Configuring Windows Firewall to enable Aspera FASP transfers

by Per Hansen


It is likely that an external (hardware) firewall exists within your environment and that it is used to block and allow incoming/outgoing traffic. In cases where such a firewall does not exist, or you simply wish to keep using Windows Firewall, certain modifications need to be made to enable Aspera FASP transfers.

Please note that Windows Firewall defaults to ON when Windows is first installed. If you wish to leave it enabled, some ports will need to be opened in Windows Firewall. Aspera transfers use one TCP port to establish the initial SSH connection from client to server, and one UDP port per concurrent client transfer session on the server (each client transfer will run as a separate ascp process on the server).

The ports are entirely configurable, but we strongly recommend that you use a high port (>32568), such as TCP 33001, for the SSH service to avoid port scan attacks against the standard SSH port, TCP 22. By default, the FASP data transfer uses UDP 33001 for the first concurrent client connection and increments automatically for each additional concurrent client connection. Note that the UDP port on the server is only engaged after successful authentication of the client over SSH; there are no services listening on UDP and thus port scan attacks are not possible.

Example: Assuming you have chosen to run SSH on TCP port 33001, and you will have 20 concurrent client connections at most, you will need to make Windows Firewall exceptions for TCP port 33001 and UDP ports 33001-33020.

Please follow the instructions below to open ports based on your Windows system.

Windows 7/8/2008/10

1. Click Windows Firewall from Control Panel > System and Security then click Advanced Settings.

2. In the left pane, click Inbound Rules if you are configuring the server machine, or Outbound Rules if you are configuring a client. Note that Aspera transfer servers can act as both server and client. In the right pane, select New Rule.

3. Select the Port option and click Next.

4. Choose whether the port is for TCP or UDP and enter the port number or port range. Click Next.


5. Choose Allow the connection. Click Next.

6. Choose when to allow the port, based on your computer's network. If you're not sure, leave all options selected. Click Next.

7. Give the rule an appropriate name, then click Finish.
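
The same server-side inbound rules, scripted for the example above (SSH on TCP 33001 and 20 concurrent sessions, so UDP 33001-33020). This is an added example, not part of the original article or of Aspera's tooling; it assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets) and an elevated PowerShell session, and the parameter names and rule group name are hypothetical.

```powershell
# Added example: inbound Windows Firewall rules for an Aspera transfer server.
# Assumptions: NetSecurity module present, elevated session, names below are made up.
param(
    [ValidateRange(1, 65535)][int]$SshPort     = 33001,  # TCP port chosen for SSH
    [ValidateRange(1, 65535)][int]$FirstUdp    = 33001,  # first FASP UDP port
    [ValidateRange(1, 65535)][int]$MaxSessions = 20,     # max concurrent client transfers
    [string]$FwProfile     = 'Any',   # "all options selected" in step 6; e.g. 'Domain,Private'
    [string]$RemoteAddress = 'Any'    # narrow to known client subnets where you can
)

$ErrorActionPreference = 'Stop'
$group = 'Aspera FASP example'        # hypothetical group, used to find the rules again

# One UDP port per concurrent session, counted up from the first port
$lastUdp = $FirstUdp + $MaxSessions - 1
if ($lastUdp -gt 65535) { throw "UDP range $FirstUdp-$lastUdp runs past port 65535" }
$udpRange = if ($MaxSessions -eq 1) { "$FirstUdp" } else { "$FirstUdp-$lastUdp" }

# Remove rules left by an earlier run so repeated runs do not pile up duplicates
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

$common = @{
    Direction     = 'Inbound'
    Action        = 'Allow'
    Group         = $group
    Profile       = $FwProfile
    RemoteAddress = $RemoteAddress
}
# TCP rule for the SSH control connection, UDP rule covering the whole FASP range
New-NetFirewallRule @common -DisplayName "Aspera SSH (TCP $SshPort)" `
    -Protocol TCP -LocalPort $SshPort | Out-Null
New-NetFirewallRule @common -DisplayName "Aspera FASP (UDP $udpRange)" `
    -Protocol UDP -LocalPort $udpRange | Out-Null

# Read the rules back from the firewall to confirm what was actually stored
Get-NetFirewallRule -Group $group | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name      = $_.DisplayName
        Enabled   = $_.Enabled
        Profile   = $_.Profile
        Protocol  = $filter.Protocol
        LocalPort = $filter.LocalPort -join ','
    }
}
```

On Windows 7 and Server 2008, where these cmdlets are not available, netsh advfirewall firewall add rule accepts the same protocol, direction and port range.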

Windows Vista

1. Click Windows Firewall from Control Panel > Security.

2. Click Allow a program through Windows Firewall.

3. Click Add port. 

4. Give the port allowance an appropriate name, enter the port number and specify whether it is TCP or UDP. Click OK.

Windows XP

1. Click Windows Firewall from Control Panel and click the Exceptions tab.
2. Click Add Port, specify the desired TCP or UDP port, and give it a name such as "SSH for Aspera". Click OK.



Adding more than one UDP port to the exceptions cannot easily be done from the GUI. Instead, issue the command below from a command prompt. It adds UDP ports 33001 to 33010 and creates an exception called "FASP UDP" for each. If you wish to open even more ports, simply change (33001,1,33010) to (33001,1,end port number).

FOR /L %I IN (33001,1,33010) DO netsh firewall add portopening UDP %I "FASP UDP"%I

Once finished, you should have two exceptions in your Windows Firewall and be ready to try some transfers.
