Require Passive FTP transfers or disable Active mode

Updated March 29, 2017

Overview

Many security teams now prohibit outbound connections from FTP servers. Since outbound connections are required for FTP active mode transfers, this means that passive mode transfers, which only involve inbound connections, must be required instead.

Firewall technicians often enforce this requirement by setting up firewall rules that prohibit all outbound connections. However, this often leads to connectivity issues and support calls from users who simply see failed transfers and timeouts when they attempt to perform active mode transfers.

A more elegant solution is to turn off active mode transfers at the server level and configure the FTP server to send back helpful error messages that tell end users to stop using active mode transfers. The following instructions explain how to do this in the Serv-U FTP server by disabling the two active mode commands (PORT and EPRT) and changing the text Serv-U sends in its "command not implemented" error message.

Environment

Serv-U v14.0 and later

Steps

  1. Open your Serv-U Management Console, select the appropriate domain, and then navigate to the Limits & Settings tab. 
  2. Select the FTP Settings tab.
  3. Click Use custom settings.
  4. Double-click the EPRT command, select Disable command, and then click Save. 
     
  5. Double-click the PORT command, select Disable command, and then click Save. 
     
  6. Click Global Properties at the bottom of the FTP Settings tab. This will open the FTP Command Properties tab. 
  7. Double-click the 502 - Command not implemented entry. Change the text from "Command not implemented." to either "Command not implemented. (Note that ACTIVE mode is not supported!)" or "Command not implemented. (ACTIVE mode is not supported - use PASSIVE instead!)" Then click Save. 
     
  8. To test, connect to Serv-U using an FTP client that is set up to only support active mode. Connect to the server, attempt a directory listing or transfer, and look for your custom 502 error message. Then reconfigure the FTP client to support passive mode, reconnect, and make sure passive transfers work.
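
The test in step 8 can be repeated from a script after upgrades or configuration changes. The following Python example is an added illustration, not part of the original article or of Serv-U; it uses the standard ftplib module, and the function names, the probe address 192.0.2.1 and the check for the word "active" in the reply text are assumptions made for this example.

```python
import ftplib

# Constructed probe arguments: 192.0.2.1 is a documentation address (RFC 5737).
# No transfer command follows, so the server is never asked to connect to it.
ACTIVE_PROBES = {
    "PORT": "PORT 192,0,2,1,195,80",        # port 195*256+80 = 50000
    "EPRT": "EPRT |1|192.0.2.1|50000|",
}


def reply_of(ftp, command_line):
    """Send one command and return (code, text), also for 4xx/5xx replies."""
    try:
        reply = ftp.sendcmd(command_line)
    except (ftplib.error_temp, ftplib.error_perm) as exc:
        reply = str(exc)
    return int(reply[:3]), reply[4:].strip()


def audit_session(ftp):
    """Run the step 8 checks on a logged-in ftplib.FTP session."""
    report = {}
    for name, line in ACTIVE_PROBES.items():
        code, text = reply_of(ftp, line)
        report[name] = {
            "code": code,
            "disabled": code == 502,
            # Both suggested 502 texts mention ACTIVE; the default text does not.
            "hint_present": "active" in text.lower(),
        }
    ftp.set_pasv(True)
    try:
        ftp.retrlines("LIST", lambda _line: None)  # listing over a passive data connection
        report["passive_ok"] = True
    except ftplib.all_errors as exc:
        report["passive_ok"] = False
        report["passive_error"] = str(exc)
    report["compliant"] = report["passive_ok"] and all(
        report[n]["disabled"] and report[n]["hint_present"] for n in ACTIVE_PROBES
    )
    return report


def audit_server(host, user, password, port=21, timeout=10):
    """Connect and log in with caller-supplied values, then audit the session."""
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        return audit_session(ftp)
```

The `compliant` field is true only when PORT and EPRT both return the customized 502 reply and a passive directory listing succeeds.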

 

Additional Notes

  • Firewall rules that prohibit all outbound connections from Serv-U should still be implemented; these instructions simply avoid support calls by helping end users understand why their active mode transfers are failing.
  • These instructions also apply when Serv-U Gateway is used to avoid deploying Serv-U in a DMZ segment.
  • Also remember to set a specific passive port range on both Serv-U and your firewall.
  • While it is possible to enable or disable FTP commands at the domain level, making this type of change at the server level is preferred because your firewall team will probably not be interested in making outbound connection exceptions for specific FTP server domains.

 

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.

 

 
