FTP on Windows 2008 Server - Firewall Solution
-
Saturday, June 14, 2008 3:48 AM
It seems there was some confusion in the Microsoft camps on properly installing the FTP services. This seems to have stemmed from the fact that they made a last minute decision to exclude the new FTP Publishing Service for IIS7 in favor of the old FTP Publishing Service we all love to hate.
At any rate after checking to install the FTP option in the Add Features of my Server Manager I noticed that it merrily added a new entry of "FTP Server" in my Windows Firewall. So after banging my head against the wall for 15-20 minutes fiddling around with user permissions, checking my Netscreen firewall policies, etc. I found that if I turned off the Windows Firewall completely I could connect and list files without any problem. If the Windows Firewall was on I could log in but not list any files...leaves one to scratch their head and start breaking out the manual on Active/Passive FTP and the necessary ports to enable to make either operational.
I broke out Google on this Microsoft quandary and quickly determined that Microsoft had made this last minute decision to change which FTP Server was going with the RTM (my guess is that the new FTP application couldn't pass security muster)...so while I had seen others decide to go with the IIS7 version of FTP Publishing Service I decided to investigate further and avoid yet another Microsoft exploit.
Here's what I found:
- Adding FTP Server to the exception rules is obviously a special name for the new IIS7 FTP Publishing Service. Having it there with the IIS6 version of FTP does absolutely nothing for you.
- Adding a simple entry of FTP (TCP port 21) doesn't do anything for you either b/c FTP isn't just a single port. That's only half the equation and depending on whether you're supporting Active or Passive you might be looking at a range or also port 20 (which btw...adding port 20 as data port didn't help either).
- Finally I just added c:\windows\system32\inetsrv\inetpub.exe to the list of "exceptions" and found everything to work like a charm. I'm sure with a "netstat -an" I could find exactly what ports or port ranges it tends to use but felt that adding the program to the list of exceptions combined with my Netscreen out in front would be suitably secure.
Hope this helps people who are trying to set up Windows 2008 Server and adding FTP services.
-
All Replies
-
Saturday, July 12, 2008 12:08 PM
inetpub.exe does not exist on my installed standard version of Windows Server 2008. Is there another way to get FTP to work? I've tried all that you did and also added ports 20 and 21 to my router. Thanks
Bob Piro
-
Tuesday, July 15, 2008 11:28 AM
c:\windows\system32\inetsrv\inetpub.exe is the file you need to add to your exceptions in Windows Server 2008.
Hope this helps.
-
Tuesday, July 15, 2008 5:37 PM
If inetpub.exe is not in the disk then you have not installed FTP services for IIS6
-
Friday, July 18, 2008 9:25 PM
If you add inetinfo.exe, it works !!
-
Thursday, September 11, 2008 5:20 PM
I have the new FTP publishing service for IIS 7 and this fix does not work for me. For example, using ftp.exe I cannot use the ls command whilst the Windows Firewall is on - turned off it works fine. The Firewall has been setup to allow inbound connections on all ports for the ftp service. I'm still searching for a solution.
- Proposed As Answer by donniemit Tuesday, February 16, 2010 4:16 PM
-
Thursday, September 18, 2008 12:08 PM
The same thing happening here.. !!
-
Saturday, October 04, 2008 12:07 AM
Windows Firewall and non-secure FTP traffic
Windows firewall can be configured from command line using netsh command. 2 simple steps are required to setup Windows Firewall to allow non-secure FTP traffic
1) Open port 21 on the firewall
netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21
2) Activate firewall application filter for FTP (aka Stateful FTP) that will dynamically open ports for data connections
netsh advfirewall set global StatefulFtp enable
- Proposed As Answer by Korayem Thursday, March 19, 2009 11:01 AM
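What the stateful FTP filter from step 2 of the post above has to do, as an added example (not code from the thread or from Microsoft): it reads the clear-text control channel, decodes the `227` and `PORT` host/port tuples, and learns the data port. That is why a static port 21 rule allows login but not a listing, and why the approach is limited to non-secure FTP. The session lines, addresses and function names are constructed for illustration.

```python
import re

# Constructed control-channel capture ("C" = client, "S" = server); documentation-range IPs.
SAMPLE_SESSION = [
    ("C", "USER demo"),
    ("S", "331 Password required"),
    ("S", "230 User logged in."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("C", "PORT 198,51,100,7,4,1"),
    ("C", "AUTH TLS"),
    ("S", "234 AUTH command ok. Expecting TLS Negotiation."),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,81)"),  # encrypted on the wire
]

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); port = p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]

def pinholes(session):
    """Data endpoints a filter watching the clear-text control channel can learn."""
    found, auth_sent = [], False
    for side, line in session:
        verb = line.split(" ", 1)[0].upper()
        if side == "C" and verb == "AUTH":
            auth_sent = True
        elif side == "S" and verb == "234" and auth_sent:
            break  # TLS begins: later PASV/PORT exchanges are opaque to the filter
        elif (side, verb) in (("S", "227"), ("C", "PORT")):
            ep = parse_hostport(line)
            if ep:
                # 227 = passive (client connects in); PORT = active (server connects out)
                found.append(("inbound" if verb == "227" else "outbound",) + ep)
    return found

def blocked_inbound(session, static_ports=frozenset({21})):
    """Passive data ports that static allow rules alone would not cover."""
    return [p for d, _, p in pinholes(session) if d == "inbound" and p not in static_ports]

if __name__ == "__main__":
    print(pinholes(SAMPLE_SESSION), blocked_inbound(SAMPLE_SESSION))
```
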
-
Wednesday, October 15, 2008 3:09 PM
Excellent! Worked like a charm.
Thank you for the solution.
Jim
-
Friday, October 17, 2008 5:20 PM
Avram,
Thank you for the information.
I'd like to point everyone to the Learn IIS 7.0 pages for the manufacturer's firewall reference.
Configuring FTP Firewall Settings
http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/
Additionally Robert McMurray's [MSFT] Blog
IIS, FTP, WebDAV, FPSE, WMI, ADSI, ISAPI, ASP, FastCGI, etc. ;-)
Hope this helps,
Richard
-
Tuesday, December 23, 2008 11:40 PM
Avram Thank you so much for posting your comment. I just tried that and it worked like a charm. I had already had the port 21 open on my router and allow the firewall to accept ftpserver. So after going into the command line I typed word per word and it solved my problem. I can now browse my ftp server data from IE without getting the error message "ftp folder error the operation timed out". The alternative solution I had was to use filezilla the free version which worked great. This worked for me on 12-23-08 just before Christmas.. XoXo ..I'd give you 5/5.
Tony M.
-
Saturday, January 17, 2009 5:45 PM
After I added both to the exception the ftp started working correctly.
%SystemRoot%\System32\inetsrv\inetpub.exe
%SystemRoot%\System32\inetsrv\inetinfo.exe
-
Monday, March 09, 2009 11:52 PM
There is also another way to open the windows firewall. Create a new rule, then go to Custom and then click services and select the Microsoft FTP Service.
- Proposed As Answer by Korayem Thursday, March 19, 2009 11:02 AM
-
Friday, May 29, 2009 7:23 PM
Is the best and simple way to enable FTP on windows firewall. There is also another way to open the windows firewall. Create a new rule, then go to Custom and then click services and select the Microsoft FTP Service.
Tested!!!!
-
Monday, July 13, 2009 5:34 AM
i click on Services button on "New inbound Rule" wizard, Customised Service settings appear.
Where do i find "Microsoft FTP service" ?
thanks
-
Monday, November 23, 2009 6:58 AM
good job. it worked...
-
Friday, March 12, 2010 4:00 PM
Installing FTP 7.5 on Windows Server 2008
Applies To: Windows Server 2008
http://technet.microsoft.com/en-us/library/dd722761(WS.10).aspx
Just installed 7.5 and had no issues with firewall. Everything worked fine right out of the box.
I did not have 7.0 previously installed (if you do, remove it).
http://learn.iis.net/page.aspx/263/installing-and-configuring-ftp-on-iis-7/
-
Friday, September 03, 2010 9:32 PM
thank you so much - adding inetinfo.exe worked for me finally as well!! Thank you!
-
Tuesday, October 26, 2010 2:13 PM
Windows Firewall and non-secure FTP traffic
Windows firewall can be configured from command line using netsh command. 2 simple steps are required to setup Windows Firewall to allow non-secure FTP traffic
1) Open port 21 on the firewall
netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21
2) Activate firewall application filter for FTP (aka Stateful FTP) that will dynamically open ports for data connections
netsh advfirewall set global StatefulFtp enable
I did this and it worked for me! I spent all morning looking for the solution!
Thanks
-
Sunday, November 07, 2010 7:48 PM
I have just tried this but had no luck. I can get onto the site but it wants me to enter a username and password. I have tried what is in the properties box, but it does not let me in.
-
Thursday, December 09, 2010 8:58 AM
Make sure the settings of your FTP Service are set to port 21. You also have to set Passive Ports.
FTP is to make connection
Passive FTP is to receive and send files from and to the FTP.
-
Thursday, January 20, 2011 4:07 PM
Hi all
I have tried all of the above except add the following to exceptions in the firewall
%SystemRoot%\System32\inetsrv\inetpub.exe
as i do not have that file but am still unable to receive a password request or find the ftp site through filezilla or through internet explorer.
Ports 21 and 20 are open
ip address set to computer with ftp site
ftp site is in ftp root folder
routers are open on port 21
I thought maybe it was the computer i was trying to find the ftp site from but i can trace route the address for the ftp site with no problem.
im using iis 7 server 2008 standard
any ideas been at this for 8 hours now with no luck
-
Friday, January 21, 2011 11:53 AM
Excellent.
Thanks for the solution.
I was trying for hours and finally got your solution.
Thanks
Gopal Thorve
-
Monday, February 07, 2011 6:29 AM
After not getting the inbound rule to work, I tried to make an own rule.
I've installed the ftp-service only and there is no inetinfo nor inetpub on my harddrive. There is an ftp rule in the advanced firewall settings which allows svchost.exe on port 21. So I created the same rule again: svchost.exe port 21 and now things go very well.
Problem solved - but the solution is a little bit jerky for me. No connection possible with the server-made rule but connection possible with the same rule selfmade.
-
Thursday, February 17, 2011 1:03 PM
Sounds really jerky, but worked for me too...
I tried everything described in this page before, without success, except allowing traffic for inetpub.exe...
- Edited by LucioMarques Thursday, February 17, 2011 1:18 PM
-
Thursday, February 17, 2011 1:18 PM
There is one difference: The predefined rules "FTP Server" and "FTP Server Passive" point to "%windir%/system32/svchost/exe", while my rules point to "%systemroot%/system32/svchost/exe". Both paths address to the same file, but the predefined doesn't work.
Simply weird. If someone finds an explanation, please tell me.
-
Thursday, April 14, 2011 8:58 AM
Windows Firewall and non-secure FTP traffic
Windows firewall can be configured from command line using netsh command. 2 simple steps are required to setup Windows Firewall to allow non-secure FTP traffic
1) Open port 21 on the firewall
netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21
2) Activate firewall application filter for FTP (aka Stateful FTP) that will dynamically open ports for data connections
netsh advfirewall set global StatefulFtp enable
Hello!
This solution worked for me. Why this worked when adding the rule through CLI is beyond my knowledge, because I revised the rules through the GUI in Windows and I didn't notice any differences. Weird!
-
Wednesday, April 27, 2011 1:12 PM
This worked for me. My server 2008 didn't have the inetpub.exe in the system32 or sysWOW64. I am running a 64 bit server 2008 so i figured i would check both. I used the inetinfo.exe in the system32 folder in the exceptions of the firewall and now it's working. Thanks Rphoenix
-
Friday, February 24, 2012 1:44 PM
We found a workaround which worked in our case (we had already enabled default firewall rules FTP Server, FTP Server Passive, FTP Server Secure):
1. although "sc qsidtype ftpsvc" already stated that SERVICE_SID_TYPE was UNRESTRICTED change sidtype of ftp service to unrestricted with:
sc sidtype ftpsvc unrestricted
2. restart ftp service
net stop ftpsvc & net start ftpsvc
- Proposed As Answer by SnakeJawz Saturday, June 30, 2012 5:55 AM
-
Wednesday, March 28, 2012 8:54 PM
This was the only solution listed that I could get to work. ran those two commands, my firewall settings are working with FTP very well now. thank you very much avram.
-
Tuesday, April 17, 2012 12:26 AM
We found a workaround which worked in our case (we had already enabled default firewall rules FTP Server, FTP Server Passive, FTP Server Secure):
1. although "sc qsidtype ftpsvc" already stated that SERVICE_SID_TYPE was UNRESTRICTED change sidtype of ftp service to unrestricted with:
sc sidtype ftpsvc unrestricted
2. restart ftp service
net stop ftpsvc & net start ftpsvc
I tried every single solution on this page and nothing worked but these two lines. How in the world did you come up with this?
Thanks!
-
Tuesday, April 17, 2012 3:49 PM
Tried all of the suggestions above, none have worked.
inetpub and inetinfo are not there.
Tried Shutting off firewalls on both the SERVER and the CLIENT but still won't list the directory.
I can connect just fine to the FTP but I still can not LIST the DIR.
Suggestions?
-
Saturday, June 30, 2012 5:56 AM
We found a workaround which worked in our case (we had already enabled default firewall rules FTP Server, FTP Server Passive, FTP Server Secure):
1. although "sc qsidtype ftpsvc" already stated that SERVICE_SID_TYPE was UNRESTRICTED change sidtype of ftp service to unrestricted with:
sc sidtype ftpsvc unrestricted
2. restart ftp service
net stop ftpsvc & net start ftpsvc
really would like more explanation on this, nothing else seemed to work and then BAM, this fixes it.
why?
-
Tuesday, November 13, 2012 3:54 PM
i never added any IIS Roles/Services... simply wanted to retrieve file from an FTP Script. would fail too at ls and mget commands.
i added svchost for my domain in the allow programs and changed the notification option to let me know when a new program wants to modify the firewall.
sure enough, when i fired up the FTP connection again and logged in, ran the ls command the Windows pop-up windows came up asking me whether to allow the rule. i said yes and all was fine.
sure hope this continues to allow our automated scripts to run with task manager.
thanks for the thread.

