Submit a ticketCall us

AnnouncementsSystem Monitoring for Dummies

Tired of monitoring failures disrupting the system, application, and service? Learn the key monitoring concepts needed to help you create sophisticated monitoring and alerting strategies that can help you save time and money. Read the eBook.

Get your free eBook.

Home > Success Center > Serv-U Managed File Transfer & Serv-U FTP Server > Serv-U - Knowledgebase Articles > Active and Passive FTP Transfers

Active and Passive FTP Transfers

Updated: January 7. 2019


This article provides an overview of active and passive FTP transfers as used in Serv-U,



  • Serv-U


FTP and FTPS both use multiple connections to perform file transfers. The first "control" connection is always made to a defined TCP port such as 21 or 990 but all directory listing and file transfer data is passed through additional "data" connections.

Passive (or "Firewall Friendly") Mode

In "passive" mode (a.k.a. "PASV"), both control and data connections are made from your FTP client to the FTP server. In firewalled deployments, all connections are made from the Internet to the server (rather than from the server back to the Internet), so passive mode is also known as "firewall friendly" mode in some products.

Active Mode

"Active" mode is how FTP originally worked, and it is still supported (and occasionally required) by many servers. In active mode, the control connection is made from the FTP client but all data connections are made from the FTP server to the FTP client. (Yes, back the other way.) In order for this to work, you usually need either no firewalls or firewalls that understand the FTP protocol and can dynamically open ports between clients and servers that look like they are performing ACTIVE mode FTP transfers.

Recommended Transfer Mode

You should always try to use passive mode, and only use active mode if a legacy deployment absolutely requires it. Fortunately, most modern clients and servers already support passive mode and use it by default when transferring files.

Network security teams prefer passive mode because it avoids inbound connections from the Internet back into individual clients. (Almost no corporate security team would permit this.) End users prefer passive mode because it is more reliable than active mode over the Internet. (Active mode doesn't work unless multiple firewalls have been configured to allow it; passive mode generally only requires the server firewall to have been configured.) Passive mode is also preferred when using FTPS (FTP over SSL/TLS) because firewalls that can make active mode adjustments for plain text FTP cannot read FTPS control channels or make active mode FTPS adjustments.

FTP Voyager Active/Passive Support

Our FTP Voyager FTP client tries to use passive mode by default (and falls back to active mode if passive does not work), but this setting can be overridden on a site-by-site basis under the "Advanced | Connection" settings ("Force PASV Mode") for the occasional server that requires active mode.

Serv-U Active/Passive Support

Our Serv-U FTP server supports both active and passive mode by default. However, it is common to restrict the passive port range offered by Serv-U. Many customers also disable active mode on Serv-U.

FTP Commands

Passive Mode Transfers

The PASV and EPSV commands are both used in passive mode. EPSV is used by modern client/server implementations and is required when using IPv6.

When Passive mode is used the Client first connects to the server on port 21. Then the client issues a PASV or EPSV command. The server then replies with an IP address and port number. The client finally uses that IP Address and port number to establish the data connection.

Active Mode Transfers

The PORT and EPRT commands are both used in active mode. EPRT is used by modern client/server implementations and is required when using IPv6.

An Active connection is different because the server actually connects back to the FTP Client for the data connection. In the illustration below we see the Port command being sent by the client. This time the client sends the server the IP Address and port number to connect to. Then the FTP Server tries to connect back to the FTP Client using that information. (However, this typically only works if the client can receive inbound connections.)



Last modified