Configuring an FTP firewall in active and passive mode

Control-M MFT supports both the Active Data Transfer Process, and the Passive Data Transfer Process, enabling it to work behind a firewall and connect to remote FTP servers. The FTP mode is defined in the Connection Profile utility, when you define the connection definition.

This procedure describes how to configure an FTP firewall in active and passive mode.

To configure an FTP firewall in active and passive mode:

1. Open the following communication channels in the FTP server firewall:
   • FTP server's port 21 from anywhere (Client Connects the Server)
   • FTP server's port 21 to ports greater than 1023 (Server responds to client's control port)
   • FTP server's port 20 to ports greater than 1023 (Server initiates data connection to client's data port)
   • FTP server's port 20 from ports greater than 1023 (Client sends ACKs to server's data port)

   Active mode can be problematic for FTP clients behind a firewall because the FTP client does not initiate the connection to the data port of the server; rather the server connects to the client port as defined in the PORT command. Usually an outside system initiating a connection to the client is blocked by the client firewall.

   The FTP Passive Data Transfer mode was developed to resolve this issue. In Passive mode, the following sequence of events occurs:

   1. The client initiates both connections to the server, by first connecting to Server command port 21.
   2. The client then issues the PASV command, (which requests that the Server open a random unprivileged port for the data port, and sends the PORT command to the client).
   3. The client then connects to the data Server port as specified in the PORT command.
2. Open the following communication channels in the FTP server firewall, to support Passive mode FTP:
   • FTP server's port 21 from anywhere (Client connects the server)
   • FTP server's port 21 to ports greater than 1023 (Server responds to client's control port)
   • FTP server's ports greater than 1023 from anywhere (Client initiates data connection to random port specified by server)
   • FTP server's ports greater than 1023 to remote ports greater than 1023 (Server sends ACKs (and data) to client's data port)

   Problems can occur if an FTP server is behind a firewall, when FTP clients try to use passive mode to connect to a temporary random port number on the FTP server machine. The most common of these is that the firewall blocks the connection from the client to the server.

   When a restrictive firewall (one that denies a connection except for a few well known ports) exists on both the server and client sides, you should configure the firewall on the server side.Many FTP servers allow the administrator to specify a range of ports for the FTP server to use. The administrator can then limit the port range for the FTP server, and the firewall can then be configured to allow connection for the specified FTP server port range.