FTP 7.5 and Windows Server 2008 Firewall
So, you’ve installed FTP 7.5 and tried to connect to your server remotely and noticed that even though you can connect ok, you can’t in fact get a file-listing from your new FTP server. Well, I noticed this too.
So, you’re probably wondering how to fix it. You may have even tried adding some new firewall rules to Windows yourself to open up the data channel. Well, unfortunately that doesn’t quite fix the problem.
Background
For those of you who haven’t noticed, Microsoft has released a new version of the FTP service, completely rewritten for Windows Server® 2008: FTP 7.5.
If you don’t have it already, you can download it from http://www.iis.net/.
Note that you must be running Windows Server 2008 with IIS7.
You can download the packages independently from here:
There’s a special setting in the Windows Firewall that you can’t configure (as far as I can determine) via the administration console. You need to get down to command-line options to tweak things a bit.
The following information is an excerpt from: http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/
It was exactly the information required to fix the access issues I was having with FTP services.
There are a few different configurations to consider when using the FTP service with the Windows Firewall: whether you will use active or passive FTP connections, and whether you will use unencrypted FTP or FTP over SSL (FTPS). Each of these configurations is described below.
Note: You will need to make sure that you follow the steps in this walk-through from an elevated (administrator) command prompt. This can be accomplished by one of the following methods:
- Logging in to your server using the actual account named “Administrator”.
- Logging on using an account with administrator privileges and opening a command-prompt by right-clicking the Command Prompt menu item that is located in the Accessories menu for Windows programs and selecting “Run as administrator”.
One of the above steps is required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating systems runs even administrator accounts without elevation by default, so a non-elevated command prompt cannot change your firewall settings (Netsh.exe will report that it requires elevation). For more information about UAC, please see the following documentation:
Note: While Windows Firewall can be configured using the Windows Firewall applet in the Windows Control Panel, that utility does not have the required features to enable all of the features for FTP. The Windows Firewall with Advanced Security utility that is located under Administrative Tools in the Windows Control Panel has all of the required features to enable the FTP features, but in the interests of simplicity this walk-through will describe how to use the command-line Netsh.exe utility to configure the Windows Firewall.
Using Windows Firewall with non-secure FTP traffic
To configure Windows Firewall to allow non-secure FTP traffic, use the following steps:
- Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.
- To open port 21 on the firewall, type the following syntax then hit enter:
netsh advfirewall firewall add rule name="FTP (non-SSL)" action=allow protocol=TCP dir=in localport=21
- To enable stateful FTP filtering that will dynamically open ports for data connections, type the following syntax then hit enter:
netsh advfirewall set global StatefulFtp enable
Important Notes:
- Active FTP connections are not necessarily covered by the above rules; an outbound connection from port 20 would also need to be allowed on the server. In addition, the FTP client machine would need its own firewall exception for the inbound data connection that the server opens to it.
- FTP over SSL (FTPS) will not be covered by these rules; the SSL negotiation will most likely fail because the Windows Firewall filter for stateful FTP inspection will not be able to parse encrypted data. (Some 3rd-party firewall filters recognize the beginning of SSL negotiation, e.g. AUTH SSL or AUTH TLS commands, and return an error to prevent SSL negotiation from starting.)
Using Windows Firewall with secure FTP over SSL (FTPS) traffic
The stateful FTP packet inspection in Windows Firewall will most likely prevent SSL from working because the Windows Firewall filter for stateful FTP inspection will not be able to parse the encrypted traffic that establishes the data connection. Because of this behavior, you will need to configure your Windows Firewall settings for FTP differently if you intend to use FTP over SSL (FTPS). The easiest way to configure Windows Firewall to allow FTPS traffic is to list the FTP service on the inbound exception list. The full service name is “Microsoft FTP Service”, and the short service name is “ftpsvc”. (The FTP service is hosted in a generic service process host (Svchost.exe), so it is not possible to put it on the exception list through a program exception.)
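To make the point above concrete, here is an added example (not from the original post or the iis.net article) of the parsing the stateful FTP inspector has to do on the control channel: it must read the server’s 227 reply to PASV to learn which data port to open. The sample replies are constructed for this illustration; the function name Get-PasvDataPort is an assumption of the example, not a Windows Firewall API.

```powershell
# Added example (not from the original post): what the stateful FTP inspector has to
# read on the control channel to open a data port, and why it cannot do so for FTPS.
# The sample replies below are constructed for this illustration.

function Get-PasvDataPort([byte[]]$ControlBytes) {
    # A plaintext PASV reply looks like:
    #   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
    # and the data port is p1*256 + p2. Anything that does not match is opaque to
    # the inspector, so no port can be opened for the data connection.
    $text = [Text.Encoding]::ASCII.GetString($ControlBytes)
    $m = [regex]::Match($text, '^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')
    if (-not $m.Success) { return $null }
    $p1 = [int]$m.Groups[5].Value
    $p2 = [int]$m.Groups[6].Value
    New-Object PSObject -Property @{
        Address = @(1..4 | ForEach-Object { $m.Groups[$_].Value }) -join '.'
        Port    = $p1 * 256 + $p2
    }
}

# Constructed plaintext reply: the inspector sees 192.168.1.10 port 50009 and can open it.
$plain = [Text.Encoding]::ASCII.GetBytes("227 Entering Passive Mode (192,168,1,10,195,89)`r`n")
Get-PasvDataPort $plain

# Constructed FTPS reply: after AUTH TLS the same 227 line travels inside a TLS
# application-data record (content type 0x17, version 3.1 = TLS 1.0). Only the 5-byte
# record header is cleartext; the payload bytes here are arbitrary stand-ins for ciphertext.
$encrypted = [byte[]](0x17, 0x03, 0x01, 0x00, 0x30) + (1..48 | ForEach-Object { [byte](($_ * 37) % 256) })
$result = Get-PasvDataPort $encrypted
if ($result -eq $null) {
    'Encrypted control channel: no data port recoverable, so the firewall cannot open it'
}
```

Run it in any PowerShell prompt; no firewall changes are made. The first call returns the address and port the inspector would open, the second returns nothing, which is exactly the situation the service-based rule in the FTPS procedure works around.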
To configure Windows Firewall to allow secure FTP over SSL (FTPS) traffic, use the following steps:
- Open a command prompt: click Start, then All Programs, then Accessories, then Command Prompt.
- To configure the firewall to allow the FTP service to listen on all ports that it opens, type the following syntax then hit enter:
netsh advfirewall firewall add rule name="FTP for IIS7" service=ftpsvc action=allow protocol=TCP dir=in
- To disable stateful FTP filtering so that Windows Firewall will not block FTP traffic, type the following syntax then hit enter:
netsh advfirewall set global StatefulFtp disable
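The following is an added example, not code from the original post or the iis.net article, that wraps both procedures above (non-SSL and FTPS) in one script so the pair of settings is always applied together and then verified. It assumes Windows Server 2008 with FTP 7.5 installed (service short name ftpsvc, as stated above) and PowerShell 2.0; it deliberately uses only Netsh.exe, since the NetSecurity cmdlets do not exist on that platform. The script name, the -Mode parameter and the Invoke-Netsh helper are assumptions of the example. Note that StatefulFtp is a single host-wide switch (the command is `set global`), so the two procedures are mutually exclusive on one server.

```powershell
# Added example (not from the original post or the iis.net article): applies either
# of the two firewall configurations described above and verifies the result.
# Assumes Windows Server 2008 with FTP 7.5 (service short name ftpsvc) and
# PowerShell 2.0; only netsh is used, since the NetSecurity cmdlets do not exist there.
param(
    [ValidateSet('NonSsl', 'Ftps')]
    [string]$Mode = 'NonSsl'
)

# netsh advfirewall refuses changes under UAC unless the process is elevated.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated ("Run as administrator") PowerShell prompt.'
}

# Rule names used by the two procedures above; each is removed before (re)adding so
# the script can be run repeatedly without stacking duplicate rules.
$rules = @{
    NonSsl = 'FTP (non-SSL)'
    Ftps   = 'FTP for IIS7'
}

function Invoke-Netsh([string[]]$Arguments) {
    $out = & netsh.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Arguments -join ' ') failed: $out"
    }
    $out
}

# Start from a clean slate: delete both rules if present. netsh returns non-zero
# when no rule matches, which is expected here, so the exit code is ignored.
foreach ($name in $rules.Values) {
    & netsh.exe advfirewall firewall delete rule name="$name" | Out-Null
}

switch ($Mode) {
    'NonSsl' {
        # Control channel on 21 plus stateful inspection of PORT/PASV for the data channel.
        Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', "name=$($rules.NonSsl)",
                       'action=allow', 'protocol=TCP', 'dir=in', 'localport=21') | Out-Null
        Invoke-Netsh @('advfirewall', 'set', 'global', 'StatefulFtp', 'enable') | Out-Null
    }
    'Ftps' {
        # The inspector cannot read the encrypted PASV reply, so allow whatever ports
        # the FTP service itself listens on and turn the inspector off.
        Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', "name=$($rules.Ftps)",
                       'service=ftpsvc', 'action=allow', 'protocol=TCP', 'dir=in') | Out-Null
        Invoke-Netsh @('advfirewall', 'set', 'global', 'StatefulFtp', 'disable') | Out-Null
    }
}

# Verify: the host-wide StatefulFtp setting and the rule that was just added.
$globalSettings = Invoke-Netsh @('advfirewall', 'show', 'global')
$globalSettings | Select-String 'StatefulFtp' | ForEach-Object { $_.Line }
Invoke-Netsh @('advfirewall', 'firewall', 'show', 'rule', "name=$($rules[$Mode])")
```

Save it as, for example, Set-FtpFirewall.ps1 and run `.\Set-FtpFirewall.ps1 -Mode Ftps` (or `-Mode NonSsl`) from an elevated prompt; on a stock Server 2008 install you may first need `Set-ExecutionPolicy RemoteSigned` to run local scripts. The final two lines print the StatefulFtp state and the rule details, which is the check to repeat if a remote client can still connect but cannot get a directory listing.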
on November 19th, 2010 at 3:11 pm
How, if at all, do you handle the situation if you want to have two FTP sites in operation, one using FTP over SSL (“Private FTP”) and another site with Anonymous, non-SSL FTP traffic (“Public FTP”). I have this exact situation in front of me and am wondering if this is even possible given the Stateful/Non-Stateful setting…seems like you can only be one or the other…or do we just disable and then both sites would work?
on August 18th, 2011 at 3:21 am
James,
On Server 2003, I used a command line ftp (scheduled task) to transfer a few files to a second server. My very inexpensive backup plan.
On Server 2008 (Enterprise) I installed IIS, with FTP server parts. I have seen the netsh commands before. I have also tried allowing inetinfo.exe, svchost, inetpub access to server through firewall exceptions. I tried installing FTP 7.5, and the install wouldn’t work. And, I tried to add a custom firewall rule, selecting Microsoft FTP Service.
I’m tired. If you’re still there, I’d appreciate a new suggestion. Thank you.
John