FTP Over SSL

Have you ever been asked to deploy an FTP service over SSL?

We know that FTP uses two ports by default: 21 for sending commands, and 20 for sending data. For instance, if you typed “FTP://<ServerName>”, the connection attempt would go to port 21. Once the session was established, port 20 would be used for the data.

So what about FTP over SSL? Is there a dedicated port for it? I faced this question about two weeks ago and I would like to share my experience and how I worked around the issue. Unfortunately, there is no dedicated port number for FTP over SSL: it opens a random port above 1024, which means you would have to open all ports on your firewall…. I know you will say that’s a joke; I said the same thing, I will not open all ports on the firewall 🙂 .. so what is the solution?

I read a lot about limiting the random ports used by FTP over SSL. Microsoft says you can do that by configuring the Data Channel Port Range (IIS —> FTP Firewall Support). I did that, but with no success. I wondered whether there was another way, and finally I looked at it from a different side and asked: how can I limit the random ports themselves? I found the key; the command below limits the random (dynamic) port range:

netsh int <ipv4|ipv6> set dynamicport <tcp|udp> start=number num=range

This command sets the dynamic port range for TCP or UDP. The first port is number, and the total number of ports is range. The following are sample commands:

  • netsh int ipv4 set dynamicport tcp start=10000 num=1000
  • netsh int ipv4 set dynamicport udp start=10000 num=1000
  • netsh int ipv6 set dynamicport tcp start=10000 num=1000
  • netsh int ipv6 set dynamicport udp start=10000 num=1000

These sample commands set the dynamic port range to start at port 10000 and to end at port 11000 (1000 ports). The minimum range of ports that can be set is 255. The minimum starting port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535. To duplicate the default behavior of Windows Server 2003, use 1025 as the start port, and then use 3976 as the range for both TCP and UDP. This results in a start port of 1025 and an end port of 5000. For more information please see: http://support.microsoft.com/kb/929851

And there we are: it worked fine, and I configured the firewall to open only the range of ports used by FTP over SSL.
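The whole procedure above, collected into one script as an added example (it is not from the original post): it checks the start/num values against the limits quoted from KB 929851, applies the dynamic port range for both address families and both protocols, and then opens only port 21 and that range inbound with netsh advfirewall. The port values are the ones the post uses; the firewall rule names are assumptions. Run it from an elevated PowerShell prompt on the FTP server.

```powershell
# Added example, not code from the original post.
# Restrict the dynamic port range that FTP-over-SSL passive data connections
# are drawn from, then allow only that range (plus control port 21) inbound.

$Start = 10000                     # first dynamic port (value used in the post)
$Num   = 1000                      # number of ports in the range
$End   = $Start + $Num - 1         # last port; for the 2003 default 1025 + 3976 - 1 = 5000

# Limits the post quotes from KB 929851: fail early rather than let netsh reject them.
if ($Start -lt 1025)  { throw "start must be at least 1025 (got $Start)" }
if ($Num   -lt 255)   { throw "num must be at least 255 (got $Num)" }
if ($End   -gt 65535) { throw "range would end at $End, above 65535" }

# Apply the same range to IPv4/IPv6 and TCP/UDP, as the post's four sample commands do.
foreach ($family in "ipv4", "ipv6") {
    foreach ($proto in "tcp", "udp") {
        netsh int $family set dynamicport $proto "start=$Start" "num=$Num"
        if ($LASTEXITCODE -ne 0) { throw "netsh failed for $family/$proto" }
    }
}

# Show what the stack now reports, so the change can be confirmed before touching the firewall.
netsh int ipv4 show dynamicport tcp
netsh int ipv6 show dynamicport tcp

# Inbound firewall: the control channel on 21 and the data range only.
# Rule names are constructed for this example; keep them free of spaces so
# PowerShell passes them to netsh as single arguments.
$DataPorts = "$Start-$End"
netsh advfirewall firewall add rule name=FTPS-Control dir=in action=allow protocol=TCP localport=21
if ($LASTEXITCODE -ne 0) { throw "could not add control-channel rule" }
netsh advfirewall firewall add rule name=FTPS-Data-Range dir=in action=allow protocol=TCP "localport=$DataPorts"
if ($LASTEXITCODE -ne 0) { throw "could not add data-range rule" }

# Verify the rule that was created carries exactly the intended range.
netsh advfirewall firewall show rule name=FTPS-Data-Range
```

Everything outside port 21 and the configured range stays closed, so the firewall exposure is limited to the ports the FTP service can actually hand out.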

I hope you find this article useful 🙂

By Eng. Abdallah Sawalha

IT Consultant and Trainer
