NicoNL asked:

Inbound ports to open for passive FTP (server 2012R2)

I'm configuring a 2012R2 server for simple anonymous passive FTP (read/write) file storage.
In I found that the port range to allow for the inbound firewall rule should be 1024-65535. And indeed, without this wide port range 1024-65535, the communication to the FTP server fails.

Is there a way to limit this 1024-65535 inbound port range to be opened?
David Johnson, CD

This solution is only available to members.

NicoNL

Hi David,

Thank you for your reply.

> Enter the external IPv4 address of the firewall through which the data connections arrive.
The server is for intranet only, so there is no global / external IP address to enter for the server.

I found the Technet article "How to Configure Windows Firewall for a Passive Mode FTP Server".
Did the configuration, but this didn't do the trick. For some reason FTP can't connect to the server using the firewall rule "netsh advfirewall firewall add rule name="FTP Service" action=allow service=ftpsvc protocol=TCP dir=in" to not filter any FTP traffic, disabling StatefulFTP with "netsh advfirewall set global StatefulFTP disable", and setting the 100-port range 41000-41099, or another range. Even with these 100 ports configured, FTP only connects when inbound 1024-65535 TCP is allowed (and of course the control port 21).

> Enter the external IPv4 address of the firewall through which the data connections arrive.
External to the machine, not the network, so you would put a range in here... easier to do it via the GUI.

NicoNL

I set the IP address, it didn't change anything about needing the whole 1024-65535 range to function.

NicoNL

Case not solved, closing it
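
A check that fits the situation described in this thread, added here as an example and not posted by any participant: parse the server's passive-mode replies to see which data ports it actually advertises, and compare them with the range the firewall rule allows. The 41000-41099 range comes from the thread; the sample replies, addresses and function names are constructed for illustration.

```python
import re
from ftplib import FTP

# Assumption: the 100-port data-channel range mentioned in the thread.
LOW, HIGH = 41000, 41099

# Constructed sample replies (not captured from a real server).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,10,160,40)",
    "227 Entering Passive Mode (192,168,1,10,160,139)",
    "227 Entering Passive Mode (192,168,1,10,192,5)",
    "229 Entering Extended Passive Mode (|||41050|)",
]

def passive_port(reply):
    """Return the data port advertised in a 227 (PASV) or 229 (EPSV) reply."""
    m = re.match(r"227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", reply)
    if m:
        p1, p2 = int(m.group(5)), int(m.group(6))
        if p1 > 255 or p2 > 255:
            raise ValueError("malformed 227 reply: %r" % reply)
        return p1 * 256 + p2  # port is sent as two bytes, high byte first
    m = re.match(r"229 .*?\((.)\1\1(\d+)\1\)", reply)
    if m:
        return int(m.group(2))
    raise ValueError("not a passive-mode reply: %r" % reply)

def out_of_range(replies, low=LOW, high=HIGH):
    """Ports the server advertised that an inbound rule for low-high would block."""
    return [p for p in map(passive_port, replies) if not low <= p <= high]

def probe(host, samples=5):
    """Log in anonymously and collect raw PASV replies from a live server."""
    with FTP(host, timeout=10) as ftp:
        ftp.login()
        return [ftp.sendcmd("PASV") for _ in range(samples)]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(passive_port(reply), reply)
    print("outside %d-%d:" % (LOW, HIGH), out_of_range(SAMPLE_REPLIES))
```

Passing the output of `probe()` for the intranet server to `out_of_range()` shows whether the FTP service is handing out ports from the configured range. Any port it returns is one that an inbound rule limited to that range would block.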