Windows Server 2003 Passive FTP beyond (NAT/Firewall)

Posted on 2006-04-04
Last Modified: 2012-08-14

May I ask for some help regarding configuration of Windows Server 2003 Passive FTP beyond (NAT/Firewall)? My setup has only one public IP and the NAT/Firewall is enabled. It is a DSL internet connection and port 21 is open in the firewall.

The internal network works fine, but accessing the FTP from outside also works only if you uncheck the "Use Passive FTP (for firewall and DSL modem compatibility)" option in Internet Explorer.

Experts, is there something that I forgot to configure?

Thank you.

Question by: marvelsoft
    LVL 2

    Expert Comment

    Hi marvelsoft,

    Try opening port 20 on the firewall as well.  

    LVL 70

    Accepted Solution


    Passive FTP only uses port 21 for the initial connection; after that it shifts it onto a high-numbered port. Since you only have port 21 open, it's very likely that there's no way for the traffic to get through. The default port range for this is really very large (just greater than 1023).

    Fortunately, things can be simplified considerably. If you're using IIS on there, then it's possible to define the range of ports you want to use for FTP using ADSUtil (defaults to C:\InetPub\AdminScripts):

    adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700"

    Where 5500 to 5700 is the range you want to set.

    Fully documented here:


