Mar 11, 2007, 06:58 AM
FTP site on non-standard port?
I'm trying to set up an FTP site to access files outside of the Plesk file structure, to upload & download files that I don't want Plesk to back up.
Rather than mess with Plesk's FTP setup, I set up a separate FTP site in IIS manager on a non-standard port and enabled the port in the Plesk firewall.
I also set up a user account in the Windows user manager and granted it permission to access that disk space.
The FTP client authenticates OK, but then I get 'Invalid PORT Command'.
Mar 12, 2007, 06:40 AM
The problem is the 2nd FTP channel for data. But that could be any one of a wide range of ports. Windows Firewall doesn't allow you to open a range of ports.
This page suggests opening all ports individually. Is this really necessary?
IIS FTP is working fine on port 21. I can't see firewall exceptions that would allow its data channels. How does that work?
If the firewall is switched off then there's no problem, but that's not an option.
Mar 13, 2007, 04:19 AM
To enable FTP on a non-standard port, specify every possible data channel port individually as a firewall exception. But first, reduce the number of possible ports by configuring the range like so:
cscript c:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "10000-10007"
Then restart the service.
This example allocates 8 ports in the range 10000 to 10007.
The lower value must be greater than 5000, otherwise the FTP service will not restart.
Make sure that this range doesn't conflict with any other services using the non-standard port range (1025-65535).
(It's good practice to know what ports are used by what and minimise them to reduce the attack surface.)
This property can be set only at the service level i.e. for all FTP sites. You can't set the range individually per site or IP address.
To query the current value use the command:
cscript c:\Inetpub\AdminScripts\adsutil.vbs enum /MSFTPSVC
If PassivePortRange isn't among the settings listed, then it's using the default 1025-5000.
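
The procedure from the last post collected into one batch file, as an added example that is not part of the original thread. It assumes the Windows Firewall of that era (the `netsh firewall` context), that the IIS FTP service is named MSFTPSVC, and that the rule names are free to choose; the port range is the one used above.

```bat
@echo off
rem Added example: narrow the IIS FTP passive range, then open exactly
rem those ports in Windows Firewall, one exception per port.
setlocal

rem Range from the post above. Adjust both values together.
set FIRST=10000
set LAST=10007

rem The post notes that the FTP service will not restart if the lower
rem value is not greater than 5000, so refuse such a range up front.
if %FIRST% LEQ 5000 (
    echo Lower port must be greater than 5000.
    exit /b 1
)
if %LAST% LSS %FIRST% (
    echo Upper port must not be below the lower port.
    exit /b 1
)

rem Service-level setting: applies to every FTP site on this server.
cscript //nologo c:\Inetpub\AdminScripts\adsutil.vbs set /MSFTPSVC/PassivePortRange "%FIRST%-%LAST%"
if errorlevel 1 exit /b 1

rem Windows Firewall takes no port ranges here, so add one exception
rem per data-channel port. The rule names are made up for this example.
for /L %%P in (%FIRST%,1,%LAST%) do (
    netsh firewall add portopening protocol=TCP port=%%P name="FTP passive %%P" mode=ENABLE
)

rem Restart the FTP service so the new range takes effect.
net stop msftpsvc
net start msftpsvc

rem Review the result: only the control port and the passive range
rem should be listed for FTP.
netsh firewall show portopening
cscript //nologo c:\Inetpub\AdminScripts\adsutil.vbs enum /MSFTPSVC

endlocal
```

If the range is changed later, delete the old exceptions before adding new ones so that unused ports do not stay open.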