Enabling FTP Passive Mode on IIS for Servers Running on Top of Amazon EC2
Summary: This article explains how to enable FTP passive mode on IIS for servers running on top of Amazon EC2.
Running the File Transfer Protocol (FTP) service on a server behind Amazon Web Services (AWS) infrastructure creates a problem because of the way FTP works: besides the control connection on TCP port 21, every transfer uses a separate data connection. In the default (active) mode the server opens that data connection back to the client, which client-side firewalls and NAT commonly block.
FTP therefore also supports a "passive" mode in which the client initiates the data channel connection as well. In passive mode the server must tell the client which address and port to connect to, and two things go wrong on Amazon EC2 unless you configure them: the instance only sees its private address on its network interface, so it would advertise an unreachable IP, and by default the data port is chosen from a wide ephemeral range that you cannot sensibly open in a Security Group. To better secure the server, restrict the port range used by the FTP service to a small, known block, tell IIS the public IP address to advertise, and then create a firewall rule that allows FTP traffic only on those port numbers.
The following procedure provides the steps for configuring the FTP service on Internet Information Services (IIS).
To configure the FTP service to use only a limited number of ports for passive mode FTP:
- Open IIS Manager.
- In the Connections pane, click the top node of your server (the port range is a server-level setting; the site-level FTP Firewall Support page only carries the external IP address).
- In the details pane, double-click FTP Firewall Support.
- Enter the range of port numbers that you want the FTP service to use. For example, 41000-41099 allows the server to support 100 passive mode data connections simultaneously, one port per concurrent transfer.
- Enter the external IPv4 address (the instance's public or Elastic IP address, the one clients connect to) through which the data connections arrive. This is the address IIS places in its PASV replies.
- In the Actions pane, click Apply to save your settings.
- From an administrative command prompt, restart the Microsoft FTP Service; the data channel port range is read when the service starts, so this is required for the change to take effect:
  net stop ftpsvc
  net start ftpsvc
Important: You must also create inbound rules in the AWS Security Group attached to the instance that allow TCP port 21 (the control channel) and the TCP port range you configured in the above procedure (the passive data channels). Restrict the source to the client networks that need FTP access rather than 0.0.0.0/0 wherever possible. If the Windows Firewall is enabled on the instance, confirm that its inbound rules for the Microsoft FTP Service (ftpsvc) cover the same ports. Please work with your system/network administrator in order to allow it.
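The whole procedure above, as an added example that is not part of the original article, done from an elevated PowerShell prompt on the EC2 instance rather than through IIS Manager, followed by the matching Security Group rules and a client-side check that the server really advertises the public address and a port inside the range. It assumes IIS with the FTP service and the WebAdministration module installed, the AWS CLI available with permission to edit the Security Group, the EC2 instance metadata service (IMDSv2) reachable from the instance, and that the placeholder Security Group id, client CIDR and credentials are replaced with your own.

```powershell
# Added example (not from the original article): the IIS Manager procedure above done
# from an elevated PowerShell prompt on the EC2 instance, plus the matching Security
# Group rules and a client-side check. Assumptions: IIS with the FTP service and the
# WebAdministration module installed, the AWS CLI available with permission to edit
# the Security Group, IMDSv2 reachable, and the placeholder values below replaced.
Import-Module WebAdministration

$LowPort  = 41000   # 41000-41099: 100 ports, so 100 simultaneous passive data connections
$HighPort = 41099
$AppHost  = 'MACHINE/WEBROOT/APPHOST'

# The instance NIC only carries the private address; ask the EC2 instance metadata
# service (IMDSv2) for the public IPv4 address that clients actually connect to.
$token = Invoke-RestMethod -Method Put -Uri 'http://169.254.169.254/latest/api/token' `
    -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
$PublicIp = Invoke-RestMethod -Uri 'http://169.254.169.254/latest/meta-data/public-ipv4' `
    -Headers @{ 'X-aws-ec2-metadata-token' = $token }

# Server-level "FTP Firewall Support": the data channel port range.
Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.ftpServer/firewallSupport' `
    -Name lowDataChannelPort -Value $LowPort
Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.ftpServer/firewallSupport' `
    -Name highDataChannelPort -Value $HighPort

# The external IPv4 address placed in PASV replies (site defaults, inherited by every
# FTP site unless a site overrides it).
Set-WebConfigurationProperty -PSPath $AppHost `
    -Filter 'system.applicationHost/sites/siteDefaults/ftpServer/firewallSupport' `
    -Name externalIp4Address -Value $PublicIp

# The port range is read when the service starts: restart it, then read back the
# effective values.
Restart-Service ftpsvc -Force
Get-WebConfiguration -PSPath $AppHost -Filter 'system.ftpServer/firewallSupport' |
    Select-Object lowDataChannelPort, highDataChannelPort

# Security Group: allow the control port and only the passive range, and only from the
# client networks that need FTP. Placeholders: replace the group id and the CIDR.
$SecurityGroup = 'sg-0123456789abcdef0'
$ClientCidr    = '203.0.113.0/24'
aws ec2 authorize-security-group-ingress --group-id $SecurityGroup `
    --protocol tcp --port 21 --cidr $ClientCidr
aws ec2 authorize-security-group-ingress --group-id $SecurityGroup `
    --protocol tcp --port "$LowPort-$HighPort" --cidr $ClientCidr

# Client-side check, run from a machine inside $ClientCidr: log in, send PASV and verify
# that the server advertises the public address and a port inside the configured range.
# Assumes single-line server replies (no multi-line 220- banner).
function Test-FtpPassive {
    param(
        [string]$Server, [string]$User, [string]$Password,
        [string]$ExpectedIp, [int]$LowPort, [int]$HighPort
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, 21)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.AutoFlush = $true
    $writer.NewLine   = "`r`n"
    $null = $reader.ReadLine()                       # 220 banner
    $reply = $null
    foreach ($cmd in "USER $User", "PASS $Password", "PASV") {
        $writer.WriteLine($cmd)
        $reply = $reader.ReadLine()                  # last one is the PASV reply
    }
    $writer.WriteLine('QUIT')
    $client.Close()
    # Expected: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2); port = p1*256 + p2
    if ($reply -notmatch '\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)') {
        throw "Unexpected PASV reply: $reply"
    }
    $ip   = "$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
    $port = [int]$Matches[5] * 256 + [int]$Matches[6]
    [pscustomobject]@{
        AdvertisedIp   = $ip
        AdvertisedPort = $port
        IpOk           = ($ip -eq $ExpectedIp)
        PortOk         = ($port -ge $LowPort -and $port -le $HighPort)
    }
}

# Example call with placeholder credentials (run from the client side):
# Test-FtpPassive -Server $PublicIp -User 'ftpuser' -Password 'secret' `
#     -ExpectedIp $PublicIp -LowPort $LowPort -HighPort $HighPort
```

If IpOk is false the server is still advertising its private address and the data connection will hang or be refused; if PortOk is false the service was not restarted after the range was changed. The check sends the credentials in clear text, as plain FTP does, so use a throwaway test account for it.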
Created by: Arik Michaelovich, last updated: May 9, 2016