Active v.s. Passive FTP Simplified

http://www.jscape.com/blog/bid/80512/Active-v-s-Passive-FTP-Simplified

Posted by John V. on Wed, Jul 16, 2014 @ 05:10 PM
When a client experiences problems connecting to your FTP server, one thing you might want to look into is whether you've set your FTP data transfer mode to active or passive. Active and passive are the two modes an FTP connection can operate in. Taking into consideration the network configuration and security controls in place, you should choose one mode over the other.

But before we discuss which mode is best for which scenario, let's first talk about the basics of these two modes, which are best explained by starting with the two channels an FTP session normally has.

FTP command channel and data channel

A typical FTP session operates using two channels: a command (or control) channel and a data channel. As their names imply, the command channel is used for transmitting commands as well as replies to those commands, while the data channel is used for transferring data.

Unless you configure your FTP server differently, the command channel will use port 21. The port used for the data channel, on the other hand, differs depending on which data transfer mode you choose. If you choose active mode, the data channel will normally use port 20. But if you choose passive mode, a random port will be used.

Note that the ports we have referred to up to this point are only the ports on the server side. We'll include client-side ports in our discussion in a short while.

Active mode FTP

Of the two modes, active mode is the older one. It was the mode introduced in the early days of computing, when mainframes were more common and attacks on information security were not as prevalent.

Here's a simplified explanation of how an active mode connection is carried out, summarized in two steps. Some relevant steps (e.g. ACK replies) have been omitted to simplify things.

1. A user connects from a random port on a file transfer client to port 21 on the server. It sends the PORT command, specifying what client-side port the server should connect to. This port will be used later on for the data channel and is different from the port used in this step for the command channel.

2. The server connects from port 20 to the client port designated for the data channel. Once the connection is established, file transfers are then made through these client and server ports.
Passive mode FTP

In passive mode, the client still initiates a command channel connection to the server. However, instead of sending the PORT command, it sends the PASV command, which is basically a request for a server port to connect to for data transmission. When the FTP server replies, it indicates what port number it has opened for the ensuing data transfer.

Here's how passive mode works in a nutshell:

1. The client connects from a random port to port 21 on the server and issues the PASV command. The server replies, indicating which (random) port it has opened for data transfer.

2. The client connects from another random port to the random port specified in the server's response. Once the connection is established, data transfers are made through these client and server ports.

Active mode vs Passive mode - which is more suitable for you?

There's a reason why I opted to simplify those two diagrams above. I wanted to focus on the main difference between active mode and passive mode FTP data transfers. If you compare those two diagrams, one of the things that should really stand out is the opposing directions in which the second arrows (which also represent the data channels) are pointing.

In this section, we'll focus on those second arrows and the ports associated with them.

In active mode, the second arrow points to the client. That is, the client initially specifies which client-side port it has opened up for the data channel, and the server initiates the connection.

By contrast, in passive mode, the second arrow points to the server. Here, the server specifies which server-side port the client should connect to, and the client initiates the connection.

There wouldn't be any problem if firewalls didn't exist. But threats to information security are on the rise and hence the presence of firewalls is almost always a given. In most cases, clients are located behind a firewall or a NAT (which basically functions like a firewall). In such cases, only a select number of predefined ports are going to be accessible from the outside.

Remember that in an active mode configuration, the server will attempt to connect to a random client-side port. So chances are, that port won't be one of those predefined ports. As a result, the attempt to connect to it will be blocked by the firewall and no connection will be established.

In this particular scenario, a passive configuration will not pose a problem. That's because the client will be the one initiating the connection, something that a client-side firewall won't have any problem with.

Of course, it's possible for the server side to have a firewall too. However, since the server is expected to receive a far greater number of connection requests than a client, it is only logical for the server admin to adapt to the situation and open up a selection of ports to satisfy passive mode configurations.

Security considerations when setting up passive FTP

As explained earlier, if you're administering an FTP server, it would be best for you to configure your server to support passive mode FTP. However, you should bear in mind that in doing so, you would be making your system more vulnerable to attacks. Remember that, in passive mode, clients are supposed to connect to random server ports. Thus, to support this mode, not only does your server have to have multiple ports available, your firewall must also allow connections to all those ports to pass through!

But then the more open ports you have, the more there will be to exploit. To mitigate the risks, a good solution would be to specify a range of ports on your server and then allow only that range of ports on your firewall.

Where to set up passive port range in JSCAPE MFT Server

For those of you who are already using JSCAPE MFT Server, you can specify a range of ports for your passive mode FTP connections by going to Services > FTP/S > Passive port range in your JSCAPE MFT Server Manager. Because low ports (particularly those < 1024) are reserved, choose a high port range (i.e. large numbers), for example from 5000 to 6000. For better security, don't just copy the example. Use your own!

In the event that the IP address your server uses in responding to requests for passive connections is not routable via the Internet, you'll need to enter your public IP address in the Passive IP field.
That's it. We hope we were able to explain the difference between active and passive FTP in a manner you could easily understand.

2014 JSCAPE LLC

1/5/2015 11:31 PM

Вам также может понравиться