I wanted to open up FTP for a project some of my former students and I are working on. So I did the usual. Started up the service and added the exception to the firewall.

Easy as that?

From my laptop I could connect, but I could not get a directory listing (LIST). I assumed this was because I was using windows list instead of *nix, but I was wrong. I could connection using the command line FTP, so I knew something could work. I can also FTP to various other sites just fine. So what gives?

Passive FTP versus active ftp

FTP is a funny thing. Funny like Lucifer.

So you ftp into a server in passive mode. The server responds telling you what port to reconnect to. Your client obliges. This is passive FTP.

Active FTP your client (your laptop) tells the server which port to open. In both cases the ports need to be open on the firewall. Or so it seemed.

The command line ftp client built in with windows uses active FTP. It works.

Passive does not. The client needs to be able to connect back out on the port request (outbound is usually allowed on all ports right?) but the server needs to accept inbound on those ports.

FTP on IIS 6.0 is setup to use a port range that is something like 54 – 10000000000. Windows firewall makes you enter the ports ONE AT A TIME. I did some calculations and the calculations took me longer than this process should. So I stopped.

So you need to tell FTP server to only listen on a few ports when in active mode. It will then tell your laptop to use one of those ports and you can easily open 5 ports on the firewall right?

So what is the fix?

This one I actually searched google a lot for. I ended up finding an incorrect copy of the following page from, who else? M$:
http://support.microsoft.com/kb/555022

And so you do not even need to go there you do this:

For Windows 2003 Server

a) To Enable Direct Metabase Edit
1. Open the IIS Microsoft Management Console (MMC).
2. Right-click on the Local Computer node.
3. Select Properties.
4. Make sure the Enable Direct Metabase Edit checkbox is checked.

b) Configure PassivePortRange via ADSUTIL script
1. Click Start, click Run, type cmd, and then click OK.
2. Type cd Inetpub\AdminScripts and then press ENTER.
3. Type the following command from a command prompt.
adsutil.vbs set /MSFTPSVC/PassivePortRange “5500-5700″
4. Restart the FTP service.

You’ll see the following output, when you configure via ADSUTIL script:

Microsoft (R) Windows Script Host Version 5.6

Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

PassivePortRange : (STRING) “5500-5700″

But check that site in case I copied and pasted something wrong