How to Require Passive FTP Transfers (or "Disable Active Mode") in Serv-U - KB Article #2091
Related Articles: 1044, 2100
Many security teams now prohibit outbound connections from FTP servers. Since an FTP active mode transfer requires the server to open an outbound data connection back to the client, passive mode transfers, which involve only inbound connections, must be required instead.
Firewall technicians often enforce this requirement by setting up firewall rules that prohibit all outbound connections. However, this often leads to connectivity issues and support calls from users who simply see failed transfers and timeouts when they attempt to perform active mode transfers.
A more elegant solution is to turn off active mode transfers at the server level and configure the FTP server to send back helpful error messages that tell end users to stop using active mode transfers. The following instructions tell how to do this in the Serv-U FTP server by disabling two active mode commands (PORT and EPRT) and changing the text Serv-U sends in its "command not implemented" error message.
- Open your Serv-U Management Console, select the appropriate domain, and then navigate to the Limits & Settings tab.
- Select the FTP Settings tab.
- Click Use custom settings.
- Double-click the "EPRT" command, select Disable command, and then click Save.
- Double-click the "PORT" command, select Disable command, and then click Save.
- Click Global Properties at the bottom of the FTP Settings tab. This will open the FTP Command Properties tab.
- Double-click the 502 - Command not implemented entry. Change the text from "Command not implemented." to either "Command not implemented. (Note that ACTIVE mode is not supported!)" or "Command not implemented. (ACTIVE mode is not supported - use PASSIVE instead!)" Then click Save.
- To test, connect to Serv-U using an FTP client that is set up to only support active mode. Connect to the server, attempt a directory listing or transfer, and look for your custom 502 error message. Then reconfigure the FTP client to support passive mode, reconnect, and make sure passive transfers work.
- Firewall rules that prohibit all outbound connections from Serv-U should still be implemented; these instructions simply avoid support calls by helping end users understand why their active mode transfers are failing.
- These instructions also apply when Serv-U Gateway is used to avoid deploying Serv-U in a DMZ segment.
- Also remember to set a specific passive port range on both Serv-U and your firewall.
- While it is possible to enable or disable FTP commands at the domain level, making this type of change at the server level is preferred because your firewall team will probably not be interested in making outbound connection exceptions for specific FTP server domains.
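The test step above (connect with an active-only client, expect the custom 502, then confirm passive works) can be scripted with the standard-library ftplib client. The following is an added example written for this article; it is not Serv-U code and not from the article. check_ftp_modes() can be pointed at any FTP host. MockServUDomain is a constructed, minimal stand-in for a Serv-U domain configured as described (PORT and EPRT disabled, custom 502 text) so the check runs offline; the file names it lists and the CUSTOM_502 constant are constructed values.

```python
"""Check that an FTP server rejects active mode (PORT/EPRT) with a 502 reply
while passive mode (PASV) listings still work.

Added example, not SolarWinds/Serv-U code. check_ftp_modes() is a plain
ftplib client; MockServUDomain is a constructed mock used only so that the
check can be exercised without a real server.
"""
import socket
import threading
from ftplib import FTP, all_errors, error_perm

# The custom 502 text suggested in the article (constructed constant).
CUSTOM_502 = ("502 Command not implemented. "
              "(ACTIVE mode is not supported - use PASSIVE instead!)")


def check_ftp_modes(host, port=21, user="anonymous", password="anonymous@", timeout=5):
    """Return a dict describing how the server handles each transfer mode.

    In active mode ftplib sends PORT (EPRT over IPv6) before the listing, so a
    disabled command surfaces as error_perm carrying the server's 502 line.
    In passive mode the same NLST listing must succeed over the inbound data
    connection."""
    result = {"active_rejected": False, "active_reply": "",
              "passive_ok": False, "passive_listing": []}
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    ftp.login(user, password)
    try:
        ftp.set_pasv(False)  # force PORT/EPRT: a hardened server must refuse
        try:
            ftp.nlst()
            result["active_reply"] = "accepted"  # active mode is still allowed
        except error_perm as exc:
            result["active_reply"] = str(exc)
            result["active_rejected"] = result["active_reply"].startswith("502")
        ftp.set_pasv(True)  # PASV: the data connection is inbound to the server
        try:
            result["passive_listing"] = ftp.nlst()
            result["passive_ok"] = True
        except all_errors as exc:
            result["passive_listing"] = [str(exc)]
    finally:
        try:
            ftp.quit()
        except all_errors:
            ftp.close()
    return result


class MockServUDomain(threading.Thread):
    """Constructed mock of one Serv-U domain after the article's changes."""

    def __init__(self, files=("readme.txt", "report.csv")):
        super().__init__(daemon=True)
        self.listener = socket.create_server(("127.0.0.1", 0))
        self.port = self.listener.getsockname()[1]
        self.files = list(files)  # constructed directory contents

    def run(self):
        while True:
            conn, _ = self.listener.accept()
            with conn:
                self._serve(conn)

    def _serve(self, conn):
        def send(line):
            conn.sendall((line + "\r\n").encode("ascii"))

        data_listener = None
        send("220 Serv-U mock ready.")
        rfile = conn.makefile("rb")
        for raw in rfile:
            cmd, _, _arg = raw.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                send("331 User name okay, need password.")
            elif cmd == "PASS":
                send("230 User logged in.")
            elif cmd == "TYPE":
                send("200 Type set.")
            elif cmd in ("PORT", "EPRT"):
                send(CUSTOM_502)  # the two disabled active-mode commands
            elif cmd == "PASV":
                data_listener = socket.create_server(("127.0.0.1", 0))
                p = data_listener.getsockname()[1]
                send("227 Entering Passive Mode (127,0,0,1,%d,%d)" % (p >> 8, p & 0xFF))
            elif cmd in ("NLST", "LIST"):
                if data_listener is None:
                    send("425 Use PASV first.")
                    continue
                send("150 Opening data connection.")
                dconn, _ = data_listener.accept()  # client connected after 227
                with dconn:
                    dconn.sendall("".join(f + "\r\n" for f in self.files).encode("ascii"))
                data_listener.close()
                data_listener = None
                send("226 Transfer complete.")
            elif cmd == "QUIT":
                send("221 Goodbye.")
                break
            else:
                send("502 Command not implemented.")
        rfile.close()


def run_self_check():
    """Start the mock domain and run the client check against it."""
    server = MockServUDomain()
    server.start()
    return check_ftp_modes("127.0.0.1", server.port)


if __name__ == "__main__":
    print(run_self_check())
```

Against a real Serv-U host, call check_ftp_modes(host, 21, user, password) with a test account; active_rejected should be True with the custom text in active_reply, and passive_ok should be True. If passive_ok is False, the passive port range on the server or firewall is the first thing to check.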