Differences
This shows you the differences between the selected revisions of the page.
ftp_modes 2018-09-27 | ftp_modes 2022-04-30 (current) | ||
Line 14: | Line 14: | ||
Use //[[ui_login_connection|Passive mode]]// session settings to toggle between the //active// and the //passive// mode. | Use //[[ui_login_connection|Passive mode]]// session settings to toggle between the //active// and the //passive// mode. | ||
- | ===== [[passive]] Network Configuration for Passive Mode and active mode sub kuch ===== | + | ===== [[passive]] Network Configuration for Passive Mode ===== |
With the //passive// mode, most of the configuration burden is on the server side. The server administrator should setup the server as described below. | With the //passive// mode, most of the configuration burden is on the server side. The server administrator should setup the server as described below. | ||
Line 20: | Line 20: | ||
~~AD~~ | ~~AD~~ | ||
- | The firewall and NAT on the FTP server side have to be configured not only to allow/route the incoming connections on %%FTP%% port 21,((Or implicit FTPS port 990)) but also a range of ports for the incoming data connections. Typically, the %%FTP%% server software has a configuration option to setup a range of the ports, the server will use. And the same range has to be opened/routed on the firewall/%%NAT%%. | + | The firewall and NAT on the FTP server side have to be configured not only to allow/route the incoming connections on %%FTP%% port 21,((Or implicit FTPS port 990.)) but also a range of ports for the incoming data connections. Typically, the %%FTP%% server software has a configuration option to setup a range of the ports, the server will use. And the same range has to be opened/routed on the firewall/%%NAT%%. |
When the %%FTP%% server is behind a %%NAT%%, it needs to know it's external IP address, so it can provide it to the client in a response to ''PASV'' command. | When the %%FTP%% server is behind a %%NAT%%, it needs to know it's external IP address, so it can provide it to the client in a response to ''PASV'' command. | ||
Line 39: | Line 39: | ||
When the %%NAT%% happens on a client side, what the %%FTP%% server cannot know, the IP address it provides is wrong too (from a client's perspective). You can force WinSCP to ignore the %%IP%% address provided by the server using a //[[ui_login_ftp|Force IP address for passive mode connections]]// session setting. | When the %%NAT%% happens on a client side, what the %%FTP%% server cannot know, the IP address it provides is wrong too (from a client's perspective). You can force WinSCP to ignore the %%IP%% address provided by the server using a //[[ui_login_ftp|Force IP address for passive mode connections]]// session setting. | ||
- | When using a restrictive local firewall that blocks even outgoing connections, you need to open not only control connection port 21, but also a port range for data connections. To open as little ports as possible, find out what ports is the %%FTP%% server configured to use. If you cannot know that, you have to open all unprivileged port range, 1024·-·65535. | + | When using a restrictive local firewall that blocks even outgoing connections, you need to open not only control connection port 21, but also a port range for data connections. To open as little ports as possible, find out what ports is the %%FTP%% server configured to use. If you cannot know that, you have to open all unprivileged port range, 1024--65535. |
===== [[active]] Network Configuration for Active Mode ===== | ===== [[active]] Network Configuration for Active Mode ===== | ||
Line 45: | Line 45: | ||
With the //active// mode, most of the configuration burden is on the client side. | With the //active// mode, most of the configuration burden is on the client side. | ||
- | The firewall (e.g. Windows firewall) and NAT (e.g. ADSL modem routing rules) on the client side have to be configured to allow/route a range of ports for the incoming data connections. As WinSCP does not allow configuring a range of the ports it uses for data connections, all ports in Windows dynamic port range 49152 - 65535((For Windows Vista and later. &winvista For details refer to //Remarks// section in documentation of ''[[https://docs.microsoft.com/en-us/windows/desktop/api/winsock/nf-winsock-bind|bind]]'' WinAPI function. )) have to be opened. To open the ports, go to //Control Panel > System and Security > Windows Firewall//((//Windows Defender Firewall// on Windows 10.))// > Advanced Settings > Inbound Rules > New Rule//. &wincp For routing the ports on the %%NAT%% (if any), refer to its documentation. | + | The firewall (e.g. Windows firewall) and NAT (e.g. ADSL modem routing rules) on the client side have to be configured to allow/route a range of ports for the incoming data connections. You should restrict [[ui_pref_network|range of local ports that WinSCP uses for the active mode]]. Then open those ports in Windows Firewall. Go to //Control Panel > System and Security > Windows Defender Firewall//((//Windows Firewall// on older versions of Windows.))// > Advanced Settings > Inbound Rules > New Rule//. &wincp &win10 For routing the ports on the %%NAT%% (if any), refer to its documentation. |
When there's %%NAT%% in your network, you have to configure an external IP address that the WinSCP needs to provide to the %%FTP%% server using ''PORT'' command. So that the server can correctly connect back to WinSCP to open the data connection. For that use //[[ui_pref_network|External IP address]]// setting in Preferences. | When there's %%NAT%% in your network, you have to configure an external IP address that the WinSCP needs to provide to the %%FTP%% server using ''PORT'' command. So that the server can correctly connect back to WinSCP to open the data connection. For that use //[[ui_pref_network|External IP address]]// setting in Preferences. |