Purpose: To install FileZilla Server, an FTP server, on Windows 8 on an Xfinity network with an ARRIS TG1682G Gateway.
Note: It's very cumbersome to safely open ports with Xfinity. Next time, I'll just set up a Cygwin SSH server so I only have to open one port.
Configure server
Install FileZilla Server
Once installed, to change startup behavior, run services.msc and edit settings for FileZilla Server FTP server.
Add user
Edit > Users > Users > Add
General > Check "Enable account".
Enter Password.
Shared folders > Add, browse to a directory.
Select permissions, e.g. check all the boxes for full access.
OK
General Settings
Miscellaneous > Check "Start minimized"
Passive mode settings > Check "Use custom port range", input an arbitrary range above 1023, e.g.: 56960-56965
FTP over TLS settings > Check "Enable FTP over TLS support (FTPS)".
Check "Disable plain unencrypted FTP".
Click "Generate new certificate..."
2-Digit country code e.g.: US
Click Browse... and browse for a place to save the certificate.
Click "Generate certificate".
OK
Windows Firewall
Control Panel > Windows Firewall > Allow an app or feature through Windows Firewall
Change settings
Allow another app...
Browse... > Browse to installed location of FileZilla server, e.g. C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe
Check Private, uncheck Public.
Get IP of server
https://duckduckgo.com/ip
Note the IP listed after "Your IP Address is".
Configure Xfinity port forwarding
Xfinity Internet/xFi > Network > Network Devices > Gateway > Advanced Settings or https://internet.xfinity.com/network/gateway.
Near bottom: More > Advanced Settings
Port Forwarding
Add port forwarding
Select the device running the FTP server.
Add TCP/UDP for 21, 990, and the custom port range for Passive mode set above, e.g. 56960-56965.
Configure client
Install FileZilla client.
Site Manager... > New site
Protocol: FTP
Host: input the IP of the server noted above.
Encryption: Use explicit FTP over TLS if available.
Input User and Password configured in server above.
OK (to save)
Site Manager... > Double click the newly added host to try to connect. It will fail to connect because of Xfinity's threat detection.
Allow exceptions on Xfinity
Xfinity's threat detection will block incoming requests on every port you've just opened, so you must allow them here.
Xfinity Internet/xFi > Network > Advanced Security or https://internet.xfinity.com/network/security.
Under the device running the FTP server, you will see 1 or more "threats" detected.
Click "Can't Access This Device?" > Threat History.
For each line with Source IP that matches the client's source IP and time of attempted connection, click Allow Access.
On the client computer, disconnect and reconnect to the server as many times as needed to get all the passive ports listed as a "threat" so you can then click Allow on them.
Note that these access exceptions only last 30 days, so you'll have to repeat them then or when the client's IP changes.
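An added example, not part of the original guide: a small Python check that reads the 227 passive-mode replies from the client's message log and reports which ports in the forwarded range have been used so far, so you know which ones still need a connection attempt before they show up in Threat History. It also flags replies that fall outside the range or advertise an RFC 1918 (LAN) address. The range is the guide's example, the log lines are constructed samples, and the function names are illustrative.

```python
import re
from ipaddress import ip_address, ip_network

# Passive range from the guide's example; must match the server setting and the port forward.
PASV_RANGE = range(56960, 56966)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # The last two numbers encode the data port as high byte, low byte.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def audit(log_lines, port_range=PASV_RANGE):
    """Summarise which passive ports the server has handed out so far."""
    seen, out_of_range, private_hosts = set(), set(), set()
    for line in log_lines:
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        host, port = parsed
        if any(ip_address(host) in net for net in RFC1918):
            private_hosts.add(host)  # server is advertising its LAN address
        (seen if port in port_range else out_of_range).add(port)
    return {
        "seen": sorted(seen),
        "not_yet_seen": sorted(set(port_range) - seen),
        "out_of_range": sorted(out_of_range),
        "private_hosts": sorted(private_hosts),
    }

# Constructed sample lines in the style of a client message log.
SAMPLE_LOG = [
    "Response: 227 Entering Passive Mode (203,0,113,10,222,128)",
    "Response: 226 Successfully transferred",
    "Response: 227 Entering Passive Mode (203,0,113,10,222,129)",
    "Response: 227 Entering Passive Mode (192,168,0,15,222,133)",
    "Response: 227 Entering Passive Mode (203,0,113,10,195,80)",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any port under out_of_range means the server's custom passive range is not in effect or does not match what was forwarded on the gateway.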