Why is the RPC dynamic port range used for FTPS?

Sidiki CAMARA 41 Reputation points
2020-12-18T09:11:33.217+00:00

Hello !

I just set up an FTP site and configured a certificate for SSL connection.

I was able to connect using implicit FTPS while I was on the same LAN. When I tried from another network (behind the firewall) it didn't work. I could connect, but it then failed when listing directory contents.

I read a bunch of articles indicating that I need to use active mode and specify the interface of my firewall, but that did not work for me. I had to allow the RPC dynamic port range on my firewall.

Can someone explain why this range is needed for the application to work?

Thank you in advance.


2 answers

  1. Candy Luo 12,656 Reputation points Microsoft Vendor
    2020-12-21T06:38:44.657+00:00

    Hi,

    Based on my research, the firewall NATs the public IP to the private IP and maintains the connection. But when the client sends a PASV command to move into passive mode, the server responds to the client with a PASV response containing the internal IP address of the FTP server. Since the IP address of the control channel is different from the IP that the server is asking the client to connect to for the data channel in the PASV response packet, the client will fail to establish a data channel for data transfer, as it is behind the firewall.

    To overcome the above problem, configure FTP Firewall Support with the external IP of the firewall that is listening for FTP.

    Under FTP Firewall Support, enter the external IPv4 address of the firewall through which the data connections arrive. You can also configure the range of passive port numbers that you want the FTP service to use. For example, 41000-41099 allows the server to support 100 passive-mode data connections simultaneously.

    Ensure that you also create a firewall rule on the firewall device to allow inbound connections on the ports that you configured above.


    Best Regards,

    Candy

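The three steps in the answer above (passive data channel port range, external IPv4 address, inbound firewall rule) as one PowerShell script. This is an added example, not part of the original answer and not Microsoft's own documentation script; the site name "Default FTP Site", the public address 203.0.113.10 and the range 41000-41099 are assumptions for illustration. It also explains the original question: when IIS FTP has no data channel range configured (the default 0-0), it hands out passive ports from the Windows ephemeral range, 49152-65535 on current Windows, which is exactly the range the firewall's "RPC dynamic ports" rule opens, so that rule happens to let passive FTPS data connections through.

```powershell
# Added example (not from the original Q&A): configure IIS FTP Firewall Support
# for passive-mode FTPS behind a NAT firewall and open the matching host firewall
# rules. Run in an elevated PowerShell on the IIS server.
# Assumptions: site name 'Default FTP Site', public address 203.0.113.10
# (documentation prefix, not a real host), passive range 41000-41099.
Import-Module WebAdministration

$siteName   = 'Default FTP Site'   # assumed FTP site name
$externalIp = '203.0.113.10'       # assumed public IPv4 address of the NAT firewall
$lowPort    = 41000
$highPort   = 41099                # 100 ports = 100 simultaneous passive data connections
$appHost    = 'MACHINE/WEBROOT/APPHOST'

# 1. Server-wide passive data channel port range
#    (<system.ftpServer><firewallSupport lowDataChannelPort=... highDataChannelPort=.../>).
#    Leaving this at the default 0-0 makes IIS use the Windows ephemeral range
#    (49152-65535), which is why allowing "RPC dynamic ports" happened to work.
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.ftpServer/firewallSupport' `
    -Name 'lowDataChannelPort'  -Value $lowPort
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.ftpServer/firewallSupport' `
    -Name 'highDataChannelPort' -Value $highPort

# 2. Per-site external IPv4 address. This is the address IIS puts into the
#    "227 Entering Passive Mode (a,b,c,d,p1,p2)" reply instead of its private LAN address,
#    so a client on the far side of the NAT connects to the firewall, not to 10.x/192.168.x.
$siteFilter = "system.applicationHost/sites/site[@name='$siteName']/ftpServer/firewallSupport"
Set-WebConfigurationProperty -PSPath $appHost -Filter $siteFilter `
    -Name 'externalIp4Address' -Value $externalIp

# 3. The FTP service only picks up a new data channel range at start-up.
Restart-Service -Name ftpsvc

# 4. Host firewall: control port plus the passive data range, TCP inbound only.
#    Implicit FTPS uses 990; explicit FTPS (AUTH TLS) uses 21. Mirror these as
#    port-forwarding rules on the NAT device in front of the server.
New-NetFirewallRule -DisplayName 'FTPS control (implicit, TCP 990)' -Direction Inbound `
    -Protocol TCP -LocalPort 990 -Action Allow
New-NetFirewallRule -DisplayName "FTPS passive data (TCP $lowPort-$highPort)" -Direction Inbound `
    -Protocol TCP -LocalPort "$lowPort-$highPort" -Action Allow

# 5. Read the settings back so the change can be checked before testing from outside.
Get-WebConfiguration -PSPath $appHost -Filter 'system.ftpServer/firewallSupport' |
    Select-Object lowDataChannelPort, highDataChannelPort
Get-WebConfiguration -PSPath $appHost -Filter $siteFilter |
    Select-Object externalIp4Address
```

Two points worth keeping in mind when testing. First, with FTPS the PASV reply travels inside the TLS session, so a firewall's FTP helper (ALG) cannot read or rewrite it and cannot open the data port on the fly the way it can for plain FTP; that is why both the address and the port range have to be configured explicitly on the server and opened statically on the firewall. Second, opening only the narrow range above and removing the broad RPC dynamic ports rule keeps the exposure to exactly the ports the FTP service will actually use.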

  2. Sidiki CAMARA 41 Reputation points
    2020-12-25T15:56:13.28+00:00

    Hello,
    Yes, indeed.
    I thank you for your time. The response has been quite valuable.