Your network contains an Active Directory domain named contoso.com. The domain contains an Application
server named Server1. Server1 runs Windows Server 2012.
Server1 is configured as an FTP server.
Client computers use an FTP Application named App1.exe. App1.exe uses TCP port 21 as the control port and
dynamically requests a data port.
On Server1, you create a firewall rule to allow connections on TCP port 21.
You need to configure Server1 to support the clientconnections from App1.exe.
What should you do?
A.
Run netsh firewall addportopening TCP 21 dynamicftp.
B.
Create a tunnel connection security rule.
C.
Create an outbound firewall rule to allow App1.exe.
D.
Run netshadvfirewall set global statefulftp enable.
Explanation:
* add portopening
Used to create a port-based exception.
it’s D and it will open passive FTP ports
Yean Same as Q22
Run netshadvfirewall set global statefulftp enable
D
<>
Because the client will request a dynamic data port, then this is a Passive FTP mode so the Stateful FTP mode should be disabled.
netsh advfirewall set global statefulftp disable
Based on the article http://technet.microsoft.com/en-us/library/dd421710(v=ws.10).aspx
If the client will allows the FTP Server match its inbound connection requests on port 20 with previous outbound PORT commands from the client for port 21 then this will be a Stateful FTP mode, so the Stateful FTP mode should be enabled.
netsh advfirewall set global statefulftp enable
Update to the previous post…
–This is a wrong question–
Because the client will request a dynamic data port, then this is a Passive FTP mode so the Stateful FTP mode should be disabled.
netsh advfirewall set global statefulftp disable
Based on the article http://technet.microsoft.com/en-us/library/dd421710(v=ws.10).aspx
If the client will allows the FTP Server match its inbound connection requests on port 20 with previous outbound PORT commands from the client for port 21 then this will be a Stateful FTP mode, so the Stateful FTP mode should be enabled.
netsh advfirewall set global statefulftp enable
Correction..!
The correct answer is A.
Run netsh advfirewall set global statefulftp enable
Because if the statefulftp is disabled, then the firewall will consider the Data transfer as unsolicited connection.
Read:
http://technet.microsoft.com/en-us/library/cc771920%28v=ws.10%29.aspx#BKMK_set_2a
You are assuming things that are not part of the question. Only go with what is provided.
Based on (http://blogs.iis.net/jaroslad/archive/2007/09/29/windows-firewall-setup-for-microsoft-ftp-publishing-service-for-iis-7-0.aspx):
Windows Firewall and non-secure FTP traffic
Windows firewall can be configured from command line using netsh command. 2 simple steps are required to setup Windows Firewall to allow non-secure FTP traffic
1) Open port 21 on the firewall
netsh advfirewall firewall add rule name=”FTP (no SSL)” action=allow protocol=TCP dir=in localport=21
2) Activate firewall application filter for FTP (aka Stateful FTP) that will dynamically open ports for data connections
netsh advfirewall set global StatefulFtp enable
Warning: Active FTP connections are not necessarily covered by these rules. Outbound connection from port 20 would need to be enabled on server and client machine will have to have exceptions setup for inbound traffic.
Warning: FTPS (FTP over SSL) will not be covered by these rules. SSL negotiation will (most likely) get stuck because firewall filter for FTP will not be able to parse encrypted data. Some firewall filters recognize the beginning of SSL negotiation (AUTH SSL or AUTH TLS commands) and return error to prevent SSL negotiation from starting.
A
netsh firewall command were also replaced:
https://support.microsoft.com/en-us/kb/947709
now the netsh command for windows fireall are with the “advfirewall” context.