Serv-U Firewall Rules (Also Router Rules) - KB Article #1044
Related Articles -- 1639, 1289, 2091, 2100
If you use the default ports for each protocol on Serv-U, you will set up the following rules on your firewall. Note that most of these ports are configurable (see below) and that you can also set up multiple listeners for each protocol.
To see which Serv-U Edition supports each protocol, consult our Serv-U Editions table.
Configuring Your Firewall - Without Serv-U Gateway
Find the protocols you support on the chart below and then open the necessary ports on your firewall from the Internet to Serv-U.
All the rules pictured above are meant to be implemented as "any port, any IP to (specific port(s)) on specific IP" firewall rules. For example, "HTTP: TCP Port 80" means "from any port on any IP to port 80 on Serv-U."
All of the ports pictured above are configurable. Any non-default ports you configured on your Serv-U for your protocol listeners and your FTP passive port range should be used instead of the ports pictured above.
Configuring Your Firewall - With Serv-U Gateway
When you add Serv-U Gateway to your deployment, you ensure that all connections coming from the Internet are terminated in the DMZ and that no connections are initiated from the DMZ into internal networks.
All the rules pictured above are meant to be implemented as "any port, any IP to (specific port(s)) on specific IP" firewall rules. For example, "HTTP: TCP Port 80" means "from any port on any IP to port 80 on Serv-U Gateway." Similarly, "Serv-U to Serv-U Gateway: TCP Port 1180" means "from any port on any IP to port 1180 on Serv-U Gateway."
To provide the same protocol services (e.g., HTTPS and SFTP) to external and internal users, you may either:
- Make your internal users connect to the Serv-U Gateway too. To accomplish this, add the same rules from your internal network as you add for your external users on the Internet, and disable all "local" listeners on Serv-U.
- Allow your internal users to connect directly to Serv-U. To accomplish this, simply make sure you have enabled "local" listeners on Serv-U (i.e., non-Gateway listeners). No additional firewall rules are necessary.
Small Router Configuration
If you are working with a home or small office router, you can configure file transfer traffic to be routed through the router and directly to Serv-U through "Port Forwarding." An example of how to forward ports in a Linksys router is available at How To Configure A Linksys Router For Serv-U. Alternatively, if your router supports Universal Plug and Play (UPnP), Serv-U versions 6.2 and later can automatically configure your router through UPnP.
Configuring FTP and FTPS in Serv-U
Once your router is forwarding the file transfer ports to your server, make sure that Serv-U is listening on the correct ports by checking in the Domain Details menu under the Listeners tab. If you are using FTP or FTPS, make sure to also configure the PASV port range in Serv-U using these steps, or by following this article.
- Navigate to "Server Limits and Settings | Settings"
- Enter the PASV port range in the Network Settings area (RhinoSoft recommends using the port range 50000-50009)
If you are still unable to connect, the next step is to configure the IP address Serv-U uses in its response to the PASV command, so that the response carries the actual (external) IP address and not the internal IP that Serv-U sees. Serv-U 7.0 and above include the ability to specify a domain name instead of an IP address. To do this, follow the steps below.
- Navigate to Domain Details | Listeners
- Select your FTP/FTPS listener(s) and click Edit
- Enter the external IP address (or domain name if applicable) of your internet connection in the PASV IP Address Or Domain Name field. You can find this by surfing to www.whatismyip.com. If you are using Serv-U with a dynamic IP address, leave this field blank.
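The PASV settings above can be checked from the client side by reading the server's 227 reply. The following is an added example, not part of the original article and not RhinoSoft code: it parses a 227 reply and reports whether the advertised address is an internal (RFC 1918) one and whether the advertised port falls inside the forwarded PASV range. The function names, the sample replies and the address 203.0.113.7 are constructed for illustration.

```python
import ipaddress
import re

# Range recommended in the steps above; use whatever range is set in Serv-U.
PASV_RANGE = (50000, 50009)
# RFC 1918 networks: addresses an Internet client cannot reach.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_REPLY = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),"
                    r"(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(line):
    """Return (IPv4Address, port) from '227 ... (h1,h2,h3,h4,p1,p2)'."""
    m = _REPLY.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in: %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]   # port = p1*256 + p2


def check_pasv_reply(line, external_ip=None, pasv_range=PASV_RANGE):
    """Return a list of findings; an empty list means the reply is consistent."""
    ip, port = parse_pasv_reply(line)
    findings = []
    if any(ip in net for net in INTERNAL_NETS):
        findings.append("internal-address")       # PASV IP field needs setting
    elif external_ip and ip != ipaddress.IPv4Address(external_ip):
        findings.append("unexpected-address")     # differs from the known IP
    if not pasv_range[0] <= port <= pasv_range[1]:
        findings.append("port-outside-range")     # firewall will not pass it
    return findings


if __name__ == "__main__":
    # Constructed replies; 203.0.113.7 is a documentation address.
    samples = [
        "227 Entering Passive Mode (192,168,1,10,195,80)",
        "227 Entering Passive Mode (203,0,113,7,195,85)",
        "227 Entering Passive Mode (203,0,113,7,4,1)",
    ]
    for s in samples:
        print(s, "->", check_pasv_reply(s, "203.0.113.7") or "ok")
```

Most FTP clients show the raw 227 line in their connection log. When the listener uses a dynamic IP address, pass `external_ip=None` so only the internal-address and port-range checks apply.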
If at this point you are still unable to connect, try disabling the "Block FTP_Bounce and FXP" option, which has been known to cause issues for some clients. To do this, follow the steps below:
- Navigate to Server Limits and Settings | FTP Settings
- Select Global Properties. If this is not available, first select Use Custom Settings to gain access to it
- Navigate to the Advanced Options tab and make sure that the "Block FTP_Bounce and FXP" option is unchecked (which it is by default)
Configuring SFTP, HTTP, HTTPS in Serv-U
To configure SFTP, HTTP, or HTTPS in Serv-U, first ensure that Serv-U is listening on the proper port by navigating to the Domain Details menu and opening the "Listeners" tab.
If you are using SFTP or HTTPS, ensure that you have configured Serv-U to accept encrypted connections using the instructions at KB Article 1053 and KB Article 1712. If there is not an entry in Listeners that matches the protocol you wish to connect to, click "Add" and then add the listener (typically, the default port values are best).
Configuring Serv-U to Serv-U Gateway Connection
The secure connection Serv-U uses to communicate with Serv-U Gateway uses TCP port 1180. This value is not currently configurable.