
Auvik Backup fails using passive FTP on Windows machines


To understand why this happens, you need to understand the difference between active and passive FTP, that is, how the data connection is established between the FTP client and the FTP server.

With active FTP, the client opens the control connection from a random ephemeral port (N > 1023) to the FTP server's port 21; the control connection is the same in both modes. The client then tells the server, with the PORT command, which of its own ephemeral ports to use for data, and the server initiates the data connection from its port 20 to that client port. The potential issue is that the server has to open a connection back to the client on a port the client chose: a firewall or NAT device in front of the client may block, or be unable to forward, that incoming connection.

With passive FTP, the client opens the control connection the same way, from a random ephemeral port to the server's port 21, and asks the server to enter passive mode with the PASV command. The server then listens on a random ephemeral port (P > 1023) of its own and returns that address and port to the client, and the client initiates the data connection to it. The benefit is that the client initiates both the control and the data connections, which works better with firewalls and NAT because the server never has to connect back to the client. The trade-off is that the server's firewall must now accept inbound connections on whichever ephemeral ports the server hands out, which is why the Windows firewall rules below are needed.

 

Key Differences:

                      Active FTP                                      Passive FTP
Control Connection    Client (ephemeral port) → Server (port 21)      Client (ephemeral port) → Server (port 21)
Data Connection       Server (port 20) → Client (ephemeral port)      Client (ephemeral port) → Server (ephemeral port)
Who Initiates Data    Server initiates the data connection to client  Client initiates the data connection to server
Firewall/NAT Impact   Client-side firewall/NAT may block the          Easier with firewalls, as the client initiates
                      server-initiated connection                     both connections (server must allow its data ports)
Usage                 Historically the default mode for FTP           Preferred in modern networks, especially behind firewalls
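As an added example that is not part of the original Auvik article, the following PowerShell shows how each mode announces the data port (the 227 reply encodes the port as p1*256 + p2, and the address travels inside the FTP payload, which is why NAT breaks it) and includes a live check that logs in, sends PASV and tries to reach the announced data port. The 227 reply and the 192.0.2.x addresses are constructed (RFC 5737 documentation range), and Test-PassiveFtp, its parameter names and the default credentials are assumptions for illustration.

```powershell
# Added example, not code from the Auvik article. Shows how FTP announces
# the data port in each mode and drives a real passive exchange for testing.
# The sample reply and 192.0.2.x addresses are constructed (RFC 5737 range).

function ConvertFrom-PasvReply {
    # Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into the endpoint
    # the CLIENT must connect to for data. The port is p1*256 + p2.
    param([Parameter(Mandatory)][string]$Reply)
    if ($Reply -match '^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)') {
        $ip   = '{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4]
        $port = [int]$Matches[5] * 256 + [int]$Matches[6]
    } else {
        throw "Not a 227 PASV reply: $Reply"
    }
    [pscustomobject]@{
        Mode      = 'Passive'
        ServerIp  = $ip
        Port      = $port
        # The address is carried inside the FTP payload, so plain NAT does not
        # rewrite it; a private address seen from outside the NAT is unreachable.
        PrivateIp = [bool]($ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')
    }
}

function New-PortCommand {
    # Build the active-mode "PORT h1,h2,h3,h4,p1,p2" command the client sends
    # so the SERVER can connect back from port 20 to this client endpoint.
    param(
        [Parameter(Mandatory)][ipaddress]$ClientIp,
        [Parameter(Mandatory)][int]$ClientPort
    )
    if ($ClientPort -lt 1024 -or $ClientPort -gt 65535) {
        throw "Client data port must be ephemeral (1024-65535), got $ClientPort"
    }
    $o = $ClientIp.GetAddressBytes()
    'PORT {0},{1},{2},{3},{4},{5}' -f $o[0], $o[1], $o[2], $o[3],
        [math]::Floor($ClientPort / 256), ($ClientPort % 256)
}

function Test-PassiveFtp {
    # Log in over the control connection, send PASV, then try a plain TCP
    # connect to the announced data port. Nothing is transferred. This helper,
    # its parameters and the default credentials are assumptions for illustration.
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$ControlPort = 21,
        [string]$User = 'anonymous',
        [string]$Password = 'backup@example.com'
    )
    $ctl    = New-Object System.Net.Sockets.TcpClient($Server, $ControlPort)
    $stream = $ctl.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true
    $readReply = {
        # A reply ends with a "NNN text" line; continuation lines look like "NNN-text".
        do { $line = $reader.ReadLine() } while ($line -and $line -notmatch '^\d{3} ')
        $line
    }
    try {
        [void](& $readReply)                                  # 220 greeting
        $writer.WriteLine("USER $User");     [void](& $readReply)
        $writer.WriteLine("PASS $Password"); $login = & $readReply
        if ($login -notmatch '^230') { return "Login failed: $login" }
        $writer.WriteLine('PASV')
        $pasv = ConvertFrom-PasvReply (& $readReply)
        try {
            $data = New-Object System.Net.Sockets.TcpClient($pasv.ServerIp, $pasv.Port)
            $data.Close()
            "Data port $($pasv.ServerIp):$($pasv.Port) reachable; passive mode should work"
        } catch {
            "Control port open, but data port $($pasv.ServerIp):$($pasv.Port) is blocked " +
            "(private address: $($pasv.PrivateIp)): $($_.Exception.Message)"
        }
    } finally {
        try { $writer.WriteLine('QUIT') } catch { }
        $ctl.Close()
    }
}

# Offline demonstration with a constructed reply and constructed addresses
ConvertFrom-PasvReply '227 Entering Passive Mode (192,0,2,10,195,80)'
New-PortCommand -ClientIp 192.0.2.25 -ClientPort 51234

# Live check against your own FTP server (adjust and uncomment):
# Test-PassiveFtp -Server 192.0.2.10 -User backup -Password 'secret'
```

The first call shows the server address and data port a client would connect to after PASV, computed from the last two numbers of the reply; the second shows the address and port a client would hand to the server in active mode. Test-PassiveFtp is the check to run from the machine that fails: if the control connection and login succeed but the data port is unreachable, the problem is the firewall rule for the passive range (or NAT in the path), not FTP credentials.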

To allow passive FTP through the Windows firewall on the FTP server, create an inbound rule as follows:

  1. Go to Control Panel
  2. Select System & Security
  3. Select Windows Defender Firewall
  4. Go to Advanced Settings
  5. Click Inbound Rules on the left
  6. Click New Rule on the right
  7. Choose Port for your rule type
  8. Click Next
  9. Select TCP at the top of the next box
  10. Under Specific local ports, enter the ports to allow. Passive FTP needs two inbound allowances, so either create two rules or list both in one:
    • Port 21, the control connection, over which the client sends the PASV command
    • The passive (ephemeral) port range the FTP server hands out in its PASV replies, which must match the range configured on the server (a range such as 50000-50100 can be entered directly)
  11. Check Allow the connection
  12. Click Next
  13. Unless there is a reason for the rule not to apply in all three profiles (Domain, Private and Public), leave all three checked
  14. Click Next
  15. Enter a Name for the rule
    • If desired, add a Description
  16. Click Finish

Note: For this to work, you also need to configure a specific passive port range on the FTP server itself and allow that same range on any other firewall between the client and the server. A server that picks from the whole ephemeral range cannot be allowed through without opening every high port.
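The same two rules, created from an elevated PowerShell prompt with the built-in NetSecurity cmdlets and then read back for verification, as an added example that is not part of the Auvik article. The passive range 50000-50100, the rule display names and the helper function names are assumptions; use the range actually configured on your FTP server.

```powershell
# Added example, not from the Auvik article. Run from an elevated PowerShell
# prompt on the FTP server. The passive range 50000-50100 is an ASSUMPTION for
# illustration and must match the passive port range configured on the server.

function New-PassiveFtpRules {
    param(
        [int]$ControlPort     = 21,
        [string]$PassiveRange = '50000-50100',
        [string]$Program      = ''     # optional: restrict the rules to the FTP server binary
    )
    $common = @{
        Direction = 'Inbound'
        Protocol  = 'TCP'
        Action    = 'Allow'
        Profile   = @('Domain', 'Private', 'Public')   # all three, as in the wizard
    }
    if ($Program) { $common['Program'] = $Program }

    # Rule 1: the control connection; the PASV command travels over this channel
    New-NetFirewallRule @common -DisplayName 'FTP control (port 21)' -LocalPort $ControlPort
    # Rule 2: the server's passive data ports that the client connects to after PASV
    New-NetFirewallRule @common -DisplayName 'FTP passive data ports' -LocalPort $PassiveRange
}

function Get-PassiveFtpRules {
    # Read back what the firewall actually holds, including each rule's port filter
    Get-NetFirewallRule -DisplayName 'FTP *' -ErrorAction SilentlyContinue | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Enabled   = $_.Enabled
            Direction = $_.Direction
            Action    = $_.Action
            Profile   = $_.Profile
            Protocol  = $pf.Protocol
            LocalPort = ($pf.LocalPort -join ',')
        }
    }
}

New-PassiveFtpRules -ControlPort 21 -PassiveRange '50000-50100' | Out-Null
Get-PassiveFtpRules | Format-Table -AutoSize
```

From the client side, Test-NetConnection -ComputerName <server> -Port 21 only proves the control port; the server does not listen on a passive data port until a PASV command has been answered, so a port scan of the range will show it closed even when the rule is correct, and the range has to be exercised with a real PASV exchange. Windows Defender Firewall also ships a stateful FTP inspector (visible as EnableStatefulFtp in Get-NetFirewallSetting) that watches PASV replies on port 21 and opens the data port dynamically; an explicit rule for the server's configured range works whether or not that inspector is able to see the control channel.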
