Windows FTP Passive Mode connection problem

If you use Windows Server 2003 or 2008 with the Windows FTP service, you have surely faced the annoying problem where a client tries to connect to his FTP account in Passive Mode and the FTP connection just hangs, so the only way out is to tell the client to use Active Mode (if his FTP client program offers that choice).

First, you need to understand the difference between Active and Passive Mode.

Unlike HTTP and other protocols used on the Internet, the FTP protocol uses a minimum of two connections during a session: a half-duplex connection for control, and a full-duplex connection for data transfer. By default, TCP port 21 is used on the server for the control connection, but the data connection is determined by the method that the client uses to connect to the server, as detailed below.

Active-mode FTP connections are sometimes referred to as “client-managed” because the client sends a port command to the server, over the control connection. The command requests the server to establish a data connection from TCP port 20 on the server to the client, using the TCP port that is specified by the port command.

Passive-mode FTP connections are sometimes referred to as “server-managed”, because after the client issues a pasv command, the server responds with one of its transient ports used as the server-side port of the data connection. After a data connection command is issued by the client, the server connects to the client using the port immediately above the client-side port of the control connection.

To solve this problem on a Windows 2008 server with Plesk 9.x, I did the following:

First of all, open the IIS 6.0 Manager and click the local computer. If you can see “Ftp Sites – Service is Running”, that means you control the FTP server from IIS 6.0 Manager, even though the vhosts run through IIS 7.

Your next step is to:

A) Add Passive port range in IIS

a) To Enable Direct Metabase Edit

1. Open the IIS Microsoft Management Console (MMC).
2. Right-click on the Local Computer node.
3. Select Properties.
4. Make sure the Enable Direct Metabase Edit checkbox is checked.

b) Configure PassivePortRange via ADSUTIL script
1. Click Start, click Run, type cmd, and then click OK.
2. Type cd Inetpub\AdminScripts and then press ENTER.
3. Type the following command from a command prompt.

adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700"

4. Restart the FTP service.

You’ll see the following output when you configure it via the ADSUTIL script:
PassivePortRange : (STRING) “5500-5700”

Now you have to open the port range in the firewall.

If you have Plesk you can do it the easy way: log in to Plesk -> Main Menu -> Settings -> Manage Firewall Rules.

Since you cannot add a port range larger than 99, you will have to make 3 rules with the following ports:

Passive ftp 1 5500-5599 / TCP
Passive ftp 2 5600-5699 / TCP
Passive ftp 3 5700 / TCP

After that, restart the FTP server and try to connect with an FTP account in Passive Mode. It will connect fast and without any problem.
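An added example, not part of the original article: a small Python check that decodes the data port from a server's `227` reply to `PASV` (per RFC 959 the port is `p1*256 + p2`) and confirms it falls inside the configured PassivePortRange and inside the three firewall rules above, with nothing opened beyond the range. The function names and the sample replies are constructed for illustration; the range and rules are the article's values.

```python
import re

# Values taken from the article: IIS PassivePortRange and the three Plesk rules.
PASSIVE_RANGE = (5500, 5700)
FIREWALL_RULES = [(5500, 5599), (5600, 5699), (5700, 5700)]

# RFC 959 reply to PASV: "227 <text> (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv_reply(line):
    """Return (host, port) announced by a 227 reply; raise ValueError otherwise."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % line)
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field above 255 in %r" % line)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def coverage_gaps(passive_range=PASSIVE_RANGE, rules=FIREWALL_RULES):
    """Return (passive ports no rule opens, ports opened outside the range)."""
    wanted = set(range(passive_range[0], passive_range[1] + 1))
    opened = set()
    for low, high in rules:
        opened.update(range(low, high + 1))
    return sorted(wanted - opened), sorted(opened - wanted)


def check_reply(line, passive_range=PASSIVE_RANGE, rules=FIREWALL_RULES):
    """Classify one 227 reply against the configured range and firewall rules."""
    _, port = parse_pasv_reply(line)
    if not passive_range[0] <= port <= passive_range[1]:
        return "outside-range"   # PassivePortRange not in effect (service not restarted?)
    if not any(low <= port <= high for low, high in rules):
        return "blocked"         # server offers the port, firewall does not open it
    return "ok"


if __name__ == "__main__":
    # Constructed sample replies (192.0.2.10 is a documentation address).
    for reply in ("227 Entering Passive Mode (192,0,2,10,21,150)",
                  "227 Entering Passive Mode (192,0,2,10,195,80)"):
        print(parse_pasv_reply(reply), check_reply(reply))
    print(coverage_gaps())
```

Feed it the `227` line shown in your FTP client's log: an "outside-range" result means the server is still handing out ports from its default transient range, and a non-empty second list from `coverage_gaps()` means the firewall exposes more ports than the FTP service will ever use.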

(source articles here & here )