Active v.s.

Passive FTP Simplified Page 1 of 8

QUESTIONS? CALL US TODAY! U.S. 1.786.375.8091 UK EUR 44.20.7193.2879

Blog
Managed File Transfer and Network Solutions

Active v.s. Passive FTP Simplified

Posted by John V. on Sat, Jul 19, 2014 @ 05:10 PM

Tweet 109 Share 74 Like Share 32 12

Overview
If a client encounters problems when connecting to your FTP server, one of the first things you might want
to check is your FTP data transfer mode. Depending on certain network configurations, this mode should
be set to either active or passive. In this post, you’ll understand the salient points of active and passive
FTP and learn how to avoid connectivity issues associated with them.

Note: For those who have landed on this page some time in the past, we’d like to inform you that we’ve
recently added a new section discussing the passive port range and how large it should be.

Before we talk about which mode is best for what scenario, let’s first cover one important topic: the two
channels of an FTP session.

FTP command channel and data channel

A typical FTP session operates using two channels: a command (or control) channel and a data channel.
As their names imply, the command channel is used for transmitting commands as well as replies to
those commands, while the data channel is used for transferring data.

Unless you configure your FTP server differently, you will normally set your command channel to use port
21. The port you'll use for the data channel, on the other hand, can differ depending on which data
transfer mode you choose. If you choose active mode, then the data channel will normally be port 20. But
if you choose passive mode, then the port that will be used will be a random port.

http://www.jscape.com/blog/bid/80512/Active-v-s-Passive-FTP-Simplified 7/17/2015
Active v.s. Passive FTP Simplified Page 2 of 8

Note that the ports we are referring to here up to this point are only the ports on the server side. We'll
include client-side ports in our discussion in a short while.

Active mode FTP

Among the two modes, Active mode is the older one. It was the mode introduced in the early days of
computing when mainframes were more common and attacks to information security were not as
prevalent.

Here's a simplified explanation on how an active mode connection is carried out, summarized in two
steps. Some relevant steps (e.g. ACK replies) have been omitted to simplify things.

1. A user connects from a random port on a file transfer client to port 21 on the server. It sends the
PORT command, specifying what client-side port the server should connect to. This port will be
used later on for the data channel and is different from the port used in this step for the command
channel.

2. The server connects from port 20 to the client port designated for the data channel. Once
connection is established, file transfers are then made through these client and server ports.

Passive mode FTP

In passive mode, the client still initiates a command channel connection to the server. However, instead
of sending the PORT command, it sends the PASV command, which is basically a request for a server
port to connect to for data transmission. When the FTP server replies, it indicates what port number it has
opened for the ensuing data transfer.

Here's how passive mode works in a nutshell:

1. The client connects from a random port to port 21 on the server and issues the PASV command.
The server replies, indicating which (random) port it has opened for data transfer.

http://www.jscape.com/blog/bid/80512/Active-v-s-Passive-FTP-Simplified 7/17/2015
Active v.s. Passive FTP Simplified Page 3 of 8

2. The client connects from another random port to the random port specified in the server's
response. Once connection is established, data transfers are made through these client and server
ports.

Active mode vs Passive mode - which is more suitable for you?

There's a reason why I opted to simplify those two diagrams above. I wanted to focus on the main
difference between active mode and passive mode FTP data transfers. If you compare those two
diagrams, one of the things that should really stand out are the opposing directions at which the second
arrows (which also represent the data channels) are pointing to.

In this section, we'll focus on those second arrows and the ports associated with them.

In the active mode, the second arrow is pointing to the client. Meaning, the client initially specifies which
client-side port it has opened up for the data channel, and the server initiates the connection.

By contrast, in the passive mode, the second arrow is pointing to the server. Here, the server specifies
which server-side port the client should connect to and the client initiates the connection.

There shouldn't be any problem had there not been any firewalls in existence. But threats to information
security are on the rise and hence the presence of firewalls is almost always a given. In most cases,
clients are located behind a firewall or a NAT (which basically functions like a firewall). In such cases, only
a select number of predefined ports are going to be accessible from the outside.

Remember that in an active mode configuration, the server will attempt to connect to a random client-
side port. So chances are, that port wouldn't be one of those predefined ports. As a result, an attempt to
connect to it will be blocked by the firewall and no connection will be established.

http://www.jscape.com/blog/bid/80512/Active-v-s-Passive-FTP-Simplified 7/17/2015
Active v.s. Passive FTP Simplified Page 4 of 8

In this particular scenario, a passive configuration will not pose a problem. That's because the client will
be the one initiating the connection, something that a client-side firewall won't have any problem with.

Of course, it's possible for the server side to have a firewall too. However, since the server is expected to
receive a greater number of connection requests compared to a client, then it would be but logical for the
server admin to adapt to the situation and open up a selection of ports to satisfy passive mode
configurations.

Security considerations when setting up passive FTP

As explained earlier, if you're administering an FTP server, it would be best for you to configure your
server to support passive mode FTP. However, you should bear in mind that in doing so, you would be
making your system more vulnerable to attacks. Remember that, in passive mode, clients are supposed
to connect to random server ports.

Thus, to support this mode, not only should your server have to have multiple ports available, your firewall
should also allow connections to all those ports to pass through!

But then the more open ports you have, the more there will be to exploit. To mitigate the risks, a good
solution would be to specify a range of ports on your server and then to allow only that range of ports on
your firewall.

How wide should the passive port range be?

The number of ports you need to specify in passive FTP largely depends on the number of concurrent
connections/file transfers you expect to have. However, although, say, 100 concurrent file transfers would
only require 100 open ports on the server, always remember that what most people consider as a "single
file transfer" may actually consist of more than one. Let me explain.

For a typical end user, everything he downloads or uploads between the time he logs in to the FTP server
and the time he logs out, is just part of a single FTP file transfer. That's not true. Each file transmitted
during that entire login session will actually require at least one port. So if 10 files are downloaded, then
10 ports are used. That's not all.

http://www.jscape.com/blog/bid/80512/Active-v-s-Passive-FTP-Simplified 7/17/2015
Active v.s. Passive FTP Simplified Page 5 of 8

Some clients now use multiple connections when uploading files. For example, if a client has 100 files to
upload, it might spawn 5 separate sessions to make the upload go faster. The result is that a single client
may have 5 open passive connections at a time.

So, when deciding how many passive ports you want to open you need to consider that a single client
may actually open multiple concurrent passive connections. While there are no hard and fast rules
dictating the number of ports that should comprise a port range, you will really want to project your
maximum number of concurrent users and allocate a sizable allowance based on that.

Where to set up passive port range in JSCAPE MFT Server

For those of you who are already using JSCAPE MFT Server, you can specify a range of ports for your
passive mode FTP connections by going to Services > FTP/S > Passive port range in your JSCAPE
MFT Server Manager. Because low ports (particularly those < 1024) are reserved, choose a high port
range (i.e. large numbers). For example, from 5000 to 6000. For better security, don't just copy the
example. Use your own!

In the event that the IP address your server uses in responding to requests for passive connections is not
routable via the Internet, you'll need to enter your public IP address in the Passive IP field.

That's it. We hope we were able to explain the difference between active and passive FTP in a manner
you could easily understand.

Get Started
Would you like to try an FTP server that supports:

◾ automated file transfers,

◾ other file transfer protocols (e.g. SFTP, SCP, FTPS, WebDAV, AS2, AFTP and HTTP/S),

http://www.jscape.com/blog/bid/80512/Active-v-s-Passive-FTP-Simplified 7/17/2015
Active v.s. Passive FTP Simplified Page 6 of 8

◾ the ability to send large files through email,

◾ high speed data transfers,
◾ and several security features?

Download the free, fully-functional evaluation edition of JSCAPE MFT Server now.

Download
JSCAPE MFT Server

Want to be updated on posts like this? Connect with us...

Subscribe via E-mail

Latest Blog Posts

http://www.jscape.com/blog/bid/80512/Active-v-s-Passive-FTP-Simplified 7/17/2015
Active v.s. Passive FTP Simplified Page 7 of 8

12 File Transfer Protocols

And The Businesses
They're Best Suited For

JSCAPE MFT Server 9.2

Released

JSCAPE MFT Gateway 3.3

Released

Can You Identify The Port

Numbers of These 12 File
Transfer Protocols?

Posts by category
◾ Accelerated File Transfer (15)

◾ Ad-Hoc File Transfers (20)

◾ AnyClient (27)

◾ AS2 (12)

◾ Big Data (2)

◾ Business Process Automation (48)

◾ Case Studies (5)

◾ Cloud Computing (8)

◾ Compliance (30)

◾ Data Loss Prevention (11)

◾ DLP (2)

◾ DMZ Streaming (1)

◾ eDiscovery (5)

◾ Email Factory for .NET (1)

◾ Email Large Files (6)

◾ Failover (1)

◾ Fast File Transfer (2)

◾ File Transfer Clients (14)

◾ FTP (25)

◾ FTPS (17)

◾ High Availability (10)

◾ HIPAA (5)

◾ JSCAPE MFT Gateway (30)

◾ JSCAPE MFT Monitor (13)

http://www.jscape.com/blog/bid/80512/Active-v-s-Passive-FTP-Simplified 7/17/2015
Active v.s. Passive FTP Simplified Page 8 of 8

◾ JSCAPE MFT Server (181)

◾ JSCAPE MFT Server Plugin for Outlook (7)

◾ JSCAPE Reverse Proxy (1)

◾ Load Balancing (3)

◾ Managed File Transfer (182)

◾ MFTExpress (4)

◾ Mobile (7)

◾ News (86)

◾ OpenPGP (11)

◾ PCI-DSS (5)

◾ regular expressions (7)

◾ Reverse Proxy (12)

◾ SaaS (1)

◾ Secure File Transfer (70)

◾ Secure FTP Factory (7)

◾ Secure iNet Factory (9)

◾ Security (46)

◾ SFTP (25)

◾ SSH Factory (4)

◾ Triggers (21)

◾ Tutorials (44)

◾ Videos (43)

Home | Company | Products | Solutions | Purchase | Support | Services | Blog

© 2014 JSCAPE LLC

http://www.jscape.com/blog/bid/80512/Active-v-s-Passive-FTP-Simplified 7/17/2015