Amazon EC2 Elastic IPs, IIS FTP Server and Passive FTP clients

authored by Frank Lynam at 31/01/2013 18:23:26

This post is about getting a passive FTP connection working into a Windows Server running IIS on an Amazon EC2 instance. For my test setup I was using the following specific components:

[Server]

FTP Server--IIS8--Windows Server 2012--Amazon EC2 instance using an Elastic IP address

[Client]

Windows 7--FileZilla

Note that I am not covering in this post how to get PASV ports working through the Amazon EC2 firewall but there are plenty of other posts that deal with this.

Now, if you set all of this up on your own you will find that an active FTP connection works but that a passive one stops once the PASV FTP command is sent from the client to the server. If you use a network packet sniffer such as Microsoft Network Monitor you will find that the packet gets sent from the FTP client (note that I’ve replaced the actual IP addresses with CLIENTIP, SERVERIP and PRIVATESERVERIP)…

39           17:51:18 31/01/2013        8.0163695            filezilla.exe         [CLIENTIP]           [SERVERIP]         FTP         FTP:Request from Port 50003, 'PASV'           {TCP:15, IPv4:93}

…and that it gets received by the server…

43           5:51:18 PM 1/31/2013    12.6017968          svchost.exe        [CLIENTIP]           [PRIVATESERVERIP]        FTP                FTP:Request from Port 50003, 'PASV'      {TCP:10, IPv4:16}

…and when the FTP server responds, you’ll find that it answers with a packet that gives a new destination IP address along with a passive-range TCP port...

44           5:51:18 PM 1/31/2013    12.6021913          svchost.exe        [PRIVATESERVERIP]        [CLIENTIP]           FTP                FTP:Response to Port 50003, '227  Entering Passive Mode ([PRIVATESERVERIP],195,84).'                {TCP:10, IPv4:16}

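The problem is that the IP address that it sends back is not the same as the Elastic IP address that you allocated to your EC2 instance. Instead, it’s the private IP address of the server within the EC2 server farm. The client then tries to open its data connection to that private address, which it cannot reach from outside EC2, so the transfer never starts.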

So, how do you make it send back the Elastic IP address instead? Simple. You go into your IIS console and you click on your FTP site node on the left-hand side. Now double-click on the FTP Firewall Support icon on the right. Now enter your Elastic IP address into the External IP Address of Firewall field. Restart your FTP site just to be on the safe side and you’re done. The FTP server will now send back the public Elastic IP address whenever it gets a PASV request.
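To confirm the fix from the client side, the following added example (not code from the original post) parses a 227 reply, decodes the port from its last two fields, and checks whether the advertised address matches the address the control connection was opened to. The function names, the Elastic IP `203.0.113.10` and the private address `10.0.0.5` are constructed for illustration; only the `195,84` port fields come from the capture above.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")

# RFC 1918 ranges, which is where an EC2 private address comes from
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv_reply(line):
    """Return (IPv4Address, port) advertised in a 227 reply."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(map(str, fields[:4])))
    port = fields[4] * 256 + fields[5]  # p1 is the high byte, p2 the low byte
    return ip, port


def check_pasv_reply(line, control_ip):
    """Compare the advertised data address with the control-connection address."""
    ip, port = parse_pasv_reply(line)
    if ip == ipaddress.IPv4Address(control_ip):
        verdict = "ok"
    elif any(ip in net for net in RFC1918):
        verdict = "private-address"   # the symptom described in this post
    else:
        verdict = "mismatch"          # some other address than the one dialled
    return {"ip": str(ip), "port": port, "verdict": verdict}


if __name__ == "__main__":
    ELASTIC_IP = "203.0.113.10"  # constructed stand-in for SERVERIP
    samples = [                   # constructed replies, before and after the fix
        "227 Entering Passive Mode (10,0,0,5,195,84).",
        "227 Entering Passive Mode (203,0,113,10,195,84).",
    ]
    for reply in samples:
        print(reply, "->", check_pasv_reply(reply, ELASTIC_IP))
```

The decoded port (50004 for `195,84`) is also the one that has to be open in the EC2 firewall for the data connection to succeed.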
