They say a picture is worth a 1000 words, in this case it’s worth every one. Recently in the forums @ http://forums.iis.net, a few posts came up people trying to setup FTP over SSL with an external firewall. They were running into issues where they could connect, but couldn’t get a directory list. After answering a few threads stating the configuration to support FTP over SSL with PASV ports. I thought I would blog what few steps to complete the config. This blog isn’t meant to be the ‘end all be all’, but will be a targeted post to help people visually.
I’m assuming you’ve installed FTP 7. If not, here is an article to install FTP 7. This is a great starter article and one I’d recommend for people looking for a secure FTP over SSL solution. (Assuming you have Windows Server 2008 / FTP 7.x of course)
http://learn.iis.net/page.aspx/263/installing-and-troubleshooting-ftp75/
Also, I’m assuming you configured your server to use an SSL certificate. If not, here is an article that can assist setting this up.
http://learn.iis.net/page.aspx/304/using-ftp-over-ssl/
First thing: Define a range of PASV TCP ports on your router or firewall. From my days of running WS-FTP server, they used ports 4900 – 4910 by default. I got hooked and use these ones. The ports can be anything. If you are not sure, check with your network admin.
Secondly – Open IIS Manager, select the computer name, open FTP Firewall Support
Next, type in the Data Channel Port Range and external IP address. The External IP address can be left blank and filled in at a site level. The port range will be inherited by each site. Assuming you have static IP address on each site, there won’t be an issue sharing this range across multiple FTP sites.
TEST, TEST, TEST
You can use FileZilla, CoreFTP to test your connections.
Between the two articles on http://learn.iis.net, and this added tidbit, you should have a secure FTP solution over port 21. I’ve not tried using port 990 for FTP recently, I’ve done it in the past but it’s been too long, so I stick with port 21, require SSL and open a few PASV ports.
Hope this helps,
Steve Schofield
Microsoft MVP – IIS
Resources.
http://support.ipswitch.com/kb/FS-20051115-DM01.htm
Check out Robert’s blog (IIS Team FTP guru)