Default FTP Firewall Support Settings <firewallSupport>


The <ftpServer/firewallSupport> element of the <siteDefaults> element is used to configure the way that the FTP service works with firewalls by default.

This element allows server administrators to configure the external address of the firewall that the FTP service will send to FTP clients when passive connections are being used.

When passive connections are negotiated using the FTP PASV command, the FTP server sends a response which contains IP address and port of the server. By specifying the externalIp4Address attribute, you can direct FTP clients to communicate with your firewall, which should route the client traffic to your FTP server. By specifying an external IP address for your firewall per-site, this allows you to route the firewall traffic for each FTP site through a different firewall.

Note: While the external IP address can be configured per-site, you can also specify the data channel port range that the FTP service will use in the global <system.ftpServer/firewallSupport> element.


Version Notes
IIS 7.5 The <firewallSupport> element of the <ftpServer> element ships as a feature of IIS 7.5.
IIS 7.0 The <firewallSupport> element of the <ftpServer> element was introduced in FTP 7.0, which was a separate download for IIS 7.0.
IIS 6.0 N/A

Note: The FTP 7.0 and FTP 7.5 services shipped out-of-band for IIS 7.0, which required downloading and installing the modules from the following URL:

With Windows 7 and Windows Server 2008 R2, the FTP 7.5 service ships as a feature for IIS 7.5, so downloading the FTP service is no longer necessary.


To support FTP publishing for your Web server, you must install the FTP service. To do so, use the following steps.

IIS 7.5 for Windows Server 2008 R2

  1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
  3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
  5. Select FTP Service.

    Note: To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
  6. Click Next.
  7. On the Confirm Installation Selections page, click Install.
  8. On the Results page, click Close.

IIS 7.5 for Windows 7

  1. On the taskbar, click Start, and then click Control Panel.
  2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
  3. Expand Internet Information Services, and then FTP Server.
  4. Select FTP Service.

    Note: To support ASP.Membership authentication or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.
  5. Click OK.

IIS 7.0 for Windows Server 2008 and Windows Vista

  1. Download the installation package from the following URL:
  2. Follow the instructions in the following walkthrough to install the FTP service:

How To

How to configure the FTP service for the default external IP address to use for your firewall

  1. Open Internet Information Services (IIS) Manager:
    • If you are using Windows Server 2008 or Windows Server 2008 R2:
      • On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
    • If you are using Windows Vista or Windows 7:
      • On the taskbar, click Start, and then click Control Panel.
      • Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
  2. In the Connections pane, click the server name.
  3. In the server's Home pane, double-click FTP Firewall Support.
  4. In the External IP Address of Firewall box, type the IPv4 address of the Internet-facing network adapter of your firewall.
  5. In the Actions pane, click Apply.

Note: The data channel port range must be configured in the global <system.ftpServer/firewallSupport> element.

For additional information about how to configure the firewall settings for the FTP service, see the following topic on the Microsoft IIS.NET web site:

Configuring FTP Firewall Settings



Attribute Description
externalIp4Address Optional string attribute.

Specifies the external IPv4 address for your firewall.

There is no default value.

Child Elements


Configuration Sample

The following configuration sample displays an example <firewallSupport> element for a server that defines the default firewall settings.

      <firewallSupport externalIp4Address="" />

Sample Code

The following code samples demonstrate how to configure the default firewall settings for the FTP service.


REM Configure the default external IP address of a firewall.
appcmd.exe set config -section:system.applicationHost/sites /siteDefaults.ftpServer.firewallSupport.externalIp4Address:"" /commit:apphost

Note: You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.


using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
   private static void Main()
      using (ServerManager serverManager = new ServerManager())
         Configuration config = serverManager.GetApplicationHostConfiguration();
         ConfigurationSection sitesSection = config.GetSection("system.applicationHost/sites");
         ConfigurationElement siteDefaultsElement = sitesSection.GetChildElement("siteDefaults");
         ConfigurationElement ftpServerElement = siteDefaultsElement.GetChildElement("ftpServer");

         ConfigurationElement firewallSupportElement = ftpServerElement.GetChildElement("firewallSupport");
            firewallSupportElement["externalIp4Address"] = @"";



Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample
   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetApplicationHostConfiguration
      Dim sitesSection As ConfigurationSection = config.GetSection("system.applicationHost/sites")
      Dim siteDefaultsElement As ConfigurationElement = sitesSection.GetChildElement("siteDefaults")
      Dim ftpServerElement As ConfigurationElement = siteDefaultsElement.GetChildElement("ftpServer")

      Dim firewallSupportElement As ConfigurationElement = ftpServerElement.GetChildElement("firewallSupport")
         firewallSupportElement("externalIp4Address") = ""

   End Sub

End Module


var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";

var sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST");
var siteDefaultsElement = sitesSection.ChildElements.Item("siteDefaults");
var ftpServerElement = siteDefaultsElement.ChildElements.Item("ftpServer");

var firewallSupportElement = ftpServerElement.ChildElements.Item("firewallSupport");
   firewallSupportElement.Properties.Item("externalIp4Address").Value = "";



Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set sitesSection = adminManager.GetAdminSection("system.applicationHost/sites", "MACHINE/WEBROOT/APPHOST")
Set siteDefaultsElement = sitesSection.ChildElements.Item("siteDefaults")
Set ftpServerElement = siteDefaultsElement.ChildElements.Item("ftpServer")

Set firewallSupportElement = ftpServerElement.ChildElements.Item("firewallSupport")
   firewallSupportElement.Properties.Item("externalIp4Address").Value = ""

Deprecated Elements