How to Set a Passive Port Range in Serv-U FTP Server  -  KB Article #2100

Related Articles -- 1044, 2091

As you probably already know, FTP uses multiple connections on multiple ports to perform file transfers.

Many firewalls "understand" plan text FTP and can open/close the appropriate ports dynamically if you specifically configure "FTP" (rather than "TCP port 21") on firewall rules. However, when FTPS is used, the control channel the firewall would usually read is encrypted, so firewall technicians find they need to open up ranges of high inbound TCP ports to get FTPS to work in passive mode. (We do not recommend the use of active mode FTPS transfers; fortunately most clients that can do FTPS select passive mode transfers by default.)

To avoid ridiculous ranges (e.g., "allow TCP from all to ports 1024-65535"), specific ranges of inbound passive ports can be configured on both your FTP server and your firewall. These instructions show how to configure a passive FTP port range on Serv-U. (Related instructions show how to require the use of passive mode transfers in Serv-U.)

Instructions

1. Open your Serv-U Management Console and navigate to the "Server Settings" tab under "Server Limits & Settings". (Do not go to your Domain-level Limits & Settings.)
   
2. Scroll down until you see the "Network Settings" panel. Fill in a value for the "PASV Port Range". (We recommend starting with 50000-50009; you can use a narrower port range if you never hit simultaneous transfers; use a wider port range if you support more simultaneous transfers.)
   
   
3. Click the "Save" button in the "Network Settings" panel.
4. To test, connect to Serv-U using an FTP client that is set up to use passive mode. Connect to the server from outside your firewall, attempt several directory listings and transfers, and make sure passive transfers work.

Related Articles

• Serv-U Firewall Rules
• Requiring Passive Transfers

Additional Notes

• Firewall rules that prohibit all outbound connections from Serv-U should also be implemented; no outbound connections are needed when passive mode FTP transfers are performed.
• These instructions also apply when Serv-U Gateway is used to avoid deploying Serv-U in a DMZ segment.
• Also remember to require the use of passive mode on Serv-U.
  

출처 : http://www.serv-u.com/kb/2100/How-to-Set-a-Passive-Port-Range-in-ServU-FTP-Server