to time out or stop responding when attempting to retrieve a directory listing from the server.
Which ports work for passive? Ty, Sid. Tuesday, April 4, PM. Tuesday, April 18, AM. Wednesday, April 5, AM. Hi John, Is it Ports 21 to or just Port 21 and ? Ty, Sayeed.