SolarWinds | Serv-U
Active and Passive FTP Transfers Defined  -  KB Article #1138

Related Articles -- 2091, 2100

FTP and FTPS both use multiple connections to perform file transfers. The first "control" connection is always made to a defined TCP port such as 21 or 990 but all directory listing and file transfer data is passed through additional "data" connections.

Passive (or "Firewall Friendly") Mode

In "passive" mode (a.k.a. "PASV"), both control and data connections are made from your FTP client to the FTP server. In firewalled deployments, all connections are made from the Internet to the server (rather than from the server back to the Internet), so passive mode is also known as "firewall friendly" mode in some products.

Active Mode

"Active" mode is how FTP originally worked, and it is still supported (and occasionally required) by many servers. In active mode, the control connection is made from the FTP client but all data connections are made from the FTP server to the FTP client. (Yes, back the other way.) In order for this to work, you usually need either no firewalls or firewalls that understand the FTP protocol and can dynamically open ports between clients and servers that look like they are performing ACTIVE mode FTP transfers.

Recommended Transfer Mode

You should always try to use passive mode, and only use active mode if a legacy deployment absolutely requires it. Fortunately, most modern clients and servers already support passive mode and use it by default when transferring files.

Network security teams prefer passive mode because it avoids inbound connections from the Internet back into individual clients. (Almost no corporate security team would permit this.) End users prefer passive mode because it is more reliable than active mode over the Internet. (Active mode doesn't work unless multiple firewalls have been configured to allow it; passive mode generally only requires the server firewall to have been configured.) Passive mode is also preferred when using FTPS (FTP over SSL/TLS) because firewalls that can make active mode adjustments for plain text FTP cannot read FTPS control channels or make active mode FTPS adjustments.

FTP Voyager Active/Passive Support

Our FTP Voyager FTP client tries to use passive mode by default (and falls back to active mode if passive does not work), but this setting can be overridden on a site-by-site basis under the "Advanced | Connection" settings ("Force PASV Mode") for the occasional server that requires active mode.

Serv-U Active/Passive Support

Our Serv-U FTP server supports both active and passive mode by default. However, it is common to restrict the passive port range offered by Serv-U. Many customers also disable active mode on Serv-U.

FTP Commands

Passive Mode Transfers

The PASV and EPSV commands are both used in passive mode. EPSV is used by modern client/server implementations and is required when using IPv6.

When passive mode is used, the client first connects to the server on port 21. The client then issues a PASV or EPSV command, and the server replies with an IP address and port number. Finally, the client uses that IP address and port number to establish the data connection.

The illustration below shows what happens when a data connection is established. The green text is still part of the command connection. The blue text is the successful result of the data connection being established. In the server's reply to the PASV command, the first four numbers are the server's IP address and the last two define the port that will be used for the data connection. To work out which port is used, multiply the first of these two numbers by 256 and add the second. So in this example, (55 x 256) + 99 = 14179.
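The following is an added example, not code from SolarWinds or Serv-U: it parses PASV (227) and EPSV (229) replies, applies the port arithmetic above, and reports any advertised data port that falls outside the passive port range opened on the server firewall. The reply strings, the 192.0.2.10 address and the 14000-14200 range are constructed for illustration.

```python
import re

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 EPSV reply: "229 ... (|||port|)" (port only, no address)
EPSV_RE = re.compile(r"^229 [^(]*\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(reply, control_host):
    """Return (host, port) the client will open its data connection to."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            raise ValueError("PASV field larger than one byte: %r" % reply)
        host = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]      # e.g. (55 x 256) + 99 = 14179
    else:
        m = EPSV_RE.match(reply)
        if not m:
            raise ValueError("not a 227/229 passive reply: %r" % reply)
        # EPSV carries no address; the data connection goes to the same
        # host as the control connection.
        host, port = control_host, int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("invalid data port %d" % port)
    return host, port


def ports_outside_range(replies, control_host, low, high):
    """Ports advertised by the server that the firewall range would block."""
    bad = []
    for reply in replies:
        _, port = parse_passive_reply(reply, control_host)
        if not low <= port <= high:
            bad.append(port)
    return bad


# Constructed sample replies (192.0.2.10 is a documentation address).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,55,99)",
    "229 Entering Extended Passive Mode (|||14185|)",
    "227 Entering Passive Mode (192,0,2,10,195,81)",
]

if __name__ == "__main__":
    # Assumed firewall rule: passive data ports 14000-14200 are open.
    print(ports_outside_range(SAMPLE_REPLIES, "192.0.2.10", 14000, 14200))
```

A non-empty result means the server is offering data ports that the firewall rule does not cover, so the server's passive port range and the firewall rule need to be brought into agreement.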

Active Mode Transfers

The PORT and EPRT commands are both used in active mode. EPRT is used by modern client/server implementations and is required when using IPv6.

An active connection is different because the server actually connects back to the FTP client for the data connection. In the illustration below we see the PORT command being sent by the client. This time the client sends the server the IP address and port number to connect to. The FTP server then tries to connect back to the FTP client using that information. (However, this typically only works if the client can receive inbound connections.)