FTP on Windows 2008 Server - Firewall Solution

    Question

  •  

    It seems there was some confusion in the Microsoft camps on properly installing the FTP services. This seems to have stemmed from the fact that they made a last minute decision to exclude the new FTP Publishing Service for IIS7 in favor of the old FTP Publishing Service we all love to hate.

     

    At any rate after checking to install the FTP option in the Add Features of my Server Manager I noticed that it merrily added a new entry of "FTP Server" in my Windows Firewall. So after banging my head against the wall for 15-20 minutes fiddling around with user permissions, checking my Netscreen firewall policies, etc. I found that if I turned off the Windows Firewall completely I could connect and list files without any problem. If the Windows Firewall was on I could log in but not list any files...leaves one to scratch their head and start breaking out the manual on Active/Passive FTP and the necessary ports to enable to make either operational.

     

    I broke out Google on this Microsoft quandary and quickly determined that Microsoft had made this last minute decision to change which FTP Server was going with the RTM (my guess is that the new FTP application couldn't pass security muster)...so while I had seen others decide to go with the IIS7 version of FTP Publishing Service I decided to investigate further and avoid yet another Microsoft exploit.

     

    Here's what I found:

    • Adding FTP Server to the exception rules is obviously a special name for the new IIS7 FTP Publishing Service. Having it there with the IIS6 version of FTP does absolutely nothing for you.
    • Adding a simple entry of FTP (TCP port 21) doesn't do anything for you either b/c FTP isn't just a single port. That's only half the equation and depending on whether you're supporting Active or Passive you might be looking at a range or also port 20 (which btw...adding port 20 as data port didn't help either).
    • Finally I just added c:\windows\system32\inetsrv\inetpub.exe to the list of "exceptions" and found everything to work like a charm. I'm sure with a "netstat -an" I could find exactly what ports or port ranges it tends to use but felt that adding the program to the list of exceptions combined with my Netscreen out in front would be suitably secure.

     

    Hope this helps people who are trying to set up Windows 2008 Server and adding FTP services.

    Saturday, June 14, 2008 3:48 AM

All replies

  • inetpub.exe does not exist on my installed standard version of Windows Server 2008. Is there another way to get FTP to work? I've tried all that you did and also added ports 20 and 21 to my router. Thanks

    Bob Piro

     

    Saturday, July 12, 2008 12:08 PM
  •  

    c:\windows\system32\inetsrv\inetpub.exe is the file you need to add to your exceptions in Windows Server 2008.

     

    Hope this helps.

    Tuesday, July 15, 2008 11:28 AM
  •  

    If inetpub.exe is not on the disk then you have not installed FTP services for IIS6
    Tuesday, July 15, 2008 5:37 PM
  • If you add inetinfo.exe, it works !!
    Friday, July 18, 2008 9:25 PM
  • I have the new FTP publishing service for IIS 7 and this fix does not work for me. For example, using ftp.exe I cannot use the ls command whilst the Windows Firewall is on - turned off it works fine. The Firewall has been setup to allow inbound connections on all ports for the ftp service. I'm still searching for a solution.

    • Proposed as answer by donniemit Tuesday, February 16, 2010 4:16 PM
    Thursday, September 11, 2008 5:20 PM
  • The same thing happening here.. !! Sad
    Thursday, September 18, 2008 12:08 PM
  • Windows Firewall and non-secure FTP traffic

    Windows firewall can be configured from command line using netsh command. 2 simple steps are required to setup Windows Firewall to allow non-secure FTP traffic

    1) Open port 21 on the firewall

    netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21

    2) Activate firewall application filter for FTP (aka Stateful FTP) that will dynamically open ports for data connections

    netsh advfirewall set global StatefulFtp enable

    • Proposed as answer by Korayem Thursday, March 19, 2009 11:01 AM
    Saturday, October 04, 2008 12:07 AM
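
Why a rule for TCP 21 alone lets a client log in but not list files, and what a stateful FTP filter of the kind described above has to read from the control channel, shown as an added example (not part of the thread and not Microsoft's code). It parses the RFC 959 PORT command and 227 reply to find the data port; the function names, sample session and addresses are constructed for illustration.

```python
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (RFC 959).
_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")


def data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or a 227 reply, else None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode = "active"    # server connects OUT to the client's ip:port
    elif line.startswith("227"):
        mode = "passive"   # client connects IN to the server's ip:port
    else:
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None        # malformed field, do not derive a port from it
    ip = ".".join(str(n) for n in nums[:4])
    return mode, ip, nums[4] * 256 + nums[5]


def pinholes(control_lines, server_ip):
    """Inbound data ports a server-side firewall must admit for this session."""
    needed = []
    for line in control_lines:
        ep = data_endpoint(line)
        # Only passive mode creates a NEW inbound connection to the server.
        # A 227 advertising some other address is not opened.
        if ep and ep[0] == "passive" and ep[1] == server_ip:
            needed.append(ep[2])
    return needed


# Constructed control-channel transcript (RFC 5737 documentation addresses).
SESSION = [
    "220 Microsoft FTP Service",
    "USER demo",
    "331 Password required",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "LIST",
    "PORT 198,51,100,7,19,137",
]
```

For the sample session, the listing travels over TCP 50000 rather than 21, so a static port-21 rule admits the login and then drops the data connection.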
  • Excellent! Worked like a charm.

    Thank you for the solution.

    Jim
    Wednesday, October 15, 2008 3:09 PM
  • Avram,

     

    Thank you for the information.

     

    I'd like to point everyone to the Learn IIS 7.0 pages for the manufacturer's firewall reference.

    Configuring FTP Firewall Settings

    http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/

     

     

    Additionally Robert McMurray's [MSFT] Blog

    IIS, FTP, WebDAV, FPSE, WMI, ADSI, ISAPI, ASP, FastCGI, etc. ;-)

    http://blogs.msdn.com/robert_mcmurray/archive/2008/02/27/ftp7-for-windows-server-2008-rtm-is-released.aspx

     

    Hope this helps,

    Richard

     

     

    Friday, October 17, 2008 5:20 PM
  • Avram Thank you so much for posting your comment. I just tried that and it worked like a charm. I had already had the port 21 open on my router and allowed the firewall to accept ftpserver. So after going into the command line I typed word per word and it solved my problem. I can now browse my ftp server data from IE without getting the error message "ftp folder error the operation timed out". The alternative solution I had was to use filezilla the free version which worked great. This worked for me on 12-23-08 just before Christmas.. XoXo ..I'd give you 5/5.

     

    Tony M.

    Tuesday, December 23, 2008 11:40 PM
  •  

    After I added both to the exception the ftp started working correctly.

    %SystemRoot%\System32\inetsrv\inetpub.exe

    %SystemRoot%\System32\inetsrv\inetinfo.exe

    Saturday, January 17, 2009 5:45 PM
  • There is also another way to open the windows firewall.  Create a new rule, then go to Custom and then click services and select the Microsoft FTP Service.

    • Proposed as answer by Korayem Thursday, March 19, 2009 11:02 AM
    Monday, March 09, 2009 11:52 PM
  • There is also another way to open the windows firewall.  Create a new rule, then go to Custom and then click services and select the Microsoft FTP Service.

    Is the best and simple way to enable FTP on windows firewall.

    Tested!!!!
    Friday, May 29, 2009 7:23 PM
  • i click on Services button on "New inbound Rule" wizard, Customised Service settings appear.
    Where do i find "Microsoft FTP service" ?

    thanks
    Monday, July 13, 2009 5:34 AM
  • good job. it worked...
    Monday, November 23, 2009 6:58 AM
  • Installing FTP 7.5 on Windows Server 2008

    Applies To: Windows Server 2008
    http://technet.microsoft.com/en-us/library/dd722761(WS.10).aspx



    Just installed 7.5 and had no issues with firewall.  Everything worked fine right out of the box.

    I did not have 7.0 previously installed (if you do, remove it).

    http://learn.iis.net/page.aspx/263/installing-and-configuring-ftp-on-iis-7/

    Friday, March 12, 2010 4:00 PM
  • thank you so much - adding inetinfo.exe worked for me finally as well!!  Thank you!
    Friday, September 03, 2010 9:32 PM
  • Windows Firewall and non-secure FTP traffic

    Windows firewall can be configured from command line using netsh command. 2 simple steps are required to setup Windows Firewall to allow non-secure FTP traffic

    1) Open port 21 on the firewall

    netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21

    2) Activate firewall application filter for FTP (aka Stateful FTP) that will dynamically open ports for data connections

    netsh advfirewall set global StatefulFtp enable

    I did this and it worked for me! I spent all morning looking for the solution!

    Thanks

    Tuesday, October 26, 2010 2:13 PM
  • I have just tried this but had no luck. I can get onto the site but it wants me to enter a username and password. I have tried what is in the properties box, but it does not let me in.
    Sunday, November 07, 2010 7:48 PM
  • Make sure the settings of your FTP Service are set to port 21. You also have to set Passive Ports.

    FTP is to make connection

    Passive FTP is to receive and send files from and to the FTP.

     

    Thursday, December 09, 2010 8:58 AM
  • Hi all

    I have tried all of the above except add the following to exceptions in the firewall

    %SystemRoot%\System32\inetsrv\inetpub.exe

    as I do not have that file but am still unable to receive a password request or find the ftp site through filezilla or through internet explorer.

    Ports 21 and 20 are open

    ip address set to computer with ftp site

    ftp site is in ftp root folder

    routers are open on port 21

    I thought maybe it was the computer i was trying to find the ftp site from but i can trace route the address for the ftp site with no problem.

    im using iis 7 server 2008 standard

     

    any ideas been at this for 8 hours now with no luck

     

    Thursday, January 20, 2011 4:07 PM
  • Excellent.

     

    Thanks for the solution.

     

    I was trying for hours and finally got your solution.

    Thanks

    Gopal Thorve

    Friday, January 21, 2011 11:53 AM
  • After not getting the inbound rule to work, I tried to make my own rule.

     

    I've installed the ftp-service only and there is no inetinfo nor inetpub on my harddrive. There is an ftp rule in the advanced firewall settings which allows svchost.exe on port 21. So I created the same rule again: svchost.exe port 21 and now things go very well.

     

    Problem solved - but the solution is a little bit jerky for me.  No connection possible with the server-made rule but connection possible with the same rule selfmade.

    Monday, February 07, 2011 6:29 AM
  • Sounds really jerky, but worked for me too...

     

    I tried everything described in this page before, without success, except allowing traffic for inetpub.exe...

    • Edited by LucioMarques Thursday, February 17, 2011 1:18 PM
    Thursday, February 17, 2011 1:03 PM
  • There is one difference: The predefined rules "FTP Server" and "FTP Server Passive" point to "%windir%/system32/svchost/exe", while my rules point to "%systemroot%/system32/svchost/exe". Both paths address the same file, but the predefined doesn't work.

     

    Simply weird. If someone finds an explanation, please tell me.

    Thursday, February 17, 2011 1:18 PM
  • Windows Firewall and non-secure FTP traffic

    Windows firewall can be configured from command line using netsh command. 2 simple steps are required to setup Windows Firewall to allow non-secure FTP traffic

    1) Open port 21 on the firewall

    netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21

     

    2) Activate firewall application filter for FTP (aka Stateful FTP) that will dynamically open ports for data connections

     

    netsh advfirewall set global StatefulFtp enable

     

    Hello!

    This solution worked for me. Why this worked when adding the rule through CLI is beyond my knowledge, because I revised the rules through the GUI in Windows and I didn't notice any differences. Weird!

    Thursday, April 14, 2011 8:58 AM
  • This worked for me.  My server 2008 didn't have the inetpub.exe in the system32 or sysWOW64.  I am running a 64 bit server 2008 so I figured I would check both.  I used the inetinfo.exe in the system32 folder in the exceptions of the firewall and now it's working.  Thanks Rphoenix
    Wednesday, April 27, 2011 1:12 PM
  • We found a workaround which worked in our case (we had already enabled default firewall rules FTP Server, FTP Server Passive, FTP Server Secure):

    1. although "sc qsidtype ftpsvc" already stated that SERVICE_SID_TYPE was UNRESTRICTED change sidtype of ftp service to unrestricted with:
    sc sidtype ftpsvc unrestricted

    2. restart ftp service
    net stop ftpsvc & net start ftpsvc
    • Proposed as answer by SnakeJawz Saturday, June 30, 2012 5:55 AM
    Friday, February 24, 2012 1:44 PM
  • This was the only solution listed that I could get to work. Ran those two commands, my firewall settings are working with FTP very well now.   Thank you very much avram.  
    Wednesday, March 28, 2012 8:54 PM
  • We found a workaround which worked in our case (we had already enabled default firewall rules FTP Server, FTP Server Passive, FTP Server Secure):

    1. although "sc qsidtype ftpsvc" already stated that SERVICE_SID_TYPE was UNRESTRICTED change sidtype of ftp service to unrestricted with:
    sc sidtype ftpsvc unrestricted

    2. restart ftp service
    net stop ftpsvc & net start ftpsvc

    I tried every single solution on this page and nothing worked but these two lines. How in the world did you come up with this?

    Thanks!

    Tuesday, April 17, 2012 12:26 AM
  • Tried all of the suggestions above, none have worked.

    inetpub and inetinfo are not there.

    Tried Shutting off firewalls on both the SERVER and the CLIENT but still won't list the directory.

    I can connect just fine to the FTP but I still can not  LIST the DIR.

    Suggestions?

    Tuesday, April 17, 2012 3:49 PM
  • We found a workaround which worked in our case (we had already enabled default firewall rules FTP Server, FTP Server Passive, FTP Server Secure):

    1. although "sc qsidtype ftpsvc" already stated that SERVICE_SID_TYPE was UNRESTRICTED change sidtype of ftp service to unrestricted with:
    sc sidtype ftpsvc unrestricted

    2. restart ftp service
    net stop ftpsvc & net start ftpsvc

    really would like more explanation on this, nothing else seemed to work and then BAM, this fixes it.

    why?

    Saturday, June 30, 2012 5:56 AM
  • i never added any IIS Roles/Services... simply wanted to retrieve file from an FTP Script.  would fail too at  ls and mget commands.

    i added svchost for my domain in the allow programs and changed the notification option to let me know when a new program wants to modify the firewall.

    sure enough, when i fired up the FTP connection again and logged in, ran the ls command the Windows pop-up windows came up asking me whether to allow the rule.  i said yes and all was fine.

    sure hope this continues to allow our automated scripts to run with task manager.

    thanks for the thread.

    Tuesday, November 13, 2012 3:54 PM
  • Thanks , it worked for me .Excellent :-)
    Thursday, October 24, 2013 1:56 PM