We covered the basics of FTP port management in our earlier blog post, an overview of FTP and FTPS ports. There are several additional best practices to consider when managing FTP server ports. Let’s dive in.
1. Bulletproof your port forwarding
When Cerberus FTP Server by Redwood, or almost any other file server, sits behind a NAT gateway, administrators must configure port forwarding before clients on the internet can reach it. Port forwarding is a gateway/router (and sometimes firewall) rule that takes connections arriving on a given external port and directs them to a specific host and port on your internal network.
Specific guides to port forwarding depend on your particular network equipment combination. Below are links to several more popular providers’ port forwarding resources.
- Cisco port forwarding resources
- Netgear port forwarding information
- Juniper Networks port forwarding help information
Preventing port forwarding errors and issues
To make your FTP server port forwarding as secure and seamless as possible, consider the following actions:
- Double-check your FTP port settings: Start by confirming that the ports for the protocols you want to offer are available on the server and correctly forwarded from your gateway or router. By default, FTP and explicit FTPS use port 21 (explicit FTPS upgrades the port 21 control connection with AUTH TLS), SFTP runs over SSH on port 22, and implicit FTPS uses port 990, but your organization may use different port numbers. Forward only the ports for the protocols you actually offer; a forwarded port 21 on a server that only serves SFTP is exposure without benefit. If you use a different file transfer protocol such as AS2, you will need to pick the port yourself and test its forwarding, because AS2 runs over HTTP or HTTPS and has no port of its own.
- Confirm the passive FTP port range on your file server: Cerberus FTP Server recommends running file transfers in passive mode, as this mode generally works better with firewall settings on both ends. Most FTP servers let you specify the passive port range, and the range forwarded on your gateway/router must match the range configured on the server exactly. Keep the range as small as your peak number of concurrent transfers allows, since every forwarded port is reachable from the internet. If the server sits behind NAT, also configure the external (public) IP address it should advertise in passive replies; otherwise clients are handed the server’s LAN address and the data connection never comes up. You can read more on the steps to forward passive FTP port ranges here.
- Confirm your protocol settings: Each forwarding rule carries a TCP/UDP protocol choice. FTP, FTPS and SFTP all run over TCP, so set each rule to TCP only. Forwarding UDP as well (or choosing "both") does nothing for these protocols and needlessly widens what the gateway exposes; the speed sometimes attributed to UDP is not available to them.
- Make sure you’re forwarding traffic to the right LAN IP address: This recommendation almost goes without saying, but we’ve all made IP address typos before, so confirm that the rule points at the FTP server’s actual LAN address. Give the server a static address or a DHCP reservation as well, so the rule does not silently break when a lease changes.
Port scanner utilities are handy for confirming the above. Run them from a host outside your network (for example, nmap against your public address), because a scan from inside the LAN never exercises the forwarding rules.
2. Run your FTP server in passive mode
FTP servers operate in either active mode or passive mode, which affects how connections are made:
- In active mode, the client opens the command (control) connection to your server and then sends a PORT command naming an IP address and port on the client’s side. Your server opens the data connection outward, from its data port (20 by default), to that client address and port.
- In passive mode, the client still opens the command connection, but then sends PASV. Your server picks a port from its configured passive range, listens on it, and replies with its own IP address and that port number; the client then opens the data connection to it. Both connections are therefore initiated by the client.
Passive mode is far more compatible with firewalls and NAT gateways, because every connection is inbound to your server on ports you control and have forwarded. Active mode creates firewall issues because the server must open a new connection out to whatever port the client named; the client’s firewall or NAT sees an unsolicited inbound connection and, unless it runs an FTP-aware helper, blocks it. Depending on configuration, your own LAN firewall may block the outbound connection from port 20 as well.
Note that even in passive mode, you may run into FTP firewall issues. We have a support article on resolving issues with passive FTP connections at this link.
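The following is an added example, not code from Cerberus FTP Server or the original post. It decodes the 227 reply a server sends in passive mode, as described above, and checks the advertised address and port against the passive range and public address you forwarded (the "confirm the passive FTP port range" item in section 1). The inverse encoder for the client’s active-mode PORT command is included so the two exchanges can be compared side by side. The public address 203.0.113.10, the range 50000-50100 and the sample replies are hypothetical values chosen for the example.

```python
"""
Added example, not code from Cerberus FTP Server: decode what an FTP server
advertises in its passive-mode (227) reply and check it against the passive
range and public address your gateway actually forwards.  The inverse
encoder for the client's active-mode PORT command is included so the two
exchanges can be compared.  Hypothetical values used below: public address
203.0.113.10 and a forwarded passive range of 50000-50100.
"""
from __future__ import annotations

import ipaddress
import re
from ftplib import FTP

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# RFC 1918 ranges: a server behind NAT that advertises one of these in a
# 227 reply has not been told its external address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"not a 227 reply: {reply!r}")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in 227 reply: {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]


def build_port_cmd(host: str, port: int) -> str:
    """Encode the client's active-mode PORT command (same h1..h4,p1,p2 layout)."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def is_rfc1918(host: str) -> bool:
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def check_pasv_reply(reply: str, public_ip: str, passive_range: tuple[int, int]) -> list[str]:
    """List the ways this 227 reply would fail for a client on the internet."""
    host, port = parse_pasv(reply)
    lo, hi = passive_range
    findings = []
    if host != public_ip:
        if is_rfc1918(host):
            findings.append(f"server advertises LAN address {host}; set its external "
                            f"address to {public_ip} (or enable FTP ALG rewriting on the gateway)")
        else:
            findings.append(f"server advertises {host}, expected {public_ip}")
    if not lo <= port <= hi:
        findings.append(f"data port {port} is outside the forwarded range {lo}-{hi}")
    return findings


def live_check(host: str, user: str, password: str, public_ip: str,
               passive_range: tuple[int, int], control_port: int = 21) -> list[str]:
    """Ask a real server for a passive endpoint and check it (needs network access)."""
    with FTP() as ftp:
        ftp.connect(host, control_port, timeout=10)
        ftp.login(user, password)
        reply = ftp.sendcmd("PASV")
    return check_pasv_reply(reply, public_ip, passive_range)


if __name__ == "__main__":
    # Constructed replies: one correct, one from a server that does not know it is behind NAT.
    for r in ("227 Entering Passive Mode (203,0,113,10,195,80).",
              "227 Entering Passive Mode (192,168,1,20,4,1)."):
        print(r, "->", check_pasv_reply(r, "203.0.113.10", (50000, 50100)) or "OK")
```

Run live_check from a host outside your network, as with the port scan: issuing PASV from inside the LAN can succeed even when the gateway forwards nothing. The RFC 1918 test is deliberately explicit rather than using ipaddress.is_private, which also classifies documentation ranges such as 203.0.113.0/24 as non-global.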
3. Actively monitor your dynamic data ports
Firewalls and NAT gateways have a harder time with FTP than with single-port protocols because each transfer uses a fresh data port from the passive range. It is difficult to pick out suspicious traffic in an environment that opens and closes hundreds of ports every hour, and when transfers keep failing or being blocked it is tempting to loosen port restrictions rather than find the cause. Resist that temptation: every extra forwarded port widens the surface exposed to the internet, so the range should be tuned to the real transfer load and watched, not opened up.
If your organization transfers significant data volumes, consider investing in file transfer tools that provide active monitoring and blocking of their own to complement your existing network security.
Cerberus FTP Server offers several tools to help actively monitor dynamic data ports:
- Automatic IP access management with auto-blocking
- Automated network scanning with rogue transfer detection and shutdown
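As an added example of the kind of monitoring this section describes (not code from Cerberus FTP Server, and not its log format), the script below correlates the passive port grants a server hands out with the connections that later arrive on those ports. A connection to a passive data port that no client was told to use, or from an address other than the one that was granted it, is exactly the traffic that gets lost in the noise of a busy passive range. The log format, the sample lines, the range 50000-50100 and the scan threshold are all constructed for this example; adapt the two regular expressions to your own server or firewall logs.

```python
"""
Added example, not code or a log format from Cerberus FTP Server: correlate
passive-mode port grants with the connections that later arrive on those
ports, so connections nobody was told to make stand out.  The log lines
and their format are constructed for this example; point the two regexes
at your own server or firewall logs.  Assumed forwarded passive range:
50000-50100.
"""
import re
from collections import defaultdict

PASSIVE_RANGE = (50000, 50100)
SCAN_THRESHOLD = 3   # distinct ungranted ports from one source before we call it a scan

# "PASV client=<ip> port=<n>": the server told <ip> to connect to data port <n>.
GRANT_RE = re.compile(r"^(\S+) PASV client=(\S+) port=(\d+)$")
# "DATA-CONNECT src=<ip> port=<n>": a TCP connection from <ip> arrived on data port <n>.
CONNECT_RE = re.compile(r"^(\S+) DATA-CONNECT src=(\S+) port=(\d+)$")

# Constructed sample: one well-behaved client (198.51.100.7) and one host
# (192.0.2.66) that walks the passive range, including a port just granted
# to the legitimate client.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z PASV client=198.51.100.7 port=50001
2024-05-01T10:00:02Z DATA-CONNECT src=198.51.100.7 port=50001
2024-05-01T10:00:04Z PASV client=198.51.100.7 port=50002
2024-05-01T10:00:05Z DATA-CONNECT src=192.0.2.66 port=50002
2024-05-01T10:00:06Z DATA-CONNECT src=192.0.2.66 port=50003
2024-05-01T10:00:07Z DATA-CONNECT src=192.0.2.66 port=50004
2024-05-01T10:00:08Z DATA-CONNECT src=192.0.2.66 port=50005
2024-05-01T10:00:09Z DATA-CONNECT src=198.51.100.7 port=50002
"""


def analyze(log_text, passive_range=PASSIVE_RANGE, scan_threshold=SCAN_THRESHOLD):
    """Return human-readable findings for every suspicious data-port connection."""
    lo, hi = passive_range
    grants = {}                      # data port -> client it was handed to
    ungranted = defaultdict(set)     # source -> passive ports it hit without a grant
    findings = []
    for line in log_text.splitlines():
        m = GRANT_RE.match(line)
        if m:
            grants[int(m.group(3))] = m.group(2)
            continue
        m = CONNECT_RE.match(line)
        if not m:
            continue
        ts, src, port = m.group(1), m.group(2), int(m.group(3))
        if not lo <= port <= hi:
            continue                 # not a passive data port; out of scope here
        owner = grants.get(port)
        if owner == src:
            del grants[port]         # one data connection per grant, then the port is free
            continue
        if owner is None:
            findings.append(f"{ts} {src} connected to data port {port} with no PASV grant")
        else:
            findings.append(f"{ts} {src} connected to data port {port} granted to {owner} "
                            "(possible data-connection hijack)")
        ungranted[src].add(port)
        if len(ungranted[src]) == scan_threshold:
            findings.append(f"{ts} {src} hit {scan_threshold} passive data ports without "
                            "a grant (likely port scan); candidate for auto-block")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The second finding type is worth keeping even if your server already refuses data connections whose source does not match the control connection: the refusal stops the transfer from being stolen, but the log correlation is what tells you someone is trying, and which address to block. A production version would expire grants that were never used and window the scan counter by time; both are omitted here to keep the correlation logic visible.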
We hope you’ve found the above information on FTP server port management best practices helpful. If you have questions about how to resolve particular connection issues, the Cerberus FTP Server support team is always happy to help.