FTP Firewall Support <firewallSupport>


The <ftpServer/firewallSupport> element of the <site> element is used to configure the way that the FTP service works with firewalls per-site.

This element allows server administrators to configure the external address of the firewall that the FTP service will send to FTP clients when passive connections are being used.

When passive connections are negotiated using the FTP PASV command, the FTP server sends a response which contains IP address and port of the server. By specifying the externalIp4Address attribute, you can direct FTP clients to communicate with your firewall, which should route the client traffic to your FTP server. By specifying an external IP address for your firewall per-site, this allows you to route the firewall traffic for each FTP site through a different firewall.

Note: While the external IP address can be configured per-site, you can also specify the data channel port range that the FTP service will use in the global <system.ftpServer/firewallSupport> element.


Version Notes
IIS 7.5 The <firewallSupport> element of the <ftpServer> element ships as a feature of IIS 7.5.
IIS 7.0 The <firewallSupport> element of the <ftpServer> element was introduced in FTP 7.0, which was a separate download for IIS 7.0.
IIS 6.0 N/A

Note: The FTP 7.0 and FTP 7.5 services shipped out-of-band for IIS 7.0, which required downloading and installing the modules from the following URL:


With Windows 7 and Windows Server 2008 R2, the FTP 7.5 service ships as a feature for IIS 7.5, so downloading the FTP service is no longer necessary.


To support FTP publishing for your Web server, you must install the FTP service. To do so, use the following steps.

IIS 7.5 for Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
  5. Select FTP Service.

    Note: To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
  6. Click Next.
  7. On the Confirm Installation Selections page, click Install.
  8. On the Results page, click Close.

IIS 7.5 for Windows 7

  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. Expand Internet Information Services, and then FTP Server.
  4. Select FTP Service.

    Note: To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
  5. Click OK.

IIS 7.0 for Windows Server 2008 and Windows Vista

  1. Download the installation package from the following URL:
  2. Follow the instructions in the following walkthrough to install the FTP service:

How To

How to configure an FTP site to use the external IP address for your firewall

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, expand the server name, expand the Sites node, and then click the name of the site.
  3. In the site's Home pane, double-click FTP Firewall Support.
  4. In the External IP Address of Firewall box, type the IPv4 address of the Internet-facing network adapter of your firewall.
  5. In the Actions pane, click Apply.

Note: The data channel port range must be configured in the global <system.ftpServer/firewallSupport> element.

For additional information about how to configure the firewall settings for the FTP service, see the following topic on the Microsoft IIS.NET web site:

Configuring FTP Firewall Settings


The <firewallSupport> element is configured at the site level or in the site defaults.


Attribute Description
externalIp4Address Optional string attribute.

Specifies the external IPv4 address for your firewall.

There is no default value.

Child Elements


Configuration Sample

The following sample displays a <firewallSupport> element for an FTP site that configures the FTP service to use for the external IPv4 address of your firewall.

<site name="ftp.example.com" id="5">
  <application path="/">
    <virtualDirectory path="/" physicalPath="c:\inetpub\www.example.com" />
    <binding protocol="ftp" bindingInformation="*:21:" />
   <firewallSupport externalIp4Address="" />
        <basicAuthentication enabled="true" />
        <anonymousAuthentication enabled="false" />

Sample Code

The following examples configure an FTP site to use for the external IPv4 address of your firewall.


appcmd.exe set config -section:system.applicationHost/sites /[name='ftp.example.com'].ftpServer.firewallSupport.externalIp4Address:"" /commit:apphost

Note: You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.


using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
   private static void Main()
      using (ServerManager serverManager = new ServerManager())
         Configuration config = serverManager.GetApplicationHostConfiguration();
         ConfigurationSection sitesSection = config.GetSection("system.applicationHost/sites");
         ConfigurationElementCollection sitesCollection = sitesSection.GetCollection();

         ConfigurationElement siteElement = FindElement(sitesCollection, "site", "name", @"ftp.example.com");
         if (siteElement == null) throw new InvalidOperationException("Element not found!");
         ConfigurationElement ftpServerElement = siteElement.GetChildElement("ftpServer");

         ConfigurationElement firewallSupportElement = ftpServerElement.GetChildElement("firewallSupport");
         firewallSupportElement["externalIp4Address"] = @"";

   private static ConfigurationElement FindElement(ConfigurationElementCollection collection, string elementTagName, params string[] keyValues)
      foreach (ConfigurationElement element in collection)
         if (String.Equals(element.ElementTagName, elementTagName, StringComparison.OrdinalIgnoreCase))
            bool matches = true;
            for (int i = 0; i < keyValues.Length; i += 2)
               object o = element.GetAttributeValue(keyValues[i]);
               string value = null;
               if (o != null)
                  value = o.ToString();
               if (!String.Equals(value, keyValues[i + 1], StringComparison.OrdinalIgnoreCase))
                  matches = false;
            if (matches)
               return element;
      return null;



Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample
   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetApplicationHostConfiguration
      Dim sitesSection As ConfigurationSection = config.GetSection("system.applicationHost/sites")
      Dim sitesCollection As ConfigurationElementCollection = sitesSection.GetCollection

      Dim siteElement As ConfigurationElement = FindElement(sitesCollection, "site", "name", "ftp.example.com")
      If (siteElement Is Nothing) Then
         Throw New InvalidOperationException("Element not found!")
      End If
      Dim ftpServerElement As ConfigurationElement = siteElement.GetChildElement("ftpServer")

      Dim firewallSupportElement As ConfigurationElement = ftpServerElement.GetChildElement("firewallSupport")
      firewallSupportElement("externalIp4Address") = ""

   End Sub

   Private Function FindElement(ByVal collection As ConfigurationElementCollection, ByVal elementTagName As String, ByVal ParamArray keyValues() As String) As ConfigurationElement
      For Each element As ConfigurationElement In collection
         If String.Equals(element.ElementTagName, elementTagName, StringComparison.OrdinalIgnoreCase) Then
            Dim matches As Boolean = True
            Dim i As Integer
            For i = 0 To keyValues.Length - 1 Step 2
               Dim o As Object = element.GetAttributeValue(keyValues(i))
               Dim value As String = Nothing
               If (Not (o) Is Nothing) Then
                  value = o.ToString
               End If
               If Not String.Equals(value, keyValues((i + 1)), StringComparison.OrdinalIgnoreCase) Then
                  matches = False
                  Exit For
               End If
            If matches Then
               Return element
            End If
         End If
      Return Nothing
   End Function

End Module


var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST");
var sitesCollection = sitesSection.Collection;

var siteElementPos = FindElement(sitesCollection, "site", ["name", "ftp.example.com"]);
if (siteElementPos == -1) throw "Element not found!";
var siteElement = sitesCollection.Item(siteElementPos);
var ftpServerElement = siteElement.ChildElements.Item("ftpServer");

var firewallSupportElement = ftpServerElement.ChildElements.Item("firewallSupport");
firewallSupportElement.Properties.Item("externalIp4Address").Value = "";


function FindElement(collection, elementTagName, valuesToMatch) {
   for (var i = 0; i < collection.Count; i++) {
      var element = collection.Item(i);
      if (element.Name == elementTagName) {
         var matches = true;
         for (var iVal = 0; iVal < valuesToMatch.length; iVal += 2) {
            var property = element.GetPropertyByName(valuesToMatch[iVal]);
            var value = property.Value;
            if (value != null) {
               value = value.toString();
            if (value != valuesToMatch[iVal + 1]) {
               matches = false;
         if (matches) {
            return i;
   return -1;


Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST")
Set sitesCollection = sitesSection.Collection

siteElementPos = FindElement(sitesCollection, "site", Array("name", "ftp.example.com"))
If siteElementPos = -1 Then
   WScript.Echo "Element not found!"
End If
Set siteElement = sitesCollection.Item(siteElementPos)
Set ftpServerElement = siteElement.ChildElements.Item("ftpServer")

Set firewallSupportElement = ftpServerElement.ChildElements.Item("firewallSupport")
firewallSupportElement.Properties.Item("externalIp4Address").Value = ""


Function FindElement(collection, elementTagName, valuesToMatch)
   For i = 0 To CInt(collection.Count) - 1
      Set element = collection.Item(i)
      If element.Name = elementTagName Then
         matches = True
         For iVal = 0 To UBound(valuesToMatch) Step 2
            Set property = element.GetPropertyByName(valuesToMatch(iVal))
            value = property.Value
            If Not IsNull(value) Then
               value = CStr(value)
            End If
            If Not value = CStr(valuesToMatch(iVal + 1)) Then
               matches = False
               Exit For
            End If
         If matches Then
            Exit For
         End If
      End If
   If matches Then
      FindElement = i
      FindElement = -1
   End If
End Function
Deprecated Elements