Configure FTPS Server Using IIS

FTPS, SFTP & FTP over SSH are three different things. FTPS is like HTTPS, TelentS, SMTP-S, IMAP-S or POP-S. It doesn’t encrypt any data or authentication details. It just transfers everything in clear text inside the SSL tunnel on a different port. However SFTP (SSH File Transfer Protocol) encrypts everything like SCP. Only similarity is it use same kind of syntaxes & do same file transfer. However SFTP is more secure than FTPS. Last one FTP over SSH implementation is in-between both FTPS & SFTP. It tries to tunnel FTP Control channel in a SSH session & then failover to normal data channel for data transfer.

FTPS implementation can be done in two methods i.e. Explicit & Implicit;

In Explicit mode, FTPS aware & unaware clients can work together. It also called as FTPES. 1^st client have to explicitly request security from FTPS server & server will reply accordingly & they will agree on parameters. If client didn’t request, server either can allow on normal mode or can refuse.

In Implicit method both client & server need to be aware of FTPS. Here no security negotiation takes place. Client need to start communication using FTPS control messages. And if such message is not received server will drop connection. In this mode server listens on 990 for control messages & 989 for data channel, however data channel ports can be changed.

Note: for client connectivity we have to use filezilla or winscp. Neither IE nor Windows Explorer support FTPS protocol

As I have a test Windows 2012 server with IIS 8.0. So I am going to use the same. Steps are same for Windows 2008 R2 which comes with IIS 7.5.

• Install IIS Role – FTP Server Services
  • Using Powershell “Add-WindowsFeature Web-FTP-Service, WEB-Mgmt-Console”
  • Or Use Server Manager and Install FTP Service from IIS Web Role

• Open IIS Manager, Right click Sites folder & Click Add FTP Site

• If you want to bind the IP Address type details.
• Type 990 as FTPS Control Channel Port
• Virtual Host Depends on if you are going to host multiple FTP Servers
• Click that check mark to “Start FTP Site Automatically”
• If you are building it out explicitly FTPS server, select Require SSL & Select your installed SSL Cert & click next
• As I have already installed a SSL Cert from my internal Windows Certificate Authority

• If you are creating an Anonymous site select the same else select Basic
• Select right authorization policy. This Policy will be applied at site level & FTP Virtual Directories are going to inherit the same.
• I prefer “Specified roles or user groups” with a Local Group & Read Permission.
• As per my FTP administration procedure I always add FTP users to that group. So all members of that group can get into this FTP site with read access.
• So by default this config will all of my FTP users to have read access to all virtual directories. Then if I need any custom setting for them, I modify Authorization at virtual directory level. Will be discussed later.

• Now you FTPS Site is ready;
• Let’s check till now what has been configured by double clicking specific icons on home page of site

• Authentication & Authorization

• Directory Browsing style as MS-DOS, FTP SSL Settings as we configured at the beginning

• I am selecting “user home directory” as user logon start point. You can restrict them to check other users folders too.

• Another key configuration point is Data Channel Ports. These are Passive Port range.
  We define on which port server & client need to transfer data.
  
• You have to configure on IIS Server Level. So select the IIS server Name & configure Data Channel Ports. I am configuring them to 5000-5001. You can choose your one numbers.
• FTP Sites in this IIS server are going to inherit these numbers.
• If you are going to publish this server to internet thru a firewall & publishing this server to internet using NAT rules. Make sure you configured that Public IP address in the External IP Address box.

• Till now our FTPS server is ready, let’s talk to your External Firewall Administrator & ask him to open 990, 5000-50001 port on this Public IP Address.
• While he is doing that let’s create a Virtual Directory & configure related user access so we can test our FTPS server.
• Create a Local Windows User as “Brajesh”
• Create a Local Windows User Group as “FTPUsers”
• Add the above Brajesh user to “FTPUsers” Group & remove from “Users” group
• Create a folder named as “Brajesh” in the FTP Root folder i.e. inside e:\FTPRoot. Because E:\FTPRoot is our FTP Website Root Folder. Make sure keep that folder name as Brajesh, so it will work like a Home Directory.
• Right click the FTP Website & Add a Virtual Directory

• Keep alias as Brajesh & select the Brajesh Folder we created under E:\FTPRoot

• Now you can select Brajesh virtual directory & check its configurations

• Under Brajesh FTP Authorization Rules, you can see FTPUsers group has been already added with Read Permission
• Add “Brajesh” user as a specified user with read & write permission & remove FTPUsers from this Authorization rules.

• We are ready with FTPS server & Virtual Directory

Let’s download Filezilla & WinSCP to test FTPS connectivity. Note neither IE nor Windows Explorer support FTPS protocol

• In Filezilla client, for host just type ftps://FTPServerURL or IP, then user name & password.
• You can see it will connect on port 990. If your certificate is public trusted it will not prompt you any trust message. In my case it is an internal certificate, so it is asking me to trust it. So I will click “Always trust certificate in future sessions” and click okay.

  If you don’t trust the cert, it will connect but it will not let you upload any data. Because it will not able to authenticate the SSL channel!

• Let’s take a look at FileZilla connection messages.

• Do you see that message “227 Entering Passive Mode (10,10,10,105,19,136)? It has two contents i.e. IP Address & Data Channel Port server is listening on.
• 10.10.10.105 is server IP Address & 19,136 makes port i.e. (19 x 256) +136 = 5000. Remember we configured Data Channel port as 5000 & 5001.
  

Now let’s try with WinSCP. For WinSCP make sure you change the protocol to FTP & SSL/TLS Implicit encryption

• Make sure you accept & select Trust in case any SSL certificate warning

47.606209 -122.332071