WinSCP uses passive mode FTP by default, but it supports both active and passive modes. Passive mode is preferred and typically used because it works better with firewalls and NATs, requiring fewer client-side network configuration changes. Users can toggle between active and passive modes in WinSCP’s connection settings if needed. If passive mode is enabled, the client initiates all connections, which simplifies firewall configuration on the client side.
In summary, WinSCP defaults to passive mode for FTP connections but allows manual switching to active mode if necessary.
To force WinSCP to use active mode FTP, follow these steps:
- Open WinSCP and select the site/session you want to edit or create a new site.
- Go to the “Advanced Site Settings” dialog.
- Navigate to the “Connection” section.
- Find the setting “Passive mode” (it is enabled by default).
- Uncheck or disable “Passive mode” to switch to active mode.
- Save the settings and connect.
For command-line or scripting usage, you can add -passive=off to the open command to force active mode, for example:
```text
open ftp://username:password@hostname -passive=off
```
This disables passive mode and explicitly uses active FTP mode.
In active mode, ensure the client-side firewall allows incoming connections on the ports WinSCP uses for data transfer (which can be configured in WinSCP’s network settings).
Here is the detailed information on your queries about WinSCP active mode FTP:
- Command-line switch to force active mode in WinSCP:
Use the -passive=off switch with the open command in WinSCP scripting or on the command line. Example:
```text
open ftp://user:password@example.com/ -passive=off
```
This disables passive mode and forces active FTP mode.
- How to set active mode in WinSCP scripting:
In your WinSCP script, add the -passive=off option to the open command line like this:
```text
open ftp://user:password@example.com/ -passive=off
```
This sets the session to active mode for the script’s duration.
- Configure WinSCP site profile to use active FTP mode:
- Open WinSCP GUI
- Go to your saved site’s “Advanced Site Settings”
- Under the “Connection” section, find the “Passive mode” option
- Uncheck or disable “Passive mode” to enable active mode
- Save the profile
On the next connection, it will use active mode.
- Firewall ports to open for WinSCP active mode:
- Control connection on TCP port 21 (FTP command)
- Data connection initiated by the server from TCP port 20 (server source port) to a random high port on the client side
- The client must allow incoming connections on random high ports for data transfer in active mode, so also ensure the firewall or NAT allows them
In short, port 21 (control) and port 20 (data, outbound from the server) must be open, along with incoming random ports on the client side.
- Troubleshooting WinSCP active mode connection timeouts:
- Check client firewall and NAT settings to allow incoming data connections on client’s random ports used by active mode FTP
- Verify port 20 outbound is not blocked at server/network firewall
- Enable detailed session logging in WinSCP for diagnostic messages
- Test switching to passive mode to isolate firewall issues
- Use tools like Wireshark to analyze FTP command/data flow to identify connection drops.
This covers exact commands, site settings, firewall requirements, and troubleshooting steps for using and managing active mode FTP with WinSCP.
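As an added example (not part of the original page and not WinSCP's own code), the following Python script reads FTP control-channel lines, such as those visible in a session log or a Wireshark capture, and reports for each PORT command or 227 reply which side must accept the inbound data connection and on which port. The sample lines, addresses, and function names are constructed for illustration; only IPv4 PORT and 227 (RFC 959) are handled.

```python
import ipaddress
import re

# Constructed sample of FTP control-channel lines (not from a real session).
SAMPLE = [
    "USER demo",
    "PORT 192,168,1,10,195,80",
    "200 Port command successful",
    "LIST",
    "425 Can't open data connection",
    "PASV",
    "227 Entering Passive Mode (203,0,113,5,234,96)",
]

SEXTET = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
ACTIVE = re.compile(r"\bPORT\s+" + SEXTET, re.IGNORECASE)   # client -> server
PASSIVE = re.compile(r"\b227\b[^\d]*" + SEXTET)             # server -> client
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode(groups):
    """Turn an RFC 959 h1,h2,h3,h4,p1,p2 sextet into (ip, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    return ipaddress.ip_address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def data_channels(lines):
    """Return one dict per negotiated data channel found in the transcript."""
    findings = []
    for line in lines:
        for mode, listener, rx in (("active", "client", ACTIVE), ("passive", "server", PASSIVE)):
            m = rx.search(line)
            if not m:
                continue
            ip, port = decode(m.groups())
            findings.append({
                # listener = side whose firewall must accept the inbound data connection
                "mode": mode, "listener": listener,
                "address": str(ip),
                "port": port,
                # A private address in PORT is unreachable from another network unless NAT rewrites it.
                "nat_warning": mode == "active" and any(ip in net for net in RFC1918),
            })
    return findings

if __name__ == "__main__":
    for finding in data_channels(SAMPLE):
        print(finding)
```

A `nat_warning` on an active-mode entry followed by a 425 reply or a timeout points at the client-side NAT or firewall rather than at the server.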
Port 20 needs to be open on the firewall only if you are using active mode FTP. In active mode FTP, port 20 is used for the data transfer channel, while port 21 is used for FTP commands. The server initiates the data connection from port 20 to a client port. If you use passive mode FTP, only port 21 needs to be open because the client initiates both command and data connections to the server, and data transfers happen on a random port on the server side, not port 20.
In summary:
- For active mode FTP: open both port 20 (data) and port 21 (control).
- For passive mode FTP: open only port 21.
This distinction is important for proper firewall configuration depending on the FTP mode.