Differences
This shows you the differences between the selected revisions of the page.
ftp_modes 2015-02-18 | ftp_modes 2022-04-30 (current) | ||
Line 1: | Line 1: | ||
- | ====== FTP Connection Modes ====== | + | ====== FTP Connection Modes (Active vs. Passive) ====== |
[[ftp|FTP]] may operate in an active or a passive mode, which determines how a data connection is established. In both cases, a client creates a TCP control connection to an FTP server command port 21. This is a standard outgoing connection, as with any other file transfer protocol (SFTP, SCP, WebDAV) or any other %%TCP%% client application (e.g. web browser). So, usually there are no problems when opening the control connection. | [[ftp|FTP]] may operate in an active or a passive mode, which determines how a data connection is established. In both cases, a client creates a TCP control connection to an FTP server command port 21. This is a standard outgoing connection, as with any other file transfer protocol (SFTP, SCP, WebDAV) or any other %%TCP%% client application (e.g. web browser). So, usually there are no problems when opening the control connection. | ||
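Review bot: the unchanged intro sentence says the mode "determines how a data connection is established" but never states the one fact that drives every firewall/NAT rule on this page, namely which side listens for the data connection (the server in passive mode, the client in active mode). Since the title now advertises "Active vs. Passive", add that clause to the first sentence so a reader knows up front which side must accept an inbound connection, e.g. "which determines which side opens the data connection and therefore which side must accept an incoming connection".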
Line 20: | Line 20: | ||
~~AD~~ | ~~AD~~ | ||
- | The firewall and NAT on the FTP server side have to be configured not only to allow/route the incoming connections on %%FTP%% port 21,((Or implicit FTPS port 990)) but also a range of ports for the incoming data connections. Typically, the %%FTP%% server software has a configuration option to setup a range of the ports, the server will use. And the same range has to be opened/routed on the firewall/%%NAT%%. | + | The firewall and NAT on the FTP server side have to be configured not only to allow/route the incoming connections on %%FTP%% port 21,((Or implicit FTPS port 990.)) but also a range of ports for the incoming data connections. Typically, the %%FTP%% server software has a configuration option to setup a range of the ports, the server will use. And the same range has to be opened/routed on the firewall/%%NAT%%. |
When the %%FTP%% server is behind a %%NAT%%, it needs to know it's external IP address, so it can provide it to the client in a response to ''PASV'' command. | When the %%FTP%% server is behind a %%NAT%%, it needs to know it's external IP address, so it can provide it to the client in a response to ''PASV'' command. | ||
- | It is typical, that the %%FTP%% server is not configured properly and provides its internal IP address, that cannot be used from a client network. By default WinSCP detects, when an unroutable IP address is provided, and uses a server (control connection) address instead.((Actually very rarely, if ever, the %%IP%% address of the data connection is different from the %%IP%% address of the control connection.)) You can tell that this happened from [[logging|a session log]]: | + | It is common, that the %%FTP%% server is not configured properly and provides its internal IP address, that cannot be used from a client network. By default WinSCP detects, when an unroutable IP address is provided, and uses a server (control connection) address instead.((Actually very rarely, if ever, the %%IP%% address of the data connection is different from the %%IP%% address of the control connection.)) You can tell that this happened from [[logging|a session log]]: |
<code> | <code> | ||
Server sent passive reply with unroutable address ..., using host address instead. | Server sent passive reply with unroutable address ..., using host address instead. | ||
</code> | </code> | ||
- | |||
- | When the %%NAT%% happens on a client side, what the %%FTP%% server cannot know, the IP address it provides is wrong too. You can force WinSCP to ignore the %%IP%% address provided using a //[[ui_login_ftp|Force IP address for passive mode connections]]// session setting. | ||
Learn how to: | Learn how to: | ||
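Review bot: the new wording "It is common, that the %%FTP%% server is not configured properly" keeps the spurious comma; it should read "It is common that the FTP server is not configured properly". While this hunk is being touched, also fix the unchanged context lines: "it needs to know it's external IP address" should be "its", and "has a configuration option to setup a range of the ports, the server will use" should read "has a configuration option to set up a range of ports that the server will use". The client-side NAT paragraph removed here is re-added under the new "Notes for Uncommon Local Network Configurations" subsection, so no content is lost.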
Line 36: | Line 34: | ||
* [[guide_windows_ftps_server#firewall|Configure port range for data connections and external IP address on Microsoft IIS FTP Server]]; | * [[guide_windows_ftps_server#firewall|Configure port range for data connections and external IP address on Microsoft IIS FTP Server]]; | ||
* [[guide_azure_ftps_server#firewall|Route port range for data connections on Microsoft Azure firewall/NAT]]. | * [[guide_azure_ftps_server#firewall|Route port range for data connections on Microsoft Azure firewall/NAT]]. | ||
+ | |||
+ | ==== [[passive_local]] Notes for Uncommon Local Network Configurations ==== | ||
+ | |||
+ | When the %%NAT%% happens on a client side, what the %%FTP%% server cannot know, the IP address it provides is wrong too (from a client's perspective). You can force WinSCP to ignore the %%IP%% address provided by the server using a //[[ui_login_ftp|Force IP address for passive mode connections]]// session setting. | ||
+ | |||
+ | When using a restrictive local firewall that blocks even outgoing connections, you need to open not only control connection port 21, but also a port range for data connections. To open as little ports as possible, find out what ports is the %%FTP%% server configured to use. If you cannot know that, you have to open all unprivileged port range, 1024--65535. | ||
===== [[active]] Network Configuration for Active Mode ===== | ===== [[active]] Network Configuration for Active Mode ===== | ||
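Review bot: the last sentence of the new subsection tells users to "open all unprivileged port range, 1024--65535" on a restrictive local firewall without scoping the rule; an outbound allowance that wide should be limited to the FTP server's address as the remote address (and to WinSCP as the program, where the firewall supports program rules) rather than permitting all destinations, and the text should say that narrowing to the server's configured passive range is preferable whenever the server administrator can be asked. Wording in the same lines: "what the %%FTP%% server cannot know" should be "which the FTP server cannot know"; "To open as little ports as possible, find out what ports is the %%FTP%% server configured to use" should be "To open as few ports as possible, find out which ports the FTP server is configured to use"; "you have to open all unprivileged port range, 1024--65535" should be "you have to open the whole unprivileged port range, 1024-65535".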
Line 41: | Line 45: | ||
With the //active// mode, most of the configuration burden is on the client side. | With the //active// mode, most of the configuration burden is on the client side. | ||
- | The firewall (e.g. Windows firewall) and NAT (e.g. ADSL modem routing rules) on the client side have to be configured to allow/route a range of ports for the incoming data connections. As WinSCP does not allow configuring a range of the ports it uses for data connections, all ports in Windows dynamic port range 49152 - 65535((For Windows Vista and later. &winvista For details refer to //Remarks// section in documentation of ''[[msdn>ms737550|bind]]'' WinAPI function. )) have to be opened. To open the ports, go to //Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules > New Rule//. For routing the ports on the %%NAT%% (if any), refer to its documentation. | + | The firewall (e.g. Windows firewall) and NAT (e.g. ADSL modem routing rules) on the client side have to be configured to allow/route a range of ports for the incoming data connections. You should restrict [[ui_pref_network|range of local ports that WinSCP uses for the active mode]]. Then open those ports in Windows Firewall. Go to //Control Panel > System and Security > Windows Defender Firewall//((//Windows Firewall// on older versions of Windows.))// > Advanced Settings > Inbound Rules > New Rule//. &wincp &win10 For routing the ports on the %%NAT%% (if any), refer to its documentation. |
When there's %%NAT%% in your network, you have to configure an external IP address that the WinSCP needs to provide to the %%FTP%% server using ''PORT'' command. So that the server can correctly connect back to WinSCP to open the data connection. For that use //[[ui_pref_network|External IP address]]// setting in Preferences. | When there's %%NAT%% in your network, you have to configure an external IP address that the WinSCP needs to provide to the %%FTP%% server using ''PORT'' command. So that the server can correctly connect back to WinSCP to open the data connection. For that use //[[ui_pref_network|External IP address]]// setting in Preferences. | ||
- | ===== Smart Firewalls/NATs ===== | + | ===== [[smart]] Smart Firewalls/NATs ===== |
- | Some firewalls/NATs try to automatically open/close data ports by inspecting %%FTP%% control connection and/or translate the data connection %%IP%% addresses in control connection traffic. | + | Some firewalls/NATs try to automatically open/close data ports by inspecting %%FTP%% control connection and/or translate the data connection %%IP%% addresses in control connection traffic.((For example in the built-in Windows firewall, the function is called ''StatefulFTP''.)) |
With such a firewall/%%NAT%%, the above configuration is not necessary for a plain unencrypted %%FTP%%. But this cannot work with [[ftps|FTPS]], as the control connection traffic is encrypted and the firewall/%%NAT%% cannot inspect nor modify it. | With such a firewall/%%NAT%%, the above configuration is not necessary for a plain unencrypted %%FTP%%. But this cannot work with [[ftps|FTPS]], as the control connection traffic is encrypted and the firewall/%%NAT%% cannot inspect nor modify it. |
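Review bot: the new active-mode text says to open the restricted local port range as an inbound Windows Firewall rule but does not say how to scope it; an inbound rule that admits any program on those ports is broader than needed, so state that the rule should be a program rule tied to the WinSCP executable, limited to the same port range configured under "range of local ports that WinSCP uses for the active mode", and ideally restricted to the FTP server's address as the remote address. In the unchanged context, "an external IP address that the WinSCP needs to provide" should drop "the", and "So that the server can correctly connect back to WinSCP to open the data connection." is a sentence fragment that belongs to the preceding sentence. In the Smart Firewalls section, the new StatefulFTP footnote sits next to the FTPS sentence that follows; consider stating there explicitly that with FTPS the inspection helper cannot see the PASV/PORT exchange, so the port-range and external-address configuration from the sections above is required in that case.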