Inbound ports to open for passive FTP (server 2012R2)

I'm configuring a 2012R2 server for simple anonymous passive FTP (read/write) file storage.
In http://stackingtech.com/2014/03/13/how-to-configure-ftp-server-in-windows-2012-r2/ I found that the port range to allow for the inbound firewall rule should be 1024-65535. And indeed, without this wide port range 1024-65535, the communication to the FTP server fails.

Is there a way to limit this 1024-65535 inbound port range to be opened?
Asked by NicoNL

David Johnson, CD, MVP (Owner) commented:
In the IIS Manager, in the Connections pane, click the top node for your server.
In the details pane, double-click FTP Firewall Support.
Enter the range of port numbers that you want the FTP service to use. For example, 41000-41099 allows the server to support 100 passive mode data connections simultaneously.
Enter the external IPv4 address of the firewall through which the data connections arrive.
In the Actions pane, click Apply to save your settings.

netsh advfirewall firewall add rule name="FTP Service" action=allow service=ftpsvc protocol=TCP dir=in
To not filter any FTP traffic:
netsh advfirewall set global StatefulFTP disable
https://technet.microsoft.com/en-us/library/dd421710%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396#bkmk_1
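
The steps in the answer above as one script, followed by a check of which local ports the FTP service is actually using (an added example, not code from the thread or from Microsoft). It assumes an elevated PowerShell session on the FTP server, the IIS WebAdministration module, and the 41000-41099 range from the answer; the rule names are made up for illustration, and the ftpsvc restart is included on the assumption that the service only reads the range at start-up.

```powershell
# Added example. Run elevated on the FTP server.
Import-Module WebAdministration

$low     = 41000            # range taken from the answer above
$high    = 41099
$apphost = 'MACHINE/WEBROOT/APPHOST'
$section = 'system.ftpServer/firewallSupport'

# 1. Server-wide passive data channel range (the "FTP Firewall Support"
#    setting in IIS Manager, written to applicationHost.config).
Set-WebConfigurationProperty -PSPath $apphost -Filter $section `
    -Name lowDataChannelPort  -Value $low
Set-WebConfigurationProperty -PSPath $apphost -Filter $section `
    -Name highDataChannelPort -Value $high

# 2. Restart the FTP service (assumption: needed for the new range
#    to be picked up; restarting only the FTP site is not the same).
Restart-Service -Name ftpsvc

# 3. Inbound rules scoped to the control port and the passive range
#    instead of 1024-65535. Display names are hypothetical.
New-NetFirewallRule -DisplayName 'FTP control (example)' `
    -Direction Inbound -Protocol TCP -LocalPort 21 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'FTP passive data (example)' `
    -Direction Inbound -Protocol TCP -LocalPort "$low-$high" `
    -Action Allow | Out-Null

# 4. Read the range back from configuration.
$cfg = Get-WebConfiguration -PSPath $apphost -Filter $section
'Configured range: {0}-{1}' -f $cfg.lowDataChannelPort, $cfg.highDataChannelPort

# 5. With a client holding a passive transfer or listing open, show any
#    port owned by the FTP service that is outside 21 and the range.
#    Output here means the service is not using the configured range.
$ftpPid = (Get-CimInstance Win32_Service -Filter "Name='ftpsvc'").ProcessId
Get-NetTCPConnection |
    Where-Object { $_.OwningProcess -eq $ftpPid -and $_.LocalPort -ne 21 -and
                   ($_.LocalPort -lt $low -or $_.LocalPort -gt $high) } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, State
```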

NicoNL (Author) commented:
Hi David,

Thank you for your reply.

> Enter the external IPv4 address of the firewall through which the data connections arrive.
The server is for intranet only, so there is no global / external IP address to enter for the server.

I found the TechNet article "How to Configure Windows Firewall for a Passive Mode FTP Server".
Did the configuration, but this didn't do the trick; for some reason FTP can't connect to the server using the firewall rule "netsh advfirewall firewall add rule name="FTP Service" action=allow service=ftpsvc protocol=TCP dir=in" (to not filter any FTP traffic), disabling StatefulFTP with "netsh advfirewall set global StatefulFTP disable", and setting the 100-port range 41000-41099, or another range. Even with these 100 ports configured, FTP only connects when inbound 1024-65535 TCP is allowed (and of course the control port 21).
David Johnson, CD, MVP (Owner) commented:
"Enter the external IPv4 address of the firewall through which the data connections arrive." External to the machine, not the network, so you would put a range in here. Easier to do it via the GUI.
NicoNL (Author) commented:
I set the IP address, it didn't change anything about needing the whole 1024-65535 range to function.
NicoNL (Author) commented:
Case not solved, closing it