Unlike HTTP and other protocols used on the Internet, the FTP protocol uses a minimum of two connections during a session: a half-duplex connection for control, and a full-duplex connection for data transfer. By default, TCP port 21 is used on the server for the control connection, but the data connection is determined by the method that the client uses to connect to the server, as detailed below.
Active-mode FTP connections are sometimes referred to as "client-managed" because the client sends a port command to the server, over the control connection. The command requests the server to establish a data connection from TCP port 20 on the server to the client, using the TCP port that is specified by the port command.
Passive-mode FTP connections are sometimes referred to as "server-managed", because after the client issues a pasv command, the server responds with one of its transient ports used as the server-side port of the data connection. After a data connection command is issued by the client, the server connects to the client using the port immediately above the client-side port of the control connection.
In passive mode, IIS FTP by default randomly chooses a response port in the range 1024 - 65535. To narrow this large port range, a system administrator can configure a metabase property key named PassivePortRange. This property key exists only in IIS 6.0; for IIS 5.0 in Windows 2000, the system administrator needs to install Service Pack 4 and add the PassivePortRange key to the system registry.
To change the PassivePortRange for IIS, perform the procedure that is described in one of the following sections.
For Windows 2003 Server
a) To Enable Direct Metabase Edit
1. Open the IIS Microsoft Management Console (MMC).
2. Right-click on the Local Computer node.
3. Select Properties.
4. Make sure the Enable Direct Metabase Edit checkbox is checked.
b) Configure PassivePortRange via ADSUTIL script
1. Click Start, click Run, type cmd, and then click OK.
2. Type cd Inetpub\AdminScripts and then press ENTER.
3. Type the following command from a command prompt.
adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700"
4. Restart the FTP service.
You'll see the following output when you configure via the ADSUTIL script:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
PassivePortRange : (STRING) "5500-5700"
For Windows 2000 Server
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs.
For PassivePortRange to work in Windows 2000, the system administrator must install Service Pack 4 (SP4) or later. For additional information, visit the following article number to view the article in the Microsoft Knowledge Base:
How to Obtain the Latest Windows 2000 Service Pack
Configure PassivePortRange via Registry Editor
1. Start Registry Editor (Regedt32.exe).
2. Locate the following registry key:
3. Add a value named "PassivePortRange" (without the quotation marks) of type REG_SZ.
4. Close Registry Editor.
5. Restart the FTP service.
Note: The range that FTP will validate is from 5001 to 65535.
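One way to check the setting after the FTP service restarts, as an added example that is not part of the original article: the script parses a range string in the form used above, applies the 5001 to 65535 bound from the note, and tests the data port announced in each 227 reply to a pasv command. The reply layout (h1,h2,h3,h4,p1,p2 with port = p1*256 + p2) comes from RFC 959; the function names and the sample replies are constructed for illustration.

```python
import re

# Bounds from the article's note: FTP validates 5001 to 65535.
VALID_MIN, VALID_MAX = 5001, 65535

# RFC 959 reply to PASV: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))


def parse_port_range(value):
    """Parse a PassivePortRange string such as "5500-5700" into (low, high)."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        raise ValueError(f"not a low-high range: {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"range is reversed: {value!r}")
    if low < VALID_MIN or high > VALID_MAX:
        raise ValueError(f"outside {VALID_MIN}-{VALID_MAX}: {value!r}")
    return low, high


def parse_pasv_reply(line):
    """Return (host, port) announced by a 227 reply."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {line!r}")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"field larger than one byte: {line!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def audit_replies(range_value, replies):
    """Return (host, port, in_range) for each reply."""
    low, high = parse_port_range(range_value)
    return [(h, p, low <= p <= high) for h, p in map(parse_pasv_reply, replies)]


# Constructed sample replies (192.0.2.10 is a documentation address).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,21,124)",  # 21*256 + 124 = 5500
    "227 Entering Passive Mode (192,0,2,10,22,68)",   # 22*256 + 68  = 5700
    "227 Entering Passive Mode (192,0,2,10,4,1)",     # 4*256 + 1    = 1025
]

if __name__ == "__main__":
    for host, port, ok in audit_replies("5500-5700", SAMPLE_REPLIES):
        print(f"{host}:{port} {'within range' if ok else 'OUTSIDE range'}")
```

A reply whose port falls outside the configured range after the restart indicates that the setting was not applied, and a firewall rule that permits only the configured range would block that data connection.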
For additional information, visit the following article number to view the article in the Microsoft Knowledge Base:
Information About the IIS File Transmission Protocol (FTP) Service
Article ID: 555022 - Last Review: Feb 14, 2017 - Revision: 1