Passive FTP and dynamic ports in IIS8 and Windows Azure Virtual Machines

Today Windows Azure supports up to 150 endpoints, which is great for applications that rely on persistent connections, like an FTP Server. You can run an FTP Server in 2 modes:

  • Active mode: The server connects to a negotiated client port
  • Passive mode: The client connects to a negotiated server port

Passive mode is by far the most popular choice, since it doesn’t require you to open ports on the client machine, with the firewall exceptions and port forwarding that go with them. With passive mode it’s up to the server to open the required ports. Let’s see how we can get an FTP Server running in Passive mode on Windows Azure…

Configuring the endpoints

So I’ve created a new Windows Server 2012 VM in the portal. What we need to do now is open a range of ports (let’s say 100) that can be used by the FTP Server for the data connection. Usually you would do this through the portal:

Adding 100 ports manually through the portal can take some time, so we’ll do it with PowerShell. Take a look at the following script:

This simple script does the required work for you:

  • Checks if you’re adding more than 150 ports, but it doesn’t check if you already have endpoints defined on the VM
  • Adds an endpoint for the public FTP port
  • Adds the range of dynamic ports used for the data connection

Calling it is simple (here I’m opening port 2500 for the control connection and port range 10000-10125 for the data connection on my VM called passiveftp):

And here is the result, all ports have been added:

Configuring the FTP Server

We made the required changes to the endpoints, so the only thing left to do is configure the FTP Server. First we’ll see how we can configure the server in the UI. The first thing we need to do is add a Web Role and choose to install the FTP Server role services:

Then we need to create a new FTP Site in IIS, configure the port (2500) and set the authentication:

In the portal we opened the TCP ports 10000 to 10125. If we want Passive FTP to work, we need to configure the same range in IIS. This is done in the FTP Firewall Support feature. You’ll need to fill in exactly the same port range together with the public IP of the VM. To find it, simply ping the VM or go to the portal.

Finally, open the firewall for the control channel port (2500) and the data channel port range (10000-10125):

And there you go, I’m able to connect to my FTP Server using Passive mode:

Installing and configuring the FTP Server automatically

While it’s great to click around like an IT Pro, it’s always useful to have a script that does all the heavy lifting for you.

This script does… about everything:

  • Install IIS with FTP Server
  • Create the root directory with the required permissions
  • Create the FTP Site
  • Activate basic authentication and grant access to all users
  • Disable SSL (remove this if you’re using the FTP Site in production: without SSL, basic authentication sends the username and password in clear text)
  • Configure the dynamic ports and the public IP
  • Open the ports in the firewall

Calling the script is very easy: you simply pass the name of the FTP Site, the root directory, the public port, the data channel range and the public IP. Remember that you need to run this on the VM, not on your own machine.

Both scripts are available on GitHub:


About Sandrino Di Mattia

Sandrino Di Mattia is a Customer Success Engineer at Auth0 and a Microsoft Azure MVP.

  • Fabio Mariano

    Hi Sandrino, great article. Could the same rule work for 2 VMs in load balancing for port 21 and 10000-10005?

  • Nel Rod

    On the installing FTP line the last script shows pkgmgr has been deprecated. Replace with DISM

  • Elias

    Perfectly working. Thanks for all.

  • דרור סדן

    Two comments based on my experience today:

    You do not need to configure any rules in Windows Firewall on the VM since they are already defined.

    IMPORTANT! You need to stop and start the FTP service using the command line since stopping/starting from the IIS Manager does NOT make the FTP service read the changes you made to the FTP Firewall ports:

    1. Start an elevated (=administrator level) cmd shell.

    2. Stop the service by “net stop ftpsvc” (and NOT “net stop msftpsvc”)

    3. Start the service by “net start ftpsvc”

  • Toothbrush

    Thank you! May HaShem bless you.