IIS6 FTP server is not working properly in passive mode with MS Firewall
on 20.07.2007 23:54:41 by Deniz
Hi,
I have been having problems with FTP on our Windows 2003 server since
I activated the firewall on the server. I Googled around and read all
the KBs & discussions that I could find about this issue.
Problem/Symptom:
Once the Windows 2003 firewall is active (AND FTP Server is CHECKED
under Advanced > Settings), FTP clients hang during "List" of certain
directories. In some cases the file list comes back incomplete and/or jumbled
up (this second part can be client-specific).
Example:
If I have directories A B C D E served on FTP, when the firewall is
on, I can browse directories A, C, E with no problem from my FTP
client, and I get stuck at 16,718 bytes and 5,124 bytes while reading
the directories B and D. For instance, when I try to connect to the
FTP server using login A, it logs me in. Then I can browse the
directory and subdirectories underneath. If I try to open a directory
that does not list (i.e. gets stuck during "List" command) I have to
disconnect. When I try to connect to the FTP server using login B, it
logs me in. It starts reading the directory, gets stuck at 16,718
bytes, and times out if I don't disconnect (similar to above). This
amount (16,718 bytes) is always the same for this directory. If I disable
the firewall, this doesn't happen at all. If directory C is
successfully listed, it is always successfully listed. If listing
directory D fails, it always fails at the same place (e.g.
after reading a certain number of bytes).
Tried Solution:
Limiting the port range for passive mode: Using Metabase Explorer, in
LM/MSFTPSVC I created a STRING record named PassivePortRange with the
value "5001-5050" (without quotes). I then added these ports to the
Windows Firewall using a batch script. I double checked and saw all 50
ports were added successfully in Windows Firewall. I restarted the FTP
service, but this did not solve anything. I also added port 21 just in
case.
If I disable the passive mode in my FTP client (Flash FXP 3.4) then I
can access those problem-directories, and they list just fine. And it
is faster too.
Are there any solutions, or troubleshooting methods that you can offer
to make the IIS FTP service run behind the firewall in passive mode?
Or do I have to tell my FTP clients to turn the passive mode off?
Server is IIS 6.0 on Windows 2003 Standard SP1 w/ 6 IPs and Windows
Firewall.
Thanks in advance,
Deniz
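
One way to check whether the server really hands out data ports from the configured range, as an added example that is not part of the original post: it parses `227` replies to `PASV` (format from RFC 959) and compares the port with the 5001-5050 range from the post and the advertised address with the address the client connected to. The function names, the sample replies and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# Range the post stored in the metabase key LM/MSFTPSVC/PassivePortRange.
PASSIVE_RANGE = (5001, 5050)

# RFC 959 reply to PASV: 227 <text> (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(r"^227\b.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; port = p1*256 + p2."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check_pasv(reply, control_ip, port_range=PASSIVE_RANGE):
    """Return a list of findings for one reply; empty means consistent."""
    ip, port = parse_pasv(reply)
    lo, hi = port_range
    findings = []
    if not lo <= port <= hi:
        # Only the ports inside the range were opened in the firewall.
        findings.append("port %d outside %d-%d" % (port, lo, hi))
    if ip != control_ip:
        # The post's server has 6 IPs; flag a reply naming a different one.
        findings.append("advertises %s, client connected to %s" % (ip, control_ip))
    return findings


# Constructed sample replies (documentation addresses, not from the post).
SAMPLES = [
    "227 Entering Passive Mode (192,0,2,10,19,137)",  # port 5001
    "227 Entering Passive Mode (192,0,2,10,4,18)",    # port 1042
    "227 Entering Passive Mode (192,0,2,11,19,186)",  # port 5050, other IP
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check_pasv(line, "192.0.2.10") or "ok")
```

The `227` lines to feed in can be copied from the FTP client's session log for a working and a failing directory listing.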