Setting Up FTP-over-SSL With IIS7 (FTPS)

┬áPART I – Server Setup

1) Install IIS Web Service role with all FTP Features selected:

2) Create folder you want to use as your FTP root landing point (i.e. D:\FTP)

3) Set permissions to allow anonymous access. Open command prompt as administrator and run the following command (using whatever folder path you created):

ICACLS “D:\FTP” /Grant IUSR:R /T

4) Open IIS. Right-click Sites and Add FTP Site:

5) Name your site and specify the FTP folder you created as the Content Directory:

6) Choose IP/Port and SSL settings below:

7) Specify Authentication and Authorization Information. In this example, we will give ‘Administrator’ full read/write access:

8) Create self-signed certificate. Select your server name in IIS Manager > Create Self-Signed Certificate in the right-hand pane. Complete the wizard, naming the certificate whatever you want:

9) Select your new FTP site under the Sites node, and select FTP SSL Settings. Select the certificate you just created. Select Custom for the SSL Policy, specify Require only credentials for the Control Channel and Allow for the Data Channel. Click Apply to save settings:

10) Edit bindings of the FTP site, and add port 990:

This should complete the setup of the server if you are using it internally. If you need to access it through a firewall (i.e. Cisco ASA) over the Internet, there are additional settings that need to be configured:

PART II – Firewalls, Ports, and External Access

11) Select the server name in IIS Manager > select FTP Firewall Support. Specify your passive port range and the external IP address this server uses. In this example I only specify one port (5000) so that I only need a single access list line on my firewall for a single port. Replace xxx.xxx.xxx.xxx with whichever public address your server uses. Click apply:

12) Now the firewall changes. This example uses Cisco ASA with a single external static address. The principals are the same with other firewalls. Insert the following commands:

//Create the object-group
object-group service FTPS
service-object tcp-udp eq 5000

//Permit the control and data ports with an access list
access-list outside_in extended permit tcp any interface outside eq 990
access-list outside_in extended permit object-group FTPS any host PUBLIC_SERVER_IP

//Specify your static NAT to internal FTP server
static (inside,outside) tcp interface 990 INTERNAL_SERVER_IP 990 netmask 255.255.255.255
static (inside,outside) tcp interface 5000 INTERNAL_SERVER_IP 5000 netmask 255.255.255.255

13) IMPORTANT: Open the services console (services.msc) on the FTP server and restart the Microsoft FTP Server service. This will bring passive port change made above online. Skipping this step will make you bang your head against the wall because it’s all setup correctly, it’s just not handing out the right passive ports when you connect.

PART III – Connecting with FTP Client

14) I use FileZilla for this example. It’s easy, free, lightweight FTP client that can do FTP over SSL. Open FileZilla > File > Site Manager and create a new profile with the following settings:

15) You should now be able to establish this connection. When you attempt you will be prompted if you want to trust the certificate (because it is self-signed), which you’ll want to do, and should be presented the directory listing on the FTP server:

Leave a Reply

Your email address will not be published. Required fields are marked *


*