You need to configure Server1 to support the clientconnections from App1.exe

Your network contains an Active Directory domain named contoso.com. The domain contains an Application
server named Server1. Server1 runs Windows Server 2012.
Server1 is configured as an FTP server.
Client computers use an FTP Application named App1.exe. App1.exe uses TCP port 21 as the control port and
dynamically requests a data port.
On Server1, you create a firewall rule to allow connections on TCP port 21.
You need to configure Server1 to support the clientconnections from App1.exe.
What should you do?

Your network contains an Active Directory domain named contoso.com. The domain contains an Application
server named Server1. Server1 runs Windows Server 2012.
Server1 is configured as an FTP server.
Client computers use an FTP Application named App1.exe. App1.exe uses TCP port 21 as the control port and
dynamically requests a data port.
On Server1, you create a firewall rule to allow connections on TCP port 21.
You need to configure Server1 to support the clientconnections from App1.exe.
What should you do?

A.
Run netsh firewall addportopening TCP 21 dynamicftp.

B.
Create a tunnel connection security rule.

C.
Create an outbound firewall rule to allow App1.exe.

D.
Run netshadvfirewall set global statefulftp enable.

Explanation:
* add portopening
Used to create a port-based exception.



Leave a Reply to Rafik Cancel reply9

Your email address will not be published. Required fields are marked *

15 − three =


bean

bean

it’s D and it will open passive FTP ports

Grant

Grant

Yean Same as Q22
Run netshadvfirewall set global statefulftp enable

Ebrahim Hasan

Ebrahim Hasan

<>

Because the client will request a dynamic data port, then this is a Passive FTP mode so the Stateful FTP mode should be disabled.

netsh advfirewall set global statefulftp disable

Based on the article http://technet.microsoft.com/en-us/library/dd421710(v=ws.10).aspx

If the client will allows the FTP Server match its inbound connection requests on port 20 with previous outbound PORT commands from the client for port 21 then this will be a Stateful FTP mode, so the Stateful FTP mode should be enabled.

netsh advfirewall set global statefulftp enable

Ebrahim Hasan

Ebrahim Hasan

Update to the previous post…

–This is a wrong question–

Because the client will request a dynamic data port, then this is a Passive FTP mode so the Stateful FTP mode should be disabled.

netsh advfirewall set global statefulftp disable

Based on the article http://technet.microsoft.com/en-us/library/dd421710(v=ws.10).aspx

If the client will allows the FTP Server match its inbound connection requests on port 20 with previous outbound PORT commands from the client for port 21 then this will be a Stateful FTP mode, so the Stateful FTP mode should be enabled.

netsh advfirewall set global statefulftp enable

Ebrahim Hasan

Ebrahim Hasan

Correction..!

The correct answer is A.
Run netsh advfirewall set global statefulftp enable

Because if the statefulftp is disabled, then the firewall will consider the Data transfer as unsolicited connection.

Read:
http://technet.microsoft.com/en-us/library/cc771920%28v=ws.10%29.aspx#BKMK_set_2a

Brian K

Brian K

You are assuming things that are not part of the question. Only go with what is provided.

Based on (http://blogs.iis.net/jaroslad/archive/2007/09/29/windows-firewall-setup-for-microsoft-ftp-publishing-service-for-iis-7-0.aspx):

Windows Firewall and non-secure FTP traffic

Windows firewall can be configured from command line using netsh command. 2 simple steps are required to setup Windows Firewall to allow non-secure FTP traffic

1) Open port 21 on the firewall

netsh advfirewall firewall add rule name=”FTP (no SSL)” action=allow protocol=TCP dir=in localport=21

2) Activate firewall application filter for FTP (aka Stateful FTP) that will dynamically open ports for data connections

netsh advfirewall set global StatefulFtp enable

Warning: Active FTP connections are not necessarily covered by these rules. Outbound connection from port 20 would need to be enabled on server and client machine will have to have exceptions setup for inbound traffic.

Warning: FTPS (FTP over SSL) will not be covered by these rules. SSL negotiation will (most likely) get stuck because firewall filter for FTP will not be able to parse encrypted data. Some firewall filters recognize the beginning of SSL negotiation (AUTH SSL or AUTH TLS commands) and return error to prevent SSL negotiation from starting.