
Windows Server 2012 ftp access


I’m trying to deploy files to an IIS server through FTP but could not set up FTP to work correctly. My problem is that port 21 is somehow not open. The Windows Server FTP rules are enabled.

There is no specific documentation on SWITCHengines. Could someone help me with the steps I have to take to access FTP, like ftp://8x.xxx.xx.xx:21 or with FileZilla?


In general, you need to create (or extend) a security group to allow access to the port(s) required by a new service. The general approach is described on one of our help pages.

Note that FTP is a somewhat complex protocol for firewalls, partly because it was developed long before firewalls became popular! Unlike HTTP, where the server uses a single well-known port (usually TCP port 80 or 443 when TLS/HTTPS is used), FTP requires separate “control” and “data” connections. The control connection uses TCP port 21 on the server, so that port needs to be opened before anything can work.

But for the actual data transfer—and that includes the transfer of directory listings—additional connections are opened. In the original FTP model, those connections were opened from the server to the client(!) in the so-called “active” mode. Today, since clients often don’t have ports or even IP addresses that can be reached from the Internet, this has generally been replaced by “passive” mode, where those connections are opened from the client to the server. Unfortunately, those “passive mode” data connections don’t use a single “well-known” port number on the server side. By default they can use any TCP port number in the dynamically-assigned range, e.g. anything between 1024 and 65535. Various FTP servers allow that port range to be restricted. Here are some instructions for configuring passive-mode port range for IIS.

So basically what you still need to do is:

  • Create an OpenStack Security Group (see help page). You could call it “FTP”.
  • Possibly configure the dynamic port range for passive-mode connections (instructions here) to the range min-max. Choose a large-enough range to allow for as many parallel data connections as you expect. Ideally the range shouldn’t overlap with other existing services’ TCP ports. If you leave it as the defaults, then min defaults to 1024, max to 65535.
  • Add the following rules to your “FTP” Security Group:
    • TCP port 21 from ::/0 (for IPv6)
    • TCP port 21 from (for IPv4)
    • TCP range min-max from ::/0 (for IPv6)
    • TCP range min-max from (for IPv4)
  • Add the “FTP” Security Group to your instance. This can be done while the instance is running, and should have immediate effect.

Hope this helps!
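
An added example, not part of the reply above: a Python check you can run from a client to confirm that the control port and the passive-mode data port both get through the security group. It parses the server's `227` reply to `PASV`, compares the advertised port with the min-max range you configured, and also flags a reply that advertises a different address than the one the client connected to, as happens when the server sits behind address translation. The range 50000-50100, the sample reply and the function names are assumptions made for the example.

```python
import ftplib
import re
import socket

# RFC 959 reply to PASV: "227 <text> (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return the (host, port) a 227 reply advertises for the data connection."""
    match = PASV_RE.search(reply)
    if not reply.startswith("227") or match is None:
        raise ValueError("not a passive-mode reply: %r" % reply)
    nums = [int(g) for g in match.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def check_pasv(reply, control_ip, port_min, port_max):
    """List what a 227 reply reveals, given the range opened in the security group."""
    host, port = parse_pasv(reply)
    problems = []
    if not port_min <= port <= port_max:
        problems.append("data port %d outside %d-%d" % (port, port_min, port_max))
    if host != control_ip:
        problems.append("server advertises %s, client connected to %s" % (host, control_ip))
    return problems

def probe(host, user, password, port_min, port_max, timeout=5.0):
    """Live check against a server you administer (IPv4, plain FTP)."""
    with ftplib.FTP() as ftp:
        ftp.connect(host, 21, timeout=timeout)  # fails here if TCP 21 is closed
        ftp.login(user, password)
        control_ip = ftp.sock.getpeername()[0]
        reply = ftp.sendcmd("PASV")
        problems = check_pasv(reply, control_ip, port_min, port_max)
        try:  # the data port must also pass the security group
            socket.create_connection((control_ip, parse_pasv(reply)[1]), timeout).close()
        except OSError as exc:
            problems.append("data connection failed: %s" % exc)
    return problems

if __name__ == "__main__":
    # Constructed reply; 50000-50100 is a hypothetical min-max range.
    sample = "227 Entering Passive Mode (192,0,2,10,195,80)"
    print(parse_pasv(sample), check_pasv(sample, "192.0.2.10", 50000, 50100))
```

An empty list from `probe` means the login, the `PASV` reply and the data connection all worked with the range you passed in.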