Server!: why so many “ports” to configure?

Some of our users have been asking why there are so many “ports” to configure in Server! and if configuring them is really necessary.

First of all, let’s say that Server! is designed to work out-of-the-box, without the need for any special reconfiguration. In fact, by default, it uses the ports defined in each protocol standard (21 and 20 for FTP, 990 and 989 for FTPS, and 22 for SFTP) plus the widest possible port-range for passive FTP(S) connections.

Yet, it is important to understand what all those ports are. Let’s take a look at a screenshot of the Configuration Manager page where ports are configured:


Now let’s explain what all those ports are, by protocol.

  • SFTP: let’s start with SFTP, as it’s the easiest to explain. SFTP is a subsystem of SSH and uses a single port (default: 22) for everything: authentication, commands and file data all travel over the same encrypted SSH connection. In spite of that, it is highly efficient, because it is designed to replicate the behavior of a file system, so control requests are handled practically in real time no matter how many file transfers are going on at the same time. All in all, SFTP is not only the safest protocol among the supported ones, but also the most elegant and well designed (in our humble opinion).
  • FTP(S): the FTP protocol is much older and works differently. In order to guarantee that control commands are handled as fast as possible, even while a file transfer is going on, all protocols of the FTP family use two ports: one for the “control connection” (to send/receive commands and responses) and one for the “data connection” (where files are actually transferred). By default the control port is 21 and the data port is 20. This is also true for explicit FTPS, because the connection starts unencrypted (plain) and the client explicitly sends a command (AUTH SSL or AUTH TLS) to instruct the server to switch that same connection to SSL/TLS. But it is also possible to use implicit FTPS, and in that case we obviously need a different port to connect to, because the client expects the socket to be encrypted with SSL/TLS from the very first byte. So, for implicit FTPS the standard control port is 990, and the standard data port is 989.

This explanation covers why there is only one port to configure for SFTP, while there are four ports to configure for FTP(S). But now, for the sake of completeness, we need to explain what the “port range for PASV connections” is.

Originally, when the FTP protocol was first designed, the control connection was supposed to be initiated by the client (from any port) towards the server (on port 21), and the data connection was supposed to be initiated by the server (from port 20) towards the client, to a port the client announced via the PORT command. This is called an “active FTP connection”, and it is immediately apparent how this can make your life difficult when clients (over which you have no control) are behind a firewall or NAT device: the client must accept an inbound connection from the server for every single transfer.

To solve the issue, “passive FTP connections” (aka PASV) were invented. PASV works the same way with regards to the control connection, but the data connection works the other way around: the client connects to the server, towards a port that is negotiated at the beginning of every file transfer through the PASV command (the server answers with the IP address and port the client should connect to). That port must be open on the FTP server and, obviously, the firewall must not block it. But at least in this case, the only firewall that needs to be configured is the one on the server side (where we have control), so it’s much easier to make it work this way. So basically the “port range for PASV connections” is the range of ports that the server will negotiate with any client for data transfers, and those ports must also be open on the firewall towards the FTP server’s IP address: if the server announces a port outside the range the firewall allows, the control connection will work but every data transfer will hang or fail.
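To make the two data-connection negotiations described above concrete, here is an added Python example (written for this article, not code from Server! or its vendor) that builds and parses the PORT command of active mode and the 227 reply of passive mode, and checks a 227 reply against a configured PASV range. The range 50000-50100, the IP addresses and the sample messages are constructed for the example; the check that the advertised address matches the control connection’s address is an extra sanity check of ours, not something the article discusses.

```python
import ipaddress
import re

# Hypothetical PASV port range, as one might set it in the Configuration Manager.
# Constructed for this example: the product default is the widest possible range.
PASV_RANGE = (50000, 50100)

# Both PORT and the 227 reply carry the endpoint as h1,h2,h3,h4,p1,p2 (RFC 959),
# where the port is p1 * 256 + p2.
_HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _encode_host_port(host: str, port: int) -> str:
    """Encode an IPv4 address and a TCP port in the h1,h2,h3,h4,p1,p2 form."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def _decode_host_port(text: str) -> tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form back into (address, port), rejecting garbage."""
    m = _HOST_PORT_RE.search(text)
    if not m:
        raise ValueError(f"no host/port tuple in {text!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of byte range in {text!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def build_port_command(client_ip: str, client_port: int) -> str:
    """Active FTP, client side: tell the server where to connect (it will come from port 20)."""
    return f"PORT {_encode_host_port(client_ip, client_port)}\r\n"


def parse_port_command(line: str) -> tuple[str, int]:
    """Active FTP, server side: recover the client endpoint from a PORT command."""
    if not line.upper().startswith("PORT "):
        raise ValueError(f"not a PORT command: {line.strip()!r}")
    return _decode_host_port(line)


def build_pasv_reply(server_ip: str, data_port: int, pasv_range=PASV_RANGE) -> str:
    """Passive FTP, server side: announce the data port for this transfer.

    A server must never announce a port outside the range its firewall allows,
    otherwise the client's data connection is silently dropped."""
    lo, hi = pasv_range
    if not lo <= data_port <= hi:
        raise ValueError(f"data port {data_port} outside configured PASV range {lo}-{hi}")
    return f"227 Entering Passive Mode ({_encode_host_port(server_ip, data_port)})\r\n"


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Passive FTP, client side: extract where to open the data connection."""
    if not reply.startswith("227"):
        raise ValueError(f"unexpected reply to PASV: {reply.strip()!r}")
    return _decode_host_port(reply)


def check_pasv_reply(reply: str, control_ip: str, pasv_range=PASV_RANGE) -> list[str]:
    """Sanity checks for a 227 reply, e.g. when troubleshooting from a packet capture.

    Returns the list of problems found; an empty list means the data connection
    should get through a firewall that opens `pasv_range` towards `control_ip`."""
    problems = []
    host, port = parse_pasv_reply(reply)
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside the PASV range {lo}-{hi} opened on the firewall")
    if host != control_ip:
        # Extra check (assumption of this example): a server behind NAT often
        # announces its private address, which the client cannot reach.
        problems.append(f"advertised address {host} differs from control connection address {control_ip}")
    return problems


if __name__ == "__main__":
    # Constructed exchange: client 192.0.2.25 talks to server 203.0.113.10.
    print(build_port_command("192.0.2.25", 6001).strip())      # active mode request
    reply = build_pasv_reply("203.0.113.10", 50020)            # passive mode answer
    print(reply.strip(), "->", parse_pasv_reply(reply))
    print(check_pasv_reply("227 Entering Passive Mode (10,0,0,5,4,1)\r\n", "203.0.113.10"))
```

Run the script as-is to see a valid PORT command, a valid 227 reply, and the two problems flagged for a constructed reply that announces a private address and port 1025 (outside the range). When a transfer hangs after `PASV`, feeding the actual 227 reply from the server log or a capture to `check_pasv_reply` is the quickest way to tell a firewall range mismatch from an address problem.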
