During the last few days I have been setting up a Windows Server 2008 R2 in a VMware. I installed the standard FTP-Server on it by using the Webserver (IIS)-role.
Everything works fine with accessing my FTP-Site with ftp://localhost in Firefox. I can also get access to it via the local IP of my Server. Actually everything works fine in my LAN.
But here's my problem:
I want to get access "from outside", using the external IP or a dyndns-URL. I have a LinkSys-Router in front of my Server, therefore I'm forwarding all the important ports.
If you may now think "this idiot has probably forgotten some ports", I must dissappoint you. It even works getting access to my Server-Website and messing around in some WebInterfaces.
The problem is my passive FTP (active works for me). I always get a timeout, when e.g. FileZilla waits for a response to the LIST-command. The one big thing I don't get, is, why my Server sends a response to the PASV-command, naming a port like 40918, even if I have restricted the data port range for my passive FTP ( in the IIS-Manager) to e.g. [5000-5009].
I simply don't want to open and forward all possible data ports!
And another thing is, I can't specify a static external IP address for my server, since I don't own any.
I have already tried these solutions:
- Out Of Band FTP 7 shows "Operation timed out"
- How to Configure Windows Firewall for a Passive Mode FTP Server
- ServerFault — Passive ftp on Server 2008
— EDIT: —
There is one idea rising up in my mind:
When I use FileZilla to connect by passive mode I always get something like this:
227 Entering Passive Mode (192,168,1,102,160,86)
According to a Rhinosof-article FZ tries to connect on port "160*256+86 = 41046", although I have restricted the data ports (as mentioned above). Could this be caused by the router, that doesn't forward out-ports directly, but uses different ones?
(–> The IP-Adress given is the local one, since I'm not able to define a static external in the IIS-Mgr)
— EDIT 2: —
I have had an idea about changing the dynamicportrange via netsh interface, but not even the examples given by the help-text itself worked. I think I'll give it up with the IIS-FTP und then use the FileZilla-Server.
Conclusion: Hello freeware, bye "costs, but simply works"-Windows * cough *.
Best Answer
Changing the dynamic port range in windows will not help. The only thing it does is limit what port will be used for the client side of a socket connection.
What you need to do is limit the port range used by IIS's FTP server. There is a pretty good blog post about that on MSDN but here are the high points:
If you're using the built-in FTP server, you need to first install the "IIS 6 metabase compatibility" role service (as well as the associated scriting tools) and then use the following command to set the proper metabase property:
adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5525"
Regardless of the above, you will still need to port forward the whole range on your NAT gateway device for external connections to work. Most descent Firewall/NAT devices have protocol helpers included for FTP that will allow them to identify the PASV command and react accordingly, but not all do (and it usually won't work if you're using non-standard port for the FTP command channel).
P.S. You should consider using a different protocol than FTP if you're behind NAT: you can't make it work without ugly - and risky - workarounds. I suggest you investigate SFTP or WebDAV.