Working on a bunch of servers lately has been exhausting, especially the policy and firewall work: my hands are sore from clicking and my eyes are swimming.
Saving this article by author Bernard Cheah (MVP) here for now. Passive FTP on IIS is a little different from other FTP servers: the passive ports must be 5001 or higher, and if you accidentally overlook that, its service will die. On top of that, there is no GUI for this setting; it can only be created with one of the admin scripts.
SUMMARY
This article describes how to customize the FTP passive port range for passive-mode clients connecting to an IIS FTP server.
MORE INFORMATION
The IIS-based FTP service supports both active and passive mode connections, depending on the method that is specified by the client. IIS does not support disabling either active or passive connection modes.
Unlike HTTP and other protocols used on the Internet, the FTP protocol uses a minimum of two connections during a session: a half-duplex connection for control, and a full-duplex connection for data transfer. By default, TCP port 21 is used on the server for the control connection, but the data connection is determined by the method that the client uses to connect to the server, as detailed below.
Active-mode FTP connections are sometimes referred to as "client-managed" because the client sends a port command to the server, over the control connection. The command requests the server to establish a data connection from TCP port 20 on the server to the client, using the TCP port that is specified by the port command.
Passive-mode FTP connections are sometimes referred to as "server-managed", because after the client issues a pasv command, the server responds with one of its transient ports used as the server-side port of the data connection. After a data connection command is issued by the client, the server connects to the client using the port immediately above the client-side port of the control connection.
In passive mode, IIS FTP by default responds with a randomly chosen port in the range 1024 - 65535. To narrow this very large port range, the system administrator can configure a metabase property key named PassivePortRange. This property key exists only in IIS 6.0; for IIS 5.0 in Windows 2000, the system administrator needs to install Service Pack 4 and add the PassivePortRange key in the system registry.
To change the PassivePortRange for IIS, perform the procedure that is described in one of the following sections.
For Windows 2003 Server
a) To Enable Direct Metabase Edit
1. Open the IIS Microsoft Management Console (MMC).
2. Right-click on the Local Computer node.
3. Select Properties.
4. Make sure the Enable Direct Metabase Edit checkbox is checked.
b) Configure PassivePortRange via ADSUTIL script
1. Click Start, click Run, type cmd, and then click OK.
2. Type cd Inetpub\AdminScripts and then press ENTER.
3. Type the following command from a command prompt.
adsutil.vbs set /MSFTPSVC/PassivePortRange "5500-5700"
4. Restart the FTP service.
You'll see the following output when you configure via ADSUTIL script:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
PassivePortRange : (STRING) "5500-5700"
For Windows 2000 Server
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs.
For PassivePortRange to work in Windows 2000, the system administrator must install Service Pack 4 (SP4) or later. For additional information, see the following article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
Configure PassivePortRange via Registry Editor
1. Start Registry Editor (Regedt32.exe).
2. Locate the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters\
3. Add a value named "PassivePortRange" (without the quotation marks) of type REG_SZ.
4. Close Registry Editor.
5. Restart the FTP service.
Note: The range that FTP will validate is from 5001 to 65535.
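To confirm after the restart that the service really stays inside the configured range (and that the firewall rule can be limited to it), the following added example, which is not part of the original article, validates a PassivePortRange value against the 5001-65535 rule and checks the data ports advertised in passive-mode replies. It assumes the single "low-high" form shown above and the standard RFC 959 reply format 227 (h1,h2,h3,h4,p1,p2); the function names and sample replies are constructed for illustration.

```python
import re

# Range the article says the FTP service will validate.
MIN_PORT, MAX_PORT = 5001, 65535

def parse_passive_port_range(value):
    """Parse a PassivePortRange string such as "5500-5700" into (low, high)."""
    match = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not match:
        raise ValueError(f"not a 'low-high' range: {value!r}")
    low, high = int(match.group(1)), int(match.group(2))
    if low > high:
        raise ValueError(f"low port {low} is above high port {high}")
    if low < MIN_PORT or high > MAX_PORT:
        raise ValueError(f"{low}-{high} is outside {MIN_PORT}-{MAX_PORT}")
    return low, high

def pasv_reply_port(reply):
    """Extract the data port from an RFC 959 reply: 227 ... (h1,h2,h3,h4,p1,p2)."""
    match = re.match(r"227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)", reply)
    if not match:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    fields = [int(x) for x in match.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError(f"field above 255 in reply: {reply!r}")
    # The last two fields are the high and low byte of the data port.
    return fields[4] * 256 + fields[5]

def ports_outside_range(range_value, replies):
    """Return the advertised data ports that fall outside the configured range."""
    low, high = parse_passive_port_range(range_value)
    ports = [pasv_reply_port(r) for r in replies]
    return [p for p in ports if not low <= p <= high]

if __name__ == "__main__":
    # Constructed sample replies (documentation address 192.0.2.10), not captured traffic.
    sample = [
        "227 Entering Passive Mode (192,0,2,10,21,124)",  # 21*256 + 124 = 5500
        "227 Entering Passive Mode (192,0,2,10,22,68)",   # 22*256 + 68  = 5700
        "227 Entering Passive Mode (192,0,2,10,4,210)",   # 4*256 + 210  = 1234
    ]
    print("out of range:", ports_outside_range("5500-5700", sample))
```

A port reported as out of range means the setting did not take effect or the server and the firewall rule disagree about the range.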