How to create an FTPS Server in IIS 7.5
Overview:
The purpose of this document is to illustrate the procedure for creating an FTPS server in IIS 7.5.
References:
FTP Active Directory User Isolation
How to install IIS 7.5 for FTPS:
1. Using PowerShell: "Add-WindowsFeature Web-FTP-Service, Web-Mgmt-Console"
2. Or install the Windows Role FTP through Server Manager, as described below.
IIS 7.5 FOR WINDOWS SERVER 2008 R2
1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
6. Click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Results page, click Close.
How to configure IIS 7.5 for FTPS:
1. Open up IIS Manager and, at the server level, click FTP Firewall Support
   Data Channel Port Range: 5000-5001
   External IP Address of Firewall: put in the external IP address of the firewall that is doing NAT
2. Right-click on Sites and click Add FTP Site
3. FTP Authentication
   Anonymous Authentication: Disabled
   Basic Authentication: Enabled
4. FTP Authorization Rules
   Mode: Allow
   Roles: FTP_Users
   Permissions: Read, Write
5. FTP Firewall Support (on the new site)
   Data Channel Port Range: 5000-5001
   External IP Address of Firewall: put in the external IP address of the firewall that is doing NAT
6. FTP SSL Settings
   Choose your certificate. In our example we uploaded a certificate from DigiCert.
   Require SSL Connections
7. FTP User Isolation
   Isolate users. Restrict users to the following directory:
   User name directory (disable global virtual directories)
8. Open up a command prompt and create the following directories.
   a. mkdir F:\inetpub\ftproot\LocalUser
   b. mkdir F:\inetpub\ftproot\LocalUser\Public
   c. mkdir F:\inetpub\ftproot\LocalUser\adminfiles
   d. mkdir F:\inetpub\ftproot\LocalUser\<username>
9. Site Bindings
   Type: ftp
   Port: 990
   IP Address: *
10. Restart the Microsoft FTP Service
   a. net stop ftpsvc
   b. net start ftpsvc
How to make exclusions in the Firewall:
1. Ensure that you have ports 990, 5000, and 5001 open (990 is the implicit FTPS control port bound above; 5000-5001 is the data channel port range configured under FTP Firewall Support).
How to add users:
1. Log into the server that is running IIS 7.5.
2. Click Start > Run (or WinKey+R), type compmgmt.msc, and expand Local Users and Computers.
   a. Right-click on Users and create a new user.
   b. After creating the user, add the user to the security group FTP_USERS.
3. Open up a command prompt and type the following command: mkdir F:\inetpub\ftproot\LocalUser\<username>
   a. This will create a folder, or home directory, for the user.
4. Launch IIS Manager (7.5)
   a. Right-click on the FTP site.
   b. Click Add Virtual Directory.
   c. For the virtual directory:
      i. Alias: <username>
      ii. Path: F:\inetpub\ftproot\LocalUser\<username>
   d. Click Start > Run (or WinKey+R) and type services.msc to open up the services management console.
   e. Find the Microsoft FTP Service and click Stop. Once it stops completely, click Start.
   f. The user should now be added.
How to connect with FileZilla:
1. Download and install FileZilla.
2. Click File > Site Manager.
3. FileZilla settings:
   i. Host: <DNS name of the server>
   ii. Protocol: FTP – File Transfer Protocol
   iii. Encryption: Require implicit FTP over TLS
   iv. Logon Type: Normal
   v. User: <enter your username>
   vi. Password: <enter your password>
4. You will get prompted for the certificate; go ahead and accept the certificate. The certificate warning typically comes up when it is an internally generated self-signed certificate.
Below is some detailed info on using FileZilla pulled from another website.
1. Let's download FileZilla & WinSCP to test FTPS connectivity. Note that neither IE nor Windows Explorer supports the FTPS protocol.
2. In the FileZilla client, for host just type ftps://FTPServerURL or IP, then user name & password.
3. You can see it will connect on port 990. If your certificate is publicly trusted it will not prompt you with any trust message. In my case it is an internal certificate, so it is asking me to trust it. So I will click "Always trust certificate in future sessions" and click OK.
4. If you don't trust the cert, it will connect but it will not let you upload any data, because it will not be able to authenticate the SSL channel!
5. Let's take a look at the FileZilla connection messages.
6. Do you see that message "227 Entering Passive Mode (10,10,10,105,19,136)"? It has two contents, i.e. the IP address & the data channel port the server is listening on.
7. 10.10.10.105 is the server IP address & 19,136 makes the port, i.e. (19 x 256) + 136 = 5000. Remember we configured the data channel ports as 5000 & 5001.
8. Now let's try with WinSCP. For WinSCP make sure you change the protocol to FTP & SSL/TLS Implicit encryption.
9. Make sure you accept & select Trust in case of any SSL certificate warning.
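The 227 reply quoted above is where the FTP Firewall Support settings become visible to the client, so it is a handy thing to check when a data transfer stalls. The Python below is an example added here (not code from the post, IIS or FileZilla): it parses a passive-mode reply the way the write-up does by hand and reports whether the advertised address and port match the configured setup. The expected address 10.10.10.105 is taken from the post's own log line, the port range 5000-5001 is the one configured above, and the sample replies are constructed.

```python
import re

# Values from the write-up: data channel port range set under FTP Firewall
# Support, and the server address shown in the post's own 227 reply.
DATA_PORT_RANGE = (5000, 5001)
EXPECTED_SERVER_IP = "10.10.10.105"

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as defined by RFC 959
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in passive-mode reply: %r" % reply)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_pasv(reply, expected_ip=EXPECTED_SERVER_IP, port_range=DATA_PORT_RANGE):
    """Return a list of mismatches between the advertised data endpoint and
    the configured one. An empty list means the reply matches the setup; a
    wrong address points at the External IP Address setting, a port outside
    the range at the Data Channel Port Range setting (or a missing restart)."""
    problems = []
    ip, port = parse_pasv(reply)
    if ip != expected_ip:
        problems.append("advertised address %s, expected %s" % (ip, expected_ip))
    low, high = port_range
    if not low <= port <= high:
        problems.append("advertised port %d outside data channel range %d-%d"
                        % (port, low, high))
    return problems


if __name__ == "__main__":
    # Constructed sample replies: the post's own, then two misconfigured ones.
    for reply in ("227 Entering Passive Mode (10,10,10,105,19,136)",
                  "227 Entering Passive Mode (10,10,10,105,19,138)",
                  "227 Entering Passive Mode (192,168,1,5,19,136)"):
        print(reply, "->", parse_pasv(reply), check_pasv(reply) or "OK")
```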