Setup FileZilla Server Passive Ports on Windows Server 2012

I prefer to use FileZilla FTP Server over the traditional IIS FTP module. FileZilla comes with a light and lean GUI, great logging tools, connection (speed) limits and more. If you do not know FileZilla Server or the FileZilla Client, I strongly encourage you to try them out at https://filezilla-project.org/

Setting up the FileZilla Server is straightforward, but after configuring the users/groups and directories you can have some trouble setting up the Windows Server 2012 Firewall. Traditional FTP uses port 21, which you should open on your Firewall (see below), but even after opening this port errors can still occur when using passive FTP.

I had the following problem:

Response:   227 Entering Passive Mode
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing

When port 21 is configured in the Firewall and you have set up the users/groups in the FileZilla Server setup, you can still encounter the problem above. By default the FTP client connects in passive mode, and the data connection is opened on a random port between 1-65535. This is a wide range and I do not recommend opening all these ports. Instead you can limit the range of these ports to, let's say, 50100-51100.

So let's do this and configure the FileZilla Server passive port range:

  1. Open up the FileZilla GUI on your server.
  2. Click on the top menu Edit -> Settings.
  3. From the tree menu click on Passive mode settings.
  4. Now make sure the checkbox Use custom port range is checked and enter 50100 in the first box and 51100 in the second.
  5. Click OK

Now that you have finished setting up the custom port we can move forward to the Windows Server 2012 Firewall.

Configuring the Firewall

Let's open up the Firewall panel: press the Windows key on your keyboard and start typing firewall. The result should be Windows Firewall with advanced.... Click it or hit enter.
(Pro tip 😉 hit Windows Key + R -> firewall.cpl -> hit enter)

  1. From the tree, select Inbound Rules.
  2. In the right panel, click New Rule.
  3. A window pops up; select Port and click Next.
  4. Make sure TCP is selected, and enter 50100-51100 in the Specific local ports field.
  5. Hit Next and make sure the Allow connection option is selected. Then hit Next again.
  6. Select the zones where this rule needs to be applied (in my case I have selected all the zones).
  7. Click Next and give this rule a recognizable name: Passive FTP Ports - FileZilla.
  8. Click on Finish, and you're done.

In case you have not yet added port 21 to the Firewall, you can use the same steps, but instead of using ports 50100-51100 just use port 21.
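The same two inbound rules can also be created from an elevated PowerShell prompt with the NetSecurity cmdlets that ship with Windows Server 2012. This is an added example, not part of the original post; the function name Set-FtpInboundRule and the display name used for the port 21 rule are assumptions.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Run in an elevated PowerShell session on the FTP server.

function Set-FtpInboundRule {
    param(
        [Parameter(Mandatory = $true)] [string] $DisplayName,
        [Parameter(Mandatory = $true)] [string] $LocalPort,  # single port or range, e.g. '50100-51100'
        [string] $FirewallProfile = 'Any'                    # 'Any' = all zones, as chosen in the walkthrough
    )

    # Remove an earlier rule with the same display name so that re-running
    # the script does not leave duplicate or stale rules behind.
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $DisplayName `
        -Direction Inbound -Protocol TCP -LocalPort $LocalPort `
        -Action Allow -Profile $FirewallProfile | Out-Null

    # Read the rule back and confirm it is enabled with the requested port filter.
    $rule   = Get-NetFirewallRule -DisplayName $DisplayName
    $filter = $rule | Get-NetFirewallPortFilter
    if ("$($rule.Enabled)" -ne 'True' -or
        $filter.Protocol -ne 'TCP' -or
        ($filter.LocalPort -join ',') -ne $LocalPort) {
        throw "Firewall rule '$DisplayName' does not match the requested settings."
    }

    # Return a short summary of what is now in place.
    New-Object psobject -Property @{
        Rule     = $rule.DisplayName
        Protocol = $filter.Protocol
        Ports    = $filter.LocalPort -join ','
        Profile  = "$($rule.Profile)"
    }
}

# Passive data ports: must match the custom port range entered in FileZilla Server.
Set-FtpInboundRule -DisplayName 'Passive FTP Ports - FileZilla' -LocalPort '50100-51100'

# Control connection on port 21 (the display name is an assumed one, not from the post).
Set-FtpInboundRule -DisplayName 'FTP Control Port 21 - FileZilla' -LocalPort '21'
```

Passing -FirewallProfile 'Domain' or 'Private' instead of the default limits the rule to those network profiles if the server does not need to accept FTP on every zone.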

When connecting to your FTP Server the result now should be:

Response:   227 Entering Passive Mode
Command: LIST
Response: 150 Connection accepted
Response: 226 Transfer OK
Status: Received file listing

PS: this solution also works for 425 Can’t open data connection for transfer
