FTP functions on a client-server model. The server hosts the files to be shared and the client provides the interface to access, download, or upload files to the file server. The computers transferring the files can be within the same network where the FTP server is configured, as well as outside the network (over the Internet). FTP uses two ports, one for connection and one for sending data.
FTP can run in two modes: active and passive. And, it uses two channels between the client and server: the command channel and the data channel. The command channel is for sending the commands and responses, and the data channel is for sending the actual data. As for the active and passive modes, in the active mode, the client launches the command channel, and the server establishes the data channel. In the passive mode, both the command and data channels are established by the client.
Most organizations prefer passive mode. In this mode, the client initiates both channels; therefore, the organization has less or no alterations to make on the client firewall. The connection is from the client to the server, and the data will be return traffic to the client. Overall, organizations can allow their users (clients) to connect to FTP servers without compromising network security.
Primarily, the command channel is opened by the client to the FTP server on port 21. The client also opens two random, unprivileged ports on the client (typically a port greater than 1023). We’ll call the first port P and the second port P+1. The FTP client initiates the connection to the server by sending a PASV command. The client connects to the server from port P to server port 21 with the PASV command. The server then opens another unprivileged port Q (any port greater than 1023), and sends the port information back as a reply to the PASV command. Now the client initiates the connection from port P+1 to port Q on the server to start the data transfer.
|Step 1||The client contacts the server using the PASV command on port 21.|
|Step 2||The server replies using the port 2000. Here, port 2000 is the port that the server will be listening to for the data connection.|
|Step 3||The client initiates the connection from port 1025 to 2000 (on the server).|
|Step 4||The server sends back the ACK (acknowledgement).|
Client side: Data and other communications from the client should reach the FTP server. Make sure you allow the outgoing data and other communications from the client to go to the FTP server.
Server side: Port 21 should be open, as that is the port which receives the PASV command for initiating the connection. The port used by the server to respond to the client can be anything between Port 22 to 1022. Because the FTP server specifies a random port (anything greater than 1023), those ports should be open for communication.
“ICACLS "%SystemDrive%\ftp\ftproot" /Grant IUSR:R /T”.
"%SystemDrive%\ ftp \ftproot"(or the path to the root folder) should be set as the path for your FTP site. Even the software firewall (Windows firewall, Symantec, etc.) should allow connections to the FTP server.
In this example, we will use Windows Server 2008 R2 to configure FTP.
If IIS is not installed,
If IIS is installed already (as a Web server),
To transfer files, you should add an FTP site. Once the FTP site is enabled, clients can transfer to and from the site using the FTP protocol.
%SystemDrive%\ ftp \ftproot
To access files on the FTP server, open a file explorer and type ftp://serverIP. The FTP server asks for a username and password. Enter the username and password (Windows or Active Directory credentials) and click Logon. The files and folders display under the FTP server.
Secure FTP server software that provides comprehensive security, automation, and centralized control for file transfers across your organization