The FTP Server included in the Microsoft Server OS is a bit limited. Only direct connections are enabled by default. To allow passive FTP connections to your server you have to do some manual configuration of the IIS metabase, Windows Firewall (if enabled), and any hardware firewall that you may have in place.

Unfortunately, configuring your FTP server to use passive connections means editing the IIS Metabase by hand. There isn’t any user-friendly IIS Manager checkbox or anything you can just click to make it happen. The easiest tool for browsing and editing the IIS Metabase is Microsoft’s Metabase Explorer, which is included in the IIS 6.0 Resource Kit.

To enable passive FTP connections and set the port range, do the following:

1. Install the IIS Resource Kit on your server and open the IIS Metabase utility

2. Browse to [ServerName] (local) -> LM -> MSFTPSVC

3. Right-click on MSFTPSVC and create a new string record entry (New -> String Record)

4. Choose PassivePortRange as the Record Name or Identifier and String for the Data Type

5. Enter the range of ports you would like the FTP Server to use for passive connections; e.g. 5500-5525

6. Close the Metabase Explorer and bounce the IIS services or reboot the server to make sure the changes are put into effect

If your server is also running Windows Firewall, you will also have to allow incoming connections via the port range you specified for your passive connections. This is truly a pain since there isn’t a nice and easy way to define a firewall rule for a range of ports in the Windows Firewall admin utility. You have to enter a rule for each port in the range individually – ugh. But with the use of a simple script, you can automate this process. I originally found this info on David Eedle’s site and wanted to pass it on.

The following will add a Windows Firewall rule for each of the specified ports – 5500 thru 5525 – and name them “Passive FTP [port#]”

FOR /L %I IN (5500,1,5525) DO netsh firewall add portopening TCP %I "Passive FTP %I"

The last step is remembering to also open up the same TCP port range on any hardware firewall / router you may have in place; all pointing to the internal IP address of your FTP server.